{# Source-address ACLs shared by both frontends. Each ACL is built by joining a
   template list variable with spaces.
   NOTE(review): if one of these lists renders empty, the line becomes a bare
   "acl <name> src" with no pattern; confirm how the deployed HAProxy version
   treats that (presumably a never-matching ACL plus a warning). #}
{% macro acls() +%}
    acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
    acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
    acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
{% endmacro %}

# Plain-HTTP entry point: picks a backend from the client-supplied Host header.
# NOTE(review): no "mode" is set here; hdr(host) only works in HTTP mode, so this
# presumably inherits "mode http" from a defaults section not shown here.
frontend main
    # NOTE(review): ":::80" binds the IPv6 wildcard address; whether IPv4 clients
    # are also accepted depends on bind/OS settings not visible here.
    bind :::80
{{ acls() }}
    # Drop at connection time any source in the blocklist that is not also in the
    # allowlist. The allowlist only exempts addresses from the blocklist; it does
    # not restrict who may connect.
    tcp-request connection reject if blocklist !allowlist

    # Rules are evaluated top to bottom and the first match wins.
    # Matches without "-m" are exact (case-insensitive via -i).
    use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
    use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
    use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
    # "-m end" is a plain suffix match with no label boundary (a constructed
    # example: "xchmod777.sh" also matches), and "-m dom" matches the label
    # anywhere in the name. Host is attacker-controlled, so these rules only
    # select a backend; the web server must still validate the virtual host.
    use_backend web if { hdr(host) -i -m end chmod777.sh }
    use_backend web if { hdr(host) -i -m end dustinandtabitha.com }
    use_backend web if { hdr(host) -i dustin.hatch.name }
    use_backend web if { hdr(host) -i dustin.hatch.is }
    use_backend web if { hdr(host) -i -m end ebonfire.com }
    use_backend web if { hdr(host) -i -m dom hatchlearningcenter }
    use_backend web if { hdr(host) -i -m dom hlckc }
    use_backend web if { hdr(host) -i -m dom hlcks }
    use_backend web if { hdr(host) -i -m end nratonpass.com }
    use_backend web if { hdr(host) -i pyrocufflink.net }
    use_backend web if { hdr(host) -i -m end tabitha.biz }
    use_backend kubernetes if { hdr(host) -i ntfy.pyrocufflink.net }
    use_backend kubernetes if { hdr(host) -i darkchestofwonders.us }
    # Catch-all: any request from an internal source that matched no rule above
    # goes to the Kubernetes ingress. Trust here rests only on the source address.
    # NOTE(review): no default_backend is declared in this frontend, so unmatched
    # external requests have no backend unless a defaults section supplies one.
    use_backend kubernetes if internal_net

# TLS entry point: TCP passthrough routed on the ClientHello SNI. TLS is not
# terminated here, so the proxy never sees the HTTP Host header; each backend
# must check that the Host it receives is one it serves.
frontend main-tls
    bind :::443
    mode tcp
    option tcplog
{{ acls() }}
    tcp-request connection reject if blocklist !allowlist
    # Wait up to 5s for a TLS ClientHello so that req.ssl_sni can be evaluated.
    # NOTE(review): there is no explicit reject rule, so content that never
    # presents a ClientHello is presumably still accepted once the delay expires;
    # from internal_net it would then reach kubernetes-tls. Confirm this is intended.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.blue }
    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.net }
    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.blue }
    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.net }
    use_backend nextcloud-tls if { req.ssl_sni -i nextcloud.pyrocufflink.net }
    # NOTE(review): dustinandtabitha.com and nratonpass.com are routed in the
    # port-80 frontend but have no SNI rule below; confirm that is deliberate.
    use_backend web-tls if { req.ssl_sni -i -m end chmod777.sh }
    use_backend web-tls if { req.ssl_sni -i dustin.hatch.name }
    use_backend web-tls if { req.ssl_sni -i dustin.hatch.is }
    use_backend web-tls if { req.ssl_sni -i -m end ebonfire.com }
    use_backend web-tls if { req.ssl_sni -i -m dom hatchlearningcenter }
    use_backend web-tls if { req.ssl_sni -i -m dom hlckc }
    use_backend web-tls if { req.ssl_sni -i -m dom hlcks }
    use_backend web-tls if { req.ssl_sni -i pyrocufflink.net }
    use_backend web-tls if { req.ssl_sni -i -m end tabitha.biz }
    use_backend kubernetes-tls if { req.ssl_sni -i ntfy.pyrocufflink.net }
    use_backend kubernetes-tls if { req.ssl_sni -i darkchestofwonders.us }
    # Same internal-source catch-all as the HTTP frontend.
    use_backend kubernetes-tls if internal_net

# Backends come in pairs: a port-80 backend for the HTTP frontend and a
# "mode tcp" backend for TLS passthrough. "check" enables health checks.
# NOTE(review): no forwarded-client-address option is visible on the HTTP
# backends; whether one is set in a defaults section cannot be seen from here.
backend bitwarden
    server bitwarden bitwarden.pyrocufflink.blue:80 check

backend bitwarden-tls
    mode tcp
    server bitwarden bitwarden.pyrocufflink.blue:443 check

backend gitea
    server gitea git0.pyrocufflink.blue:80 check

backend gitea-tls
    mode tcp
    server gitea git0.pyrocufflink.blue:443 check

backend kubernetes
    server k8s k8s-ingress.pyrocufflink.blue:80 check

backend kubernetes-tls
    mode tcp
    server k8s k8s-ingress.pyrocufflink.blue:443 check

backend nextcloud
    server nextcloud cloud0.pyrocufflink.blue:80 check

# The only backend that sends a PROXY protocol v2 header, which carries the
# original client address. The listener on 8443 should accept PROXY headers only
# from this proxy's address; otherwise anyone who can reach that port can forge
# the client address it logs or rate-limits on.
# NOTE(review): the other *-tls backends presumably see this proxy as the source
# of every connection, which affects per-client logging and lockout on them.
backend nextcloud-tls
    mode tcp
    server nextcloud cloud0.pyrocufflink.blue:8443 check send-proxy-v2

backend web
    server web0 web0.pyrocufflink.blue:80 check

backend web-tls
    mode tcp
    server web web0.pyrocufflink.blue:443 check