hosts: Add proxy0.pyrocufflink.blue

As its name suggests, *proxy0.pyrocufflink.blue* acts as an HTTP proxy
server running Squid.

host_vars/smtp0.pyrocufflink.blue.yml

@@ -1,18 +0,0 @@
-smtp_username: smtp0.pyrocufflink.blue
-smtp_password: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  33386638353966306566646636636663316163306638303264316231313436323463393763323431
-  6633316165656631663066633737396263653636383635320a396135646461643431323162633539
-  39643537633863313763623833373764663634333530666262646435313632666630653465363864
-  3062363365313562330a643935303366313534306138383536613333656537386634653634383434
-  63306339336265343830646137616238666131613433313164613238643737626330663132636134
-  6662653137643063393161653765633736663964366131626461
-smtp_inet_interfaces: all
-# TODO: Dynamically calculate these
-smtp_mynetworks:
-- 172.30.0.0/26
-- 172.31.0.0/27
-- '[fd99:8cd7:6528:fe1e::]/64'
-- '[fd99:8cd7:6528::]/64'
-- '[2605:6000:3ccd:da1e::]/64'
-- '[2605:6000:3ccd:da01::]/64'

host_vars/smtp1.pyrocufflink.blue/main.yml

@@ -0,0 +1,11 @@
+smtp_username: '{{ ansible_fqdn }}'
+smtp_password: '{{ vault_smtp_password }}'
+smtp_inet_interfaces: all
+# TODO: Dynamically calculate these
+smtp_mynetworks:
+- 172.30.0.0/26
+- 172.31.0.0/27
+- '[fd99:8cd7:6528:fe1e::]/64'
+- '[fd99:8cd7:6528::]/64'
+- '[2605:6000:3ccd:da1e::]/64'
+- '[2605:6000:3ccd:da01::]/64'

host_vars/smtp1.pyrocufflink.blue/vault

@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+39323632366639663466613963386638626664323666616164353365376630333035383236663061
+6437376261363436633431393766333837633161623032300a366132393366396463333136663863
+66396439663734393837366461346138636530363366303562646262313931626632326531666433
+3338316133623739350a633333656366393935363834366633326239346332333664353537373664
+61353437653263666261613033663532363939396332666265656138643664363436646138343734
+32356134353034623161353533336635306162353939666437636637356235363861626430653738
+633661656535353137373233666566313238

hosts

@@ -71,8 +71,9 @@ file0.pyrocufflink.blue
 git0.pyrocufflink.blue
 jenkins0.pyrocufflink.blue
 koji0.pyrocufflink.blue
+proxy0.pyrocufflink.blue
 rprx0.pyrocufflink.blue
-smtp0.pyrocufflink.blue
+smtp1.pyrocufflink.blue
 vmhost0.pyrocufflink.blue
 web0.pyrocufflink.blue
 zbx0.pyrocufflink.blue
@@ -91,11 +92,14 @@ dc0.pyrocufflink.blue
 dc1.pyrocufflink.blue
 
 [smtp-relay]
-smtp0.pyrocufflink.blue
+smtp1.pyrocufflink.blue
 
 [smtp-relay:children]
 zabbix-server
 
+[squid]
+proxy0.pyrocufflink.blue
+
 [zabbix-server]
 zbx0.pyrocufflink.blue
 

roles/squid/defaults/main.yml

@@ -0,0 +1,7 @@
+squid_max_object_size: 4096 MB
+squid_cache_replacement_policy: heap LFUDA
+squid_cache_dir_type: aufs
+squid_cache_dir: /var/cache/squid
+squid_cache_dir_max_size: 51200
+squid_cache_dir_l1: 16
+squid_cache_dir_l2: 256

roles/squid/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: reload squid
+  service:
+    name=squid
+    state=reloaded
+- name: save firewalld configuration
+  command: firewall-cmd --runtime-to-permanent

roles/squid/tasks/main.yml

@@ -0,0 +1,48 @@
+- name: ensure squid is installed
+  package:
+    name=squid
+    state=present
+  tags:
+  - install
+
+- name: ensure squid cache dir exists
+  file:
+    path={{ squid_cache_dir }}
+    owner=squid
+    group=squid
+    mode=0750
+    setype=squid_cache_t
+    state=directory
+
+- name: ensure squid is configured
+  template:
+    src=squid.conf.j2
+    dest=/etc/squid/squid.conf
+    mode=0640
+    owner=root
+    group=squid
+    setype=squid_conf_t
+  notify: reload squid
+
+- name: ensure squid cache directory exists
+  command:
+    /usr/sbin/squid -N -z -F -f /etc/squid/squid.conf
+    creates={{ squid_cache_dir }}/00
+
+- meta: flush_handlers
+- name: ensure squid service starts at boot
+  service:
+    name=squid
+    enabled=yes
+- name: ensure squid is running
+  service:
+    name=squid
+    state=started
+
+- name: ensure proxy is allowed through firewall
+  firewalld:
+    port=3128/tcp
+    permanent=no
+    immediate=yes
+    state=enabled
+  notify: save firewalld configuration

roles/squid/templates/squid.conf.j2

@@ -0,0 +1,81 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
+acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
+acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
+acl localnet src fc00::/7       # RFC 4193 local private network range
+acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80		# http
+acl Safe_ports port 21		# ftp
+acl Safe_ports port 443		# https
+acl Safe_ports port 70		# gopher
+acl Safe_ports port 210		# wais
+acl Safe_ports port 1025-65535	# unregistered ports
+acl Safe_ports port 280		# http-mgmt
+acl Safe_ports port 488		# gss-http
+acl Safe_ports port 591		# filemaker
+acl Safe_ports port 777		# multiling http
+acl CONNECT method CONNECT
+
+access_log syslog:daemon.info
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+maximum_object_size {{ squid_max_object_size }}
+cache_replacement_policy {{ squid_cache_replacement_policy }}
+
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir {{ squid_cache_dir_type }} {{ squid_cache_dir }} {{ squid_cache_dir_max_size }} {{ squid_cache_dir_l1 }} {{ squid_cache_dir_l2 }}
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# Never cache objects from internal servers
+refresh_pattern \.{{ ansible_domain|replace('.', '\\.') }}	0	0%	0
+# Never cache Yum repository metadata files
+refresh_pattern repomd.xml	0	0%	0
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320

roles/ssh-hostkeys/files/ssh_known_hosts

@@ -52,3 +52,9 @@ koji0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsxeHFHrDxfPSrX0xFy
 burp0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGw4fDPocAgCyZbCzc1vV/cwUc8nOMuDB3bMM7t3pI1ju8HZqyRydfxa1ZpbeS2kK/UEuiyHm3c6H8kqN8IbZ3o=
 burp0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxxSpmOyn7xfiF/imUefpXIVhAy9wfi/LCFGTgMJY5oapyrH0ADuqgsBb8rdys3kR4pzAjdpfHND9F+Xo1FSlzQ9JvzJoij3jTiW5o1DIjBBzAwkSZcbTARj1eOf5Yr/K28pZLGDiiDT52VWwtmxMmcFCKoOEyuXMIUYPBGU0/JBylS7ZkFs9RO0IDct5/TumSeeqYJ6jhcYNZ8zY0KlvD4tVxtJ2gGxEAWNCBGGtm4I/JUvHn4STVoex5H75hLYJjUqjBMD37+cYVl084DACGmLeWfSJ96E6n9q931XnCpOSY8sziZAJ+IhwOtdQ88SA2y9SdahosbSW50mJvESrT
 burp0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzjKUePu8mb1c+Vry5x0zuFd0vWTR+gnh011QMtkjQt
+smtp1.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEl6BGcP1jduWmbZpr74JgpwUVqTrO7xP1AuAUoVTBcUkUd7bI5mLSdtJw6kye/HXxIda7YtwNHf28Mxajb0B24=
+smtp1.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsPAhJA+iUJW3vtUEujSZKRCavblfAxYHukDPgvzW4+jaWzQkok9LifZMcMQNLRr2Yw3jo9vyxqvF2d/ptRJnk/dNdvfx9FCKLD9K4xywRqlxaJ/g4joOikPTC75XDiwNv+LHFLaB4PyQ8nmMeu2TzDBvKAXgOIwjdySQXsdDyECdyJ76vHaUjI42T5pHJHIojahfSSAmOqEZdp9x7gpo/KGwcgXxesJ8mFJTjGE5SfEoYXekwxfFmnB+mKSiB80kh9jhjkHioRGz/138/JwBPU1wp4S+PYKHIlYb92RdEo/RUqpiYQTiEckB8KJAwBIUVHwJ5dO745ylLnLBCMX8f
+smtp1.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtM5xa8DfADYSduknSLopT1wo14MTqEi7C/z2jgGXx2
+proxy0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNv1c4zTK1ccZr/P7CSMJCryGqoDwehGRPQLJOj07WA5lEPUWtpLRYxFUv7WrMkgIbphjiaOmZdC48tOoPUo4h89qWc8Qkv0NBbFqYsfpYSZGwuTCdR0mYB5c3D+O2E4kA80iw/Ba6mQZGOkmQ1W55tB0VC0w+zf2Z+4bsbHqn7/fYcYyyzNPRtl5etwrQ0XtVjOPdphv6fEypPbZMgpHhHlH24rLfs8lEnQNzU6eGuBoeSG2TQmC3cqp2zOH04s5XPbHgBVCJpTBwfWfKLN4t52YfI7WBpBpjzbhfeX13/9Ji3lY2HfMCq3jYQgoEVVTlg044vMM3azpFMAMjT9+R
+proxy0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJYHAPVZ/doCszO1GL6nMTvdJO5ASv38eyRUIwhxhIhJJgbkFI5bbGdg9Kr10u0wWU5jEjhNiT4fg6QFFZAOLVM=
+proxy0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfsGYZVyo0LHLYiXt28FGmcRSA9RGWG63+xPzIrdFDI

squid.yml

@@ -0,0 +1,3 @@
+- hosts: squid
+  roles:
+  - squid