configpolicy/host_vars/gw1.pyrocufflink.blue/squid.yml
Dustin C. Hatch 6359a140ac gw1/squid: Allow proxy access from kube network
Since we use the proxy when PXE booting to speed up Live OS image and
RPM package downloads, we need to allow machines using it to access the
kickstart files which are now hosted on the PXE server.  Virtual
machines on the Kubernetes network (_pyrocufflink.black_) also need
access to those kickstarts, so we need to mark that subnet as trusted.
2025-07-12 16:45:47 -05:00


# Proxy authentication: HTTP Basic, checked against an htpasswd file.
# The "frigate" proxy_auth ACL in squid_acl relies on this helper.
squid_auth_param:
  basic:
    # NOTE(review): Basic credentials travel base64-encoded, not encrypted,
    # so this is only as safe as the client-to-proxy network path.
    program: /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.htpasswd
    # Number of authentication helper processes to keep running.
    children: 1
# Named ACLs. Each key becomes an ACL name; each list entry is an
# "<acltype> <arguments>" definition for that name.
# The built-in names used in squid_http_access (localhost, to_localhost,
# manager, all) are not defined here — presumably Squid's predefined ACLs.
squid_acl:
  # Source networks: RFC 1918, RFC 4193 and link-local ranges. Quoted because
  # the trailing " # ..." annotation would otherwise be read as a YAML comment.
  localnet:
    - 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)'
    - 'src 172.16.0.0/12 # RFC 1918 local private network (LAN)'
    - 'src 192.168.0.0/16 # RFC 1918 local private network (LAN)'
    - 'src fc00::/7 # RFC 4193 local private network range'
    - 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
  # Sources allowed to reach kickstarts, the local yum repo, ghcr and gitea.
  trusted:
    - src 172.30.0.0/26
    # Kubernetes network (see commit message). The narrower "kubernetes" ACL
    # below (172.30.0.160/28) is a subset of this range, so anything granted
    # to "trusted" is also granted to those hosts.
    - src 172.30.0.160/27
    - src 172.30.0.211/32
    - src 172.30.0.214/32
    - src 172.31.1.0/24
  kubernetes:
    - src 172.30.0.160/28
  unifi_controller:
    - src 172.30.0.242/32
    - src 172.30.0.251/32
  # Destination ports; used by the "deny CONNECT !SSL_ports" rule.
  SSL_ports:
    - port 443
  # Quoted for the inline " # " annotations.
  Safe_ports:
    - 'port 80 # http'
    - 'port 443 # https'
  CONNECT:
    - method CONNECT
  # proxy_auth with a username: only requests authenticated as that user
  # (via the squid_auth_param helper) match.
  frigate:
    - proxy_auth frigate
  github_api:
    - dstdomain api.github.com
  # NOTE(review): these url_regex patterns are anchored only at the end ($).
  # Squid matches url_regex against the whole request URL, so a URL that
  # merely contains one of these host/path strings elsewhere would also
  # match. Consider anchoring with a "^<scheme>://" prefix or pairing the
  # rule with a dstdomain ACL. The same applies to "dch_repo" below.
  kickstart:
    - url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$
    - url_regex git.pyrocufflink.net/infra/kickstart/raw/.*/.*\.ks$
    - url_regex pxe.pyrocufflink.blue/kickstart/.*/.*\.ks$
  # Fedora CoreOS update endpoints.
  fcos_updates:
    - dstdomain d2uk5hbyrobdzx.cloudfront.net
    - dstdomain ostree.fedoraproject.org
    - dstdomain updates.coreos.fedoraproject.org
  fedora_repo:
    - dstdomain codecs.fedoraproject.org
    - dstdomain dl.fedoraproject.org
    - dstdomain fedoraproject-updates-archive.fedoraproject.org
    - dstdomain mirrors.fedoraproject.org
  fedora_copr:
    - dstdomain copr.fedorainfracloud.org
    - dstdomain download.copr.fedorainfracloud.org
  # Local yum repository (unanchored url_regex — see note on "kickstart").
  dch_repo:
    - url_regex files.pyrocufflink.blue/yum/.+
  google_fonts:
    - dstdomain fonts.googleapis.com
    - dstdomain fonts.gstatic.com
  grafana_rpm:
    - dstdomain rpm.grafana.com
  stripe_api:
    - dstdomain api.stripe.com
  # Container registries.
  dockerhub:
    - dstdomain registry-1.docker.io
    - dstdomain docker.io
    - dstdomain auth.docker.io
    - dstdomain production.cloudflare.docker.com
  ghcr:
    - dstdomain ghcr.io
    - dstdomain pkg-containers.githubusercontent.com
  linuxserverio:
    - dstdomain lscr.io
  gitea:
    - dstdomain git.pyrocufflink.blue
    - dstdomain git.pyrocufflink.net
# Access rules, evaluated top to bottom; Squid applies the first rule whose
# ACLs all match, so order matters. Every rule below names ACLs from
# squid_acl plus Squid's built-in localhost/to_localhost/manager/all.
squid_http_access:
  # Quoted because a leading "!" in a plain scalar is a YAML tag indicator.
  - 'deny !Safe_ports'
  - 'deny CONNECT !SSL_ports'
  # Cache manager interface: local only.
  - allow localhost manager
  - deny manager
  - deny to_localhost
  # Package and OS update sources for the whole LAN.
  - allow localnet fcos_updates
  - allow localnet fedora_repo
  - allow localnet fedora_copr
  - allow localnet grafana_rpm
  # NOTE(review): the only rule without a source ACL. Any client that can
  # reach the proxy port may fetch these domains; if that is not intended,
  # scope it like the others (e.g. "allow localnet google_fonts").
  - allow google_fonts
  # PXE/kickstart, local repo and registries for trusted sources
  # (which include the kubernetes subnet).
  - allow trusted kickstart
  - allow trusted dch_repo
  - allow trusted ghcr
  - allow trusted gitea
  - allow kubernetes stripe_api
  - allow unifi_controller dockerhub
  - allow unifi_controller ghcr
  - allow unifi_controller linuxserverio
  - allow unifi_controller gitea
  - allow unifi_controller fedora_repo
  - allow unifi_controller dch_repo
  - allow unifi_controller grafana_rpm
  # Requires both a trusted source and authentication as user "frigate".
  - allow trusted frigate github_api
  # Default deny; keep last.
  - deny all
# On-disk cache. Squid cache_dir arguments: <type> <directory> <size-MB> <L1> <L2>.
squid_cache_dir:
  - ufs /var/cache/squid 20480 16 256
# Cache freshness rules, evaluated in order. Squid refresh_pattern arguments:
# <regex> <min-minutes> <percent> <max-minutes>.
squid_refresh_pattern:
  # Never cache anything under this host's own DNS domain; the Jinja replace
  # escapes the dots so the domain is matched literally in the regex.
  - \.{{ ansible_domain|replace('.', '\.') }} 0 0% 0
  # Repository metadata must always be fetched fresh.
  - repomd\.xml$ 0 0% 0
  # PXE boot artefacts: kept for 8h minimum, up to 7 days.
  - (vmlinuz|(initrd|squashfs|install)\.img)$ 480 20% 10080
  # RPM packages: kept for 1 day minimum, up to 30 days.
  - \.rpm$ 86400 80% 2592000