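---
# Hiera data for the au-syd1 HAProxy edge: host -> backend maps, the two
# frontends, one backend per published service, and the TLS/DNS glue.
#
# Review notes (changes vs. the previous revision):
#   - acl_ausyd1pve matched `https://au-syd1-pve...` against the Host header.
#     A Host header never carries a scheme, so the ACL could never be true and
#     the X-Frame-Options response rule that depends on it never fired. The ACL
#     now uses the same hdr_dom(host) match as the deny rule, and the deny rule
#     references the ACL instead of duplicating the expression.
#   - X-Forwarded-Proto was `add-header`, which keeps any client-supplied value
#     in front of ours; X-Forwarded-Port already used `set-header`. Both are
#     now `set-header`, and the condition is `ssl_fc` to agree with the
#     `redirect scheme https if !{ ssl_fc }` rule in every backend.
#   - Persistence cookies now carry `httponly secure`; every backend redirects
#     plain HTTP to HTTPS before a response is generated, so `secure` cannot
#     strand a client on the HTTP frontend.
#   - X-XSS-Protection is `0`: `1;mode=block` re-enables the legacy browser XSS
#     auditor, which current guidance (OWASP) says to disable.

# mappings: Host header (lowercased) -> backend name, rendered into
# /etc/haproxy/<frontend>.map and looked up by use_backend below.
profiles::haproxy::mappings:
  fe_http:
    ensure: present
    mappings:
      - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
      - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
      - 'sonarr.main.unkin.net be_sonarr'
      - 'radarr.main.unkin.net be_radarr'
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'jellyfin.main.unkin.net be_jellyfin'
  fe_https:
    ensure: present
    mappings:
      - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
      - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
      - 'sonarr.main.unkin.net be_sonarr'
      - 'radarr.main.unkin.net be_radarr'
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'jellyfin.main.unkin.net be_jellyfin'

profiles::haproxy::frontends:
  # Plain HTTP: routed to the same backends, each of which issues a
  # `redirect scheme https` before anything is forwarded to a server.
  fe_http:
    options:
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
  fe_https:
    options:
      acl:
        # Host-only match (no scheme) so the ACL can actually be true.
        - 'acl_ausyd1pve hdr_dom(host) -i au-syd1-pve.main.unkin.net'
        # `src` is the TCP peer address. If this HAProxy ever sits behind
        # another proxy or NAT, that device's address is what gets matched
        # here, not the original client - confirm before relying on it.
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
      http-request:
        # Only the PVE web host is restricted to internal subnets; the
        # au-syd1-pve-api host (be_ausyd1pve_api, same cluster) is reachable
        # from any source. NOTE(review): confirm that is intentional.
        - 'deny if acl_ausyd1pve !acl_internalsubnets'
      http-response:
        - 'set-header X-Frame-Options DENY if acl_ausyd1pve'
        - 'set-header X-Content-Type-Options nosniff'
        - 'set-header X-XSS-Protection 0'
        # No Strict-Transport-Security is set. Adding it is the usual next
        # step for an HTTPS-only edge, but with the Vault-issued certificate
        # below it makes any untrusted-CA warning non-bypassable in browsers,
        # so it is left as a deliberate follow-up rather than enabled here.

profiles::haproxy::backends:
  # All backends share the same shape: L7 health check, X-Forwarded-* set
  # (never appended) from the frontend connection, HTTPS redirect before
  # forwarding. `option forwardfor` appends to any client-supplied
  # X-Forwarded-For, so applications must trust only the last entry.
  # `http-reuse always` shares server-side connections across clients; keep
  # it only while none of these servers rely on connection-level state
  # (e.g. NTLM-style auth).
  be_ausyd1pve_web:
    description: Backend for au-syd1 pve cluster (Web)
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache httponly secure
      http-reuse: always
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { ssl_fc }'
      redirect: 'scheme https if !{ ssl_fc }'
  be_ausyd1pve_api:
    description: Backend for au-syd1 pve cluster (API only)
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      http-reuse: always
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { ssl_fc }'
      redirect: 'scheme https if !{ ssl_fc }'
  be_sonarr:
    description: Backend for au-syd1 sonarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache httponly secure
      http-reuse: always
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { ssl_fc }'
      redirect: 'scheme https if !{ ssl_fc }'
  be_radarr:
    description: Backend for au-syd1 radarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache httponly secure
      http-reuse: always
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { ssl_fc }'
      redirect: 'scheme https if !{ ssl_fc }'
  be_lidarr:
    description: Backend for au-syd1 lidarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache httponly secure
      http-reuse: always
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { ssl_fc }'
      redirect: 'scheme https if !{ ssl_fc }'
  be_readarr:
    description: Backend for au-syd1 readarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache httponly secure
      http-reuse: always
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { ssl_fc }'
      redirect: 'scheme https if !{ ssl_fc }'
  be_prowlarr:
    description: Backend for au-syd1 prowlarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache httponly secure
      http-reuse: always
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { ssl_fc }'
      redirect: 'scheme https if !{ ssl_fc }'
  be_jellyfin:
    description: Backend for au-syd1 jellyfin
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache httponly secure
      http-reuse: always
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { ssl_fc }'
      redirect: 'scheme https if !{ ssl_fc }'

# TLS: a single Vault-issued certificate whose SANs cover every published host.
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/vault/certificate.pem

# additional altnames - must stay in step with the mappings above, otherwise
# a newly mapped host is served with a certificate that does not name it.
profiles::pki::vault::alt_names:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
  - radarr.main.unkin.net
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - jellyfin.main.unkin.net

# additional cnames
profiles::haproxy::dns::cnames:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net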