August 2017 - sysadmin-notify

[ansible] Add proxy iptables rule for arm builders

by Nicolas Chauvet

commit fe3643077a4b8ba75551d42e12a30cf5ed1544f2 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Aug 24 15:26:30 2017 +0200 Add proxy iptables rule for arm builders inventory/host_vars/proxy01.scaleway.rpmfusion.net | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) --- diff --git a/inventory/host_vars/proxy01.scaleway.rpmfusion.net b/inventory/host_vars/proxy01.scaleway.rpmfusion.net index fcfc77e..72a924c 100644 --- a/inventory/host_vars/proxy01.scaleway.rpmfusion.net +++ b/inventory/host_vars/proxy01.scaleway.rpmfusion.net @@ -1 +1,4 @@ datacenter: scaleway + +# Neeed for builders to access proxy +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.1.0.228 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.32.225 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.0.204 --dport 3128 -j ACCEPT' ]

6 years, 8 months

1
0
0 / 0

[ansible] Enable local proxy for scaleway

by Nicolas Chauvet

commit 07a66659a78c75d3c7d027d191f1b09d6ca2d488 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Aug 24 14:30:31 2017 +0200 Enable local proxy for scaleway roles/hosts/files/scaleway-hosts | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) --- diff --git a/roles/hosts/files/scaleway-hosts b/roles/hosts/files/scaleway-hosts index 68e64bf..386b1e0 100644 --- a/roles/hosts/files/scaleway-hosts +++ b/roles/hosts/files/scaleway-hosts @@ -17,4 +17,7 @@ 192.168.181.141 bodhi01.online.rpmfusion.net bodhi01 # hv01 online - vpn -192.168.182.1 hv01.vpn.rpmfusion.net proxy.vpn.rpmfusion.net nfs-server.vpn.rpmfusion.net nfs-server proxy +192.168.182.1 hv01.vpn.rpmfusion.net proxy.vpn.rpmfusion.net nfs-server.vpn.rpmfusion.net nfs-server + +# scaleway +10.2.10.75 proxy01.scaleway.rpmfusion.net proxy01 proxy

6 years, 8 months

1
0
0 / 0

[ansible] reload squid

by Nicolas Chauvet

commit 550c8d46a8fec21134110e89d76aa17d67e53a8a Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Aug 24 13:27:59 2017 +0200 reload squid handlers/restart_services.yml | 3 +++ roles/hosts/files/linaro-hosts | 4 ++-- roles/hosts/files/osuosl-hosts | 7 ++----- roles/hosts/files/scaleway-hosts | 3 --- 4 files changed, 7 insertions(+), 10 deletions(-) --- diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 96f1427..85f1193 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -92,6 +92,9 @@ - name: restart glusterd service: name=glusterd state=restarted +- name: reload squid + service: name=squid state=reloaded + - name: restart supervisord service: name=supervisord state=restarted diff --git a/roles/hosts/files/linaro-hosts b/roles/hosts/files/linaro-hosts index 8543f2c..e07ed8b 100644 --- a/roles/hosts/files/linaro-hosts +++ b/roles/hosts/files/linaro-hosts @@ -7,9 +7,9 @@ 212.129.31.198 pkgs.rpmfusion.org pkgs # hv01 online - vpn -192.168.182.1 hv01.vpn.rpmfusion.net proxy.vpn.rpmfusion.net nfs-server.vpn.rpmfusion.net nfs-server proxy +192.168.182.1 hv01.vpn.rpmfusion.net proxy.vpn.rpmfusion.net nfs-server.vpn.rpmfusion.net nfs-server # linaro hosts -192.168.1.8 bastion02.linaro.rpmfusion.net bastion02 +192.168.1.8 bastion02.linaro.rpmfusion.net bastion02 proxy 192.168.1.13 aarch64-01.linaro.rpmfusion.net aarch64-01 192.168.1.10 aarch64-02.linaro.rpmfusion.net aarch64-02 diff --git a/roles/hosts/files/osuosl-hosts b/roles/hosts/files/osuosl-hosts index 42f69cd..83cfa0c 100644 --- a/roles/hosts/files/osuosl-hosts +++ b/roles/hosts/files/osuosl-hosts @@ -1,9 +1,6 @@ -127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 proxy ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -# Puppet master -188.165.226.50 puppet.rpmfusion.org puppet puppet.ovh.rpmfusion.lan - # hv01 online - public 195.154.185.75 hv01.online.rpmfusion.net hv01 212.83.132.100 koji.rpmfusion.org koji @@ -15,7 +12,7 @@ #192.168.181.137 pkgs01.online.rpmfusion.net pkgs01 pkgs.rpmfusion.org pkgs # hv01 online - vpn -192.168.182.1 hv01.vpn.rpmfusion.net proxy.vpn.rpmfusion.net nfs-server.vpn.rpmfusion.net nfs-server proxy +192.168.182.1 hv01.vpn.rpmfusion.net proxy.vpn.rpmfusion.net nfs-server.vpn.rpmfusion.net nfs-server # osuosl #buildppc-01.osuosl.rpmfusion.net diff --git a/roles/hosts/files/scaleway-hosts b/roles/hosts/files/scaleway-hosts index 88e9a57..68e64bf 100644 --- a/roles/hosts/files/scaleway-hosts +++ b/roles/hosts/files/scaleway-hosts @@ -1,9 +1,6 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -# Puppet master -188.165.226.50 puppet.rpmfusion.org puppet puppet.ovh.rpmfusion.lan - # hv01 online - public #195.154.185.75 hv01.online.rpmfusion.net hv01 212.83.132.100 koji.rpmfusion.org koji

6 years, 8 months

1
0
0 / 0

[ansible] Add datacenter

by Nicolas Chauvet

commit e1436d2ea5f48a8391fa463dd40846623b8d39d1 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Aug 24 12:09:18 2017 +0200 Add datacenter inventory/host_vars/bastion02.linaro.rpmfusion.net | 1 + inventory/host_vars/proxy01.scaleway.rpmfusion.net | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) --- diff --git a/inventory/host_vars/bastion02.linaro.rpmfusion.net b/inventory/host_vars/bastion02.linaro.rpmfusion.net new file mode 100644 index 0000000..69ac632 --- /dev/null +++ b/inventory/host_vars/bastion02.linaro.rpmfusion.net @@ -0,0 +1 @@ +datacenter: linaro diff --git a/inventory/host_vars/proxy01.scaleway.rpmfusion.net b/inventory/host_vars/proxy01.scaleway.rpmfusion.net new file mode 100644 index 0000000..fcfc77e --- /dev/null +++ b/inventory/host_vars/proxy01.scaleway.rpmfusion.net @@ -0,0 +1 @@ +datacenter: scaleway

6 years, 8 months

1
0
0 / 0

[ansible] Add squid role

by Nicolas Chauvet

commit ea5a8d8c87755fae0141fd54fd99f79d0604c6c0 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Aug 24 11:59:00 2017 +0200 Add squid role files/squid/custom_redirect.py | 49 +++++++++++ files/squid/squid.conf | 76 +++++++++++++++++ files/squid/squid.conf.hv01.online.rpmfusion.net | 97 ++++++++++++++++++++++ files/squid/squid.conf.linaro | 80 ++++++++++++++++++ files/squid/squid.conf.osuosl | 80 ++++++++++++++++++ files/squid/squid.conf.scaleway | 80 ++++++++++++++++++ roles/squid/tasks/main.yml | 54 ++++++++++++ 7 files changed, 516 insertions(+), 0 deletions(-) --- diff --git a/files/squid/custom_redirect.py b/files/squid/custom_redirect.py new file mode 100755 index 0000000..00f4f03 --- /dev/null +++ b/files/squid/custom_redirect.py @@ -0,0 +1,49 @@ +#!/usr/bin/env python + +import sys + +fedorasecondary = [ 'rawhide', '26', '27'] +fedorasecondaryarches = [ 'i386', 'ppc64', 'aarch64' ] + +def modify_url(line): + list = line.split(' ') + # first element of the list is the URL + old_url = list[0] + new_url = '\n' + # take the decision and modify the url if needed + # do remember that the new_url should contain a '\n' at the end. + if 'dl.fedoraproject.org' in old_url: + #if 'rawhide' or '/26/' or '/27/' in old_url: + if '/fedora/linux/' in old_url: + if '/25/' not in old_url: + if '/i386/' in old_url: + new_url = old_url.replace('/fedora/linux/', '/fedora-secondary/') + '\n' + elif '/ppc64' in old_url: + new_url = old_url.replace('/fedora/linux/', '/fedora-secondary/') + '\n' + elif '/aarch64/' in old_url: + new_url = old_url.replace('/fedora/linux/', '/fedora-secondary/') + '\n' + + if '/epel/7/' in old_url: + if '/i386/' in old_url: + new_url = old_url.replace('/i386/', '/x86_64/') + '\n' + + #altarch support for centos + if 'mirror.centos.org' in old_url: + if '/centos/6/' not in old_url: + if '/x86_64/' not in old_url: + new_url = old_url.replace('/centos/', '/altarch/') + '\n' + + return new_url + +while True: + # the format of the line read from stdin is + # URL ip-address/fqdn ident method + # for example + # http://saini.co.in 172.17.8.175/saini.co.in - GET - + line = sys.stdin.readline().strip() + # new_url is a simple URL only + # for example + # http://fedora.co.in + new_url = modify_url(line) + sys.stdout.write(new_url) + sys.stdout.flush() diff --git a/files/squid/squid.conf b/files/squid/squid.conf new file mode 100644 index 0000000..1e1694e --- /dev/null +++ b/files/squid/squid.conf @@ -0,0 +1,76 @@ +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) +acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) +acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) +acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines +acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) +acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# Squid normally listens to port 3128 +http_port 3128 + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 diff --git a/files/squid/squid.conf.hv01.online.rpmfusion.net b/files/squid/squid.conf.hv01.online.rpmfusion.net new file mode 100644 index 0000000..1862f42 --- /dev/null +++ b/files/squid/squid.conf.hv01.online.rpmfusion.net @@ -0,0 +1,97 @@ +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +acl to_rpmfusion dstdomain .rpmfusion.org + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +#http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +#http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access allow localnet manager +http_access deny manager + +acl Purge method PURGE +http_access allow localhost Purge +http_access allow localnet Purge +http_access deny Purge + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# Squid normally listens to port 3128 +http_port 192.168.181.254:3128 +http_port 192.168.182.1:3128 + +# Uncomment and adjust the following to add a disk cache directory. +cache_dir ufs /var/spool/squid 100000 16 256 + +#cache_peer download.fedoraproject.org parent 80 0 no-query +#cache_peer mirror.centos.org parent 80 0 no-query +#cache_peer epel.mirrors.ovh.net parent 80 0 no-query +#cache_peer mirrors.ircam.fr parent 80 0 no-query + + +acl nonCacheURL urlpath_regex .*/repodata/repomd.xml$ +cache deny nonCacheURL +cache deny to_rpmfusion + +redirect_program /usr/bin/python /etc/squid/custom_redirect.py +redirect_children 20 + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern -i \.rpm$ 604800 90% 604800 +refresh_pattern -i \.(bz2|gz|xml)$ 172800 90% 259200 +refresh_pattern . 0 20% 4320 + +dns_v4_first on diff --git a/files/squid/squid.conf.linaro b/files/squid/squid.conf.linaro new file mode 100644 index 0000000..25b913e --- /dev/null +++ b/files/squid/squid.conf.linaro @@ -0,0 +1,80 @@ +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) +acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) +acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) +acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines +acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) +acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# Squid normally listens to port 3128 +http_port 3128 + +# Uncomment and adjust the following to add a disk cache directory. +cache_dir ufs /var/spool/squid 15000 16 256 + +cache_peer proxy.vpn.rpmfusion.net parent 3128 0 no-query + +acl nonCacheURL urlpath_regex .*/repodata/repomd.xml$ +cache deny nonCacheURL + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern -i \.rpm$ 604800 90% 604800 +refresh_pattern -i \.(bz2|gz|xml)$ 172800 90% 259200 +refresh_pattern . 0 20% 4320 diff --git a/files/squid/squid.conf.osuosl b/files/squid/squid.conf.osuosl new file mode 100644 index 0000000..1cf1ce0 --- /dev/null +++ b/files/squid/squid.conf.osuosl @@ -0,0 +1,80 @@ +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) +acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) +acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) +acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines +acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) +acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# Squid normally listens to port 3128 +http_port 3128 + +# Uncomment and adjust the following to add a disk cache directory. +cache_dir ufs /var/spool/squid 40000 16 256 + +cache_peer proxy.vpn.rpmfusion.net parent 3128 0 no-query + +acl nonCacheURL urlpath_regex .*/repodata/repomd.xml$ +cache deny nonCacheURL + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern -i \.rpm$ 604800 90% 604800 +refresh_pattern -i \.(bz2|gz|xml)$ 172800 90% 259200 +refresh_pattern . 0 20% 4320 diff --git a/files/squid/squid.conf.scaleway b/files/squid/squid.conf.scaleway new file mode 100644 index 0000000..1cf1ce0 --- /dev/null +++ b/files/squid/squid.conf.scaleway @@ -0,0 +1,80 @@ +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) +acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) +acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) +acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines +acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) +acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# Squid normally listens to port 3128 +http_port 3128 + +# Uncomment and adjust the following to add a disk cache directory. +cache_dir ufs /var/spool/squid 40000 16 256 + +cache_peer proxy.vpn.rpmfusion.net parent 3128 0 no-query + +acl nonCacheURL urlpath_regex .*/repodata/repomd.xml$ +cache deny nonCacheURL + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern -i \.rpm$ 604800 90% 604800 +refresh_pattern -i \.(bz2|gz|xml)$ 172800 90% 259200 +refresh_pattern . 0 20% 4320 diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml new file mode 100644 index 0000000..a2b9737 --- /dev/null +++ b/roles/squid/tasks/main.yml @@ -0,0 +1,54 @@ +--- +# tasks file for squid + +- name: install squid (yum) + yum: name=squid state=present + tags: + - squid + - packages + when: ansible_distribution_major_version|int < 22 + +- name: install squid (dnf) + dnf: name=squid state=present + tags: + - squid + - packages + when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + +- name: set squid running/enabled + service: name=squid enabled=yes + ignore_errors: true + tags: + - service + - squid + +- name: custom_redirect + file: src="{{files}}/squid/custom_redirect.py" dest=/etc/squid/custom_redirect.py mode=0750 + owner=root group=squid + notify: + - reload squid + tags: + - squid + - config + when: inventory_hostname.startswith('hv01.online') + +- name: squid.conf + template: src={{item}} dest=/etc/squid/squid.conf mode=0640 owner=root group=squid + with_first_found: + - "{{files}}/squid/squid.conf.{{ansible_hostname}}" + - "{{files}}/squid/squid.conf.{{datacenter}}" + - "{{files}}/squid/squid.conf" + notify: + - reload squid + tags: + - squid + - config + +- name: create squid swap files + command: /usr/sbin/squid -z creates="/var/spool/squid/00" + notify: + - reload squid + tags: + - squid + - config +

6 years, 8 months

1
0
0 / 0

[ansible] Add squid playbook

by Nicolas Chauvet

commit 5f7ba7a51d88f8160f9ec2305de95d5e96278f28 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Wed Aug 23 17:12:40 2017 +0200 Add squid playbook playbooks/groups/squid.xml | 35 +++++++++++++++++++++++++++++++++++ 1 files changed, 35 insertions(+), 0 deletions(-) --- diff --git a/playbooks/groups/squid.xml b/playbooks/groups/squid.xml new file mode 100644 index 0000000..3b8d505 --- /dev/null +++ b/playbooks/groups/squid.xml @@ -0,0 +1,35 @@ +# create a new squid server + +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=squid:squid-stg" + +- name: make the box be real + hosts: squid-stg:squid + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - hosts + - rkhunter + - nagios/client + - collectd/base + - sudo + - rsyncd + - { role: openvpn/client, + when: env != "staging" } + - fas_client + - squid + + tasks: + - include: "{{ tasks }}/yumrepos.yml" + - include: "{{ tasks }}/motd.yml" + + handlers: + - include: "{{ handlers }}/restart_services.yml" + +

6 years, 8 months

1
0
0 / 0

[ansible] Move into a dedicated squid group

by Nicolas Chauvet

commit 16da5e66c8b23d310f7e764c19fcd02d10f7e362 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Wed Aug 23 16:38:52 2017 +0200 Move into a dedicated squid group inventory/inventory | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) --- diff --git a/inventory/inventory b/inventory/inventory index 3babd7c..d9a2a92 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -48,10 +48,6 @@ pkgdb02.online.rpmfusion.net pkgs01.online.rpmfusion.net [proxies] -proxy01.scaleway.rpmfusion.net -bastion02.linaro.rpmfusion.net ansible_user=centos ansible_become=yes -buildppc-01.osuosl.rpmfusion.net -buildppcle-01.osuosl.rpmfusion.net [releng-compose] bodhi-backend01.online.rpmfusion.net @@ -62,6 +58,12 @@ koji01.online.rpmfusion.net [sign-vault] sign-vault01.online.rpmfusion.net +[squid] +proxy01.scaleway.rpmfusion.net +bastion02.linaro.rpmfusion.net ansible_user=centos ansible_become=yes +buildppc-01.osuosl.rpmfusion.net +buildppcle-01.osuosl.rpmfusion.net + [bvirthost] [buildvmhost]

6 years, 8 months

1
0
0 / 0

[ansible] Add local proxies

by Nicolas Chauvet

commit 97524f1160f875762ce4d304cf09c6bc551ce998 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Wed Aug 23 15:17:44 2017 +0200 Add local proxies inventory/inventory | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) --- diff --git a/inventory/inventory b/inventory/inventory index a4e8901..3babd7c 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -48,7 +48,10 @@ pkgdb02.online.rpmfusion.net pkgs01.online.rpmfusion.net [proxies] -pkgs01.online.rpmfusion.net +proxy01.scaleway.rpmfusion.net +bastion02.linaro.rpmfusion.net ansible_user=centos ansible_become=yes +buildppc-01.osuosl.rpmfusion.net +buildppcle-01.osuosl.rpmfusion.net [releng-compose] bodhi-backend01.online.rpmfusion.net

6 years, 8 months

1
0
0 / 0

[ansible] Revert "Update pkgdb openid endpoint"

by Nicolas Chauvet

commit 7c306fb48acdd2d44db6622a9192b7ce83155389 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Thu Aug 3 15:48:33 2017 +0200 Revert "Update pkgdb openid endpoint" This reverts commit 57b95fde604733f7a0b800341c5acdd2b68f52fe. roles/pkgdb2/templates/pkgdb2.cfg | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) --- diff --git a/roles/pkgdb2/templates/pkgdb2.cfg b/roles/pkgdb2/templates/pkgdb2.cfg index 95f35ca..51a69dd 100644 --- a/roles/pkgdb2/templates/pkgdb2.cfg +++ b/roles/pkgdb2/templates/pkgdb2.cfg @@ -85,7 +85,7 @@ SITE_ROOT = 'https://admin.rpmfusion.org' SITE_URL = '%s/pkgdb' % SITE_ROOT ## Upon changes in pkgdb, update bugzilla PKGDB2_BUGZILLA_NOTIFICATION = False -FAS_OPENID_ENDPOINT = 'https://id.rpmfusion.org/openid/' +FAS_OPENID_ENDPOINT = 'https://id.rpmfusion.org/' {% else %} PKGDB2_FAS_URL = 'http://fas01.online.rpmfusion.net/accounts' PKGDB2_FAS_INSECURE = True @@ -93,7 +93,7 @@ SITE_ROOT = 'https://admin.rpmfusion.org' SITE_URL = '%s/pkgdb' % SITE_ROOT ## Upon changes in pkgdb, update bugzilla PKGDB2_BUGZILLA_NOTIFICATION = True -FAS_OPENID_ENDPOINT = 'https://id.rpmfusion.org/openid/' +FAS_OPENID_ENDPOINT = 'https://id.rpmfusion.org/' {% endif %} ## name of the user the pkgdb application can log in to FAS with

6 years, 8 months

1
0
0 / 0

[puppet] removed one of the mirrorlist servers

by Adrian Reber

commit a1881834f4c4a6fd3cd038df6659b9becff103ad Author: Adrian Reber <adrian(a)lisas.de> Date: Sun Aug 6 19:43:17 2017 +0200 removed one of the mirrorlist servers files/dns/rpmfusion.org | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) --- diff --git a/files/dns/rpmfusion.org b/files/dns/rpmfusion.org index fad1e41..89b4ef1 100644 --- a/files/dns/rpmfusion.org +++ b/files/dns/rpmfusion.org @@ -1,6 +1,6 @@ $TTL 5M @ IN SOA ns1.rpmfusion.net. root.rpmfusion.org. ( - 2016120302 ; Serial + 2017080601 ; Serial 6H ; Refresh 1H ; Retry 5W ; Expire @@ -37,8 +37,7 @@ pkgs IN A 212.129.31.198 ; pkgs01.online download0 IN A 212.129.31.198 ; pkgs01.online download1 IN A 193.28.235.60 -mirrors IN A 81.169.241.26 - IN A 163.172.151.63 +mirrors IN A 163.172.151.63 IN A 78.47.19.71 IN A 134.108.44.54 IN A 158.69.195.211

6 years, 8 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sysadmin-notify August 2017