diff --git a/Dockerfile b/Dockerfile
index f8f1e46..1e281e0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,101 @@
-FROM haproxy-2.5.4
-MAINTAINER gyurix
-COPY haproxy-loadbalancer.cfg /etc/haproxy/haproxy.cfg
-ENTRYPOINT ["haproxy", "-f", "/etc/haproxy/haproxy.cfg", "-p", "/var/run/haproxy.pid"]
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.19
+
+# runtime dependencies
+RUN set -eux; \
+	apk add --no-cache \
+# @system-ca: https://github.com/docker-library/haproxy/pull/216
+		ca-certificates \
+	;
+
+# roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable
+RUN set -eux; \
+	addgroup --gid 99 --system haproxy; \
+	adduser \
+		--disabled-password \
+		--home /var/lib/haproxy \
+		--ingroup haproxy \
+		--no-create-home \
+		--system \
+		--uid 99 \
+		haproxy \
+	; \
+	mkdir /var/lib/haproxy; \
+	chown haproxy:haproxy /var/lib/haproxy
+
+ENV HAPROXY_VERSION 3.0-dev11
+ENV HAPROXY_URL https://www.haproxy.org/download/3.0/src/devel/haproxy-3.0-dev11.tar.gz
+ENV HAPROXY_SHA256 111530dfc240f516d501e77f5066471db4541011c1fb3b2cc1ed509610f810a1
+
+# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .build-deps \
+		gcc \
+		libc-dev \
+		linux-headers \
+		lua5.4-dev \
+		make \
+		openssl \
+		openssl-dev \
+		pcre2-dev \
+		readline-dev \
+		tar \
+	; \
+	\
+	wget -O haproxy.tar.gz "$HAPROXY_URL"; \
+	echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \
+	mkdir -p /usr/src/haproxy; \
+	tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \
+	rm haproxy.tar.gz; \
+	\
+	makeOpts=' \
+		TARGET=linux-musl \
+		USE_GETADDRINFO=1 \
+		USE_LUA=1 LUA_INC=/usr/include/lua5.4 LUA_LIB=/usr/lib/lua5.4 \
+		USE_OPENSSL=1 \
+		USE_PCRE2=1 USE_PCRE2_JIT=1 \
+		USE_PROMEX=1 \
+		\
+		EXTRA_OBJS=" \
+		" \
+	'; \
+	\
+	nproc="$(getconf _NPROCESSORS_ONLN)"; \
+	eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \
+	eval "make -C /usr/src/haproxy install-bin $makeOpts"; \
+	\
+	mkdir -p /usr/local/etc/haproxy; \
+	cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors; \
+	rm -rf /usr/src/haproxy; \
+	\
+	runDeps="$( \
+		scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+			| tr ',' '\n' \
+			| sort -u \
+			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+	)"; \
+	apk add --no-network --virtual .haproxy-rundeps $runDeps; \
+	apk del --no-network .build-deps; \
+	\
+# smoke test
+	haproxy -v
+
+# https://www.haproxy.org/download/1.8/doc/management.txt
+# "4. Stopping and restarting HAProxy"
+# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
+# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
+STOPSIGNAL SIGUSR1
+
+# https://github.com/docker-library/haproxy/issues/200
+WORKDIR /var/lib/haproxy
+COPY haproxy.cfg /usr/local/etc/haproxy/
+RUN chown -R haproxy:haproxy /usr/local/etc/haproxy
+
+CMD haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg
+USER haproxy
diff --git a/haproxy-loadbalancer.cfg b/haproxy.cfg
similarity index 100%
rename from haproxy-loadbalancer.cfg
rename to haproxy.cfg