diff --git a/group_vars/dch-proxy.yml b/group_vars/dch-proxy.yml
index b11e1ff..169b561 100644
--- a/group_vars/dch-proxy.yml
+++ b/group_vars/dch-proxy.yml
@@ -11,3 +11,106 @@ dch_proxy_blocklist:
 - 172.30.0.224/29
 - 172.30.0.232/29
 - 172.30.0.240/28
+
+dch_proxy_sites:
+- backend: gitea
+ match: git.pyrocufflink
+ matcher: dom
+- backend: bitwarden
+ match: bitwarden.pyrocufflink
+ matcher: dom
+- backend: nextcloud
+ match: nextcloud.pyrocufflink.net
+- backend: kubernetes
+ match: billing.hatchlearningcenter.org
+- backend: web
+ match: chmod777.sh
+ matcher: end
+- backend: web
+ match: dustinandtabitha.com
+ matcher: end
+- backend: web
+ match: dustin.hatch.name
+- backend: web
+ match: dustin.hatch.is
+- backend: web
+ match: ebonfire.com
+ matcher: end
+- backend: web
+ match: hatchlearningcenter hlckc hlcks
+ matcher: dom
+- backend: web
+ match: nratonpass.com
+ matcher: end
+- backend: web
+ match: pyrocufflink.net
+- backend: web
+ match: tabitha.biz
+ matcher: end
+- backend: kubernetes
+ match: ntfy.pyrocufflink.net
+- backend: kubernetes
+ match: darkchestofwonders.us
+
+dch_proxy_backends:
+ bitwarden:
+ servers:
+ - name: bitwarden
+ host: 'bitwarden.pyrocufflink.blue:80'
+ options: check
+ bitwarden-tls:
+ mode: tcp
+ servers:
+ - name: bitwarden
+ host: 'bitwarden.pyrocufflink.blue:443'
+ options: check
+
+ gitea:
+ servers:
+ - name: gitea
+ host: 'git0.pyrocufflink.blue:80'
+ options: check
+ gitea-tls:
+ mode: tcp
+ servers:
+ - name: gitea
+ host: 'git0.pyrocufflink.blue:443'
+ options: check
+
+ kubernetes:
+ servers:
+ - name: k8s
+ host: 'k8s-ingress.pyrocufflink.blue:80'
+ options: check
+ kubernetes-tls:
+ mode: tcp
+ servers:
+ - name: k8s
+ host: 'k8s-ingress.pyrocufflink.blue:443'
+ options: check
+
+ nextcloud:
+ servers:
+ - name: nextcloud
+ host: 'cloud0.pyrocufflink.blue:80'
+ options: check
+ nextcloud-tls:
+ mode: tcp
+ servers:
+ - name: nextcloud
+ # NOTE: NOT the default HTTPS port, but a different virtual host that
+ # accepts the PROXY protocol
+ host: 'cloud0.pyrocufflink.blue:8443'
+ options: check send-proxy-v2
+
+ web:
+ servers:
+ - name: web0
+ host: 'web0.pyrocufflink.blue:80'
+ options: check
+ web-tls:
+ mode: tcp
+ servers:
+ - name: web0
+ host: 'web0.pyrocufflink.blue:443'
+ options: check
diff --git a/roles/dch-proxy/templates/haproxy.cfg.j2 b/roles/dch-proxy/templates/haproxy.cfg.j2
index 7326b3e..cf983c2 100644
--- a/roles/dch-proxy/templates/haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/haproxy.cfg.j2
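Review bot: The `matcher: dom` entries for `gitea` and `bitwarden` (`match: git.pyrocufflink`, `match: bitwarden.pyrocufflink`) replace what were two exact-match rules each for the `.blue` and `.net` names; HAProxy's `-m dom` looks for the pattern as a dot-delimited component anywhere in the Host header or SNI, so any other name that carries those labels also routes to that backend, which is wider than the rules it replaces. If exact matching is the intent, list the two FQDNs as separate entries without `matcher`. Two conventions the template relies on are not stated in this file: every `backend` value needs a `<backend>-tls` key in `dch_proxy_backends` (the TLS frontend appends `-tls`), and `options` is required on each server because the template has no default for it, so a comment above `dch_proxy_sites:` such as `# backend must also exist as <backend>-tls in dch_proxy_backends; match may hold several space-separated patterns` would catch the next edit. Note that `dustinandtabitha.com`, `nratonpass.com` and `billing.hatchlearningcenter.org` now get an SNI route as well, which the old TLS frontend did not have; presumably intended, since both frontends now iterate the one list.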
@@ -1,102 +1,42 @@ -{% macro acls() +%} - acl internal_net src {{ dch_proxy_internal_networks|join(' ') }} - acl allowlist src {{ dch_proxy_allowlist|join(' ') }} - acl blocklist src {{ dch_proxy_blocklist|join(' ') }} +{% macro acls() %} +acl internal_net src {{ dch_proxy_internal_networks|join(' ') }} +acl allowlist src {{ dch_proxy_allowlist|join(' ') }} +acl blocklist src {{ dch_proxy_blocklist|join(' ') }} {% endmacro %} frontend main bind :::80 - {{ acls() }} - + {{ acls() | indent(4) }} tcp-request connection reject if blocklist !allowlist - use_backend gitea if { hdr(host) -i git.pyrocufflink.blue } - use_backend gitea if { hdr(host) -i git.pyrocufflink.net } - use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue } - use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net } - use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net } - use_backend web if { hdr(host) -i -m end chmod777.sh } - use_backend web if { hdr(host) -i -m end dustinandtabitha.com } - use_backend web if { hdr(host) -i dustin.hatch.name } - use_backend web if { hdr(host) -i dustin.hatch.is } - use_backend web if { hdr(host) -i -m end ebonfire.com } - use_backend web if { hdr(host) -i -m dom hatchlearningcenter } - use_backend web if { hdr(host) -i -m dom hlckc } - use_backend web if { hdr(host) -i -m dom hlcks } - use_backend web if { hdr(host) -i -m end nratonpass.com } - use_backend web if { hdr(host) -i pyrocufflink.net } - use_backend web if { hdr(host) -i -m end tabitha.biz } - use_backend kubernetes if { hdr(host) -i ntfy.pyrocufflink.net } - use_backend kubernetes if { hdr(host) -i darkchestofwonders.us } +{% for site in dch_proxy_sites %} + use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} } +{% endfor %} use_backend kubernetes if internal_net - frontend main-tls bind :::443 mode tcp option tcplog - {{ acls() }} - + {{ acls() | indent(4) }} tcp-request connection reject if 
blocklist !allowlist tcp-request inspect-delay 5s tcp-request content accept if { req.ssl_hello_type 1 } - use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.blue } - use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.net } - use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.blue } - use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.net } - use_backend nextcloud-tls if { req.ssl_sni -i nextcloud.pyrocufflink.net } - use_backend web-tls if { req.ssl_sni -i -m end chmod777.sh } - use_backend web-tls if { req.ssl_sni -i dustin.hatch.name } - use_backend web-tls if { req.ssl_sni -i dustin.hatch.is } - use_backend web-tls if { req.ssl_sni -i -m end ebonfire.com } - use_backend web-tls if { req.ssl_sni -i -m dom hatchlearningcenter } - use_backend web-tls if { req.ssl_sni -i -m dom hlckc } - use_backend web-tls if { req.ssl_sni -i -m dom hlcks } - use_backend web-tls if { req.ssl_sni -i pyrocufflink.net } - use_backend web-tls if { req.ssl_sni -i -m end tabitha.biz } - use_backend kubernetes-tls if { req.ssl_sni -i ntfy.pyrocufflink.net } - use_backend kubernetes-tls if { req.ssl_sni -i darkchestofwonders.us } +{% for site in dch_proxy_sites %} + use_backend {{ site.backend }}-tls if { req.ssl_sni -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} } +{% endfor %} use_backend kubernetes-tls if internal_net +{% for name, backend in dch_proxy_backends.items() %} -backend bitwarden - server bitwarden bitwarden.pyrocufflink.blue:80 check - -backend bitwarden-tls - mode tcp - server bitwarden bitwarden.pyrocufflink.blue:443 check - - -backend gitea - server gitea git0.pyrocufflink.blue:80 check - -backend gitea-tls - mode tcp - server gitea git0.pyrocufflink.blue:443 check - - -backend kubernetes - server k8s k8s-ingress.pyrocufflink.blue:80 check - -backend kubernetes-tls - mode tcp - server k8s k8s-ingress.pyrocufflink.blue:443 check - - -backend nextcloud - server nextcloud 
cloud0.pyrocufflink.blue:80 check - -backend nextcloud-tls - mode tcp - server nextcloud cloud0.pyrocufflink.blue:8443 check send-proxy-v2 - - -backend web - server web0 web0.pyrocufflink.blue:80 check - -backend web-tls - mode tcp - server web web0.pyrocufflink.blue:443 check +backend {{ name }} +{% if backend.mode|d %} + mode {{ backend.mode }} +{% endif %} +{% for server in backend.servers %} + server {{ server.name }} {{ server.host }} {{ server.options }} +{% endfor %} +{% endfor %}
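Review bot: `server {{ server.name }} {{ server.host }} {{ server.options }}` in the backend loop has no default for `options`, unlike `mode` and `matcher` which use `|d`, so a server entry that omits it fails the render under Ansible's default undefined-variable handling instead of emitting a plain `server` line; `server {{ server.name }} {{ server.host }} {{ server.options|d('') }}` makes it optional. The `-tls` suffix in `use_backend {{ site.backend }}-tls` is an implicit naming contract between `dch_proxy_sites` and `dch_proxy_backends`, and a reference to a backend that does not exist is only caught by HAProxy's configuration check, so a one-line comment above the site loop stating the contract, e.g. `{# every site.backend must also exist as <backend>-tls in dch_proxy_backends #}`, is worth adding. If the task that renders this template does not already run `haproxy -c` through the template module's `validate` option, that is where such a typo would be caught before the service is reloaded with a broken config.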