HAProxy operations

Install & lifecycle

Action	Command ID	Notes
Install HAProxy	`haproxy.provision`	Fresh VM
Re-install	`haproxy.provision` + `force: true`	Overwrite install path
Reload	`haproxy.reload`	After config edits
Provision standby from backup	`standby.provision_from_backup`	Clone config from backup onto standby

Jobs are enqueued to the API; the agent claims and runs them on the next heartbeat.

Admin stats socket (drain / ready)

Runtime backend control requires a Unix admin socket in haproxy.cfg:

stats socket /run/haproxy/admin.sock mode 600 level admin expose-fd listeners
stats timeout 2m

Enable via Recipe: Enable HAProxy admin stats socket or Enable admin stats socket action.

Requires socot + agent as root. This is not a public HTTP stats page.

Backend server states

From Management/topology table (heartbeat haproxy.topology):

Action	Command ID	HAProxy runtime
Drain	`haproxy.server_drain`	`set server … state drain`
Ready	`haproxy.server_ready`	`state ready`
Maintenance	`haproxy.server_maint`	`state maint`

Params: { "backend": "web", "server": "app1" }.

TLS (Let’s Encrypt on HAProxy)

Recipe: Let’s Encrypt (failover / HAProxy)

Uses DNS-01 via Cloudflare for the pool failover FQDN
Agent writes combined PEM: /etc/haproxy/certs/<hostname>.pem
One-time operator step: add ssl crt /etc/haproxy/certs/<hostname>.pem in config, validate, reload
Renew from Management or cron preset tls.acme_renew_force

The pool must have Cloudflare linked and a failover label set before the recipe applies.

Status tab

Shows live traffic from agent heartbeat enrichment — not a duplicate of the Overview topology diagram. Use for session rates, backend health columns, etc.