Squid clarifs in local_vars.yml, enable_services.yml etc

2025-03-09 15:40:17 +00:00 · 2021-08-15 10:06:01 -04:00 · 2021-08-15 10:06:01 -04:00 · 7c6494b31a
commit 7c6494b31a
parent dfd1ff8b1b
8 changed files with 59 additions and 26 deletions
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -34,7 +34,7 @@
  include_tasks: roles/network/tasks/dhcpd.yml
  when: dhcpd_install is defined and dhcpd_install

-# LESS MAINTAINED
+# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
 - name: Install Squid    # (and DansGuardian if dansguardian_install)
  include_tasks: roles/network/tasks/squid.yml
  when: squid_install is defined and squid_install
--- a/roles/network/tasks/enable_services.yml
+++ b/roles/network/tasks/enable_services.yml
@ -134,43 +134,43 @@
 #     enabled: no
 #   when: (dansguardian_install or dansguardian_installed is defined) and not dansguardian_enabled

- name: Mandate 'HTTPCACHE_ON=True' in {{ iiab_env_file }}, if squid_enabled
+- debug:
+    var: squid_install
+- debug:
+    var: squid_enabled
+- debug:
+    var: squid_installed
+
+- name: Mandate 'HTTPCACHE_ON=True' in {{ iiab_env_file }} - if squid_install and squid_enabled
  lineinfile:
    path: "{{ iiab_env_file }}"
    regexp: '^HTTPCACHE_ON=*'
    line: 'HTTPCACHE_ON=True'
-    state: present
  when: squid_install and squid_enabled

- name: Enable Squid systemd service ({{ proxy }}) if squid_enabled
+- name: Enable Squid systemd service ({{ proxy }}) - if squid_install and squid_enabled
  systemd:
-    name: "{{ proxy }}"
+    name: "{{ proxy }}"    # squid (or squid3 on old OS's vars/debian-8.yml & vars/raspbian-8.yml)
    enabled: yes
  when: squid_install and squid_enabled

- name: Install /etc/{{ proxy }}/squid-iiab.conf from template, owned by {{ proxy_user }}:{{ proxy_user }}
+- name: Install /etc/{{ proxy }}/squid-iiab.conf from template, owned by {{ proxy_user }}:{{ proxy_user }} (0644 by default) - if squid_install and squid_enabled
  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: "{{ item.owner }}"
-    group: "{{ item.group }}"
-    mode: "{{ item.mode }}"
-  with_items:
-    - src: squid/squid-iiab.conf.j2
-      dest: "/etc/{{ proxy }}/squid-iiab.conf"
-      owner: "{{ proxy_user }}"
-      group: "{{ proxy_user }}"
-      mode: 0644
+    src: squid/squid-iiab.conf.j2
+    dest: "/etc/{{ proxy }}/squid-iiab.conf"
+    owner: "{{ proxy_user }}"    # proxy (or "squid" on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
+    group: "{{ proxy_user }}"
+    # mode: 0644
  when: squid_install and squid_enabled

- name: Point to Squid config file from startup file, if squid_enabled (debuntu)
+- name: Point to Squid config file from startup file - if squid_install and squid_enabled
  lineinfile:
    regexp: '^CONFIG'
    line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
    path: "/etc/init.d/{{ proxy }}"
-  when: squid_install and squid_enabled and is_debuntu
+  when: squid_install and squid_enabled

- name: Disable Squid service, if not squid_enabled
+- name: Disable Squid service, if not squid_enabled - if (squid_install or squid_installed is defined) and not squid_enabled
  systemd:
    name: "{{ proxy }}"
    enabled: no
@ -181,7 +181,6 @@
    path: "{{ iiab_env_file }}"
    regexp: '^HTTPCACHE_ON=*'
    line: 'HTTPCACHE_ON=False'
-    state: present
  when: squid_install and not squid_enabled

 # - name: Enable Wondershaper service, if wondershaper_enabled
@ -219,7 +218,7 @@

 - name: Add 'squid' variable values to {{ iiab_ini_file }}
  ini_file:
-    path: "{{ iiab_ini_file }}"
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: squid
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
--- a/roles/network/templates/squid/sites.whitelist.txt
+++ b/roles/network/templates/squid/sites.whitelist.txt
@ -10,7 +10,7 @@
 .translate.google.com
 .gstatic.com
 .unleashkids.org
-.iiab.io.org
+.iiab.io
 .hopeforhaitischildren.org
 .lenouvelliste.com
 .voanouvel.com
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -123,8 +123,6 @@ wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi

 # Set True if client machines should have "passthrough" access to WAN/Internet:
 iiab_gateway_enabled: False
-gw_squid_whitelist: False
-gw_block_https: False

 # Gateway mode
 iiab_lan_enabled: True
@ -257,9 +255,13 @@ nginx_log_dir: /var/log/nginx

 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.

-# LESS MAINTAINED as of July 2021
+# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
 squid_install: False
 squid_enabled: False
+gw_squid_whitelist: False    # Only HTTP sites can be blocked, not HTTPS sites
+gw_block_https: False        # SEE ABOVE: iiab_gateway_enabled

 # UNMAINTAINED as of July 2021
 # DansGuardian REQUIRES Squid (above) be installed & enabled.
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@ -147,6 +147,14 @@ pi_swap_file_size: 1024

 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.

+# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+squid_install: False
+squid_enabled: False
+gw_squid_whitelist: False    # Only HTTP sites can be blocked, not HTTPS sites
+gw_block_https: False        # SEE ABOVE: iiab_gateway_enabled
+
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: True
 bluetooth_enabled: False
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@ -147,6 +147,14 @@ pi_swap_file_size: 1024

 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.

+# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+squid_install: False
+squid_enabled: False
+gw_squid_whitelist: False    # Only HTTP sites can be blocked, not HTTPS sites
+gw_block_https: False        # SEE ABOVE: iiab_gateway_enabled
+
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: True
 bluetooth_enabled: False
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@ -147,6 +147,14 @@ pi_swap_file_size: 1024

 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.

+# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+squid_install: False
+squid_enabled: False
+gw_squid_whitelist: False    # Only HTTP sites can be blocked, not HTTPS sites
+gw_block_https: False        # SEE ABOVE: iiab_gateway_enabled
+
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: True
 bluetooth_enabled: False
--- a/vars/local_vars_unittest.yml
+++ b/vars/local_vars_unittest.yml
@ -147,6 +147,14 @@ pi_swap_file_size: 1024

 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.

+# Proxy Cache and basic site blocking using /etc/squid/sites.whitelist.txt
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/sites.whitelist.txt
+# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+squid_install: False
+squid_enabled: False
+gw_squid_whitelist: False    # Only HTTP sites can be blocked, not HTTPS sites
+gw_block_https: False        # SEE ABOVE: iiab_gateway_enabled
+
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: False
 bluetooth_enabled: False