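---
# Pillar data for a host that fronts a private container registry plus two
# pull-through mirrors (docker.io, gcr.io) behind HAProxy.  Three sections:
#   pki      - hostnames the TLS certificate must cover
#   systemd  - podman-managed container units and a weekly garbage-collect timer
#   haproxy  - TLS termination and host-based routing to the three registries
#
# All booleans are written as lowercase true/false so the data is read the same
# under YAML 1.1 and 1.2 parsers; "number-looking" strings are quoted.

pki:
  # Subject alternative names the certificate in /etc/pki/chain is expected
  # to cover.  Every name routed by the HAProxy ACLs below appears here.
  cns:
    - cr.lan
    - gcr-mirror.lan
    - dr-mirror.lan
    - docker-registry.lan
    - ups.wks

systemd:
  service:
    # docker.io pull-through mirror, started as an existing podman container.
    container-dr-mirror:
      Unit:
        Description: docker.io mirror
        After: network-online.target local-fs.target podman.socket
        # Ordered before haproxy so backends exist when the proxy starts.
        Before: haproxy.service
      Service:
        ExecStart: /usr/bin/podman start -a dr-mirror
        ExecStop: /usr/bin/podman stop dr-mirror
      Install:
        WantedBy: multi-user.target

    # The private (writable) registry.
    container-container-registry:
      Unit:
        Description: Container Registry
        After: network-online.target local-fs.target podman.socket
        Before: haproxy.service
      Service:
        ExecStart: /usr/bin/podman start -a container-registry
        ExecStop: /usr/bin/podman stop container-registry
      Install:
        WantedBy: multi-user.target

    # One-shot garbage collection inside the running registry container.
    # Only triggered by the timer of the same name below (no [Install] stanza).
    # "-m" asks the registry to also delete untagged manifests.
    container-registry-garbage-collect:
      Unit:
        Description: Container Registry garbage collect
      Service:
        ExecStart: /usr/bin/podman exec container-registry /bin/registry garbage-collect /etc/docker/registry/config.yml -m

  timer:
    container-registry-garbage-collect:
      Unit:
        Description: Timer for registry-garbage-collect
      Timer:
        OnCalendar: weekly
        # Run a missed weekly slot on next boot instead of skipping it.
        Persistent: true
      Install:
        WantedBy: timers.target

haproxy:
  enabled: true
  overwrite: true

  global:
    stats:
      enable: true
      socketpath: /var/lib/haproxy/stats
      # Socket file mode; quoted so it stays the literal text "660" and is
      # not re-typed as an integer by the YAML parser.
      mode: "660"
      # "admin" level allows state changes (e.g. disabling servers) through
      # the socket, so the socket owner/group below are the access control.
      level: admin
      # Optional extra bind parameter, for example to set the owner/group on the socket file
      extra: user haproxy group haproxy
    # NOTE(review): the last two suites are CBC-mode (non-GCM); consider
    # whether they are still needed by any client before keeping them.
    ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
    # Only TLS 1.2+ is accepted on all bind lines.
    ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"
    user: haproxy
    group: haproxy
    chroot:
      enable: true
      path: /var/lib/haproxy
    daemon: true

  defaults:
    mode: http
    stats:
      - enable
      - uri: '/haproxy-status'
    options:
      - httplog
      - dontlognull
      - forwardfor
    timeouts:
      - connect 5000
      - client 50000
      - server 50000
      - tunnel 80000  # longer timeouts for websockets
      - http-request 5s
    # Integer keys are intentional: the consuming template iterates the
    # status code -> file mapping as given.
    errorfiles:
      400: /etc/haproxy/errors/400.http
      403: /etc/haproxy/errors/403.http
      408: /etc/haproxy/errors/408.http
      500: /etc/haproxy/errors/500.http
      502: /etc/haproxy/errors/502.http
      503: /etc/haproxy/errors/503.http
      504: /etc/haproxy/errors/504.http

  # Kept for reference; enable when backends are addressed by DNS name.
  # resolvers:
  #   local_dns:
  #     options:
  #       - nameserver resolvconf 192.168.10.1:53
  #       - resolve_retries 3
  #       - timeout retry 1s
  #       - hold valid 10s

  listens:
    # Stats page is bound to loopback only; not reachable from the network.
    stats:
      bind:
        - "127.0.0.1:9110"
      mode: http
      stats:
        enable: true
        uri: "/haproxy-status"
        refresh: "20s"

  frontends:
    frontend1:
      name: www-http
      bind:
        # Plain HTTP is accepted as well as TLS; both route to the same backends.
        - "*:80"
        # NOTE(review): "ca-file" alone does not make client certificates
        # mandatory; a "verify required" option would be needed for that —
        # confirm which behaviour is intended.
        - "*:443 ssl crt /etc/pki/chain ca-file /etc/pki/intca.crt"
      default_backend: container-registry
      # Routing is by Host header prefix (case-insensitive).
      acls:
        - host_cr hdr_beg(host) -i cr. docker-registry.
        - host_gcr-mirror hdr_beg(host) -i gcr-mirror.
        - host_dr-mirror hdr_beg(host) -i dr-mirror.
      use_backends:
        - container-registry if host_cr
        - gcr-mirror if host_gcr-mirror
        - dr-mirror if host_dr-mirror

  backends:
    # Private registry: the only backend that permits DELETE.
    backend1:
      name: container-registry
      balance: roundrobin
      servers:
        server1:
          name: adm01
          host: 127.0.0.1
          port: 5000
          check: check
      options:
        - http-server-close
      # NOTE(review): browsers refuse credentialed requests when
      # Access-Control-Allow-Origin is "*"; if credentials are really needed
      # the origin must be echoed explicitly, otherwise the Allow-Credentials
      # header is inert.  Same applies to backend2 and backend3.
      extra:
        - http-response add-header Access-Control-Allow-Origin "*"
        - http-response add-header Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE"
        - http-response add-header Access-Control-Allow-Headers "Authorization, Accept"
        - http-response add-header Access-Control-Allow-Credentials true
        - http-response add-header Access-Control-Expose-Headers "Docker-Content-Digest"

    # docker.io pull-through mirror: read-only methods only.
    backend2:
      name: dr-mirror
      balance: roundrobin
      servers:
        server1:
          name: adm01
          host: 127.0.0.1
          port: 5500
          check: check
      options:
        - http-server-close
      extra:
        - http-response add-header Access-Control-Allow-Origin "*"
        - http-response add-header Access-Control-Allow-Methods "HEAD, GET, OPTIONS"
        - http-response add-header Access-Control-Allow-Headers "Authorization, Accept"
        - http-response add-header Access-Control-Allow-Credentials true
        - http-response add-header Access-Control-Expose-Headers "Docker-Content-Digest"

    # gcr.io pull-through mirror: read-only methods only.
    backend3:
      name: gcr-mirror
      balance: roundrobin
      servers:
        server1:
          name: adm01
          host: 127.0.0.1
          port: 5600
          check: check
      options:
        - http-server-close
      extra:
        - http-response add-header Access-Control-Allow-Origin "*"
        - http-response add-header Access-Control-Allow-Methods "HEAD, GET, OPTIONS"
        - http-response add-header Access-Control-Allow-Headers "Authorization, Accept"
        - http-response add-header Access-Control-Allow-Credentials true
        - http-response add-header Access-Control-Expose-Headers "Docker-Content-Digest"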