tf-ct-services/main.tf

###############################################################################
# com.uvlava.ct.services — standing CT services host: CT + MC MCPs (always-up)
# + cocottetech app backends (prospector / finances / marketing / onlyfans /
# cocottetech). Each app self-declares onto this host via its own .infra.yaml.
# Base image only here (docker + swap); app/MCP deploys land later.
###############################################################################

resource "digitalocean_droplet" "ct_services" {
  name     = var.name
  image    = "ubuntu-24-04-x64"
  size     = var.droplet_size
  region   = var.region
  ssh_keys = var.ssh_key_fingerprints
  tags     = ["ct", "services", "mcp"]

  user_data = file("${path.module}/cloud-init.yaml")

  lifecycle {
    # App/MCP data + state live in /opt volumes; `name` is ForceNew (rename via doctl).
    ignore_changes = [user_data, name]
  }
}

resource "digitalocean_firewall" "ct_services" {
  name        = "ct-services-fw"
  droplet_ids = [digitalocean_droplet.ct_services.id]

  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}

output "ct_services_ip" {
  value = digitalocean_droplet.ct_services.ipv4_address
}