Similar to the existing systemd unit hardening of varnish and ATS services, we should also harden the haproxy service, at least starting with the unit used by the cp hosts.
Running systemd-analyze security haproxy.service currently reports UNSAFE, and we should improve that incrementally.