---
#####################################################
#                                                   #
#                HAProxy Configuration              #
#                                                   #
#####################################################

deploy_haproxy_deploy_method: "{{ deployment_method }}"
deploy_haproxy_version: "{{ haproxy_version }}"

deploy_haproxy_env_variables: {}
deploy_haproxy_start_service: true
deploy_haproxy_cert_dir: "{{ sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}"
deploy_haproxy_extra_container_volumes: []
deploy_haproxy_global:
  - log /dev/log local0
  - log /dev/log local1 notice
  - stats socket {{ deploy_haproxy_socket }} level admin
  - chroot {{ deploy_haproxy_chroot }}
  - daemon
  - description hashistack haproxy

deploy_haproxy_defaults:
  - log global
  - mode http
  - option httplog
  - option dontlognull
  - timeout connect 5000
  - timeout client  5000
  - timeout server  5000

deploy_haproxy_frontends:
  - name: external_http
    options: >-
      {%- set haproxy_options = [
        'description hashistack external http frontend',
        'mode http',
        'bind :80'
      ] -%}

      {%- if enable_tls_external -%}
        {%- set tls_cert_paths = [] -%}
        {%- for item in ['consul', 'nomad', 'vault'] if vars['enable_' + item] | bool -%}
          {%- set crt_option = '/var/lib/haproxy/certs/' + vars[item + '_fqdn'] + '.pem' -%}
          {%- set _ = tls_cert_paths.append(crt_option) -%}
        {%- endfor -%}
        {%- set tls_options = ['bind :443 ssl crt ' + tls_cert_paths | join(' crt ') ] -%}
        {%- set _ = tls_options.append('http-request redirect scheme https unless { ssl_fc }') -%}
        {%- set haproxy_options = haproxy_options + tls_options -%}
      {%- endif -%}

      {%- set haproxy_options = haproxy_options + consul_haproxy_frontend_options + vault_haproxy_frontend_options -%}

      {{ haproxy_options }}

deploy_haproxy_backends: "{{ consul_haproxy_backends + vault_haproxy_backends }}"

deploy_haproxy_listen:
  - name: monitoring
    options:
      - bind :9000
      - mode http
      - option httpchk
      - stats enable
      - stats uri /stats
      - stats refresh 30s
      - stats show-desc
      - stats show-legends
      - stats auth admin:password
      - http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
      - http-check expect status 200
      - acl health_check_ok nbsrv() ge 1
      - monitor-uri /health
      - http-request use-service prometheus-exporter if { path /metrics }

deploy_keepalived_deploy_method: "{{ deployment_method }}"
deploy_keepalived_version: "latest"
deploy_keepalived_start_service: true
deploy_keepalived_env_variables: {}

deploy_keepalived_vrrp_instance_name: "{{ ansible_hostname }}"
deploy_keepalived_interface: "{{ api_interface }}"
deploy_keepalived_state: "BACKUP"
deploy_keepalived_router_id: 50
deploy_keepalived_priority: 100
deploy_keepalived_advert_interval: 1
deploy_keepalived_unicast_source: "{{ api_interface_address }}"
deploy_keepalived_unicast_peers: "{{ groups['haproxy_servers'] | difference([ansible_hostname]) | map('extract', hostvars, ['api_interface_address']) | list }}"
deploy_keepalived_auth_passwd: "password"
deploy_keepalived_virtual_ips:
  - "{{ hashistack_external_vip_addr }}/32 dev {{ hashistack_external_vip_interface }}"
deploy_keepalived_notify_script: notify.sh

deploy_keepalived_custom_scripts_src: tasks/haproxy/files/keepalived/scripts.d
deploy_keepalived_extra_container_volumes: []

deploy_keepalived_use_custom_config: true
deploy_keepalived_custom_config_src: tasks/haproxy/files/keepalived/keepalived.conf.j2