# =============================================================================
# Admin SSH Keys (provided by user)
# =============================================================================
# Registers one DigitalOcean SSH key per entry in var.admin_ssh_public_keys.
# Only public keys pass through this resource; each.key becomes part of the
# key's display name and each.value is the public key material.
# NOTE(review): presumably var.admin_ssh_public_keys is a map(string) of
# label => OpenSSH public key; confirm against the variable declaration.

resource "digitalocean_ssh_key" "admin" {
  for_each = var.admin_ssh_public_keys

  name       = "${var.project_name}-${var.environment}-${each.key}"
  public_key = each.value
}

# =============================================================================
# Deploy Key (auto-generated for Forgejo Actions CI/CD)
# =============================================================================
# Terraform generates this key pair itself, so the private half is held in the
# Terraform state. The tls provider stores it there unencrypted: anyone who can
# read the state (or the backend that holds it) can read this private key.
# Keep the state in an encrypted, access-restricted backend.

resource "tls_private_key" "deploy" {
  algorithm = "ED25519"
}

# Registers only the public half of the generated deploy key with DigitalOcean.
resource "digitalocean_ssh_key" "deploy" {
  name       = "${var.project_name}-${var.environment}-deploy-key"
  public_key = tls_private_key.deploy.public_key_openssh
}

# =============================================================================
# Save deploy key locally for initial setup (optional)
# =============================================================================
# Writes the deploy PRIVATE key in OpenSSH format to
# <root module>/.secrets/deploy_key_<environment> with mode 0600.
# NOTE(review): the header says "optional", but this resource has no count or
# for_each guard, so the file is written on every apply.
# NOTE(review): confirm .secrets/ is excluded from version control and from any
# backup or artifact upload of the working directory. In a CI run this file
# lands on the runner's disk.

resource "local_sensitive_file" "deploy_private_key" {
  content         = tls_private_key.deploy.private_key_openssh
  filename        = "${path.root}/.secrets/deploy_key_${var.environment}"
  file_permission = "0600"
}

# =============================================================================
# Internal VPC Key (jump host → internal servers like Forgejo)
# =============================================================================
# A second generated key pair, kept separate from the deploy key. As with the
# deploy key, the private half is stored unencrypted in the Terraform state.
# NOTE(review): this section does not write the private key to a file; how it
# reaches the jump host (output, provisioner, user data) is not visible here.
# Verify that path does not expose the key in logs or in instance metadata.

resource "tls_private_key" "internal" {
  algorithm = "ED25519"
}

# Registers only the public half of the internal key with DigitalOcean.
resource "digitalocean_ssh_key" "internal" {
  name       = "${var.project_name}-${var.environment}-internal-key"
  public_key = tls_private_key.internal.public_key_openssh
}