include:
  - haproxy

haproxy_sysconfig:
  file.managed:
    - name: /etc/sysconfig/haproxy
    - mode: '0600'
    - replace: false

haproxy_dhparam:
  cmd.run:
    - name: openssl dhparam -out /etc/haproxy/dhparam 2048
    - unless: test -f /etc/haproxy/dhparam
    - watch_in:
      - service: haproxy.service

haproxy_trees:
  file.recurse:
    - names:
        - /etc/haproxy/blacklists:
            - source: salt://{{ slspath }}/files/etc/haproxy/blacklists
        - /etc/haproxy/errorfiles:
            - source: salt://{{ slspath }}/files/etc/haproxy/errorfiles
    - clean: true
    - template: jinja
    - require:
      - haproxy.install
    - watch_in:
      - service: haproxy.service

{%- set secrets = salt['pillar.get']('profile:proxy:haproxy:secrets', {}) %}
{%- if 'stats_user' in secrets and 'stats_passphrase' in secrets and salt['grains.get']('include_secrets', True) %}
haproxy_sysconfig_variables:
  file.keyvalue:
    - name: /etc/sysconfig/haproxy
    - append_if_not_found: true
    - show_changes: false
    - key_values:
        STATS_USER: {{ secrets['stats_user'] }}
        STATS_PASSPHRASE: {{ secrets['stats_passphrase'] }}
    - require:
      - file: haproxy_sysconfig
    - watch:
      - service: haproxy.service
{%- else %}
{%- do salt.log.debug('Skipping management of HAProxy secrets!') %}
{%- endif %}