secubox-openwrt/package/secubox/secubox-app-haproxy/Makefile

# SPDX-License-Identifier: MIT
# SecuBox HAProxy - Load Balancer & Reverse Proxy in LXC
# Copyright (C) 2025 CyberMind.fr

include $(TOPDIR)/rules.mk

PKG_NAME:=secubox-app-haproxy
PKG_VERSION:=1.0.0
PKG_RELEASE:=19

PKG_MAINTAINER:=CyberMind <contact@cybermind.fr>
PKG_LICENSE:=MIT

include $(INCLUDE_DIR)/package.mk

define Package/secubox-app-haproxy
  SECTION:=secubox
  CATEGORY:=SecuBox
  SUBMENU:=Services
  TITLE:=HAProxy Load Balancer & Reverse Proxy
  DEPENDS:=+lxc +lxc-common +openssl-util +wget-ssl +tar +jsonfilter +acme +acme-acmesh +socat
  PKGARCH:=all
endef

define Package/secubox-app-haproxy/description
  HAProxy load balancer and reverse proxy running in an LXC container.
  Features:
  - Virtual hosts with SNI routing
  - Multi-certificate SSL/TLS termination
  - Let's Encrypt auto-renewal via ACME
  - Backend health checks
  - URL-based routing and redirections
  - Stats dashboard
  - Rate limiting and ACLs
endef

define Package/secubox-app-haproxy/conffiles
/etc/config/haproxy
endef

define Build/Compile
endef

define Package/secubox-app-haproxy/install
	$(INSTALL_DIR) $(1)/etc/config
	$(INSTALL_CONF) ./files/etc/config/haproxy $(1)/etc/config/haproxy

	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_BIN) ./files/etc/init.d/haproxy $(1)/etc/init.d/haproxy

	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) ./files/usr/sbin/haproxyctl $(1)/usr/sbin/haproxyctl
	$(INSTALL_BIN) ./files/usr/sbin/haproxy-sync-certs $(1)/usr/sbin/haproxy-sync-certs
	$(INSTALL_BIN) ./files/usr/sbin/haproxy-acme-cron $(1)/usr/sbin/haproxy-acme-cron

	$(INSTALL_DIR) $(1)/usr/lib/acme/deploy
	$(INSTALL_BIN) ./files/usr/lib/acme/deploy/haproxy.sh $(1)/usr/lib/acme/deploy/haproxy.sh

	$(INSTALL_DIR) $(1)/usr/share/haproxy/templates
	$(INSTALL_DATA) ./files/usr/share/haproxy/templates/* $(1)/usr/share/haproxy/templates/

	$(INSTALL_DIR) $(1)/usr/share/haproxy/certs

	# Add cron jobs for certificate management
	$(INSTALL_DIR) $(1)/etc/cron.d
	echo "# HAProxy certificate management" > $(1)/etc/cron.d/haproxy-certs
	echo "# Sync ACME certs to HAProxy after renewals" >> $(1)/etc/cron.d/haproxy-certs
	echo "15 3 * * * root /usr/sbin/haproxy-sync-certs >/dev/null 2>&1" >> $(1)/etc/cron.d/haproxy-certs
	echo "# Process pending ACME certificate requests (every 5 min)" >> $(1)/etc/cron.d/haproxy-certs
	echo "*/5 * * * * root /usr/sbin/haproxy-acme-cron >/dev/null 2>&1" >> $(1)/etc/cron.d/haproxy-certs
endef

define Package/secubox-app-haproxy/postinst
#!/bin/sh
[ -n "$${IPKG_INSTROOT}" ] && exit 0
# Sync existing ACME certificates on install
/usr/sbin/haproxy-sync-certs 2>/dev/null || true
exit 0
endef

$(eval $(call BuildPackage,secubox-app-haproxy))
feat(haproxy): Add HAProxy load balancer packages for OpenWrt - Add secubox-app-haproxy: LXC-containerized HAProxy service - Alpine Linux container with HAProxy - Multi-certificate SSL/TLS termination with SNI routing - ACME/Let's Encrypt auto-renewal - Virtual hosts management - Backend health checks and load balancing - Add luci-app-haproxy: Full LuCI web interface - Overview dashboard with service status - Virtual hosts management with SSL options - Backends and servers configuration - SSL certificate management (ACME + import) - ACLs and URL-based routing rules - Statistics dashboard and logs - Settings for ports, timeouts, ACME - Update luci-app-secubox-portal: - Add Services category with HAProxy, HexoJS, PicoBrew, Tor Shield, Jellyfin, Home Assistant, AdGuard Home, Nextcloud - Make portal dynamic - only shows installed apps - Add empty state UI for sections with no apps - Remove 404 errors for uninstalled apps Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 19:09:32 +00:00			`# SPDX-License-Identifier: MIT`
			`# SecuBox HAProxy - Load Balancer & Reverse Proxy in LXC`
			`# Copyright (C) 2025 CyberMind.fr`

			`include $(TOPDIR)/rules.mk`

			`PKG_NAME:=secubox-app-haproxy`
			`PKG_VERSION:=1.0.0`
feat(streamlit+haproxy): Enhanced instance management and ACME cron Streamlit Instances: - Add Publish button with HAProxy integration (uses instance port) - Add Edit dialog for modifying instance settings - Replace enable/disable buttons with checkbox - Get LAN IP dynamically from status data - Bump luci-app-streamlit to r8 HAProxy: - Add haproxy-acme-cron script for background cert processing - Cron runs every 5 minutes to issue pending ACME certificates - Prevents UI blocking during certificate issuance - Bump secubox-app-haproxy to r19 RPCD: - Fix json_error to return consistent format with json_success Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-26 12:08:48 +00:00			`PKG_RELEASE:=19`
feat(haproxy): Add HAProxy load balancer packages for OpenWrt - Add secubox-app-haproxy: LXC-containerized HAProxy service - Alpine Linux container with HAProxy - Multi-certificate SSL/TLS termination with SNI routing - ACME/Let's Encrypt auto-renewal - Virtual hosts management - Backend health checks and load balancing - Add luci-app-haproxy: Full LuCI web interface - Overview dashboard with service status - Virtual hosts management with SSL options - Backends and servers configuration - SSL certificate management (ACME + import) - ACLs and URL-based routing rules - Statistics dashboard and logs - Settings for ports, timeouts, ACME - Update luci-app-secubox-portal: - Add Services category with HAProxy, HexoJS, PicoBrew, Tor Shield, Jellyfin, Home Assistant, AdGuard Home, Nextcloud - Make portal dynamic - only shows installed apps - Add empty state UI for sections with no apps - Remove 404 errors for uninstalled apps Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 19:09:32 +00:00
			`PKG_MAINTAINER:=CyberMind <contact@cybermind.fr>`
			`PKG_LICENSE:=MIT`

			`include $(INCLUDE_DIR)/package.mk`

			`define Package/secubox-app-haproxy`
			`SECTION:=secubox`
			`CATEGORY:=SecuBox`
			`SUBMENU:=Services`
			`TITLE:=HAProxy Load Balancer & Reverse Proxy`
feat(haproxy): Add edit functionality for backends, servers, and vhosts - Add showEditVhostModal() for editing virtual host properties - Add showEditBackendModal() for editing backend configuration - Add showEditServerModal() for editing server properties - Modern card-based UI with inline edit/delete actions - Toggle enable/disable for backends - Fix haproxyctl to read server option from backend UCI sections - Add debug logging to container startup script Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 04:56:03 +00:00			`DEPENDS:=+lxc +lxc-common +openssl-util +wget-ssl +tar +jsonfilter +acme +acme-acmesh +socat`
feat(haproxy): Add HAProxy load balancer packages for OpenWrt - Add secubox-app-haproxy: LXC-containerized HAProxy service - Alpine Linux container with HAProxy - Multi-certificate SSL/TLS termination with SNI routing - ACME/Let's Encrypt auto-renewal - Virtual hosts management - Backend health checks and load balancing - Add luci-app-haproxy: Full LuCI web interface - Overview dashboard with service status - Virtual hosts management with SSL options - Backends and servers configuration - SSL certificate management (ACME + import) - ACLs and URL-based routing rules - Statistics dashboard and logs - Settings for ports, timeouts, ACME - Update luci-app-secubox-portal: - Add Services category with HAProxy, HexoJS, PicoBrew, Tor Shield, Jellyfin, Home Assistant, AdGuard Home, Nextcloud - Make portal dynamic - only shows installed apps - Add empty state UI for sections with no apps - Remove 404 errors for uninstalled apps Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 19:09:32 +00:00			`PKGARCH:=all`
			`endef`

			`define Package/secubox-app-haproxy/description`
			`HAProxy load balancer and reverse proxy running in an LXC container.`
			`Features:`
			`- Virtual hosts with SNI routing`
			`- Multi-certificate SSL/TLS termination`
			`- Let's Encrypt auto-renewal via ACME`
			`- Backend health checks`
			`- URL-based routing and redirections`
			`- Stats dashboard`
			`- Rate limiting and ACLs`
			`endef`

			`define Package/secubox-app-haproxy/conffiles`
			`/etc/config/haproxy`
			`endef`

			`define Build/Compile`
			`endef`

			`define Package/secubox-app-haproxy/install`
			`$(INSTALL_DIR) $(1)/etc/config`
			`$(INSTALL_CONF) ./files/etc/config/haproxy $(1)/etc/config/haproxy`

			`$(INSTALL_DIR) $(1)/etc/init.d`
			`$(INSTALL_BIN) ./files/etc/init.d/haproxy $(1)/etc/init.d/haproxy`

			`$(INSTALL_DIR) $(1)/usr/sbin`
			`$(INSTALL_BIN) ./files/usr/sbin/haproxyctl $(1)/usr/sbin/haproxyctl`
fix(haproxy): Combine fullchain + key for HAProxy certificates HAProxy requires certificate files to contain both the fullchain (cert + intermediate CA) and the private key concatenated together. Changes: - haproxyctl: Fix cert_add to create combined .pem files - haproxy-sync-certs: New script to sync ACME certs to HAProxy format - haproxy.sh: ACME deploy hook for HAProxy - init.d: Sync certs before starting HAProxy - Makefile: Install new scripts, add cron job for cert sync This fixes the "No Private Key found" error when HAProxy tries to load certificates that only contain the fullchain without the key. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 10:42:29 +00:00			`$(INSTALL_BIN) ./files/usr/sbin/haproxy-sync-certs $(1)/usr/sbin/haproxy-sync-certs`
feat(streamlit+haproxy): Enhanced instance management and ACME cron Streamlit Instances: - Add Publish button with HAProxy integration (uses instance port) - Add Edit dialog for modifying instance settings - Replace enable/disable buttons with checkbox - Get LAN IP dynamically from status data - Bump luci-app-streamlit to r8 HAProxy: - Add haproxy-acme-cron script for background cert processing - Cron runs every 5 minutes to issue pending ACME certificates - Prevents UI blocking during certificate issuance - Bump secubox-app-haproxy to r19 RPCD: - Fix json_error to return consistent format with json_success Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-26 12:08:48 +00:00			`$(INSTALL_BIN) ./files/usr/sbin/haproxy-acme-cron $(1)/usr/sbin/haproxy-acme-cron`
fix(haproxy): Combine fullchain + key for HAProxy certificates HAProxy requires certificate files to contain both the fullchain (cert + intermediate CA) and the private key concatenated together. Changes: - haproxyctl: Fix cert_add to create combined .pem files - haproxy-sync-certs: New script to sync ACME certs to HAProxy format - haproxy.sh: ACME deploy hook for HAProxy - init.d: Sync certs before starting HAProxy - Makefile: Install new scripts, add cron job for cert sync This fixes the "No Private Key found" error when HAProxy tries to load certificates that only contain the fullchain without the key. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 10:42:29 +00:00
			`$(INSTALL_DIR) $(1)/usr/lib/acme/deploy`
			`$(INSTALL_BIN) ./files/usr/lib/acme/deploy/haproxy.sh $(1)/usr/lib/acme/deploy/haproxy.sh`
feat(haproxy): Add HAProxy load balancer packages for OpenWrt - Add secubox-app-haproxy: LXC-containerized HAProxy service - Alpine Linux container with HAProxy - Multi-certificate SSL/TLS termination with SNI routing - ACME/Let's Encrypt auto-renewal - Virtual hosts management - Backend health checks and load balancing - Add luci-app-haproxy: Full LuCI web interface - Overview dashboard with service status - Virtual hosts management with SSL options - Backends and servers configuration - SSL certificate management (ACME + import) - ACLs and URL-based routing rules - Statistics dashboard and logs - Settings for ports, timeouts, ACME - Update luci-app-secubox-portal: - Add Services category with HAProxy, HexoJS, PicoBrew, Tor Shield, Jellyfin, Home Assistant, AdGuard Home, Nextcloud - Make portal dynamic - only shows installed apps - Add empty state UI for sections with no apps - Remove 404 errors for uninstalled apps Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 19:09:32 +00:00
			`$(INSTALL_DIR) $(1)/usr/share/haproxy/templates`
			`$(INSTALL_DATA) ./files/usr/share/haproxy/templates/* $(1)/usr/share/haproxy/templates/`

			`$(INSTALL_DIR) $(1)/usr/share/haproxy/certs`
fix(haproxy): Combine fullchain + key for HAProxy certificates HAProxy requires certificate files to contain both the fullchain (cert + intermediate CA) and the private key concatenated together. Changes: - haproxyctl: Fix cert_add to create combined .pem files - haproxy-sync-certs: New script to sync ACME certs to HAProxy format - haproxy.sh: ACME deploy hook for HAProxy - init.d: Sync certs before starting HAProxy - Makefile: Install new scripts, add cron job for cert sync This fixes the "No Private Key found" error when HAProxy tries to load certificates that only contain the fullchain without the key. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 10:42:29 +00:00
feat(streamlit+haproxy): Enhanced instance management and ACME cron Streamlit Instances: - Add Publish button with HAProxy integration (uses instance port) - Add Edit dialog for modifying instance settings - Replace enable/disable buttons with checkbox - Get LAN IP dynamically from status data - Bump luci-app-streamlit to r8 HAProxy: - Add haproxy-acme-cron script for background cert processing - Cron runs every 5 minutes to issue pending ACME certificates - Prevents UI blocking during certificate issuance - Bump secubox-app-haproxy to r19 RPCD: - Fix json_error to return consistent format with json_success Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-26 12:08:48 +00:00			`# Add cron jobs for certificate management`
fix(haproxy): Combine fullchain + key for HAProxy certificates HAProxy requires certificate files to contain both the fullchain (cert + intermediate CA) and the private key concatenated together. Changes: - haproxyctl: Fix cert_add to create combined .pem files - haproxy-sync-certs: New script to sync ACME certs to HAProxy format - haproxy.sh: ACME deploy hook for HAProxy - init.d: Sync certs before starting HAProxy - Makefile: Install new scripts, add cron job for cert sync This fixes the "No Private Key found" error when HAProxy tries to load certificates that only contain the fullchain without the key. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 10:42:29 +00:00			`$(INSTALL_DIR) $(1)/etc/cron.d`
feat(streamlit+haproxy): Enhanced instance management and ACME cron Streamlit Instances: - Add Publish button with HAProxy integration (uses instance port) - Add Edit dialog for modifying instance settings - Replace enable/disable buttons with checkbox - Get LAN IP dynamically from status data - Bump luci-app-streamlit to r8 HAProxy: - Add haproxy-acme-cron script for background cert processing - Cron runs every 5 minutes to issue pending ACME certificates - Prevents UI blocking during certificate issuance - Bump secubox-app-haproxy to r19 RPCD: - Fix json_error to return consistent format with json_success Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-26 12:08:48 +00:00			`echo "# HAProxy certificate management" > $(1)/etc/cron.d/haproxy-certs`
			`echo "# Sync ACME certs to HAProxy after renewals" >> $(1)/etc/cron.d/haproxy-certs`
fix(haproxy): Combine fullchain + key for HAProxy certificates HAProxy requires certificate files to contain both the fullchain (cert + intermediate CA) and the private key concatenated together. Changes: - haproxyctl: Fix cert_add to create combined .pem files - haproxy-sync-certs: New script to sync ACME certs to HAProxy format - haproxy.sh: ACME deploy hook for HAProxy - init.d: Sync certs before starting HAProxy - Makefile: Install new scripts, add cron job for cert sync This fixes the "No Private Key found" error when HAProxy tries to load certificates that only contain the fullchain without the key. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 10:42:29 +00:00			`echo "15 3 * * * root /usr/sbin/haproxy-sync-certs >/dev/null 2>&1" >> $(1)/etc/cron.d/haproxy-certs`
feat(streamlit+haproxy): Enhanced instance management and ACME cron Streamlit Instances: - Add Publish button with HAProxy integration (uses instance port) - Add Edit dialog for modifying instance settings - Replace enable/disable buttons with checkbox - Get LAN IP dynamically from status data - Bump luci-app-streamlit to r8 HAProxy: - Add haproxy-acme-cron script for background cert processing - Cron runs every 5 minutes to issue pending ACME certificates - Prevents UI blocking during certificate issuance - Bump secubox-app-haproxy to r19 RPCD: - Fix json_error to return consistent format with json_success Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-26 12:08:48 +00:00			`echo "# Process pending ACME certificate requests (every 5 min)" >> $(1)/etc/cron.d/haproxy-certs`
			`echo "/5 * * * root /usr/sbin/haproxy-acme-cron >/dev/null 2>&1" >> $(1)/etc/cron.d/haproxy-certs`
fix(haproxy): Combine fullchain + key for HAProxy certificates HAProxy requires certificate files to contain both the fullchain (cert + intermediate CA) and the private key concatenated together. Changes: - haproxyctl: Fix cert_add to create combined .pem files - haproxy-sync-certs: New script to sync ACME certs to HAProxy format - haproxy.sh: ACME deploy hook for HAProxy - init.d: Sync certs before starting HAProxy - Makefile: Install new scripts, add cron job for cert sync This fixes the "No Private Key found" error when HAProxy tries to load certificates that only contain the fullchain without the key. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 10:42:29 +00:00			`endef`

			`define Package/secubox-app-haproxy/postinst`
			`#!/bin/sh`
			`[ -n "$${IPKG_INSTROOT}" ] && exit 0`
			`# Sync existing ACME certificates on install`
			`/usr/sbin/haproxy-sync-certs 2>/dev/null \|\| true`
			`exit 0`
feat(haproxy): Add HAProxy load balancer packages for OpenWrt - Add secubox-app-haproxy: LXC-containerized HAProxy service - Alpine Linux container with HAProxy - Multi-certificate SSL/TLS termination with SNI routing - ACME/Let's Encrypt auto-renewal - Virtual hosts management - Backend health checks and load balancing - Add luci-app-haproxy: Full LuCI web interface - Overview dashboard with service status - Virtual hosts management with SSL options - Backends and servers configuration - SSL certificate management (ACME + import) - ACLs and URL-based routing rules - Statistics dashboard and logs - Settings for ports, timeouts, ACME - Update luci-app-secubox-portal: - Add Services category with HAProxy, HexoJS, PicoBrew, Tor Shield, Jellyfin, Home Assistant, AdGuard Home, Nextcloud - Make portal dynamic - only shows installed apps - Add empty state UI for sections with no apps - Remove 404 errors for uninstalled apps Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-23 19:09:32 +00:00			`endef`

			`$(eval $(call BuildPackage,secubox-app-haproxy))`