From 7567a1d9abc584af93539713715209e7c88b2b9a Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Tue, 21 Mar 2023 19:42:51 +0100
Subject: [PATCH] updated haproxy state
---
 states/haproxy/defaults.yaml | 6 ++++++
 states/haproxy/install.sls | 9 +++++++++
 states/haproxy/map.jinja | 11 +++--------
 states/haproxy/templates/haproxy.cfg.j2 | 15 ++++++++-------
 4 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/states/haproxy/defaults.yaml b/states/haproxy/defaults.yaml
index 4639c48..ec638ce 100644
--- a/states/haproxy/defaults.yaml
+++ b/states/haproxy/defaults.yaml
@@ -12,10 +12,16 @@ haproxy:
 - redirects
 - vhosts
 acme: false
+ hatop:
+ fetchurl: https://github.com/jhunt/hatop/releases/download
+ version: "0.8.2"
+ hash: sha256=6ba2136e98b9a436488be67a54a5295f55f38090157d09df0154dda493ac5815
 config:
 dir: /etc/haproxy
 configfile: haproxy.cfg
 peers:
+ hosts: []
+ port: 4096
 dirs:
 - geoip
 - maps
diff --git a/states/haproxy/install.sls b/states/haproxy/install.sls
index e014f32..54509c5 100644
--- a/states/haproxy/install.sls
+++ b/states/haproxy/install.sls
@@ -36,3 +36,12 @@ haproxy-script-{{ file.name }}:
 - watch_in:
 - service: haproxy-service
 {% endfor %}
+
+haproxy-hatop-download:
+ file.managed:
+ - name: /usr/bin/hatop
+ - source: {{ haproxy.hatop.fetchurl }}/v{{ haproxy.hatop.version }}/hatop
+ - source_hash: {{ haproxy.hatop.hash }}
+ - user: root
+ - group: root
+ - mode: "0755"
diff --git a/states/haproxy/map.jinja b/states/haproxy/map.jinja
index 094dbb2..b219565 100644
--- a/states/haproxy/map.jinja
+++ b/states/haproxy/map.jinja
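Review bot: `hatop.hash` on the added `hash:` line is the digest of the one binary that `version: "0.8.2"` selects, yet the two are independent pillar-overridable keys with nothing tying them together, so a pillar that bumps `version` alone makes the download state in install.sls fail on a hash mismatch — fail-closed, but worth a comment, `# sha256 of the hatop binary for the version above; change both together`. The new `hosts: []` default is replaced at render time by map.jinja with a list of `[name, ip]` pairs, so a note beside it, `# filled by map.jinja from haproxy.peers; consumed as [name, ip] pairs`, would spare the next reader a trip through the other files. The `haproxy:` mapping continues outside the hunk.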
@@ -8,18 +8,13 @@
 {%- set net = salt['pillar.get']('net') -%}
 {%- set fqdn = salt['grains.get']('fqdn') -%}
-{% set peers = salt['mine.get'](
- tgt='G@lb:true',
- fun='internal_ip_addrs',
- tgt_type='compound') %}
-
 {% set peers_ip = [] %}
-{%- for k,v in peers.items() %}
-{%- if k != salt['grains.get']('fqdn') %}
+{%- for k,v in haproxy.peers.items() %}
+{%- if k != fqdn %}
 {%- for i in v %}
 {% set _ = peers_ip.append([k,i]) %}
 {%- endfor %}
 {%- endif %}
 {%- endfor %}
-{% do haproxy.config.update({"peers": peers_ip }) %}
+{% do haproxy.config.peers.update({"hosts": peers_ip }) %}
diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2
index 5f4dc81..05ec94d 100644
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@@ -88,13 +88,13 @@ defaults {{ haproxy.config.namespace }}
 {{ key }} {{ value }}
 {%- endfor %}
-{% if haproxy.config.peers|length > 0 -%}
+{% if haproxy.config.peers.hosts -%}
 peers paulbsd
- bind *:4096 ssl crt {{ haproxy.config.acme_fullchains_dir }}
+ bind *:{{ haproxy.config.peers.port }} ssl crt {{ haproxy.config.acme_fullchains_dir }}
 default-server ssl verify none
 server {{ salt['grains.get']('fqdn') }}
-{%- for peer in haproxy.config.peers %}
- server {{ peer[0] }} {{ peer[1] }}:4096
+{%- for host in haproxy.config.peers.hosts %}
+ server {{ host[0] }} {{ host[1] }}:{{ haproxy.config.peers.port }}
 {%- endfor %}
 {%- endif %}
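Review bot: The new loop reads `haproxy.peers.items()`, but nothing in this commit defines `haproxy.peers`: the defaults hunk adds `hosts`/`port` under `haproxy.config.peers`, not directly under `haproxy`, so unless pillar or a part of defaults outside this diff supplies that key, the map fails to render on a minion with no peers instead of yielding the empty `hosts` list the template now handles. A tolerant lookup, `{%- for k,v in haproxy.get('peers', {}).items() %}`, keeps the single-node case working. With the `mine.get` call gone, the expected input shape (peer name mapped to a list of addresses, the local `fqdn` skipped) is no longer evident; a comment above the loop such as `{# peers: {<peer fqdn>: [<ip>, ...]} — replaces the former mine.get lookup #}` would document it.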
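Review bot: The peers section name stays hard-coded as `peers paulbsd` on the context line inside the new `{% if haproxy.config.peers.hosts -%}` block, and again in the `"peers paulbsd"` expression of the stick-table hunk that follows, while the hosts and port those same lines use now come from `haproxy.config.peers`; a `name` key next to `hosts`/`port`, used as `peers {{ haproxy.config.peers.name }}`, would keep the three references from drifting. The listener remains `bind *:` on the now pillar-controlled port, and with the `default-server ssl verify none` context line TLS on this channel does not authenticate the remote side, so reachability of that port is what bounds who can speak the peers protocol; binding to the address the peers use, or firewalling the port to `peers.hosts`, is worth considering. The enclosing template section continues outside the hunk.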
@@ -106,7 +106,7 @@ cache static
 # Per IP rates stick table
 backend per_ip_rates from {{ haproxy.config.namespace }}
- stick-table type string size {{ haproxy.config.ddos.size|default("1m") }} expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}}) peers paulbsd
+ stick-table type string size {{ haproxy.config.ddos.size|default("1m") }} expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}}) {{ "peers paulbsd" if haproxy.config.peers.hosts }}
 # Default HTTP frontend
 frontend http from {{ haproxy.config.namespace }}
@@ -148,6 +148,7 @@ frontend https from {{ haproxy.config.namespace }}
 ## ACLs
 acl internal src -f {{ haproxy.config.dir }}/maps/access
 acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
+ acl security_txt path /.well-known/security.txt
 acl robots_txt path /robots.txt
 acl max_req_rate sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200) }}
 acl self_host req.hdr(Host) {{ fqdn }}
@@ -174,7 +175,8 @@ frontend https from {{ haproxy.config.namespace }}
 http-request deny deny_status 429 if max_req_rate !internal
 ## Returns
- http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
+ http-request return status 200 content-type text/plain string "User-agent: *\r\nAllow: /" if robots_txt
+ http-request return status 200 content-type text/plain string "Contact: mailto:paul@paulbsd.com" if security_txt
 http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
 http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
 http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
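Review bot: The security.txt body on the added `http-request return … if security_txt` line carries only a `Contact:` field, but RFC 9116 also requires an `Expires:` field (ISO 8601 timestamp) and specifies the `text/plain; charset=utf-8` media type where the line sends bare `text/plain`; a form like `http-request return status 200 content-type "text/plain; charset=utf-8" string "Contact: mailto:paul@paulbsd.com\nExpires: <ISO-8601-DATE-PLACEHOLDER>\n" if security_txt` satisfies both. The `security_txt` ACL added in the previous hunk is a bare `path` match, so the file is returned for every Host this frontend serves rather than only `self_host`; if that is intended, a short comment next to the ACL saying so would help, otherwise add `self_host` to the condition as the other returns do. Both hunks sit inside `frontend https`, which starts and ends outside the diff.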
@@ -211,7 +213,6 @@ backend {{ name }} from {{ haproxy.config.namespace }}
 {%- for step in values.check_steps|default([]) %}
 http-check {{ step }}
 {%- endfor %}
- {{ statusresponses() }}
 {%- endif %}
 {%- if values.overrides|default([]) %}
 {%- for override in values.overrides %}