From 3214d4b9b2a69cd557d4532c3011991ff6025d04 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 31 Jul 2024 18:41:13 -0500
Subject: [PATCH] gw1/squid: Allow UniFi controller to OCI registries

The UniFi Network server needs to be able access the _linuxserver.io_/GitHub and Docker Hub OCI image registries for the Unifi Network and Caddy container images, respectively.
---
host_vars/gw1.pyrocufflink.blue/squid.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/host_vars/gw1.pyrocufflink.blue/squid.yml b/host_vars/gw1.pyrocufflink.blue/squid.yml
index 1f6882b..05ab766 100644
--- a/host_vars/gw1.pyrocufflink.blue/squid.yml
+++ b/host_vars/gw1.pyrocufflink.blue/squid.yml
@@ -9,6 +9,8 @@ squid_acl:
 - src 172.30.0.0/26
 kubernetes:
 - src 172.30.0.160/28
+ unifi_controller:
+ - src 172.30.0.242/32
 SSL_ports:
 - port 443
 Safe_ports:
@@ -36,6 +38,15 @@ squid_acl:
 - dstdomain rpm.grafana.com
 stripe_api:
 - dstdomain api.stripe.com
+ dockerhub:
+ - dstdomain registry-1.docker.io
+ - dstdomain docker.io
+ - dstdomain auth.docker.io
+ - dstdomain production.cloudflare.docker.com
+ linuxserverio:
+ - dstdomain lscr.io
+ - dstdomain ghcr.io
+ - dstdomain pkg-containers.githubusercontent.com

 squid_http_access:
 - 'deny !Safe_ports'
@@ -50,6 +61,8 @@ squid_http_access:
 - allow trusted kickstart
 - allow trusted dch_repo
 - allow kubernetes stripe_api
+- allow unifi_controller dockerhub
+- allow unifi_controller linuxserverio
 - deny all

 squid_cache_dir:
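Review bot: `dstdomain docker.io` in the new dockerhub ACL is an exact-host match in Squid (only a leading dot, `.docker.io`, also matches subdomains), and the Docker Hub pull path goes through `registry-1.docker.io`, `auth.docker.io` and the Cloudflare blob host already listed, so the bare `docker.io` entry most likely never matches and could be dropped; if subdomain coverage was intended, `.docker.io` would provide it but widens the egress allowlist beyond the registry endpoints. A dstdomain allowlist also permits pulling any image hosted on these registries, not only the UniFi Network and Caddy images named in the commit message, so a comment above each ACL naming the images that depend on it, e.g. `# Caddy image for the UniFi Network server`, would help future pruning. Because registries have changed their blob redirect hosts before, a failing pull after this change is worth checking against the proxy access log before the list is widened.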