From 9365fd2dd55e5fc8bb4f5eae78892e0248a6aea5 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 12 Jun 2024 18:52:54 -0500
Subject: [PATCH] gw1: squid: Allow access to FCOS update servers

*unifi2.pyrocufflink.blue*, which is connected to the management network, can only access the Internet via the proxy. In order for Zincati/`rpm-ostree` to automatically update the machine, the proxy needs to allow access to the FCOS update servers.
---
 host_vars/gw1.pyrocufflink.blue/squid.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/host_vars/gw1.pyrocufflink.blue/squid.yml b/host_vars/gw1.pyrocufflink.blue/squid.yml
index 340d876..235fd67 100644
--- a/host_vars/gw1.pyrocufflink.blue/squid.yml
+++ b/host_vars/gw1.pyrocufflink.blue/squid.yml
@@ -12,6 +12,9 @@ squid_acl:
 - 'port 443 # https'
 CONNECT:
 - method CONNECT
+ fcos_updates:
+ - dstdomain updates.coreos.fedoraproject.org
+ - dstdomain ostree.fedoraproject.org
 fedora_repo:
 - dstdomain mirrors.fedoraproject.org
 - dstdomain dl.fedoraproject.org
@@ -27,6 +30,7 @@ squid_http_access:
 - allow localhost manager
 - deny manager
 - deny to_localhost
+- allow localnet fcos_updates
 - allow localnet fedora_repo
 - allow localnet grafana_rpm
 - allow google_fonts
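Review bot: The new `fcos_updates` ACL has no comment recording which client needs it or why, so a later audit of the proxy's egress allowlist has to go back to the commit message; I would add `# Fedora CoreOS updates (Zincati / rpm-ostree); required by unifi2` above the key. Both entries are exact host names with no leading dot, so the match stays on these two hosts and does not extend to subdomains, which is the form worth keeping. If the OSTree mirrorlist directs clients to a content host other than these two names, that download would presumably still be denied, so it is worth checking the proxy's access log after the first update run. The `squid_acl` mapping starts and continues outside the hunk.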
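Review bot: `- allow localnet fcos_updates` opens the two FCOS hosts to every client that matches `localnet`, while the commit message names a single machine on the management network as the one that needs them. If a `src` ACL for that host or network can be defined under `squid_acl`, a narrower rule such as `- allow mgmt_hosts fcos_updates` would keep the allowlist to what is required (`mgmt_hosts` is a placeholder name, not an ACL visible in this patch). The neighbouring rules use the same `localnet` pattern, so this may be a deliberate convention; a one-line comment saying so would settle it for the next reader. The `squid_http_access` list starts and continues outside the hunk, so the rule's position relative to any port or CONNECT restrictions cannot be checked from here.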