feat(pre-2.1.0): demo data overhaul, examples, migration guides, install script

Pre-2.1.0 adoption polish delivering all four milestones: A) Demo Data Overhaul — seed_demo.sql rewritten with 35 certs across 5 issuers, 8 agents, 8 targets, 50+ jobs spanning 90 days, 55+ audit events, discovery scans, network scan targets, S/MIME cert. B) Examples Directory — 5 turnkey docker-compose configs: acme-nginx, acme-wildcard-dns01, private-ca-traefik, step-ca-haproxy, multi-issuer. C) Migration Guides — migrate-from-certbot.md, migrate-from-acmesh.md, certctl-for-cert-manager-users.md. D) Agent Install Script — install-agent.sh with cross-platform support (Linux systemd + macOS launchd), release.yml updated for 6-target cross-compilation. Triple-audited against codebase: 22 factual corrections applied across docs, examples, and config (env var names, CLI flags, ports, DNS hook interface, scheduler loop counts, license conversion date). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-07 18:01:37 +00:00 · 2026-03-29 18:26:58 -04:00
parent 5f81de3219
commit bcf2c3ae92
29 changed files with 4508 additions and 214 deletions
@@ -0,0 +1,69 @@
+global
+  log stdout local0
+  log stdout local1 notice
+  chroot /var/lib/haproxy
+  stats socket /run/haproxy/admin.sock mode 660 level admin
+  stats timeout 30s
+  user haproxy
+  group haproxy
+  daemon
+
+  # Default SSL options for modern TLS
+  tune.ssl.default-dh-param 2048
+  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
+  ssl-default-bind-options ssl-min-ver TLSv1.2
+
+defaults
+  mode  http
+  log   global
+  option  httplog
+  option  dontlognull
+  timeout connect 5000
+  timeout client  50000
+  timeout server  50000
+  errorfile 400 /etc/haproxy/errors/400.http
+  errorfile 403 /etc/haproxy/errors/403.http
+  errorfile 408 /etc/haproxy/errors/408.http
+  errorfile 500 /etc/haproxy/errors/500.http
+  errorfile 502 /etc/haproxy/errors/502.http
+  errorfile 503 /etc/haproxy/errors/503.http
+  errorfile 504 /etc/haproxy/errors/504.http
+
+# Statistics endpoint (accessible on port 8080)
+listen stats
+  bind *:8080
+  stats enable
+  stats uri /stats
+  stats refresh 30s
+  stats admin if TRUE
+
+# Example HTTPS frontend with certificate from certctl
+# This frontend will serve HTTPS on port 443 using a combined PEM file
+# deployed by certctl to /etc/haproxy/ssl/cert.pem
+frontend https_in
+  # HTTP redirect to HTTPS
+  bind *:80
+  mode http
+  acl is_http hdr(X-Forwarded-Proto) http
+  redirect scheme https code 301 if !is_https
+
+  # HTTPS with certificate
+  # In production, certctl will manage cert.pem and reload HAProxy after deployment
+  bind *:443 ssl crt /etc/haproxy/ssl/cert.pem strict-sni
+  mode http
+  option httplog
+
+  # Default backend
+  default_backend http_backend
+
+# Example backend (simple web service placeholder)
+backend http_backend
+  mode http
+  option httpchk GET /
+  server local_app 127.0.0.1:8000 check disabled
+
+# Health endpoint (useful for certctl agent deployment verification)
+frontend health
+  bind *:9999
+  mode http
+  monitor-uri /health