gw1/squid: Allow NVR servers access to repos

The Frigate NVR servers, prod & test, need to be able to access Fedora
COPR (for the *gasket-dkms* package) and Github Container Registry (for
Frigate itself).

host_vars/gw1.pyrocufflink.blue/squid.yml

@@ -7,6 +7,8 @@ squid_acl:
     - 'src fe80::/10      	# RFC 4291 link-local (directly plugged) machines'
   trusted:
   - src 172.30.0.0/26
+  - src 172.30.0.211/32
+  - src 172.30.0.214/32
   kubernetes:
   - src 172.30.0.160/28
   unifi_controller:
@@ -29,6 +31,9 @@ squid_acl:
   - dstdomain dl.fedoraproject.org
   - dstdomain fedoraproject-updates-archive.fedoraproject.org
   - dstdomain mirrors.fedoraproject.org
+  fedora_copr:
+  - dstdomain copr.fedorainfracloud.org
+  - dstdomain download.copr.fedorainfracloud.org
   dch_repo:
   - url_regex files.pyrocufflink.blue/yum/.+
   google_fonts:
@@ -43,10 +48,11 @@ squid_acl:
   - dstdomain docker.io
   - dstdomain auth.docker.io
   - dstdomain production.cloudflare.docker.com
-  linuxserverio:
+  ghcr:
-  - dstdomain lscr.io
   - dstdomain ghcr.io
   - dstdomain pkg-containers.githubusercontent.com
+  linuxserverio:
+  - dstdomain lscr.io
 
 squid_http_access:
 - 'deny !Safe_ports'
@@ -56,12 +62,15 @@ squid_http_access:
 - deny to_localhost
 - allow localnet fcos_updates
 - allow localnet fedora_repo
+- allow localnet fedora_copr
 - allow localnet grafana_rpm
 - allow google_fonts
 - allow trusted kickstart
 - allow trusted dch_repo
+- allow trusted ghcr
 - allow kubernetes stripe_api
 - allow unifi_controller dockerhub
+- allow unifi_controller ghcr
 - allow unifi_controller linuxserverio
 - deny all