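# Provider requirements and provider configuration for the homelab Terraform root.
# Every provider is pinned to an exact version except cloudflare, whose pessimistic
# constraint is held in place by the committed .terraform.lock.hcl. All credentials
# come from environment variables (named per provider below); nothing secret is
# written into this file.
terraform {
  required_providers {
    gitea = {
      source  = "go-gitea/gitea"
      version = "0.6.0"
    }
    vault = {
      # Short source form; resolves to the hashicorp/ namespace.
      source  = "vault"
      version = "4.4.0"
    }
    google = {
      # Short source form; resolves to the hashicorp/ namespace.
      source  = "google"
      version = "7.0.1"
    }
    cloudflare = {
      source = "cloudflare/cloudflare"
      # pinned + .terraform.lock.hcl committed to avoid silent v5.x drift
      version = "~> 5.21"
    }
    ovh = {
      source  = "ovh/ovh"
      version = "2.8.0"
    }
  }
}

variable "gitea_cacert_file" {
  # The gitea provider runs inside the dflook/terraform-apply container, which does NOT trust the
  # homelab CA (unlike the ubuntu-latest-ca runner). Point it at the CA the workflow already writes
  # so it can verify https://gitea.arcodange.lab. Set via TF_VAR_gitea_cacert_file in CI; null locally.
  # Supplying the CA keeps TLS verification on; it is the alternative to disabling verification.
  description = "Path to the homelab CA cert for the Gitea provider (set in CI). Null = use system trust."
  type        = string
  default     = null
}

provider "gitea" {
  # https://registry.terraform.io/providers/go-gitea/gitea/latest/docs
  base_url    = "https://gitea.arcodange.lab"
  cacert_file = var.gitea_cacert_file
  # use GITEA_TOKEN env var
}

provider "vault" {
  address = "https://vault.arcodange.lab"
  auth_login_jwt {
    # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd"
  }
}

provider "google" {
  project = "arcodange"
  # GCP region identifiers are lowercase; the previous value "US-EAST1" is not a
  # valid region name and region-scoped resources would fail to resolve it.
  region = "us-east1"
}

# CLOUDFLARE_API_TOKEN environment variable required
provider "cloudflare" {}

provider "ovh" {
  # OVH_APPLICATION_KEY OVH_APPLICATION_SECRET OVH_CONSUMER_KEY
  endpoint = "ovh-eu"
}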