Add squid as a forwarding proxy so containers are exposed through a VPN

Implementation isn't perfect, but as `qbittorrent` already had an outbound VPN connection, it makes sense to just reuse it.

ansible/main.yml

@@ -96,6 +96,7 @@
 - hosts: qbittorrent
   roles:
     - qbittorrent
+    - http_proxy
 
 - hosts: walker
   roles:

ansible/roles/http_proxy/files/squid.conf

@@ -0,0 +1,79 @@
+#
+# Recommended minimum configuration:
+#
+
+acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }}
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7               # RFC 4193 local private network range
+acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+
+# Only allow HTTPS
+acl Safe_ports port 80          # http
+acl Safe_ports port 443         # https
+
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+http_access deny to_localhost
+http_access deny hide_internal
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/cache/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/cache/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:           1440    20%     10080
+refresh_pattern ^gopher:        1440    0%      1440
+refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+refresh_pattern .               0       20%     4320
+
+# Prevent all caching
+cache deny all
+
+# Give an arbitrary hostname
+visible_hostname proxy
+
+# Disable some identifying headers
+via off
+reply_header_access Server deny all
+reply_header_access X-Squid-Error deny all

ansible/roles/http_proxy/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart squid
+  service:
+    name: squid
+    state: restarted
+  become: true

ansible/roles/http_proxy/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: Install squid
+  package:
+    name: squid
+  become: true
+
+- name: Squid config
+  template:
+    src: files/squid.conf
+    dest: /etc/squid/squid.conf
+    mode: "0600"
+  become: true
+  notify: restart squid
+
+- name: Enable squid
+  service:
+    name: squid
+    enabled: true
+  become: true

ansible/roles/pve_docker/files/synapse/docker-compose.yml

@@ -10,6 +10,8 @@ services:
       - SYNAPSE_REPORT_STATS=yes
       - UID={{ docker_user.id }}
       - GID={{ docker_user.id }}
+      - HTTP_PROXY={{ pve_hosts.qbittorrent.ip }}
+      - HTTPS_PROXY={{ pve_hosts.qbittorrent.ip }}
     volumes:
       - "{{ app_data_dir }}/synapse/homeserver.yaml:/etc/homeserver.yaml"
       - "{{ app_data_dir }}/synapse:/data"