configpolicy/host_vars/gw1.pyrocufflink.blue/squid.yml
Dustin C. Hatch 14a7d39e11 gw1/squid: Allow Frigate access to Github API
Frigate uses the Github API to check for new releases.  It then
populates the `update.frigate_server` entity in Home Assistant via MQTT
with the information it retrieved.  If it is unable to access the Github
API, the Home Assistant entity will be marked as "unavailable," which
triggers an alert notification from Home Assistant. Thus, we need to
allow Frigate to access Github if we want to use that entity as an
indicator of whether or not Frigate is connected to the MQTT broker.

I don't want to allow access to the Github API to everything on the
Frigate server, just Frigate itself.  To do that, I've assigned a unique
username and password for Frigate.  Only requests with the proper
`Proxy-Authorization` header will be allowed access.  By providing the
credentials only to the Frigate container, we can ensure no other process
has access.

I think I did this mostly as an exercise; there's no particular reason
to disallow access to the Github API, since it's mostly read-only and
can't really be used to exfiltrate any data (probably?).
2024-08-14 20:26:11 -05:00

squid_auth_param:
  basic:
    program: /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.htpasswd
    children: 1
squid_acl:
  localnet:
    - 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)'
    - 'src 172.16.0.0/12 # RFC 1918 local private network (LAN)'
    - 'src 192.168.0.0/16 # RFC 1918 local private network (LAN)'
    - 'src fc00::/7 # RFC 4193 local private network range'
    - 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
  trusted:
    - src 172.30.0.0/26
    - src 172.30.0.211/32
    - src 172.30.0.214/32
  kubernetes:
    - src 172.30.0.160/28
  unifi_controller:
    - src 172.30.0.242/32
  SSL_ports:
    - port 443
  Safe_ports:
    - 'port 80 # http'
    - 'port 443 # https'
  CONNECT:
    - method CONNECT
  frigate:
    - proxy_auth frigate
  github_api:
    - dstdomain api.github.com
  kickstart:
    - url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$
  fcos_updates:
    - dstdomain d2uk5hbyrobdzx.cloudfront.net
    - dstdomain ostree.fedoraproject.org
    - dstdomain updates.coreos.fedoraproject.org
  fedora_repo:
    - dstdomain codecs.fedoraproject.org
    - dstdomain dl.fedoraproject.org
    - dstdomain fedoraproject-updates-archive.fedoraproject.org
    - dstdomain mirrors.fedoraproject.org
  fedora_copr:
    - dstdomain copr.fedorainfracloud.org
    - dstdomain download.copr.fedorainfracloud.org
  dch_repo:
    - url_regex files.pyrocufflink.blue/yum/.+
  google_fonts:
    - dstdomain fonts.googleapis.com
    - dstdomain fonts.gstatic.com
  grafana_rpm:
    - dstdomain rpm.grafana.com
  stripe_api:
    - dstdomain api.stripe.com
  dockerhub:
    - dstdomain registry-1.docker.io
    - dstdomain docker.io
    - dstdomain auth.docker.io
    - dstdomain production.cloudflare.docker.com
  ghcr:
    - dstdomain ghcr.io
    - dstdomain pkg-containers.githubusercontent.com
  linuxserverio:
    - dstdomain lscr.io
squid_http_access:
  - 'deny !Safe_ports'
  - 'deny CONNECT !SSL_ports'
  - allow localhost manager
  - deny manager
  - deny to_localhost
  - allow localnet fcos_updates
  - allow localnet fedora_repo
  - allow localnet fedora_copr
  - allow localnet grafana_rpm
  - allow google_fonts
  - allow trusted kickstart
  - allow trusted dch_repo
  - allow trusted ghcr
  - allow kubernetes stripe_api
  - allow unifi_controller dockerhub
  - allow unifi_controller ghcr
  - allow trusted frigate github_api
  - deny all
squid_cache_dir:
  - ufs /var/cache/squid 20480 16 256
squid_refresh_pattern:
  - \.{{ ansible_domain|replace('.', '\.') }} 0 0% 0
  - repomd\.xml$ 0 0% 0
  - (vmlinuz|(initrd|squashfs|install)\.img)$ 480 20% 10080
  - \.rpm$ 86400 80% 2592000
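The `allow trusted frigate github_api` line only does what the commit message describes because all three ACLs on it must match at once: the request has to come from a `trusted` source address, carry a `Proxy-Authorization` header that `basic_ncsa_auth` validates as the user `frigate`, and target exactly `api.github.com` (Squid's `dstdomain` without a leading dot is an exact match, so `github.com` is not covered). The following is an added example, not code from this repository or from Squid: a small Python evaluator for the subset of Squid's `http_access` semantics these ACLs use (every ACL on a line must match, `!` negates, first matching line wins), loaded with the ACLs above so the decision for a few constructed requests can be checked offline. It assumes 172.30.0.211 is the Frigate host (one of the page's `trusted` addresses), does not resolve DNS, uses simplified stand-ins for Squid's built-in `manager` and `to_localhost` ACLs, and treats a request without valid credentials as a non-match rather than modelling Squid's 407 challenge.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str                          # client IP as Squid sees it
    host: str                         # destination host (URL host or CONNECT target)
    port: int
    method: str = "GET"
    path: str = "/"
    proxy_user: Optional[str] = None  # user the auth helper validated from Proxy-Authorization


# ACL definitions: a subset of the page's squid_acl, plus simplified stand-ins for
# Squid's built-in ACLs (assumption: the real 'manager'/'to_localhost' are broader).
ACLS = {
    "all": [("all", "")],
    "localhost": [("src", "127.0.0.0/8"), ("src", "::1/128")],
    "to_localhost": [("dst", "127.0.0.0/8"), ("dst", "::1/128")],
    "manager": [("url_regex", r"/squid-internal-mgr/")],
    "localnet": [("src", n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                       "192.168.0.0/16", "fc00::/7", "fe80::/10")],
    "trusted": [("src", n) for n in ("172.30.0.0/26", "172.30.0.211/32", "172.30.0.214/32")],
    "SSL_ports": [("port", "443")],
    "Safe_ports": [("port", "80"), ("port", "443")],
    "CONNECT": [("method", "CONNECT")],
    "frigate": [("proxy_auth", "frigate")],
    "github_api": [("dstdomain", "api.github.com")],
    "fcos_updates": [("dstdomain", d) for d in ("d2uk5hbyrobdzx.cloudfront.net",
                                                "ostree.fedoraproject.org",
                                                "updates.coreos.fedoraproject.org")],
}

# The page's squid_http_access, keeping only the lines whose ACLs are defined above.
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("deny", ["to_localhost"]),
    ("allow", ["localnet", "fcos_updates"]),
    ("allow", ["trusted", "frigate", "github_api"]),
    ("deny", ["all"]),
]


def _in_net(addr: str, net: str) -> bool:
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    except ValueError:
        return False  # not an IP literal (a host name under 'dst'): no DNS here, so no match


def _dstdomain(pattern: str, host: str) -> bool:
    # Squid semantics: a leading '.' matches the domain and all its subdomains;
    # without it only the exact host name matches.
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def _entry_matches(kind: str, arg: str, req: Request) -> bool:
    if kind == "all":
        return True
    if kind == "src":
        return _in_net(req.src, arg)
    if kind == "dst":
        return _in_net(req.host, arg)
    if kind == "port":
        return req.port == int(arg)
    if kind == "method":
        return req.method.upper() == arg.upper()
    if kind == "dstdomain":
        return _dstdomain(arg, req.host)
    if kind == "proxy_auth":
        return req.proxy_user is not None and req.proxy_user == arg
    if kind == "url_regex":
        url = f"{req.host}:{req.port}" if req.method == "CONNECT" else f"http://{req.host}{req.path}"
        return re.search(arg, url) is not None
    raise ValueError(f"unsupported ACL type: {kind}")


def acl_matches(name: str, req: Request) -> bool:
    return any(_entry_matches(k, a, req) for k, a in ACLS[name])  # values within one ACL are ORed


def http_access(req: Request) -> str:
    """Return 'allow' or 'deny' for req under HTTP_ACCESS; the first matching line wins."""
    for action, terms in HTTP_ACCESS:
        for term in terms:
            negate = term.startswith("!")
            if acl_matches(term.lstrip("!"), req) == negate:
                break          # one term failed, so this line does not match
        else:
            return action      # every term on the line matched
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"  # Squid: opposite of the last line


if __name__ == "__main__":
    # Constructed sample requests; 172.30.0.211 is assumed to be the Frigate host.
    gh = dict(host="api.github.com", port=443, method="CONNECT")
    for label, req in [
        ("frigate creds, trusted src", Request("172.30.0.211", proxy_user="frigate", **gh)),
        ("no creds, trusted src", Request("172.30.0.211", **gh)),
        ("frigate creds, untrusted src", Request("172.30.0.99", proxy_user="frigate", **gh)),
        ("frigate creds, github.com", Request("172.30.0.211", "github.com", 443, "CONNECT", proxy_user="frigate")),
    ]:
        print(f"{label}: {http_access(req)}")
```

Only the first constructed request is allowed; a trusted host without the header, the right credentials from a host outside `trusted`, and a request for `github.com` instead of `api.github.com` all fall through to `deny all`. Binding the credential to the `trusted` source ACL matters because Basic authentication sends the password base64-encoded, not encrypted, in every `Proxy-Authorization` header on the plain HTTP hop to Squid: a credential captured on that path is still useless from any other source address.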