configpolicy/host_vars/gw1.pyrocufflink.blue/squid.yml
Dustin C. Hatch 2d53fe6acd gw1/squid: Allow pxe.p.b via HTTPS
Now that Kickstart files are hosted on _pxe.pyrocufflink.blue_, we can
allow access to that entire (sub-)domain, enabling clients to fetch the
files over HTTPS.  Previously, this was not possible because in order to
allow access to Kickstart files but nothing else on Gitea, we had to
rely on full URL matching.
2025-11-16 16:49:15 -06:00


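---
# Squid settings for gw1.pyrocufflink.blue (Ansible host_vars).
# Every `squid_*` value below is a squid.conf directive argument written
# as a literal string; the consuming role is presumed to render them
# verbatim, so nothing here is a YAML structure squid understands.

squid_auth_param:
  basic:
    # Basic auth backed by an htpasswd file; referenced by the `frigate`
    # proxy_auth ACL further down.
    program: /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.htpasswd
    children: 1

# ACL definitions.  Entries that carry a trailing `# …` are single-quoted
# so YAML keeps the text instead of dropping it as a YAML comment; squid
# treats the trailing `#` as its own comment syntax.
squid_acl:
  localnet:
    - 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)'
    - 'src 172.16.0.0/12 # RFC 1918 local private network (LAN)'
    - 'src 192.168.0.0/16 # RFC 1918 local private network (LAN)'
    - 'src fc00::/7 # RFC 4193 local private network range'
    - 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
  # Hosts allowed to reach the internal services (kickstart, pxe, repos,
  # gitea, ghcr) on top of the `localnet` baseline.
  trusted:
    - src 172.30.0.0/26
    - src 172.30.0.160/27
    - src 172.30.0.211/32
    - src 172.30.0.214/32
    - src 172.31.1.0/24
  # NOTE(review): this range is also inside trusted (172.30.0.160/27);
  # kubernetes additionally gets stripe_api.
  kubernetes:
    - src 172.30.0.160/28
  unifi_controller:
    - src 172.30.0.242/32
    - src 172.30.0.251/32
  SSL_ports:
    - port 443
  Safe_ports:
    - 'port 80 # http'
    - 'port 443 # https'
  CONNECT:
    - method CONNECT
  frigate:
    - proxy_auth frigate
  github_api:
    - dstdomain api.github.com
  kickstart:
    # url_regex is matched against the whole request URL, so the pattern is
    # anchored to the scheme and host and the dots are escaped.  Without
    # the anchor the same text appearing in the path of a URL on any other
    # host would also satisfy the ACL.
    - url_regex ^https?://rosalina\.pyrocufflink\.blue/~dustin/kickstart/.*\.ks$
    - url_regex ^https?://git\.pyrocufflink\.net/infra/kickstart/raw/.*/.*\.ks$
  # Whole-domain match so Kickstart files on pxe can be fetched over HTTPS
  # (CONNECT carries no path, so a url_regex cannot express that).
  pxe:
    - dstdomain pxe.pyrocufflink.blue
  fcos_updates:
    - dstdomain d2uk5hbyrobdzx.cloudfront.net
    - dstdomain ostree.fedoraproject.org
    - dstdomain updates.coreos.fedoraproject.org
  fedora_repo:
    - dstdomain codecs.fedoraproject.org
    - dstdomain dl.fedoraproject.org
    - dstdomain fedoraproject-updates-archive.fedoraproject.org
    - dstdomain mirrors.fedoraproject.org
  fedora_copr:
    - dstdomain copr.fedorainfracloud.org
    - dstdomain download.copr.fedorainfracloud.org
  dch_repo:
    # Anchored for the same reason as `kickstart` above.
    - url_regex ^https?://files\.pyrocufflink\.blue/yum/.+
  google_fonts:
    - dstdomain fonts.googleapis.com
    - dstdomain fonts.gstatic.com
  grafana_rpm:
    - dstdomain rpm.grafana.com
  stripe_api:
    - dstdomain api.stripe.com
  dockerhub:
    - dstdomain registry-1.docker.io
    - dstdomain docker.io
    - dstdomain auth.docker.io
    - dstdomain production.cloudflare.docker.com
  ghcr:
    - dstdomain ghcr.io
    - dstdomain pkg-containers.githubusercontent.com
  linuxserverio:
    - dstdomain lscr.io
  gitea:
    - dstdomain git.pyrocufflink.blue
    - dstdomain git.pyrocufflink.net

# http_access rules, evaluated top to bottom; first match wins and the
# final `deny all` is the default.  `localhost`, `to_localhost`, `manager`
# and `all` are squid's built-in ACLs.  The first two lines are quoted
# because `!` is a YAML tag indicator when it starts a value.
squid_http_access:
  - 'deny !Safe_ports'
  - 'deny CONNECT !SSL_ports'
  - allow localhost manager
  - deny manager
  - deny to_localhost
  - allow localnet fcos_updates
  - allow localnet fedora_repo
  - allow localnet fedora_copr
  - allow localnet grafana_rpm
  # No source ACL: any client may fetch Google Fonts.
  - allow google_fonts
  - allow trusted kickstart
  - allow trusted pxe
  - allow trusted dch_repo
  - allow trusted ghcr
  - allow trusted gitea
  - allow kubernetes stripe_api
  - allow unifi_controller dockerhub
  - allow unifi_controller ghcr
  - allow unifi_controller linuxserverio
  - allow unifi_controller gitea
  - allow unifi_controller fedora_repo
  - allow unifi_controller dch_repo
  - allow unifi_controller grafana_rpm
  # github_api requires both a trusted source and basic-auth user "frigate".
  - allow trusted frigate github_api
  - deny all

squid_cache_dir:
  - ufs /var/cache/squid 20480 16 256

# refresh_pattern: regex, min minutes, percent, max minutes.  Local-domain
# objects and repo metadata are never cached; installer images and RPMs
# are cached long-term.  The first entry is a Jinja expression expanded by
# Ansible before squid sees it.
squid_refresh_pattern:
  - \.{{ ansible_domain|replace('.', '\.') }} 0 0% 0
  - repomd\.xml$ 0 0% 0
  - (vmlinuz|(initrd|squashfs|install)\.img)$ 480 20% 10080
  - \.rpm$ 86400 80% 2592000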