# Inbound firewall shared by both OPNsense servers. Every rule below accepts
# traffic from any source address, so each listed port is reachable from the
# whole internet on the address families named in its source_ips.
resource "hcloud_firewall" "opnsense" {
  name = "opnsense"

  # Services opened to IPv4 and IPv6 sources alike. One rule is generated per
  # map entry; the key is only a label for the reader.
  # NOTE(review): port 53 is world-reachable over UDP and TCP. Confirm the
  # DNS service behind it does not offer recursion to arbitrary clients.
  # NOTE(review): confirm that what answers on 80/443 is the intended public
  # service and not the OPNsense administration GUI.
  dynamic "rule" {
    for_each = {
      http              = { protocol = "tcp", port = "80" }
      https             = { protocol = "tcp", port = "443" }
      dns_udp           = { protocol = "udp", port = "53" }
      dns_tcp           = { protocol = "tcp", port = "53" }
      smtp              = { protocol = "tcp", port = "25" }
      smtps             = { protocol = "tcp", port = "465" }
      imaps             = { protocol = "tcp", port = "993" }
      matrix_federation = { protocol = "tcp", port = "8448" }
    }

    content {
      direction  = "in"
      protocol   = rule.value.protocol
      port       = rule.value.port
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }

  # WireGuard. Unlike the services above, this rule lists IPv4 sources only,
  # so IPv6 peers are not admitted by this firewall.
  # NOTE(review): confirm the missing "::/0" is intentional.
  rule {
    direction  = "in"
    protocol   = "udp"
    port       = "51820"
    source_ips = ["0.0.0.0/0"]
  }

  # ICMP, restricted to IPv6 source addresses. There is no matching rule for
  # IPv4 sources in this resource.
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = ["::/0"]
  }
}

# Binds the firewall above to the two OPNsense servers, so both nodes share
# the same inbound policy.
resource "hcloud_firewall_attachment" "opnsense" {
  firewall_id = hcloud_firewall.opnsense.id
  server_ids  = [hcloud_server.opnsense_a.id, hcloud_server.opnsense_b.id]
}