---
# Play for the "frontend" host group: installs and configures the hitch ->
# varnish -> haproxy chain (see the socket references under `varnish` and
# `hitch` below) and declares the firewall openings that go with it.
#
# NOTE(review): this file arrived with its line breaks and indentation
# collapsed. The nesting below is reconstructed from the key names and the
# `{{ ... }}` references; every place where the parent of a key could not be
# confirmed is marked "nesting inferred". Verify against the role templates.
- hosts: frontend
  vars:
    # Port openings, one entry per port and IP version; presumably consumed
    # by the `firewall` role listed under `roles` - confirm.
    # Every `expose` port in `haproxy.tcp` below (2442, 64738, 25565, 7777)
    # has a matching v4 and v6 entry here. The two lists are maintained by
    # hand, so a port added to one and not the other is either opened with
    # nothing behind it or proxied but unreachable; update them together.
    firewall:
      - { port: "{{ haproxy.ports.https }}", ipv: "v4", proto: "tcp" }
      - { port: "{{ haproxy.ports.https }}", ipv: "v6", proto: "tcp" }
      - { port: "2442", ipv: "v4", proto: "tcp" }
      - { port: "2442", ipv: "v6", proto: "tcp" }
      - { port: "7777", ipv: "v4", proto: "tcp" }
      - { port: "7777", ipv: "v6", proto: "tcp" }
      - { port: "64738", ipv: "v4", proto: "tcp" }
      - { port: "64738", ipv: "v6", proto: "tcp" }
      - { port: "25565", ipv: "v4", proto: "tcp" }
      - { port: "25565", ipv: "v6", proto: "tcp" }
    # Packages for the three daemons of the chain.
    # NOTE(review): `state: present` does not pin a version, so the installed
    # version depends on the configured apt sources at run time.
    apt:
      packages:
        - { package: "haproxy", state: present }
        - { package: "hitch", state: present }
        - { package: "varnish", state: present }
    systemd:
      # Each service is enabled and reloaded (not restarted) by the play.
      services:
        - { name: "haproxy", enabled: true, action: reloaded }
        - { name: "hitch", enabled: true, action: reloaded }
        - { name: "varnish", enabled: true, action: reloaded }
      # nesting inferred: `overrides` is placed under `systemd`.
      # Presumably the units that receive a systemd override file - confirm.
      overrides:
        - "haproxy"
        - "hitch"
        - "varnish"
    haproxy:
      # Directory holding haproxy's unix socket; varnish.backend.sock is
      # built from this value.
      socketroot: "/run/haproxy"
      config: "/etc/haproxy/haproxy.cfg"
      # NOTE(review): user/group name the varnish account, not a haproxy one.
      # If the role applies them to the haproxy process rather than only to
      # the socket, both daemons run under one account and there is no
      # privilege boundary between them - confirm this is intended.
      user: "varnish"
      group: "varnish"
      ports:
        # Referenced by the firewall list above. hitch.frontend.port below
        # repeats the literal 443; the two are not linked, keep them equal.
        https: 443
      # nesting inferred: `tcp` is placed under `haproxy`, as a sibling of
      # `ports`; it may instead belong under `ports`.
      # Plain TCP forwards: `expose` is the port in the firewall list above,
      # `proxy` the port traffic is forwarded to.
      tcp:
        - {expose: 2442, proxy: 2443, group: "dev"}  # Gitea SSH
        - {expose: 64738, proxy: "{{ global.social.murmur.port }}", group: "social"}  # Mumble
        - {expose: 25565, proxy: "{{ global.games.minecraft.port }}", group: "games"}  # Minecraft
        - {expose: 7777, proxy: "{{ global.games.terraria.port }}", group: "games"}  # Terraria
      # nesting inferred: `redirect` is placed under `haproxy`.
      redirect:
        prefix:
          # The acl value is single-quoted so its braces are not parsed as a
          # YAML flow mapping.
          - { pfx: "/web", acl: '{ hdr_beg(host) -i seed } { url / }' }
      # nesting inferred: `public` is placed under `haproxy`, as a sibling of
      # `redirect`; it may instead belong under `redirect`.
      # NOTE(review): nothing in this file shows access control for these
      # entries; confirm that each backend enforces its own authentication.
      public:
        # These are load balanced, it doesn't matter what IP they point to
        - {domain: "stats", count: 5, service: "grafana", httpchk: true}
        - {domain: "git", count: 1, service: "gitea", httpchk: true}
        # httpchk is off for this entry only.
        - {domain: "seed", count: 1, service: "transmission", httpchk: false}
        - {domain: "sd", count: 1, service: "seedown", httpchk: true}
        - {domain: "social", count: 1, service: "pleroma", httpchk: true}
        - {domain: "root", count: 1, service: "homepage", httpchk: true}  # Homepage
        # The comment on the next entry originally read "Homepage"; it looks
        # copy-pasted from the entry above.
        - {domain: "deavmi-proxy", count: 1, service: "deavmi-proxy", httpchk: true}
    varnish:
      backend:
        # Varnish's backend is haproxy's unix socket.
        sock: '{{ haproxy.socketroot }}/haproxy.sock'
      frontend:
        # Socket that hitch connects to (see hitch.backend.sock).
        sock: '/var/run/varnish.sock'
        user: '_hitch'
        group: 'www-data'
        # Quoted so it stays the string '660' rather than the integer 660.
        # As a file mode: read/write for owner and group, nothing for others.
        mode: '660'
      # nesting inferred: `jail` is placed under `varnish`.
      jail:
        user: 'varnish'
    hitch:
      backend:
        # Hitch hands traffic to varnish over varnish's frontend socket.
        sock: '{{ varnish.frontend.sock }}'
      # nesting inferred: `user` and `group` are placed under `hitch`; they
      # may instead belong under `backend`.
      user: '_hitch'
      group: 'www-data'
      frontend:
        # Same literal as haproxy.ports.https, which the firewall list uses.
        port: 443
  roles:
    - apt
    - haproxy
    - varnish
    - hitch
    - systemd
    - firewall