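---
# Hiera data for an HAProxy edge node: stats listener, SELinux settings,
# global/default HAProxy sections, HTTP/HTTPS frontends, backends and the
# Prometheus exporter.
# NOTE(review): the nesting below was restored from a whitespace-collapsed
# copy of this file; verify it against the profile classes' parameter schema.

# Stats listener. The matching password is not set in this file; keep it out
# of plain-text Hiera (e.g. hiera-eyaml or a secret store).
# NOTE(review): 'admin' is a guessable account name and the bind address for
# port 9090 is not visible here; confirm the listener is not reachable from
# untrusted networks.
profiles::haproxy::ls_stats::port: 9090
profiles::haproxy::ls_stats::user: 'admin'

# NOTE(review): permissive mode only logs SELinux denials, so the port label
# and boolean below confine nothing at runtime. Switch to enforcing once the
# audit log is clean.
profiles::selinux::setenforce::mode: permissive
profiles::haproxy::selinux::ports:
  - 9090
# NOTE(review): haproxy_connect_any lets HAProxy open connections to any
# port; labelling the specific backend ports is the narrower option.
profiles::haproxy::selinux::sebooleans:
  - haproxy_connect_any

profiles::haproxy::server::globals:
  log:
    - '/dev/log local0'
    - '/dev/log local1 notice'
  stats:
    - 'timeout 30s'
    # Scraped by the Prometheus exporter (see cnf_scrape_uri at the end of
    # this file). No mode/user/group is given, so its permissions follow
    # HAProxy's defaults.
    # NOTE(review): confirm only the exporter account can reach it.
    - 'socket /var/lib/haproxy/stats'
    # Admin-level runtime API: anyone in the owning group can change server
    # state. Keep group membership minimal.
    - 'socket /var/lib/haproxy/admin.sock mode 660 level admin'
  ca-base: '/etc/ssl/certs'
  crt-base: '/etc/ssl/private'
  ssl-default-bind-ciphers: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
  ssl-default-bind-options: 'ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3'
  # RC4-SHA was removed from this list: RC4 is prohibited for TLS (RFC 7465)
  # and must not be offered to backends.
  # NOTE(review): kRSA+AES still permits RSA key exchange (no forward
  # secrecy); drop it once every backend supports ECDHE.
  ssl-default-server-ciphers: 'kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL'
  # NOTE(review): this only disables SSLv3, so TLS 1.0/1.1 remain allowed
  # towards backends while the bind side requires TLS 1.2. Align with
  # 'ssl-min-ver TLSv1.2' after checking backend support.
  ssl-default-server-options: 'no-sslv3'
  tune.ssl.default-dh-param: 2048

profiles::haproxy::server::defaults:
  mode: http
  option:
    - httplog
    - dontlognull
    - http-server-close
    - 'forwardfor except 127.0.0.0/8'
    - redispatch
  timeout:
    - 'http-request 10s'
    - 'queue 1m'
    - 'connect 10s'
    - 'client 5m'
    - 'server 5m'
    - 'http-keep-alive 10s'
    - 'check 10s'
  retries: 3
  maxconn: 5000

profiles::haproxy::frontends:
  fe_http:
    description: 'Global HTTP Frontend'
    bind:
      '0.0.0.0:80':
        - transparent
    mode: 'http'
    options:
      acl:
        - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
      http-request:
        # This listener is cleartext, so report the real scheme. Advertising
        # 'https' here lets backends treat plain-HTTP requests as secure
        # (skipped HTTPS redirects, Secure cookies sent over HTTP).
        # NOTE(review): if port 80 is only ever reached through an upstream
        # TLS terminator, confirm before rollout.
        - 'set-header X-Forwarded-Proto http'
        # set-header overwrites any client-supplied X-Real-IP value.
        - 'set-header X-Real-IP %[src]'
  fe_https:
    description: 'Global HTTPS Frontend'
    bind:
      '0.0.0.0:443':
        - ssl
        - 'crt-list /etc/haproxy/certificate.list'
        # Same list as ssl-default-bind-ciphers in the globals above.
        - 'ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
        # NOTE(review): force-tlsv12 pins this listener to TLS 1.2 only, so
        # the global 'ssl-max-ver TLSv1.3' never takes effect here.
        - force-tlsv12
    mode: 'http'
    options:
      acl:
        - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
      http-request:
        - 'set-header X-Forwarded-Proto https'
        - 'set-header X-Real-IP %[src]'

profiles::haproxy::backends:
  be_letsencrypt:
    description: 'Backend for LetsEncrypt Verifications'
    collect_exported: true
    options:
      balance: roundrobin
  be_default:
    description: 'Backend for unmatched HTTP traffic'
    collect_exported: true
    options:
      balance: roundrobin
      option:
        - 'httpchk GET /'
        # NOTE(review): the defaults section already sets
        # 'forwardfor except 127.0.0.0/8'; this entry carries no 'except'.
        - forwardfor
      # NOTE(review): the persistence cookie is issued without the
      # 'httponly' / 'secure' attributes; consider adding them.
      cookie: 'SRVNAME insert'
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        # add-header appends a second X-Forwarded-Proto on port 443, next to
        # the one the frontend already set.
        - 'add-header X-Forwarded-Proto https if { dst_port 443 }'

# The exporter reads metrics from the stats socket declared in the globals.
prometheus::haproxy_exporter::cnf_scrape_uri: 'unix:/var/lib/haproxy/stats'
prometheus::haproxy_exporter::export_scrape_job: true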