resource "hcloud_firewall" "ingress-web" {
  name = "ingress-web"

  # Attachment is label-driven: every server carrying this label gets the
  # rules below, so the ability to set server labels is effectively the
  # ability to expose a host on 80/443.
  apply_to {
    label_selector = "firewall.hetzner.si-infra.de/web=true"
  }

  # This firewall defines inbound rules only: ICMP, tcp/80 and tcp/443.
  # NOTE(review): no management port (e.g. SSH) is opened here; presumably
  # a separate firewall covers that — confirm.

  # ICMP from any IPv4/IPv6 source, kept open for network reachability tests.
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # Plain HTTP from any source.
  # NOTE(review): presumably only used for redirects to HTTPS and/or
  # certificate issuance — confirm nothing sensitive is served on 80.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # HTTPS from any source.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = ["0.0.0.0/0", "::/0"]
  }
}

resource "hcloud_firewall" "ingress-email" {
  name = "ingress-email"

  # Attachment is label-driven: every server carrying this label gets the
  # rules below, so the ability to set server labels is effectively the
  # ability to expose a host on tcp/25.
  apply_to {
    label_selector = "firewall.hetzner.si-infra.de/email=true"
  }

  # This firewall defines inbound rules only: ICMP and tcp/25.
  # Mail submission (587/465) and mailbox access (IMAP/POP3) are not opened
  # here; they would need rules of their own if this host serves clients.

  # ICMP from any IPv4/IPv6 source, kept open for network reachability tests.
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # SMTP (tcp/25) from any source, i.e. server-to-server mail delivery.
  # NOTE(review): world-reachable port 25 relies on the MTA itself to refuse
  # relaying for unauthenticated senders — confirm the relay policy.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "25"
    source_ips = ["0.0.0.0/0", "::/0"]
  }
}