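# Load balancer LXC container on Proxmox, dual-homed on the external bridge
# (eth-ext) and the development bridge (eth-dev). The resources below also
# enable the per-container firewall with a default-drop inbound policy and an
# explicit allow-list.
resource "proxmox_virtual_environment_container" "load_balancer" {
  node_name = "pve"
  vm_id     = 6010

  tags = ["dev", "prod", "common", "load-balancer"]

  # Run as an unprivileged container so container root is not host root.
  unprivileged = true

  cpu {
    cores = 1
  }

  memory {
    dedicated = 512
  }

  disk {
    datastore_id = var.datastore_id
    size         = 4
  }

  # `firewall = true` on each NIC is required for the container-level
  # firewall rules defined below to be applied to that interface.
  network_interface {
    bridge   = var.external_network_bridge_name
    name     = "eth-ext"
    firewall = true
    enabled  = true
  }

  network_interface {
    bridge   = var.development_network_bridge_name
    name     = "eth-dev"
    firewall = true
    enabled  = true
  }

  initialization {
    hostname = "load-balancer"

    # NOTE(review): the ip_config blocks presumably map to the
    # network_interface blocks in declaration order (DHCP on eth-ext, static
    # address on eth-dev). Confirm against the provider documentation.
    ip_config {
      ipv4 {
        address = "dhcp"
      }
    }

    ip_config {
      ipv4 {
        address = "192.168.0.253/24"
        # gateway = "192.168.0.1"
      }
    }

    # Key-based access only: no password is configured here.
    user_account {
      keys = [var.ssh_public_key]
    }
  }

  operating_system {
    template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
    type             = "debian"
  }

  started = true

  startup {
    order      = 1000
    up_delay   = 0
    down_delay = 0
  }

  # NOTE(review): nesting widens what the container can do on the host kernel;
  # keep it only if the workload needs it (presumably systemd on Debian 12).
  features {
    nesting = true
  }
}

# Container-level firewall: inbound traffic is dropped unless a rule below
# accepts it, and outbound traffic is unrestricted.
resource "proxmox_virtual_environment_firewall_options" "load_balancer" {
  depends_on = [proxmox_virtual_environment_container.load_balancer]

  node_name = proxmox_virtual_environment_container.load_balancer.node_name
  vm_id     = proxmox_virtual_environment_container.load_balancer.vm_id

  enabled = true
  # Allow DHCP so the DHCP-configured interface can obtain its lease despite
  # the default-drop inbound policy.
  dhcp          = true
  input_policy  = "DROP"
  output_policy = "ACCEPT"
}

# Inbound allow-list for the load balancer.
# NOTE(review): no rule here is scoped to an interface, so each one applies to
# both eth-ext and eth-dev. If SSH and the exporters should be reachable only
# from the development network, consider scoping those rules with the rule's
# interface attribute.
resource "proxmox_virtual_environment_firewall_rules" "load_balancer" {
  depends_on = [proxmox_virtual_environment_container.load_balancer]

  node_name = proxmox_virtual_environment_container.load_balancer.node_name
  vm_id     = proxmox_virtual_environment_container.load_balancer.vm_id

  # SSH is accepted only from the bastion container's second configured
  # address; split() strips the CIDR suffix so a bare IP is used as the
  # source. This depends on the ordering of the bastion's ip_config blocks,
  # which are defined elsewhere. Reordering them silently changes which
  # address is trusted.
  rule {
    type    = "in"
    source  = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
    proto   = "tcp"
    dport   = "22"
    action  = "ACCEPT"
    comment = "SSH from Bastion."
  }

  # NOTE(review): dport = "8" presumably selects ICMP type 8 (echo request).
  # Confirm how the provider and Proxmox version in use interpret dport for
  # icmp. The "Ping." comment was previously attached to the port-80 rule by
  # mistake and belongs here.
  rule {
    type    = "in"
    proto   = "icmp"
    dport   = "8"
    action  = "ACCEPT"
    comment = "Ping."
  }

  # HTTP and HTTPS are accepted from any source (no source restriction).
  rule {
    type    = "in"
    action  = "ACCEPT"
    dport   = "80"
    proto   = "tcp"
    comment = "HTTP."
  }

  rule {
    type    = "in"
    proto   = "tcp"
    dport   = "443"
    action  = "ACCEPT"
    comment = "HTTPS."
  }

  # Metrics scraping is delegated to cluster-level security groups defined
  # elsewhere. The source restrictions for these ports live in those groups.
  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
    comment        = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
  }

  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_nginx_exporter.name
    comment        = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node."
  }
}

# Exposes the whole container object to other configurations. `sensitive`
# redacts it from CLI output only; the values are still stored in the
# Terraform state, so access to the state backend must be restricted.
output "load_balancer_ct" {
  value     = proxmox_virtual_environment_container.load_balancer
  sensitive = true
}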