# Copyright (c) HashiCorp, Inc.

terraform {
  required_providers {
    tor = {
      source = "guardianproject/tor"
    }
  }
}

provider "tor" {}

# Generate relay identity keys
resource "tor_relay_identity_rsa" "bridge" {}

resource "tor_relay_identity_ed25519" "bridge" {}

# Generate obfs4 state using the identity keys
resource "tor_obfs4_state" "bridge" {
  rsa_identity_private_key     = tor_relay_identity_rsa.bridge.private_key_pem
  ed25519_identity_private_key = tor_relay_identity_ed25519.bridge.private_key_pem
  iat_mode                     = 1
}

# Generate bridge line for client distribution
data "tor_obfs4_bridge_line" "bridge" {
  ip_address                = "192.0.2.1"
  port                      = 443
  identity_fingerprint_sha1 = tor_relay_identity_rsa.bridge.public_key_fingerprint_sha1
  obfs4_state_certificate   = tor_obfs4_state.bridge.certificate
  obfs4_state_iat_mode      = tor_obfs4_state.bridge.iat_mode
}

# Output bridge configuration for deployment
output "rsa_identity_pem" {
  description = "RSA identity private key for bridge configuration"
  value       = tor_relay_identity_rsa.bridge.private_key_pem
  sensitive   = true
}

output "ed25519_identity_pem" {
  description = "Ed25519 identity private key for bridge configuration"
  value       = tor_relay_identity_ed25519.bridge.private_key_pem
  sensitive   = true
}

output "obfs4_state_json" {
  description = "Complete obfs4 state for bridge runtime"
  value       = tor_obfs4_state.bridge.state_json
  sensitive   = true
}

output "bridge_line" {
  description = "Complete bridge line for client use"
  value       = data.tor_obfs4_bridge_line.bridge.bridge_line
}