gw1/squid: Allow NVR servers access to repos

The Frigate NVR servers, prod & test, need to be able to access Fedora COPR (for the *gasket-dkms* package) and Github Container Registry (for Frigate itself).
2024-08-12 18:07:31 -05:00 · 2024-08-12 18:07:31 -05:00 · 3250628cd1
parent 8239b60634
commit 3250628cd1
1 changed files with 11 additions and 2 deletions
--- a/host_vars/gw1.pyrocufflink.blue/squid.yml
+++ b/host_vars/gw1.pyrocufflink.blue/squid.yml
@ -7,6 +7,8 @@ squid_acl:
    - 'src fe80::/10      	# RFC 4291 link-local (directly plugged) machines'
  trusted:
  - src 172.30.0.0/26
+  - src 172.30.0.211/32
+  - src 172.30.0.214/32
  kubernetes:
  - src 172.30.0.160/28
  unifi_controller:
@ -29,6 +31,9 @@ squid_acl:
  - dstdomain dl.fedoraproject.org
  - dstdomain fedoraproject-updates-archive.fedoraproject.org
  - dstdomain mirrors.fedoraproject.org
+  fedora_copr:
+  - dstdomain copr.fedorainfracloud.org
+  - dstdomain download.copr.fedorainfracloud.org
  dch_repo:
  - url_regex files.pyrocufflink.blue/yum/.+
  google_fonts:
@ -43,10 +48,11 @@ squid_acl:
  - dstdomain docker.io
  - dstdomain auth.docker.io
  - dstdomain production.cloudflare.docker.com
-  linuxserverio:
-  - dstdomain lscr.io
+  ghcr:
  - dstdomain ghcr.io
  - dstdomain pkg-containers.githubusercontent.com
+  linuxserverio:
+  - dstdomain lscr.io

 squid_http_access:
 - 'deny !Safe_ports'
@ -56,12 +62,15 @@ squid_http_access:
 - deny to_localhost
 - allow localnet fcos_updates
 - allow localnet fedora_repo
+- allow localnet fedora_copr
 - allow localnet grafana_rpm
 - allow google_fonts
 - allow trusted kickstart
 - allow trusted dch_repo
+- allow trusted ghcr
 - allow kubernetes stripe_api
 - allow unifi_controller dockerhub
+- allow unifi_controller ghcr
 - allow unifi_controller linuxserverio
 - deny all