r/dch-proxy: Define sites declaratively

I've already made a couple of mistakes keeping the HTTP and HTTPS rules
in sync.  Let's define the sites declaratively and derive the HAProxy
rules from the data, rather then manually type the rules.

group_vars/dch-proxy.yml

@@ -11,3 +11,106 @@ dch_proxy_blocklist:
 - 172.30.0.224/29
 - 172.30.0.232/29
 - 172.30.0.240/28
+
+dch_proxy_sites:
+- backend: gitea
+  match: git.pyrocufflink
+  matcher: dom
+- backend: bitwarden
+  match: bitwarden.pyrocufflink
+  matcher: dom
+- backend: nextcloud
+  match: nextcloud.pyrocufflink.net
+- backend: kubernetes
+  match: billing.hatchlearningcenter.org
+- backend: web
+  match: chmod777.sh
+  matcher: end
+- backend: web
+  match: dustinandtabitha.com
+  matcher: end
+- backend: web
+  match: dustin.hatch.name
+- backend: web
+  match: dustin.hatch.is
+- backend: web
+  match: ebonfire.com
+  matcher: end
+- backend: web
+  match: hatchlearningcenter hlckc hlcks
+  matcher: dom
+- backend: web
+  match: nratonpass.com
+  matcher: end
+- backend: web
+  match: pyrocufflink.net
+- backend: web
+  match: tabitha.biz
+  matcher: end
+- backend: kubernetes
+  match: ntfy.pyrocufflink.net
+- backend: kubernetes
+  match: darkchestofwonders.us
+
+dch_proxy_backends:
+  bitwarden:
+    servers:
+    - name: bitwarden
+      host: 'bitwarden.pyrocufflink.blue:80'
+      options: check
+  bitwarden-tls:
+    mode: tcp
+    servers:
+    - name: bitwarden
+      host: 'bitwarden.pyrocufflink.blue:443'
+      options: check
+
+  gitea:
+    servers:
+    - name: gitea
+      host: 'git0.pyrocufflink.blue:80'
+      options: check
+  gitea-tls:
+    mode: tcp
+    servers:
+    - name: gitea
+      host: 'git0.pyrocufflink.blue:443'
+      options: check
+
+  kubernetes:
+    servers:
+    - name: k8s
+      host: 'k8s-ingress.pyrocufflink.blue:80'
+      options: check
+  kubernetes-tls:
+    mode: tcp
+    servers:
+    - name: k8s
+      host: 'k8s-ingress.pyrocufflink.blue:443'
+      options: check
+
+  nextcloud:
+    servers:
+    - name: nextcloud
+      host: 'cloud0.pyrocufflink.blue:80'
+      options: check
+  nextcloud-tls:
+    mode: tcp
+    servers:
+    - name: nextcloud
+      # NOTE: NOT the default HTTPS port, but a different virtual host that
+      # accepts the PROXY protocol
+      host: 'cloud0.pyrocufflink.blue:8443'
+      options: check send-proxy-v2
+
+  web:
+    servers:
+    - name: web0
+      host: 'web0.pyrocufflink.blue:80'
+      options: check
+  web-tls:
+    mode: tcp
+    servers:
+    - name: web0
+      host: 'web0.pyrocufflink.blue:443'
+      options: check

roles/dch-proxy/templates/haproxy.cfg.j2

@@ -1,102 +1,42 @@
-{% macro acls() +%}
+{% macro acls() %}
-    acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
+acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
-    acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
+acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
-    acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
+acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
 {% endmacro %}
 
 frontend main
     bind :::80
 
-    {{ acls() }}
+    {{ acls() | indent(4) }}
-
     tcp-request connection reject if blocklist !allowlist
 
-    use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
+{% for site in dch_proxy_sites %}
-    use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
+    use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
-    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
+{% endfor %}
-    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
-    use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
-    use_backend web if { hdr(host) -i -m end chmod777.sh }
-    use_backend web if { hdr(host) -i -m end dustinandtabitha.com }
-    use_backend web if { hdr(host) -i dustin.hatch.name }
-    use_backend web if { hdr(host) -i dustin.hatch.is }
-    use_backend web if { hdr(host) -i -m end ebonfire.com }
-    use_backend web if { hdr(host) -i -m dom hatchlearningcenter }
-    use_backend web if { hdr(host) -i -m dom hlckc }
-    use_backend web if { hdr(host) -i -m dom hlcks }
-    use_backend web if { hdr(host) -i -m end nratonpass.com }
-    use_backend web if { hdr(host) -i pyrocufflink.net }
-    use_backend web if { hdr(host) -i -m end tabitha.biz }
-    use_backend kubernetes if { hdr(host) -i ntfy.pyrocufflink.net }
-    use_backend kubernetes if { hdr(host) -i darkchestofwonders.us }
     use_backend kubernetes if internal_net
 
-
 frontend main-tls
     bind :::443
     mode tcp
     option tcplog
 
-    {{ acls() }}
+    {{ acls() | indent(4) }}
-
     tcp-request connection reject if blocklist !allowlist
     tcp-request inspect-delay 5s
     tcp-request content accept if { req.ssl_hello_type 1 }
 
-    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.blue }
+{% for site in dch_proxy_sites %}
-    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.net }
+    use_backend {{ site.backend }}-tls if { req.ssl_sni -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
-    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.blue }
+{% endfor %}
-    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.net }
-    use_backend nextcloud-tls if { req.ssl_sni -i nextcloud.pyrocufflink.net }
-    use_backend web-tls if { req.ssl_sni -i -m end chmod777.sh }
-    use_backend web-tls if { req.ssl_sni -i dustin.hatch.name }
-    use_backend web-tls if { req.ssl_sni -i dustin.hatch.is }
-    use_backend web-tls if { req.ssl_sni -i -m end ebonfire.com }
-    use_backend web-tls if { req.ssl_sni -i -m dom hatchlearningcenter }
-    use_backend web-tls if { req.ssl_sni -i -m dom hlckc }
-    use_backend web-tls if { req.ssl_sni -i -m dom hlcks }
-    use_backend web-tls if { req.ssl_sni -i pyrocufflink.net }
-    use_backend web-tls if { req.ssl_sni -i -m end tabitha.biz }
-    use_backend kubernetes-tls if { req.ssl_sni -i ntfy.pyrocufflink.net }
-    use_backend kubernetes-tls if { req.ssl_sni -i darkchestofwonders.us }
     use_backend kubernetes-tls if internal_net
 
+{% for name, backend in dch_proxy_backends.items() %}
 
-backend bitwarden
+backend {{ name }}
-    server bitwarden bitwarden.pyrocufflink.blue:80 check
+{% if backend.mode|d %}
-
+    mode {{ backend.mode }}
-backend bitwarden-tls
+{% endif %}
-    mode tcp
+{% for server in backend.servers %}
-    server bitwarden bitwarden.pyrocufflink.blue:443 check
+    server {{ server.name }} {{ server.host }} {{ server.options }}
-
+{% endfor %}
-
+{% endfor %}
-backend gitea
-    server gitea git0.pyrocufflink.blue:80 check
-
-backend gitea-tls
-    mode tcp
-    server gitea git0.pyrocufflink.blue:443 check
-
-
-backend kubernetes
-    server k8s k8s-ingress.pyrocufflink.blue:80 check
-
-backend kubernetes-tls
-    mode tcp
-    server k8s k8s-ingress.pyrocufflink.blue:443 check
-
-
-backend nextcloud
-    server nextcloud cloud0.pyrocufflink.blue:80 check
-
-backend nextcloud-tls
-    mode tcp
-    server nextcloud cloud0.pyrocufflink.blue:8443 check send-proxy-v2
-
-
-backend web
-    server web0 web0.pyrocufflink.blue:80 check
-
-backend web-tls
-    mode tcp
-    server web web0.pyrocufflink.blue:443 check