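---
# HAProxy profile data: host-based routing for Puppetboard and the PuppetDB
# API. The same two hostnames appear in the mappings, the certificate alt
# names and the DNS cnames below; keep those lists in sync.

# mappings
# Each entry is '<host> <backend>'. Presumably these are rendered to
# /etc/haproxy/<frontend>.map, which the frontends below read - confirm
# against the profile.
profiles::haproxy::mappings:
  fe_http:
    ensure: present
    mappings:
      - 'puppetboard.main.unkin.net be_puppetboard'
      - 'puppetdbapi.main.unkin.net be_puppetdbapi'
  fe_https:
    ensure: present
    mappings:
      - 'puppetboard.main.unkin.net be_puppetboard'
      - 'puppetdbapi.main.unkin.net be_puppetdbapi'

# The backend is chosen from the lower-cased Host header. A Host value with
# no map entry falls through to be_default, which is not defined in this
# file.
profiles::haproxy::frontends:
  fe_http:
    options:
      use_backend:
        - '%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]'
  fe_https:
    options:
      use_backend:
        - '%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]'

profiles::haproxy::backends:
  be_puppetboard:
    description: Backend for Puppetboard
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        # forwardfor appends the client address to X-Forwarded-For and keeps
        # any value the client sent; the backend should trust only the last
        # entry.
        - forwardfor
      # NOTE(review): the persistence cookie carries no 'httponly' or
      # 'secure' attribute; consider adding them, since plain HTTP is
      # redirected to HTTPS below.
      cookie: SRVNAME insert
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        # set-header replaces any X-Forwarded-Proto supplied by the client;
        # add-header would append next to it and leave a spoofed value
        # visible to the backend.
        - 'set-header X-Forwarded-Proto https if { dst_port 443 }'
      # Requests that did not arrive over TLS are redirected to HTTPS.
      redirect: 'scheme https if !{ ssl_fc }'
  be_puppetdbapi:
    description: Backend for the PuppetDB API
    collect_exported: false  # handled in custom function
    # NOTE(review): no source-address ACL or client authentication for this
    # backend is visible in this file; confirm that access to the PuppetDB
    # API is restricted elsewhere.
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        # Appends to X-Forwarded-For; client-supplied values are kept.
        - forwardfor
      cookie: SRVNAME insert
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        # set-header so that a client-supplied X-Forwarded-Proto is
        # overwritten rather than passed through.
        - 'set-header X-Forwarded-Proto https if { dst_port 443 }'
      # Requests that did not arrive over TLS are redirected to HTTPS.
      redirect: 'scheme https if !{ ssl_fc }'

profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/vault/certificate.pem

# additional altnames
profiles::pki::vault::alt_names:
  - puppetboard.main.unkin.net
  - puppetdbapi.main.unkin.net

# additional cnames
profiles::haproxy::dns::cnames:
  - puppetboard.main.unkin.net
  - puppetdbapi.main.unkin.net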