From c676aa2a0b17f42ea6e97c671a4c52d3d70fd426 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 19 Sep 2019 18:46:59 -0500
Subject: [PATCH] roles/dch-proxy: Add haproxy config for Bitwarden

This commit adds an HAProxy backend for Bitwarden, and adds ACL rules to the frontend to proxy traffic to *bitwarden.pyrocufflink.blue* or *bitwarden.pyrocufflink.net* to it.
---
 roles/dch-proxy/tasks/main.yml | 7 +++++++
 roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2 | 7 +++++++
 roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 | 4 ++++
 3 files changed, 18 insertions(+)
 create mode 100644 roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2
diff --git a/roles/dch-proxy/tasks/main.yml b/roles/dch-proxy/tasks/main.yml
index 3ece320..cd0e758 100644
--- a/roles/dch-proxy/tasks/main.yml
+++ b/roles/dch-proxy/tasks/main.yml
@@ -19,6 +19,13 @@
 mode=0644
 notify: reload haproxy
+- name: ensure bitwarden haproxy backend is configured
+ template:
+ src=backend-bitwarden.haproxy.cfg.j2
+ dest=/etc/haproxy/70-backend-bitwarden.cfg
+ mode=0644
+ notify: reload haproxy
+
 - name: ensure openvpn haproxy backend is configured
 template:
 src=backend-openvpn.haproxy.cfg.j2
diff --git a/roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2
new file mode 100644
index 0000000..de7274b
--- /dev/null
+++ b/roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2
@@ -0,0 +1,7 @@
+backend bitwarden
+ server bitwarden bitwarden.pyrocufflink.blue:80 check
+
+
+backend bitwarden-tls
+ mode tcp
+ server bitwarden bitwarden.pyrocufflink.blue:443 check
diff --git a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
index 6554639..d7dd16b 100644
--- a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
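Review bot: In roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2 the `bitwarden` backend forwards plain HTTP to port 80 of a password vault, so a client that reaches the site over http:// has its request carried in cleartext to the proxy and on to the backend. The patch does not show whether the backend answers port 80 with a redirect; unless port 80 has to reach it (for example for ACME HTTP-01 validation), replacing the `server` line there with `http-request redirect scheme https code 301` keeps vault traffic off the plaintext path. The `bitwarden-tls` backend is TCP passthrough, so the backend will log the proxy's address as the client unless `send-proxy` is added to its `server` line and the backend is set up to accept the PROXY protocol; that affects failed-login logging and per-client rate limiting.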
@@ -5,6 +5,8 @@ frontend main
 use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
 use_backend jenkins if { hdr(host) -i jenkins.pyrocufflink.blue }
 use_backend jenkins if { hdr(host) -i jenkins.pyrocufflink.net }
+ use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
+ use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
 default_backend web
@@ -20,6 +22,8 @@ frontend main-tls
 use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.net }
 use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.blue }
 use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.net }
+ use_backend bitwarden-tls if { req_ssl_sni -i bitwarden.pyrocufflink.blue }
+ use_backend bitwarden-tls if { req_ssl_sni -i bitwarden.pyrocufflink.net }
 use_backend web-tls if { req_ssl_sni -i darkchestofwonders.us }
 use_backend web-tls if { req_ssl_sni -i pyrocufflink.net }
 default_backend openvpn