diff --git a/ansible/main.yml b/ansible/main.yml index 5bc4840..e312333 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -96,6 +96,7 @@ - hosts: qbittorrent roles: - qbittorrent + - http_proxy - hosts: walker roles: diff --git a/ansible/roles/http_proxy/files/squid.conf b/ansible/roles/http_proxy/files/squid.conf new file mode 100644 index 0000000..6d7deb8 --- /dev/null +++ b/ansible/roles/http_proxy/files/squid.conf 
@@ -0,0 +1,79 @@
+#
+# Recommended minimum configuration:
+#
+
+acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }}
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+
+# Only allow HTTPS
+acl Safe_ports port 80 # http
+acl Safe_ports port 443 # https
+
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+http_access deny to_localhost
+http_access deny hide_internal
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# Squid normally listens to port 3128 +http_port 3128 + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/cache/squid 100 16 256 + +# Leave coredumps in the first cache dir +coredump_dir /var/cache/squid + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 + +# Prevent all caching +cache deny all + +# Give an arbitrary hostname +visible_hostname proxy + +# Disable some identifying headers +via off +reply_header_access Server deny all +reply_header_access X-Squid-Error deny all diff --git a/ansible/roles/http_proxy/handlers/main.yml b/ansible/roles/http_proxy/handlers/main.yml new file mode 100644 index 0000000..3b22b8c --- /dev/null +++ b/ansible/roles/http_proxy/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart squid + service: + name: squid + state: restarted + become: true diff --git a/ansible/roles/http_proxy/tasks/main.yml b/ansible/roles/http_proxy/tasks/main.yml new file mode 100644 index 0000000..7c9da9f --- /dev/null +++ b/ansible/roles/http_proxy/tasks/main.yml @@ -0,0 +1,18 @@ +- name: Install squid + package: + name: squid + become: true + +- name: Squid config + template: + src: files/squid.conf + dest: /etc/squid/squid.conf + mode: "0600" + become: true + notify: restart squid + +- name: Enable squid + service: + name: squid + enabled: true + become: true diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index 4889fe6..e38eff7 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml 
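Review bot: `acl hide_internal dst …` denies only the three templated CIDRs, so a client of this proxy can still reach any other private or link-local destination on the host's networks — loopback is the only extra range covered, by `to_localhost` — and that matters because the compose hunk in this same commit points Synapse's outbound HTTP at this proxy. Unless those three variables already span every internal range, add a second line reusing the ranges the `localnet` ACL already enumerates, e.g. `acl hide_internal dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fc00::/7 fe80::/10`, and keep `http_access deny hide_internal` where it is, ahead of `http_access allow localnet`. Separately, the `# Only allow HTTPS` comment above the `Safe_ports` lines is inaccurate since port 80 is permitted as well; `# Only allow HTTP and HTTPS` would match the rules that follow.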
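Review bot: The `Enable squid` task sets `enabled: true` but not `state: started`, so on a distribution whose package does not auto-start the service Squid only comes up when the template task reports a change and fires the `restart squid` handler; a rerun after a failed handler leaves it enabled but stopped. Add `state: started` under `service:` in that task. Also, `src: files/squid.conf` is handed to `template`, which searches the role's `templates/` directory first; it may still resolve through the role-root fallback, but placing the file at `templates/squid.conf.j2` and using `src: squid.conf.j2` is the conventional layout and removes the dependence on lookup order.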
+++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -10,6 +10,8 @@ services: - SYNAPSE_REPORT_STATS=yes - UID={{ docker_user.id }} - GID={{ docker_user.id }} + - HTTP_PROXY={{ pve_hosts.qbittorrent.ip }} + - HTTPS_PROXY={{ pve_hosts.qbittorrent.ip }} volumes: - "{{ app_data_dir }}/synapse/homeserver.yaml:/etc/homeserver.yaml" - "{{ app_data_dir }}/synapse:/data"
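Review bot: `HTTP_PROXY={{ pve_hosts.qbittorrent.ip }}` carries neither a scheme nor a port, while the squid.conf added in this commit listens on 3128; Synapse's proxy-URL parsing fills in its own default port when none is given (not 3128, as far as I recall), so proxied requests would be sent to the wrong port. Use `- HTTP_PROXY=http://{{ pve_hosts.qbittorrent.ip }}:3128` and `- HTTPS_PROXY=http://{{ pve_hosts.qbittorrent.ip }}:3128`. Because the proxy's `hide_internal` ACL refuses internal destinations, any outbound HTTP call Synapse routes through the proxy to a host on those networks (a push gateway, for example) will now fail; if such hosts exist, add a `- NO_PROXY=…` entry listing them. The list these entries belong to starts before the hunk.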