gw1: squid: Cache RPMs and installer images

Installing Fedora on a bunch of machines, simultaneously or in rapid
succession, can be painfully slow, as several large files need to be
downloaded.  To speed this up, we download those files via the proxy and
cache them on the proxy server.

As a side-effect, the proxy needs to allow access to the Kickstart
"server" (i.e. my workstation, at least for now), since Anaconda will
use the configured proxy for everything it downloads.
2024-06-12 18:54:29 -05:00
parent 9365fd2dd5
commit 1babedaf55

@@ -5,6 +5,8 @@ squid_acl:
- 'src 192.168.0.0/16 # RFC 1918 local private network (LAN)'
- 'src fc00::/7 # RFC 4193 local private network range'
- 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
trusted:
- src 172.30.0.0/26
SSL_ports:
- port 443
Safe_ports:
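Review bot: The new `trusted` entry `src 172.30.0.0/26` has no trailing comment, while the `src` entries just above it each say what the range is (RFC 1918 LAN, RFC 4193, link-local). This ACL is what the later `allow trusted kickstart` rule relies on, so add a comment naming the network this /26 covers, so that a later reader can tell whether the range is still correct.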
@@ -12,6 +14,8 @@ squid_acl:
- 'port 443 # https'
CONNECT:
- method CONNECT
kickstart:
- url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$
fcos_updates:
- dstdomain updates.coreos.fedoraproject.org
- dstdomain ostree.fedoraproject.org
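Review bot: The `kickstart` `url_regex` is not anchored at the start and leaves the dots in the host name unescaped, so it matches any URL that merely contains this string, including one on a different host that carries it in its path or query. Since the ACL is used in an `allow` rule, anchor it to the scheme and host, for example `^https?://rosalina\.pyrocufflink\.blue/~dustin/kickstart/.*\.ks$`, or split it into a `dstdomain` ACL for the host plus a `urlpath_regex` ACL for the `.ks` path.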
@@ -34,6 +38,14 @@ squid_http_access:
- allow localnet fedora_repo
- allow localnet grafana_rpm
- allow google_fonts
- allow trusted kickstart
- deny all
squid_cache_dir: []
squid_cache_dir:
- ufs /var/cache/squid 20480 16 256
squid_refresh_pattern:
- \.{{ ansible_domain|replace('.', '\.') }} 0 0% 0
- repomd\.xml$ 0 0% 0
- (vmlinuz|(initrd|squashfs|install)\.img)$ 480 20% 10080
- \.rpm$ 86400 80% 2592000
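Review bot: In `squid_refresh_pattern`, the `\.rpm$` line uses 86400 and 2592000 for min and max, which look like one day and thirty days expressed in seconds, but Squid reads both fields in minutes (the installer-image line above it, with 480 and 10080, is consistent with minutes), so this gives 60 days and 1800 days. If one day and thirty days were intended, use `\.rpm$ 1440 80% 43200`; if the long lifetimes are deliberate, a comment saying so would help. Also, nothing in this hunk raises `maximum_object_size`, so unless it is set elsewhere, the installer images and larger RPMs that the new `cache_dir` is meant to hold may be too large to be stored.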