From c3f1f5750d573400eb831ad65a4abc9e5ca38861 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 1 Jul 2018 15:17:14 -0500
Subject: [PATCH] roles/dch-proxy: Add OpenVPN backend

The `openvpn` haproxy backend allows forwarding TLS traffic for *vpn.securepassage.com* to the OpenVPN-over-TLS service on the gateway.
---
 roles/dch-proxy/tasks/main.yml | 7 +++++++
 roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2 | 3 +++
 roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 | 3 ++-
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2

diff --git a/roles/dch-proxy/tasks/main.yml b/roles/dch-proxy/tasks/main.yml
index ee5b9ff..5bd1417 100644
--- a/roles/dch-proxy/tasks/main.yml
+++ b/roles/dch-proxy/tasks/main.yml
@@ -25,3 +25,10 @@
 dest=/etc/haproxy/70-backend-jenkins.cfg
 mode=0644
 notify: reload haproxy
+
+- name: ensure openvpn haproxy backend is configured
+ template:
+ src=backend-openvpn.haproxy.cfg.j2
+ dest=/etc/haproxy/70-backend-openvpn.cfg
+ mode=0644
+ notify: reload haproxy
diff --git a/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2
new file mode 100644
index 0000000..42fef03
--- /dev/null
+++ b/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2
@@ -0,0 +1,3 @@
+backend openvpn
+ mode tcp
+ server openvpn 172.30.0.1:9876 check
diff --git a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
index ef0ee79..bb43f39 100644
--- a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
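Review bot: In `backend-openvpn.haproxy.cfg.j2`, the `server openvpn 172.30.0.1:9876 check` line relays connections in `mode tcp`, so unless source-address transparency is configured elsewhere the VPN service will likely see every client as coming from the proxy's own address. That weakens per-client logging and any address-based rate limiting on the gateway; keeping connection logs on the proxy (for example `option tcplog` in the frontend or defaults section, neither of which is visible here) preserves the client address for correlating failed VPN logins. The gateway address and port are also hard-coded in a template; a role variable with a short comment such as `# OpenVPN-over-TLS listener on the gateway` would document what this endpoint is.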
@@ -20,4 +20,5 @@ frontend main-tls
 use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.net }
 use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.blue }
 use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.net }
- default_backend myala-tls
+ use_backend myala-tls if { req_ssl_sni -i darkchestofwonders.us }
+ default_backend openvpn
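Review bot: The catch-all `default_backend openvpn` on the last line sends every TLS connection whose SNI matches none of the rules above, including clients that send no SNI at all, to the VPN service on the gateway, whereas the commit message describes the backend as serving vpn.securepassage.com only. If the VPN clients do present that name, an explicit `use_backend openvpn if { req_ssl_sni -i vpn.securepassage.com }` would keep unrelated and unsolicited traffic away from the VPN listener. If they cannot send SNI, a comment above the default, e.g. `# OpenVPN clients send no SNI, so unmatched connections fall through to the VPN`, would record that the exposure is intentional. The frontend begins outside this hunk, so any inspect-delay or accept rules that affect SNI matching are not visible here.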