From af18a575d14b565c714fdd25b841dbf9297b862c Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 27 Jan 2024 08:55:30 -0600
Subject: [PATCH] r/squid: Support custom ACLs and rules

The default set of access control lists and access rules for Squid are fine for allowing hosts on the local network access to the web in general. For other uses, such as web filtering, etc. more complex rules may be needed. To that end, the *squid* role now supports some additional variables. Notably, `squid_acl` contains a map of ACL names to list entries and `squid_http_access` contains a list of access rules. If these are set, their corresponding defaults are not included in the rendered configuration file.
---
 roles/squid/defaults/main.yml | 1 +
 roles/squid/templates/squid.conf.j2 | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/roles/squid/defaults/main.yml b/roles/squid/defaults/main.yml
index 7edc835..287bf35 100644
--- a/roles/squid/defaults/main.yml
+++ b/roles/squid/defaults/main.yml
@@ -5,3 +5,4 @@ squid_cache_dir: /var/cache/squid
 squid_cache_dir_max_size: 51200
 squid_cache_dir_l1: 16
 squid_cache_dir_l2: 256
+squid_access_log: syslog:daemon.info
diff --git a/roles/squid/templates/squid.conf.j2 b/roles/squid/templates/squid.conf.j2
index 06a07a1..66e5b30 100644
--- a/roles/squid/templates/squid.conf.j2
+++ b/roles/squid/templates/squid.conf.j2
@@ -1,3 +1,4 @@
+{% if squid_acl is not defined %}
 #
 # Recommended minimum configuration:
 #
@@ -23,8 +24,17 @@ acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl CONNECT method CONNECT
+{% else %}
+{% for name in squid_acl %}
-access_log syslog:daemon.info
+{% for acl in squid_acl[name] %}
+acl {{ name }} {{ acl }}
+{% endfor %}
+{% endfor %}
+{% endif %}
+
+access_log {{ squid_access_log }}
+{% if squid_http_access is not defined %}
 #
 # Recommended minimum Access Permission configuration:
 #
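Review bot: The two variables the template now consults, `squid_acl` and `squid_http_access`, get no entry in this defaults file, and because the template tests them with `is not defined` they cannot be given a value here without permanently disabling the built-in ACLs and rules. That leaves a role user with no place in the role itself that names them or explains the replace-not-extend semantics. A comment next to the new `squid_access_log` line would cover it, e.g. `# squid_acl / squid_http_access: intentionally unset; defining either one replaces the built-in ACL list / access rules entirely.`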
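Review bot: Defining `squid_acl` skips the whole default ACL block, including the `Safe_ports` and `CONNECT` definitions visible in this hunk, but whether the default `http_access` rules are rendered is decided by the separate `squid_http_access` variable. A host that sets only `squid_acl` therefore still receives the default rules, and any default rule that names an ACL which is no longer declared makes Squid refuse the configuration rather than ignore the rule, so the proxy does not start until both variables are set together. Either gate both blocks on a single condition, or state the coupling where it is decided, e.g. `{# squid_acl and squid_http_access must be set together: the default rules below reference the default ACLs #}` beside the `{% if squid_acl is not defined %}` added in the first hunk of this file. The rules block this depends on begins after this hunk.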
@@ -55,6 +65,11 @@ http_access allow localhost
 # And finally deny all other access to this proxy
 http_access deny all
+{% else %}
+{% for rule in squid_http_access %}
+http_access {{ rule }}
+{% endfor %}
+{% endif %}
 # Squid normally listens to port 3128
 http_port 3128
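Review bot: The custom branch emits only the entries of `squid_http_access` and drops the default's terminal `http_access deny all`, so a custom list whose last entry is an allow rule falls back on Squid's implicit default for unmatched requests, which is the opposite of the last rule and would leave the proxy open to any client the listed rules do not match. Consider emitting `http_access deny all` unconditionally after the `{% endfor %}` so custom rule sets are fail-closed regardless of how the list ends, or at least state the requirement in the template, e.g. `{# squid_http_access must end with a deny rule: Squid's fallback for unmatched requests is the opposite of the last rule #}`. The `{% if squid_http_access is not defined %}` this `{% else %}` closes is opened in the previous hunk.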