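## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "haproxy/map.jinja" import haproxy,certs with context %}

{#-
  internal_access: limits a backend to the source addresses listed in
  /etc/haproxy/access. The check is an http-request rule so that a request
  from any other address is answered with 403 before it is forwarded to a
  server; an http-response rule would only hide the server's reply after
  the request had already been processed.
  Where a backend enables both handle_head and internal_access, the HEAD
  rule is rendered first and is therefore evaluated before this check.
#}
{%- macro internal_access() -%}
    acl internal src -f /etc/haproxy/access
    http-request return status 403 default-errorfiles if ! internal
{%- endmacro -%}

{#- handle_head: answer HEAD requests with 200 from HAProxy itself. #}
{%- macro handle_head() -%}
    http-request return status 200 if { method -i HEAD }
{%- endmacro -%}

{#-
  handle_endpoints: one `server` line per endpoint.
    check - add layer-7 health checks (defaults to true)
    ssl   - use TLS towards the server (defaults to false)
  NOTE(review): `ssl verify none` encrypts the hop but does not authenticate
  the server, so a host able to intercept that connection can impersonate it.
  Prefer `verify required` with a `ca-file` once a CA bundle for the
  endpoints is available in pillar; none is defined in this template.
#}
{%- macro handle_endpoints(endpoints, check, ssl) -%}
    {%- for endpoint in endpoints %}
    server {{ endpoint.name }} {{ endpoint.name }}:{{ endpoint.port }}{{ " check observe layer7 " if check|default(true) }}{{ " ssl verify none " if ssl|default(false) }}
    {%- endfor %}
{%- endmacro -%}

{#-
  admin: statistics page, rendered when haproxy.config.admin is set.
  NOTE(review): it binds every interface on port 7000 and serves the page at
  `/` with no `stats auth` and no source ACL, so anyone who can reach the
  port can read frontend/backend names and health. Restrict the port at the
  firewall, or add authentication or a source ACL here.
#}
{%- macro admin() -%}
listen stats
    mode http
    bind *:7000 v4v6
    stats enable
    stats refresh 5s
    stats uri /
{%- endmacro -%}

{#-
  api: currently identical to admin() (same section name, same bind) and not
  called anywhere in this template; rendering both would declare
  `listen stats` twice on the same port.
#}
{%- macro api() -%}
listen stats
    mode http
    bind *:7000 v4v6
    stats enable
    stats refresh 5s
    stats uri /
{%- endmacro %}

global
    #lua-load /etc/haproxy/hello_world.lua
    maxconn 1000
    # Runtime API on loopback TCP at admin level: every local process can
    # connect to it, whatever user it runs as.
    stats socket ipv4@127.0.0.1:9990 level admin
    # Admin-level runtime API on a UNIX socket. Mode 660 keeps it to the
    # socket's owner and group; a world-writable socket would hand admin
    # control of the proxy to every local user. Add the `user`/`group`
    # socket options if a non-root tool has to use it.
    stats socket /var/run/hap-lb.sock mode 660 level admin
    stats timeout 2m
    ssl-default-bind-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
    ssl-default-bind-options {{ haproxy.config.ssl_options|join(" ") }}
    ssl-default-server-ciphers {{ haproxy.config.ssl_ciphers|join(":") }}
    ssl-default-server-options {{ haproxy.config.ssl_options|join(" ") }}
    crt-base {{ haproxy.config.acme_dir }}/certs
    ssl-dh-param-file {{ haproxy.config.acme_dir }}/dh/dh.pem

defaults
    {%- for default in haproxy.config.defaults.keys() %}
    {{ default }}
    {%- endfor %}

{%- if haproxy.config.admin %}

{{ admin() }}
{%- endif %}

# Plain-HTTP listener: redirects every non-TLS request to https.
frontend http
    bind *:80,:::80 v4v6
    mode http
    acl http ssl_fc,not
    http-request redirect scheme https if http

# TLS listener: routes on the Host header, everything else goes to "nginx".
# With an empty certs list the bind line carries no `ssl crt`, and port 443
# would then accept plaintext.
frontend https
    bind *:443,:::443 v4v6 {% for cert in certs %}{{ " ssl crt " + cert + " " }}{% endfor %}
    {%- for name, values in haproxy.config.vhosts.items() %}
    use_backend {{ name }} if { hdr(Host) -i {{ values.host }} }
    {%- endfor %}
    default_backend nginx

{% for name, values in haproxy.config.vhosts.items() %}
backend {{ name }}
    balance {{ values.balance|default("roundrobin") }}
    {%- if values.handle_head|default(false) %}
    {{ handle_head() }}
    {%- endif %}
    {%- if values.internal_access|default(false) %}
    {{ internal_access() }}
    {%- endif %}
    {{- handle_endpoints(values.endpoints, values.check, values.ssl) }}
{% endfor %}

{% for name, values in haproxy.config.services.items() %}
listen {{ name }}
    bind :::{{ values.port }} v4v6
    mode tcp
    {%- if values.type == "postgres" %}
    option pgsql-check user postgres
    {%- endif %}
    default-server inter 3s fall 3
    {%- for endpoint in values.endpoints %}
    server {{ endpoint.name }} {{ endpoint.name }}:{{ endpoint.port }} check port {{ endpoint.port }}
    {%- endfor %}
{% endfor %}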