scripts/fogcutter/k8s/haproxy.cfg

## For haproxy 2.2 COPY TO /etc/haproxy/haproxy.cfg
## Follow https://unix.stackexchange.com/a/538901 to fix network-online.target on Debian when the network is configured via /etc/network/interfaces
## certbot setup:
## - https://certbot.eff.org/lets-encrypt/debianbuster-haproxy
## - Add "0 0 1 * * systemctl stop haproxy && certbot renew && systemctl start haproxy && cat /etc/letsencrypt/live/seaturtle.pw/{cert,privkey}.pem > /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem" to root crontab
## - (Default systemd timer does not have option to stop haproxy before running)
## Ensure microk8s only exposes nodeport on 127.0.0.1:
## - Edit /var/snap/microk8s/current/args/kube-proxy, adding "--nodeport-addresses=127.0.0.1/8"
## Settings inherited by every frontend, backend and listen section below.
defaults
## Send logs to the targets declared in the `global` section.
## NOTE(review): no `global` section appears in this listing; unless one defines
## a `log` target, nothing is logged and there are no connection records to
## review after an incident. Confirm.
log global
## TCP pass-through unless a section overrides it with `mode http`.
mode tcp
## Do not log connections that carried no data (port probes, bare health checks).
option dontlognull
retries 3
maxconn 4000
## Timeouts have no unit suffix, so HAProxy reads them as milliseconds:
## 5 s to connect to a server, 50 s of inactivity on either side.
## NOTE(review): no `timeout http-request` is set, so a client that sends its
## request very slowly is bounded only by the 50 s client timeout.
timeout connect 5000
timeout client 50000
timeout server 50000
## Plain-HTTP listener: serves no content, only redirects each request to https.
frontend http-in
mode http
## ":::80" is the IPv6 wildcard address "::" on port 80.
## NOTE(review): whether IPv4 clients are also accepted on this socket depends
## on the host's dual-stack setting. Confirm.
bind :::80
## No `code` is given, so HAProxy answers with its default 302 redirect.
## The first request from a client still arrives in clear text before the redirect.
redirect scheme https
## TLS-terminating listener: selects the backend from the request's Host header.
frontend https-in
mode http
## Adds the connecting client's address as an X-Forwarded-For header. A header
## of that name sent by the client is kept too, so the application behind this
## proxy should trust only the last occurrence.
option forwardfor
## `crt` points at one PEM file holding certificate and private key; keep it
## readable by root only. `ssl-min-ver TLSv1.2` refuses older protocol versions.
## NOTE(review): the crontab line in the header comment builds this file from
## cert.pem + privkey.pem. Confirm that clients still receive the intermediate
## chain, that cron's shell expands `{cert,privkey}`, and that haproxy is
## restarted after the file is rewritten rather than before.
## NOTE(review): no Strict-Transport-Security response header is set in this file.
bind :::443 ssl crt /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem ssl-min-ver TLSv1.2
## Repeated `acl` lines with the same name are ORed: `server1` is true when the
## Host header equals any of these names (`-i` makes the match case-insensitive).
acl server1 hdr(host) -i airsonic.seaturtle.pw
acl server1 hdr(host) -i git.seaturtle.pw
acl server1 hdr(host) -i nc.seaturtle.pw
acl server1 hdr(host) -i paul.walko.org
acl server1 hdr(host) -i plex.seaturtle.pw
acl server1 hdr(host) -i seaturtle.pw
## There is no `default_backend`, so a request with any other Host value is not
## forwarded anywhere and HAProxy answers it itself with an error.
use_backend server1 if server1
## Single upstream for all HTTPS virtual hosts, reached over loopback.
## Presumably the microk8s NodePort that the header comment restricts to
## 127.0.0.1. Confirm that restriction is in place, otherwise port 30080 is
## reachable directly and bypasses TLS and the Host allow-list above.
backend server1
mode http
option forwardfor
## Plain HTTP to the upstream (no `ssl` keyword), and no `check` keyword, so
## HAProxy does not health-check the server.
server server1 127.0.0.1:30080
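## TCP pass-through: public port 37122 -> 127.0.0.1:30122 (presumably a microk8s
## NodePort; confirm). HAProxy relays the byte stream without inspecting it.
## The upstream sees every connection as coming from 127.0.0.1, so per-client
## rate limits, ban lists and source-IP audit logs on the service will not see
## the real peer. Passing it on needs the PROXY protocol (`send-proxy` on the
## server line) and a service that understands it.
## (Blame-view timestamp lines that were interleaved here are not configuration
## and have been dropped.)
listen proxy37122
mode tcp
bind :::37122
server ipv4server30122 127.0.0.1:30122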
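## TCP pass-through: public port 25565 -> 127.0.0.1:30565 (presumably a microk8s
## NodePort; confirm). HAProxy relays the byte stream without inspecting it.
## The upstream sees every connection as coming from 127.0.0.1, so source-IP
## based allow-lists, bans and logs on the service will not see the real peer.
## Passing it on needs the PROXY protocol (`send-proxy` on the server line) and
## a service that understands it.
## (Blame-view timestamp lines that were interleaved here are not configuration
## and have been dropped.)
listen proxy25565
mode tcp
bind :::25565
server ipv4server30565 127.0.0.1:30565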