diff --git a/dch-proxy.yml b/dch-proxy.yml
index 4cd2a01..51456fe 100644
--- a/dch-proxy.yml
+++ b/dch-proxy.yml
@@ -4,5 +4,18 @@ tasks:
 - name: ensure haproxy is running
 service:
- name=haproxy
- state=started
+ name: haproxy
+ state: started
+ tags:
+ - service
+ - name: ensure firewall is configured for haproxy
+ firewalld:
+ service: '{{ item }}'
+ immediate: true
+ permanent: true
+ state: enabled
+ loop:
+ - http
+ - https
+ tags:
+ - firewalld
diff --git a/group_vars/dch-proxy.yml b/group_vars/dch-proxy.yml
new file mode 100644
index 0000000..b11e1ff
--- /dev/null
+++ b/group_vars/dch-proxy.yml
@@ -0,0 +1,13 @@
+dch_proxy_internal_networks:
+- 172.30.0.0/16
+- 172.31.1.0/24
+# - 'fd68:c2d2:500e:3e00::/56'
+
+dch_proxy_allowlist:
+- 172.30.0.211/32
+
+dch_proxy_blocklist:
+- 172.30.0.208/28
+- 172.30.0.224/29
+- 172.30.0.232/29
+- 172.30.0.240/28
diff --git a/roles/dch-proxy/tasks/main.yml b/roles/dch-proxy/tasks/main.yml
index cd0e758..9622261 100644
--- a/roles/dch-proxy/tasks/main.yml
+++ b/roles/dch-proxy/tasks/main.yml
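Review bot: The `ensure haproxy is running` task only sets `state: started`, so haproxy is not guaranteed to come back after a reboot even though the firewall opening below it is made `permanent`; if the service is meant to persist, add `enabled: true` next to `state: started`. The firewalld task names no `zone:`, so both services land in the host's default zone — acceptable if the proxy's interface lives there, but pinning the zone (e.g. `zone: public`, or whatever this host uses) keeps an interface reassignment from silently closing 80/443. A one-line comment on the firewall task, such as `# 80/443 only; the TLS frontend is passthrough, so nothing else needs to be reachable`, would tell the next reader why only `http`/`https` are opened.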
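Review bot: All three lists are IPv4-only while the proxy's frontends bind `:::80`/`:::443`, which on a default Linux sysctl accepts both address families, and the only IPv6 prefix is left commented out — so a host in a blocklisted range that can also reach the proxy over IPv6 is neither rejected nor classified as `internal_net`; if those VLANs carry IPv6, add their prefixes to `dch_proxy_blocklist` (and `dch_proxy_internal_networks`) or bind the frontends IPv4-only. The precedence between the lists is not obvious from this file: `172.30.0.211/32` sits inside the blocklisted `172.30.0.208/28` and is reachable only because the template rejects `blocklist !allowlist`, so a comment above `dch_proxy_allowlist:` like `# exceptions to dch_proxy_blocklist; an address listed here is never rejected` would record that contract. The adjacent `172.30.0.224/29` and `172.30.0.232/29` could be a single `172.30.0.224/28`.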
@@ -1,41 +1,9 @@
-- name: ensure main haproxy frontend is configured
+- name: ensure haproxy is configured
 template:
- src=frontend-main.haproxy.cfg.j2
- dest=/etc/haproxy/50-frontend-main.cfg
- mode=0644
- notify: reload haproxy
-
-- name: ensure gitea haproxy backend is configured
- template:
- src=backend-gitea.haproxy.cfg.j2
- dest=/etc/haproxy/70-backend-gitea.cfg
- mode=0644
- notify: reload haproxy
-
-- name: ensure jenkins haproxy backend is configured
- template:
- src=backend-jenkins.haproxy.cfg.j2
- dest=/etc/haproxy/70-backend-jenkins.cfg
- mode=0644
- notify: reload haproxy
-
-- name: ensure bitwarden haproxy backend is configured
- template:
- src=backend-bitwarden.haproxy.cfg.j2
- dest=/etc/haproxy/70-backend-bitwarden.cfg
- mode=0644
- notify: reload haproxy
-
-- name: ensure openvpn haproxy backend is configured
- template:
- src=backend-openvpn.haproxy.cfg.j2
- dest=/etc/haproxy/70-backend-openvpn.cfg
- mode=0644
- notify: reload haproxy
-
-- name: ensure websites haproxy backend is configured
- template:
- src=backend-websites.haproxy.cfg.j2
- dest=/etc/haproxy/70-backend-websites.cfg
- mode=0644
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/conf.d/50-main.cfg
+ mode: u=rw,go=r
+ tags:
+ - config
+ - haproxy-config
 notify: reload haproxy
diff --git a/roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2
deleted file mode 100644
index de7274b..0000000
--- a/roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-backend bitwarden
- server bitwarden bitwarden.pyrocufflink.blue:80 check
-
-
-backend bitwarden-tls
- mode tcp
- server bitwarden bitwarden.pyrocufflink.blue:443 check
diff --git a/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
deleted file mode 100644
index acf02f9..0000000
--- a/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
+++ /dev/null
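Review bot: The new task writes a single file to `/etc/haproxy/conf.d/50-main.cfg`, but nothing in this commit removes the fragments the previous version placed directly in `/etc/haproxy/` (`50-frontend-main.cfg`, `70-backend-*.cfg`); if the haproxy unit still loads that directory (not visible here), the stale frontend with `default_backend openvpn` and the duplicate `backend gitea`/`bitwarden`/`web` definitions will be loaded alongside the new config, and the reload will either fail on duplicate names or keep the old catch-all routes alive past the access-control change. Add a cleanup task like the one below (or document the manual step). Since the template now carries the blocklist ACLs, a `validate:` on the template task — e.g. `validate: 'haproxy -c -f /etc/haproxy/haproxy.cfg -f %s'`, adjusted to however the unit assembles its config — would keep a rendering error from taking haproxy down on reload.
```yaml
# … unchanged: ensure haproxy is configured task …

- name: ensure legacy haproxy config fragments are removed
  file:
    path: '/etc/haproxy/{{ item }}'
    state: absent
  loop:
  - 50-frontend-main.cfg
  - 70-backend-gitea.cfg
  - 70-backend-jenkins.cfg
  - 70-backend-bitwarden.cfg
  - 70-backend-openvpn.cfg
  - 70-backend-websites.cfg
  tags:
  - config
  - haproxy-config
  notify: reload haproxy
```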
@@ -1,7 +0,0 @@
-backend gitea
- server gitea git0.pyrocufflink.blue:80 check
-
-
-backend gitea-tls
- mode tcp
- server gitea git0.pyrocufflink.blue:443 check
diff --git a/roles/dch-proxy/templates/backend-jenkins.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-jenkins.haproxy.cfg.j2
deleted file mode 100644
index b365020..0000000
--- a/roles/dch-proxy/templates/backend-jenkins.haproxy.cfg.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-backend jenkins
- server jenkins jenkins.pyrocufflink.blue:80 check
-
-
-backend jenkins-tls
- mode tcp
- server jenkins jenkins.pyrocufflink.blue:443 check
diff --git a/roles/dch-proxy/templates/backend-nextcloud.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-nextcloud.haproxy.cfg.j2
deleted file mode 100644
index cff23d5..0000000
--- a/roles/dch-proxy/templates/backend-nextcloud.haproxy.cfg.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-backend nextcloud
- server nextcloud cloud0.pyrocufflink.blue:80 check
-
-
-backend nextcloud-tls
- mode tcp
- server nextcloud cloud0.pyrocufflink.blue:443 check
diff --git a/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2
deleted file mode 100644
index 6a9093e..0000000
--- a/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-backend openvpn
- mode tcp
- server openvpn 172.30.0.2:9876 check
diff --git a/roles/dch-proxy/templates/backend-websites.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-websites.haproxy.cfg.j2
deleted file mode 100644
index 2d2023f..0000000
--- a/roles/dch-proxy/templates/backend-websites.haproxy.cfg.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-backend web
- server web0 web0.pyrocufflink.blue:80 check
-
-
-backend web-tls
- mode tcp
- server web web0.pyrocufflink.blue:443 check
diff --git a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
deleted file mode 100644
index e3cb69e..0000000
--- a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-frontend main
- bind :::80
-
- use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
- use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
- use_backend jenkins if { hdr(host) -i jenkins.pyrocufflink.blue }
- use_backend jenkins if { hdr(host) -i jenkins.pyrocufflink.net }
- use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
- use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
- use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
- default_backend web
-
-
-frontend main-tls
- bind :::443
- mode tcp
- option tcplog
-
- tcp-request inspect-delay 5s
- tcp-request content accept if { req_ssl_hello_type 1 }
-
- use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.blue }
- use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.net }
- use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.blue }
- use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.net }
- use_backend bitwarden-tls if { req_ssl_sni -i bitwarden.pyrocufflink.blue }
- use_backend bitwarden-tls if { req_ssl_sni -i bitwarden.pyrocufflink.net }
- use_backend nextcloud-tls if { req_ssl_sni -i nextcloud.pyrocufflink.net }
- use_backend web-tls if { req_ssl_sni -i darkchestofwonders.us }
- use_backend web-tls if { req_ssl_sni -i pyrocufflink.net }
- use_backend web-tls if { req_ssl_sni -i -m end chmod777.sh }
- default_backend openvpn
diff --git a/roles/dch-proxy/templates/haproxy.cfg.j2 b/roles/dch-proxy/templates/haproxy.cfg.j2
new file mode 100644
index 0000000..7326b3e
--- /dev/null
+++ b/roles/dch-proxy/templates/haproxy.cfg.j2
@@ -0,0 +1,102 @@
+{% macro acls() +%}
+ acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
+ acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
+ acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
+{% endmacro %}
+
+frontend main
+ bind :::80
+
+ {{ acls() }}
+
+ tcp-request connection reject if blocklist !allowlist
+
+ use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
+ use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
+ use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
+ use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
+ use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
+ use_backend web if { hdr(host) -i -m end chmod777.sh }
+ use_backend web if { hdr(host) -i -m end dustinandtabitha.com }
+ use_backend web if { hdr(host) -i dustin.hatch.name }
+ use_backend web if { hdr(host) -i dustin.hatch.is }
+ use_backend web if { hdr(host) -i -m end ebonfire.com }
+ use_backend web if { hdr(host) -i -m dom hatchlearningcenter }
+ use_backend web if { hdr(host) -i -m dom hlckc }
+ use_backend web if { hdr(host) -i -m dom hlcks }
+ use_backend web if { hdr(host) -i -m end nratonpass.com }
+ use_backend web if { hdr(host) -i pyrocufflink.net }
+ use_backend web if { hdr(host) -i -m end tabitha.biz }
+ use_backend kubernetes if { hdr(host) -i ntfy.pyrocufflink.net }
+ use_backend kubernetes if { hdr(host) -i darkchestofwonders.us }
+ use_backend kubernetes if internal_net
+
+
+frontend main-tls
+ bind :::443
+ mode tcp
+ option tcplog
+
+ {{ acls() }}
+
+ tcp-request connection reject if blocklist !allowlist
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req.ssl_hello_type 1 }
+
+ use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.blue }
+ use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.net }
+ use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.blue }
+ use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.net
}
+ use_backend nextcloud-tls if { req.ssl_sni -i nextcloud.pyrocufflink.net }
+ use_backend web-tls if { req.ssl_sni -i -m end chmod777.sh }
+ use_backend web-tls if { req.ssl_sni -i dustin.hatch.name }
+ use_backend web-tls if { req.ssl_sni -i dustin.hatch.is }
+ use_backend web-tls if { req.ssl_sni -i -m end ebonfire.com }
+ use_backend web-tls if { req.ssl_sni -i -m dom hatchlearningcenter }
+ use_backend web-tls if { req.ssl_sni -i -m dom hlckc }
+ use_backend web-tls if { req.ssl_sni -i -m dom hlcks }
+ use_backend web-tls if { req.ssl_sni -i pyrocufflink.net }
+ use_backend web-tls if { req.ssl_sni -i -m end tabitha.biz }
+ use_backend kubernetes-tls if { req.ssl_sni -i ntfy.pyrocufflink.net }
+ use_backend kubernetes-tls if { req.ssl_sni -i darkchestofwonders.us }
+ use_backend kubernetes-tls if internal_net
+
+
+backend bitwarden
+ server bitwarden bitwarden.pyrocufflink.blue:80 check
+
+backend bitwarden-tls
+ mode tcp
+ server bitwarden bitwarden.pyrocufflink.blue:443 check
+
+
+backend gitea
+ server gitea git0.pyrocufflink.blue:80 check
+
+backend gitea-tls
+ mode tcp
+ server gitea git0.pyrocufflink.blue:443 check
+
+
+backend kubernetes
+ server k8s k8s-ingress.pyrocufflink.blue:80 check
+
+backend kubernetes-tls
+ mode tcp
+ server k8s k8s-ingress.pyrocufflink.blue:443 check
+
+
+backend nextcloud
+ server nextcloud cloud0.pyrocufflink.blue:80 check
+
+backend nextcloud-tls
+ mode tcp
+ server nextcloud cloud0.pyrocufflink.blue:8443 check send-proxy-v2
+
+
+backend web
+ server web0 web0.pyrocufflink.blue:80 check
+
+backend web-tls
+ mode tcp
+ server web web0.pyrocufflink.blue:443 check
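Review bot: The `acls()` macro renders `acl allowlist src ` with nothing after the fetch whenever `dch_proxy_allowlist` is empty (likewise for the other two lists), and HAProxy rejects an ACL that has no pattern to match against, so any host group without allowlist exceptions cannot use this template as written; the rewrite below emits the blocklist ACLs and the `tcp-request connection reject` line only for lists that are set, with `{{ reject_blocklisted() }}` replacing the reject line in both frontends. Separately, the `main` frontend forwards plaintext HTTP for `bitwarden.*`, `git.*` and `nextcloud.*` to the backends' port 80 with no `http-request redirect scheme https` of its own; whether those backends redirect is not visible here, so either add the redirect for those hosts (keeping port 80 open only for what needs it, e.g. ACME challenges) or confirm the backends enforce it, since a password-manager login over clear HTTP is the worst case. A short comment above the `-m end` / `-m dom` rules, such as `# suffix / label matches: these also route any subdomain of the listed names`, would make the routing semantics explicit.
```jinja
{% macro acls() +%}
    acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
{% if dch_proxy_blocklist %}
    acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
{% endif %}
{% if dch_proxy_allowlist %}
    acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
{% endif %}
{% endmacro %}

{# Refuse blocklisted sources at connection time; allowlist entries are exceptions. #}
{% macro reject_blocklisted() +%}
{% if dch_proxy_blocklist and dch_proxy_allowlist %}
    tcp-request connection reject if blocklist !allowlist
{% elif dch_proxy_blocklist %}
    tcp-request connection reject if blocklist
{% endif %}
{% endmacro %}

frontend main
    bind :::80

    {{ acls() }}

    {{ reject_blocklisted() }}
{# … unchanged: use_backend rules, main-tls frontend (same substitution), backends … #}
```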