r/squid: Fix SELinux AVC denial after cache init

Running `squid -z` as *root* leaves behind temporary files in
`/dev/shm`.  When *squid.service* starts squid, in the proper SELinux
domain, it is unable to access these files and crashes.  To avoid this,
we mount a private *tmpfs* so no existing files are accessible in the
service's namespace.

roles/squid/handlers/main.yml

@@ -1,3 +1,7 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
 - name: initialize squid cache directories
   command:
     /usr/sbin/squid -N -z -F -f /etc/squid/squid.conf

roles/squid/tasks/main.yml

@@ -29,6 +29,27 @@
   - initialize squid cache directories
   - reload squid
 
+- name: ensure squid systemd unit drop-in directory exists
+  file:
+    path: /etc/systemd/system/squid.service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - systemd
+- name: ensure squid private tmp is configured
+  copy:
+    src: private-tmp.conf
+    dest: /etc/systemd/system/squid.service.d/private-tmp.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+
 - meta: flush_handlers
 - name: ensure squid service starts at boot
   service: