# HAProxy routing stubs for Kanidm.
# These are ADDITIVE fragments — merge into your main haproxy config.
# Assumes:
#  - HAProxy terminates TLS using the acme-nayeonie.com certificate
#  - Kanidm HTTPS listens on [::1]:8443
#  - Kanidm LDAP compat listens on [::1]:3890
#  - ACL-based routing by SNI / Host header
#
# In your main frontend (or add a dedicated one):
#
#   acl host_kanidm hdr(host) -i auth.nayeonie.com   # internal/admin only
#
#   use_backend kanidm if host_kanidm
#
# --- Kanidm backend ---
#
#   backend kanidm
#     mode http
#     option forwardfor
#     http-request set-header X-Forwarded-Proto https
#     http-request set-header X-Forwarded-Host %[req.hdr(host)]
#     acl internal src 192.168.76.0/24 192.168.191.0/24
#     http-request deny unless internal
#     server kanidm [::1]:8443 ssl verify none check
#
# --- Forward-auth pattern for protecting other backends with Kanidm ---
#
# To protect an existing backend with Kanidm OIDC, add oauth2-proxy.
# The simplest path for HAProxy is:
#
#   1. Deploy oauth2-proxy (services.oauth2-proxy) configured against
#      Kanidm as OIDC provider (issuer https://auth.nayeonie.com).
#   2. In HAProxy frontend, redirect unauthenticated requests to
#      oauth2-proxy before forwarding to the real backend.
#
# This is left as a follow-up — get Kanidm running first.
{ ... }: { }
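The following is an added example, not part of the stub above and not code from the Kanidm or HAProxy projects: a NixOS module that turns the commented fragments into a complete, loadable HAProxy configuration so the routing and the source-address restriction can actually be exercised. Everything not in the stub is an assumption: the ACME certificate is named `nayeonie.com` under `security.acme` (so the combined chain and key sit at `/var/lib/acme/nayeonie.com/full.pem`), the frontend is called `https_in`, it binds `[::]:443` for both IPv4 and IPv6, and `<kanidm-ca.pem>` is a placeholder path.

```nix
# Added example (not the original stub's code). Assumptions, not from the
# stub: ACME cert name "nayeonie.com", frontend name "https_in", listener
# on [::]:443 v4v6, and the placeholder path <kanidm-ca.pem>.
{ config, lib, pkgs, ... }:
{
  # Let the haproxy user read the ACME bundle (assumes the cert is
  # already declared under security.acme.certs."nayeonie.com").
  security.acme.certs."nayeonie.com".group = "haproxy";

  services.haproxy = {
    enable = true;
    config = ''
      global
        log /dev/log local0 info
        ssl-default-bind-options ssl-min-ver TLSv1.2

      defaults
        mode http
        log global
        option httplog
        timeout connect 5s
        timeout client 30s
        timeout server 30s

      frontend https_in
        bind [::]:443 v4v6 ssl crt /var/lib/acme/nayeonie.com/full.pem
        # Route on the Host header, exactly as the stub does. Kanidm
        # validates Host against its configured origin, so Host (not only
        # SNI) is the value that has to match auth.nayeonie.com.
        acl host_kanidm hdr(host) -i auth.nayeonie.com
        use_backend kanidm if host_kanidm
        # Deliberately no default_backend: a request for any other host
        # gets a 503 instead of silently landing on an unintended backend.

      backend kanidm
        mode http
        option forwardfor
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-Forwarded-Host %[req.hdr(host)]
        # 'src' is the TCP peer of HAProxy. If another proxy or load
        # balancer ever sits in front of HAProxy, src becomes that hop
        # and this allow-list no longer identifies the real client.
        acl internal src 192.168.76.0/24 192.168.191.0/24
        http-request deny deny_status 403 unless internal
        # Loopback hop to Kanidm's own TLS listener. 'verify none' skips
        # certificate checks on that hop; once Kanidm's CA is at hand,
        # replace it with: verify required ca-file <kanidm-ca.pem>
        server kanidm [::1]:8443 ssl verify none check
    '';
  };
}
```

Two points worth checking after deploying this: a request from outside the two `/24` ranges should receive HAProxy's 403 from the `http-request deny` line, not a Kanidm page, and the `X-Forwarded-For` header HAProxy adds is only honoured by Kanidm when its `server.toml` sets `trust_x_forward_for = true`; without that, Kanidm's own logs and rate limiting see `::1` for every client.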