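# DNS via the Hetzner Cloud DNS API (manage_dns = true) — same Cloud token,
# DNS is now integrated into the Cloud API. The zone must already exist in
# Hetzner DNS (lookup by name).
#
# NOTE(review): because the same token is used, whoever holds it (or the
# Terraform state/variables that carry it) can rewrite the records of this
# zone as well as manage servers. Treat it as a DNS-control credential.
data "hcloud_zone" "zone" {
  # Only looked up when DNS management is enabled.
  count = var.manage_dns ? 1 : 0
  name  = var.dns_zone_name
}

# Portal domain (apex "@" if domain == zone, otherwise the subdomain part) → Caddy
resource "hcloud_zone_rrset" "portal" {
  count = var.manage_dns ? 1 : 0
  zone  = data.hcloud_zone.zone[0].id

  # trimsuffix() removes only the trailing ".<zone>" from the domain.
  # replace() would strip every occurrence of that substring, producing a
  # wrong record name if the zone name also appears earlier in var.domain.
  # NOTE(review): if var.domain is not inside var.dns_zone_name, the full
  # domain is used as the record name unchanged — validate the variables.
  name = var.domain == var.dns_zone_name ? "@" : trimsuffix(var.domain, ".${var.dns_zone_name}")

  type    = "A"
  ttl     = 300
  records = [{ value = hcloud_server.caddy.ipv4_address }]
}

# Wildcard for company subdomains (KONZEPT §11) → Caddy (On-Demand-TLS)
#
# NOTE(review): with this record, every name under the zone that has no more
# specific record resolves to the Caddy server. Combined with On-Demand TLS,
# Caddy should only issue certificates for known company subdomains (its
# on-demand `ask` check); otherwise requests for arbitrary hostnames can
# trigger certificate issuance and run into CA rate limits. Confirm this in
# the Caddy configuration, which is not visible here.
resource "hcloud_zone_rrset" "wildcard" {
  count   = var.manage_dns ? 1 : 0
  zone    = data.hcloud_zone.zone[0].id
  name    = "*"
  type    = "A"
  ttl     = 300
  records = [{ value = hcloud_server.caddy.ipv4_address }]
}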