gw1/squid: Allow Frigate access to Github API

Frigate uses the Github API to check for new releases.  It then
populates the `update.frigate_server` entity in Home Assistant via MQTT
with the information it retrieved.  If it is unable to access the Github
API, the Home Assistant entity will be marked as "unavailable," which
triggers an alert notification from Home Assistant. Thus, we need to
allow Frigate to access Github if we want to use that entity as an
indicator of whether or not Frigate is connected to the MQTT broker.

I don't want to allow access to the Github API to everything on the
Frigate server, just Frigate itself.  To do that, I've assigned a unique
username and password for Frigate.  Only requests with the proper
`Proxy-Authorization` header will be allowed access.  By providing the
credentials only to the Frigate container, we can ensure no other
process has access.

I think I did this mostly as an exercise; there's no particular reason
to disallow access to the Github API, since it's mostly read-only and
can't really be used to exfiltrate any data (probably?).
frigate-exporter
Dustin 2024-08-14 19:45:37 -05:00
parent 0ec9401c6e
commit 14a7d39e11
1 changed files with 10 additions and 0 deletions


@ -1,3 +1,8 @@
squid_auth_param:
basic:
program: /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.htpasswd
children: 1
squid_acl: squid_acl:
localnet: localnet:
- 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)' - 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)'
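Review bot: the `basic` scheme configured here sends the username and password base64-encoded (not encrypted) in the `Proxy-Authorization` header of every request, and for an HTTPS destination that header travels in the cleartext `CONNECT` request before the TLS tunnel is established, so the Frigate credential is readable by anything that can observe traffic between the Frigate host and gw1; that is probably fine on the LAN, but the commit message's "no other process has access" claim should be qualified accordingly. Two deployment checks for `/etc/squid/squid.htpasswd`: the helper runs as the squid user, so the file should be readable by that user and nobody else (root-owned, squid group, mode 0640), and the entry should be created in the apr1 MD5 format (`htpasswd -m`) rather than legacy DES crypt, which silently truncates passwords to 8 characters. `children: 1` is adequate for a single client, but note that Squid serialises all authentication lookups through that one helper process.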
@ -20,6 +25,10 @@ squid_acl:
- 'port 443 # https' - 'port 443 # https'
CONNECT: CONNECT:
- method CONNECT - method CONNECT
frigate:
- proxy_auth frigate
github_api:
- dstdomain api.github.com
kickstart: kickstart:
- url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$ - url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$
fcos_updates: fcos_updates:
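Review bot: `dstdomain api.github.com` is the only thing the proxy can see of Frigate's traffic, because the API is reached over HTTPS and Squid handles an opaque `CONNECT api.github.com:443`; the ACL therefore limits the container to a domain, not to read-only release lookups, and anything holding this credential plus a GitHub token could use the same tunnel for write calls (gists, issues, release assets), which is exactly the exfiltration path the commit message dismisses with "(probably?)". Worth a trailing comment on the acl line, in the style of the neighbouring entries, saying the restriction is per-domain only. Also, `proxy_auth frigate` only pins the username; it does nothing to tie the credential to the Frigate host, so consider a companion `src` acl for that host (its address is not in this change) to be combined on the `http_access` line.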
@ -72,6 +81,7 @@ squid_http_access:
- allow unifi_controller dockerhub - allow unifi_controller dockerhub
- allow unifi_controller ghcr - allow unifi_controller ghcr
- allow unifi_controller linuxserverio - allow unifi_controller linuxserverio
- allow trusted frigate github_api
- deny all - deny all
squid_cache_dir: squid_cache_dir:
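Review bot: the ordering in `allow trusted frigate github_api` is the right one, since the IP-based `trusted` acl is evaluated first and so hosts outside it are never asked for proxy credentials; but the line still grants any `trusted` host that learns the password access to api.github.com, which is weaker than the commit message's "just Frigate itself". If the stated goal is to be met, add a `src` acl for the Frigate host and evaluate it on this line as well, e.g. `allow frigate_host frigate github_api` with `frigate_host` defined under `squid_acl` (a hypothetical name; the host address is not shown in this change), so that both the source address and the username must match before `github_api` is consulted.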