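# offsite/main.tf — off-site Hetzner hosts. Terraform owns VM existence (ADR-006,
# generalized to Hetzner). ALWAYS `make tf-plan TF_ENV=offsite` and review before
# `make tf-apply TF_ENV=offsite`.

# Declares the "askari" off-site VM through the shared hetzner_vm module.
# Network exposure is driven by two inputs below: ssh_admin_cidrs (source
# ranges allowed to reach SSH) and public_web (public web / NetBird ports).
module "askari" {
  source = "../../modules/hetzner_vm"

  name = "askari"

  # x86, 2 vCPU / 4 GB / 40 GB (CAX11/ARM was out of stock in
  # every EU location 2026-06-14; cx23 is same-spec + cheaper)
  server_type = "cx23"
  location    = "hel1" # Helsinki
  image       = "debian-13"

  ansible_ssh_pubkey = var.ansible_ssh_pubkey

  # TEMP (incident recovery 2026-06-17): re-open WAN :22 to ubongo only; re-close
  # once the firewall/Docker + boot-race issues are fixed.
  # NOTE(review): the /32 keeps this to a single source address, but the
  # exception has no expiry date or tracking reference, so nothing prompts the
  # re-close. Record one here, and confirm the address is a static one that
  # stays under ubongo's control; if it can be reassigned, the allow rule
  # follows the address, not the host.
  # NOTE(review): when re-closing, restore the pre-incident value (not visible
  # in this file) and check in `make tf-plan TF_ENV=offsite` that the plan only
  # narrows SSH exposure.
  ssh_admin_cidrs = ["91.226.145.80/32"]

  # Caddy 80/443 + NetBird 3478 (M4)
  # NOTE(review): presumably opens these ports to any source; the module body
  # is not visible here, so verify it exposes nothing beyond 80/443 and 3478.
  public_web = true

  labels = {
    env        = "offsite"
    group      = "offsite_hosts"
    managed-by = "terraform"
  }
}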