From 2d53fe6acd594901d3fbf56346df8339fefc4d79 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 16 Nov 2025 12:21:07 -0600
Subject: [PATCH] gw1/squid: Allow pxe.p.b via HTTPS

Now that Kickstart files are hosted on _pxe.pyrocufflink.blue_, we can allow access to that entire (sub-)domain, enabling clients to fetch the files over HTTPS. Previously, this was not possible because in order to allow access to Kickstart files but nothing else on Gitea, we had to rely on full URL matching.
---
 host_vars/gw1.pyrocufflink.blue/squid.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/host_vars/gw1.pyrocufflink.blue/squid.yml b/host_vars/gw1.pyrocufflink.blue/squid.yml
index f89594f..c422a76 100644
--- a/host_vars/gw1.pyrocufflink.blue/squid.yml
+++ b/host_vars/gw1.pyrocufflink.blue/squid.yml
@@ -35,7 +35,8 @@ squid_acl:
 kickstart:
 - url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$
 - url_regex git.pyrocufflink.net/infra/kickstart/raw/.*/.*\.ks$
- url_regex pxe.pyrocufflink.blue/kickstart/.*/.*\.ks$
+ pxe:
+ - dstdomain pxe.pyrocufflink.blue
 fcos_updates:
 - dstdomain d2uk5hbyrobdzx.cloudfront.net
 - dstdomain ostree.fedoraproject.org
@@ -83,6 +84,7 @@ squid_http_access:
 - allow localnet grafana_rpm
 - allow google_fonts
 - allow trusted kickstart
+- allow trusted pxe
 - allow trusted dch_repo
 - allow trusted ghcr
 - allow trusted gitea
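Review bot: The new `pxe` ACL in the first hunk is a bare `dstdomain`, so together with `allow trusted pxe` in the second hunk it lets trusted clients reach every path on pxe.pyrocufflink.blue, where the removed `url_regex` admitted only `.ks` files under `/kickstart/`. That is the expected trade-off for HTTPS, because a CONNECT request gives Squid only the host name unless TLS is intercepted, but nothing in the file records it. I would add a comment above the entry, e.g. `# Whole host allowed: CONNECT exposes only the hostname, so path rules cannot apply; keep this vhost limited to provisioning files`. Kickstart files may carry password hashes or enrolment secrets, so it is worth confirming that `trusted` is the intended audience for everything served from that host. If the rosalina and Gitea locations are no longer in use, their `url_regex` entries under `kickstart` could be dropped in the same change; that cannot be judged from these hunks.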