Compare commits
4 Commits
76b7db421c
...
26f3637bfa
| Author | SHA1 | Date |
|---|---|---|
 Dustin
|
26f3637bfa | |
|
Dustin
|
b86ecb99fd | |
|
Dustin
|
00b04179b1 | |
|
Dustin
|
72b148bd0e |
|
|
@ -1,18 +0,0 @@
|
|||
smtp_username: smtp0.pyrocufflink.blue
|
||||
smtp_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33386638353966306566646636636663316163306638303264316231313436323463393763323431
|
||||
6633316165656631663066633737396263653636383635320a396135646461643431323162633539
|
||||
39643537633863313763623833373764663634333530666262646435313632666630653465363864
|
||||
3062363365313562330a643935303366313534306138383536613333656537386634653634383434
|
||||
63306339336265343830646137616238666131613433313164613238643737626330663132636134
|
||||
6662653137643063393161653765633736663964366131626461
|
||||
smtp_inet_interfaces: all
|
||||
# TODO: Dynamically calculate these
|
||||
smtp_mynetworks:
|
||||
- 172.30.0.0/26
|
||||
- 172.31.0.0/27
|
||||
- '[fd99:8cd7:6528:fe1e::]/64'
|
||||
- '[fd99:8cd7:6528::]/64'
|
||||
- '[2605:6000:3ccd:da1e::]/64'
|
||||
- '[2605:6000:3ccd:da01::]/64'
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
smtp_username: '{{ ansible_fqdn }}'
|
||||
smtp_password: '{{ vault_smtp_password }}'
|
||||
smtp_inet_interfaces: all
|
||||
# TODO: Dynamically calculate these
|
||||
smtp_mynetworks:
|
||||
- 172.30.0.0/26
|
||||
- 172.31.0.0/27
|
||||
- '[fd99:8cd7:6528:fe1e::]/64'
|
||||
- '[fd99:8cd7:6528::]/64'
|
||||
- '[2605:6000:3ccd:da1e::]/64'
|
||||
- '[2605:6000:3ccd:da01::]/64'
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39323632366639663466613963386638626664323666616164353365376630333035383236663061
|
||||
6437376261363436633431393766333837633161623032300a366132393366396463333136663863
|
||||
66396439663734393837366461346138636530363366303562646262313931626632326531666433
|
||||
3338316133623739350a633333656366393935363834366633326239346332333664353537373664
|
||||
61353437653263666261613033663532363939396332666265656138643664363436646138343734
|
||||
32356134353034623161353533336635306162353939666437636637356235363861626430653738
|
||||
633661656535353137373233666566313238
|
||||
8
hosts
8
hosts
|
|
@ -71,8 +71,9 @@ file0.pyrocufflink.blue
|
|||
git0.pyrocufflink.blue
|
||||
jenkins0.pyrocufflink.blue
|
||||
koji0.pyrocufflink.blue
|
||||
proxy0.pyrocufflink.blue
|
||||
rprx0.pyrocufflink.blue
|
||||
smtp0.pyrocufflink.blue
|
||||
smtp1.pyrocufflink.blue
|
||||
vmhost0.pyrocufflink.blue
|
||||
web0.pyrocufflink.blue
|
||||
zbx0.pyrocufflink.blue
|
||||
|
|
@ -91,11 +92,14 @@ dc0.pyrocufflink.blue
|
|||
dc1.pyrocufflink.blue
|
||||
|
||||
[smtp-relay]
|
||||
smtp0.pyrocufflink.blue
|
||||
smtp1.pyrocufflink.blue
|
||||
|
||||
[smtp-relay:children]
|
||||
zabbix-server
|
||||
|
||||
[squid]
|
||||
proxy0.pyrocufflink.blue
|
||||
|
||||
[zabbix-server]
|
||||
zbx0.pyrocufflink.blue
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
squid_max_object_size: 4096 MB
|
||||
squid_cache_replacement_policy: heap LFUDA
|
||||
squid_cache_dir_type: aufs
|
||||
squid_cache_dir: /var/cache/squid
|
||||
squid_cache_dir_max_size: 51200
|
||||
squid_cache_dir_l1: 16
|
||||
squid_cache_dir_l2: 256
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
- name: reload squid
|
||||
service:
|
||||
name=squid
|
||||
state=reloaded
|
||||
- name: save firewalld configuration
|
||||
command: firewall-cmd --runtime-to-permanent
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
- name: ensure squid is installed
|
||||
package:
|
||||
name=squid
|
||||
state=present
|
||||
tags:
|
||||
- install
|
||||
|
||||
- name: ensure squid cache dir exists
|
||||
file:
|
||||
path={{ squid_cache_dir }}
|
||||
owner=squid
|
||||
group=squid
|
||||
mode=0750
|
||||
setype=squid_cache_t
|
||||
state=directory
|
||||
|
||||
- name: ensure squid is configured
|
||||
template:
|
||||
src=squid.conf.j2
|
||||
dest=/etc/squid/squid.conf
|
||||
mode=0640
|
||||
owner=root
|
||||
group=squid
|
||||
setype=squid_conf_t
|
||||
notify: reload squid
|
||||
|
||||
- name: ensure squid cache directory exists
|
||||
command:
|
||||
/usr/sbin/squid -N -z -F -f /etc/squid/squid.conf
|
||||
creates={{ squid_cache_dir }}/00
|
||||
|
||||
- meta: flush_handlers
|
||||
- name: ensure squid service starts at boot
|
||||
service:
|
||||
name=squid
|
||||
enabled=yes
|
||||
- name: ensure squid is running
|
||||
service:
|
||||
name=squid
|
||||
state=started
|
||||
|
||||
- name: ensure proxy is allowed through firewall
|
||||
firewalld:
|
||||
port=3128/tcp
|
||||
permanent=no
|
||||
immediate=yes
|
||||
state=enabled
|
||||
notify: save firewalld configuration
|
||||
|
|
@ -0,0 +1,81 @@
|
|||
#
|
||||
# Recommended minimum configuration:
|
||||
#
|
||||
|
||||
# Example rule allowing access from your local networks.
|
||||
# Adapt to list your (internal) IP networks from where browsing
|
||||
# should be allowed
|
||||
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
|
||||
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
|
||||
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
|
||||
acl localnet src fc00::/7 # RFC 4193 local private network range
|
||||
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
|
||||
|
||||
acl SSL_ports port 443
|
||||
acl Safe_ports port 80 # http
|
||||
acl Safe_ports port 21 # ftp
|
||||
acl Safe_ports port 443 # https
|
||||
acl Safe_ports port 70 # gopher
|
||||
acl Safe_ports port 210 # wais
|
||||
acl Safe_ports port 1025-65535 # unregistered ports
|
||||
acl Safe_ports port 280 # http-mgmt
|
||||
acl Safe_ports port 488 # gss-http
|
||||
acl Safe_ports port 591 # filemaker
|
||||
acl Safe_ports port 777 # multiling http
|
||||
acl CONNECT method CONNECT
|
||||
|
||||
access_log syslog:daemon.info
|
||||
#
|
||||
# Recommended minimum Access Permission configuration:
|
||||
#
|
||||
# Deny requests to certain unsafe ports
|
||||
http_access deny !Safe_ports
|
||||
|
||||
# Deny CONNECT to other than secure SSL ports
|
||||
http_access deny CONNECT !SSL_ports
|
||||
|
||||
# Only allow cachemgr access from localhost
|
||||
http_access allow localhost manager
|
||||
http_access deny manager
|
||||
|
||||
# We strongly recommend the following be uncommented to protect innocent
|
||||
# web applications running on the proxy server who think the only
|
||||
# one who can access services on "localhost" is a local user
|
||||
#http_access deny to_localhost
|
||||
|
||||
#
|
||||
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
|
||||
#
|
||||
|
||||
# Example rule allowing access from your local networks.
|
||||
# Adapt localnet in the ACL section to list your (internal) IP networks
|
||||
# from where browsing should be allowed
|
||||
http_access allow localnet
|
||||
http_access allow localhost
|
||||
|
||||
# And finally deny all other access to this proxy
|
||||
http_access deny all
|
||||
|
||||
# Squid normally listens to port 3128
|
||||
http_port 3128
|
||||
|
||||
maximum_object_size {{ squid_max_object_size }}
|
||||
cache_replacement_policy {{ squid_cache_replacement_policy }}
|
||||
|
||||
# Uncomment and adjust the following to add a disk cache directory.
|
||||
cache_dir {{ squid_cache_dir_type }} {{ squid_cache_dir }} {{ squid_cache_dir_max_size }} {{ squid_cache_dir_l1 }} {{ squid_cache_dir_l2 }}
|
||||
|
||||
# Leave coredumps in the first cache dir
|
||||
coredump_dir /var/spool/squid
|
||||
|
||||
# Never cache objects from internal servers
|
||||
refresh_pattern \.{{ ansible_domain|replace('.', '\\.') }} 0 0% 0
|
||||
# Never cache Yum repository metadata files
|
||||
refresh_pattern repomd.xml 0 0% 0
|
||||
#
|
||||
# Add any of your own refresh_pattern entries above these.
|
||||
#
|
||||
refresh_pattern ^ftp: 1440 20% 10080
|
||||
refresh_pattern ^gopher: 1440 0% 1440
|
||||
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
|
||||
refresh_pattern . 0 20% 4320
|
||||
|
|
@ -52,3 +52,9 @@ koji0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsxeHFHrDxfPSrX0xFy
|
|||
burp0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGw4fDPocAgCyZbCzc1vV/cwUc8nOMuDB3bMM7t3pI1ju8HZqyRydfxa1ZpbeS2kK/UEuiyHm3c6H8kqN8IbZ3o=
|
||||
burp0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxxSpmOyn7xfiF/imUefpXIVhAy9wfi/LCFGTgMJY5oapyrH0ADuqgsBb8rdys3kR4pzAjdpfHND9F+Xo1FSlzQ9JvzJoij3jTiW5o1DIjBBzAwkSZcbTARj1eOf5Yr/K28pZLGDiiDT52VWwtmxMmcFCKoOEyuXMIUYPBGU0/JBylS7ZkFs9RO0IDct5/TumSeeqYJ6jhcYNZ8zY0KlvD4tVxtJ2gGxEAWNCBGGtm4I/JUvHn4STVoex5H75hLYJjUqjBMD37+cYVl084DACGmLeWfSJ96E6n9q931XnCpOSY8sziZAJ+IhwOtdQ88SA2y9SdahosbSW50mJvESrT
|
||||
burp0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzjKUePu8mb1c+Vry5x0zuFd0vWTR+gnh011QMtkjQt
|
||||
smtp1.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEl6BGcP1jduWmbZpr74JgpwUVqTrO7xP1AuAUoVTBcUkUd7bI5mLSdtJw6kye/HXxIda7YtwNHf28Mxajb0B24=
|
||||
smtp1.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsPAhJA+iUJW3vtUEujSZKRCavblfAxYHukDPgvzW4+jaWzQkok9LifZMcMQNLRr2Yw3jo9vyxqvF2d/ptRJnk/dNdvfx9FCKLD9K4xywRqlxaJ/g4joOikPTC75XDiwNv+LHFLaB4PyQ8nmMeu2TzDBvKAXgOIwjdySQXsdDyECdyJ76vHaUjI42T5pHJHIojahfSSAmOqEZdp9x7gpo/KGwcgXxesJ8mFJTjGE5SfEoYXekwxfFmnB+mKSiB80kh9jhjkHioRGz/138/JwBPU1wp4S+PYKHIlYb92RdEo/RUqpiYQTiEckB8KJAwBIUVHwJ5dO745ylLnLBCMX8f
|
||||
smtp1.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtM5xa8DfADYSduknSLopT1wo14MTqEi7C/z2jgGXx2
|
||||
proxy0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNv1c4zTK1ccZr/P7CSMJCryGqoDwehGRPQLJOj07WA5lEPUWtpLRYxFUv7WrMkgIbphjiaOmZdC48tOoPUo4h89qWc8Qkv0NBbFqYsfpYSZGwuTCdR0mYB5c3D+O2E4kA80iw/Ba6mQZGOkmQ1W55tB0VC0w+zf2Z+4bsbHqn7/fYcYyyzNPRtl5etwrQ0XtVjOPdphv6fEypPbZMgpHhHlH24rLfs8lEnQNzU6eGuBoeSG2TQmC3cqp2zOH04s5XPbHgBVCJpTBwfWfKLN4t52YfI7WBpBpjzbhfeX13/9Ji3lY2HfMCq3jYQgoEVVTlg044vMM3azpFMAMjT9+R
|
||||
proxy0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJYHAPVZ/doCszO1GL6nMTvdJO5ASv38eyRUIwhxhIhJJgbkFI5bbGdg9Kr10u0wWU5jEjhNiT4fg6QFFZAOLVM=
|
||||
proxy0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfsGYZVyo0LHLYiXt28FGmcRSA9RGWG63+xPzIrdFDI
|
||||
|
|
|
|||
Loading…
Reference in New Issue