# Pull in the distro's Squid package. The stock squid.conf it ships is only a
# placeholder here: IIAB replaces it with its own template later in this role.
- name: Install package '{{ proxy }}' -- IIAB will later overwrite its /etc/squid/squid.conf
  package:
    state: present
    name: '{{ proxy }}'  # 'squid' on most distros; 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml
    # - cadaver  # (kept commented out, as upstream left it)

# - name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
#   command: /etc/init.d/squid stop
#   when: is_ubuntu

# Some distros start the daemon as soon as the package lands, i.e. with the
# stock squid.conf in force. Stop it here; presumably it is brought back up
# only after IIAB's own squid.conf and ACL files are installed (not shown in
# this file -- confirm in the rest of the role).
- name: Stop systemd service '{{ proxy }}'
  systemd:
    state: stopped
    name: '{{ proxy }}'
  # when: squid_installed is undefined  # (disabled upstream: always stop, even on re-runs)

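# 2021-08-17: This stanza is gratuitous on most distros, where the user 'proxy'
# or 'squid' is preinstalled (typically with UID and GID 13 in /etc/passwd) but
# let's be sure, as distro internals / favorite distros change without warning.
#
# The group is created first: the 'user' module's 'group:' only assigns an
# already-existing primary group and fails ("Group ... does not exist") when it
# has to create the account on a box where neither exists.
# 'system: true' asks for a system account/group (useradd -r / groupadd -r)
# when one has to be created; it has no effect on accounts that already exist.
- name: Ensure Linux group '{{ proxy_user }}' exists (primary group of the Squid service account)
  group:
    name: "{{ proxy_user }}"
    system: true
    state: present

- name: Ensure Linux user:group '{{ proxy_user }}:{{ proxy_user }}' exists, to own /library/cache -- and for recent versions of /usr/lib/systemd/system/squid.service that use 'Group=proxy'
  user:
    name: "{{ proxy_user }}"  # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
    group: "{{ proxy_user }}"
    system: true  # daemon account, never an interactive user
    create_home: false
    shell: /bin/false  # UNIX norm should work across all distros, overriding Debian/Ubuntu norm /usr/sbin/nologin
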
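# 2021-08-16: Squid runs as 'nobody' when started as root:
# http://www.squid-cache.org/Doc/config/cache_effective_user/
# Much more detail here, but neither directive is recommended:
# http://www.squid-cache.org/Doc/config/cache_effective_group/
#
# So nobody:root or root:root ownership don't work for cache_dir /library/cache
#
# Squid auto-creation of cache_dir (or the old way, 'squid -z') both fail:
# "FATAL: Failed to make swap directory /library/cache: (13) Permission denied"
#
# SEE ALSO: https://github.com/iiab/iiab/blob/master/roles/network/templates/squid/squid.conf.j2#L12-L32
#
# The cache holds copies of whatever clients fetched through the proxy, so it
# is owned by the service account and kept out of reach of other local users:
# 0750 means only '{{ proxy_user }}' (and root) can list or read it.
- name: Create Squid directory /library/cache ({{ proxy_user }}:{{ proxy_user }}, 0750)
  file:
    state: directory
    path: /library/cache
    owner: "{{ proxy_user }}"
    group: "{{ proxy_user }}"
    mode: '0750'  # quoted so Ansible receives the octal as text instead of relying on the YAML parser's integer conversion
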
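# These two files are the ACL inputs Squid consults when 'gw_squid_whitelist' is
# enabled, so they must be writable by root only: a compromised or misbehaving
# proxy process must not be able to widen its own allowlist. Ownership and mode
# are therefore set explicitly here rather than left to the controller's umask.
# The lists themselves (domain names / URL regexes) are not secret, so 0644 is fine.
- name: "Install site allowlists /etc/{{ proxy }}/allow_dst_domains, /etc/{{ proxy }}/allow_url_regexs from template (root:root, 0644 by default) -- activated for HTTP/80 if you set 'gw_squid_whitelist: True' in /etc/iiab/local_vars.yml -- SEE https://wiki.squid-cache.org/SquidFaq/SquidAcl"
  template:
    src: "{{ item }}"
    dest: "/etc/{{ proxy }}/"  # trailing slash: each file keeps its source basename
    owner: root
    group: root
    mode: '0644'
    backup: true  # keep a timestamped copy of any locally edited allowlist
  with_items:
    - roles/network/templates/squid/allow_dst_domains
    - roles/network/templates/squid/allow_url_regexs
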
# - name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
#   template:
#     src: "{{ item.src }}"
#     dest: "{{ item.dest }}"
#     owner: "{{ item.owner }}"
#     group: "{{ item.group }}"
#     mode: "{{ item.mode }}"
#     force: no
#   with_items:
#     - src: 'roles/network/templates/squid/squid.sysconfig'
#       dest: '/etc/sysconfig/squid'
#       owner: 'root'
#       group: 'root'
#       mode: '0755'
#     - src: 'roles/network/templates/squid/sites.whitelist.txt'
#       dest: '/etc/{{ proxy }}/sites.whitelist.txt'
#       owner: '{{ proxy_user }}'
#       group: '{{ proxy_user }}'
#       mode: '0644'
#     - src: 'roles/network/templates/squid/allowregex.rules'
#       dest: '/etc/{{ proxy }}/allowregex.rules'
#       owner: '{{ proxy_user }}'
#       group: '{{ proxy_user }}'
#       mode: '0644'
#     - src: 'roles/network/templates/squid/denyregex.rules'
#       dest: '/etc/{{ proxy }}/denyregex.rules'
#       owner: '{{ proxy_user }}'
#       group: '{{ proxy_user }}'
#       mode: '0644'
#     - src: 'roles/network/templates/squid/dstaddress.rules'
#       dest: '/etc/{{ proxy }}/dstaddress.rules'
#       owner: '{{ proxy_user }}'
#       group: '{{ proxy_user }}'
#       mode: '0644'
#     - src: 'roles/network/templates/squid/iiab-httpcache.j2'
#       dest: '/usr/bin/iiab-httpcache'
#       owner: 'root'
#       group: 'root'
#       mode: '0755'

# - name: Create Squid directory /var/log/{{ proxy }}
#   file:
#     path: "/var/log/{{ proxy }}"
#     owner: "{{ proxy_user }}"
#     group: "{{ proxy_user }}"
#     mode: '0750'
#     state: directory

# - include_tasks: roles/network/tasks/dansguardian.yml
#   when: dansguardian_install


# RECORD Squid AS INSTALLED

# In-memory flag for the remainder of this run, so later tasks can test
# 'squid_installed' without re-reading the state file.
- name: "Set 'squid_installed: True'"
  set_fact:
    squid_installed: true

# Persist the same flag across runs in IIAB's state file. The regexp matches
# any existing 'squid_installed...' line, so the value is replaced rather than
# appended a second time.
- name: "Add 'squid_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    line: 'squid_installed: True'
    regexp: '^squid_installed'
    path: "{{ iiab_state_file }}"  # /etc/iiab/iiab_state.yml


# {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8 --
# and it doubles as the section header written to iiab.ini below.
- name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }}
  ini_file:
    section: "{{ proxy }}"
    dest: "{{ iiab_ini_file }}"  # /etc/iiab/iiab.ini
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"  # '| string' coerces non-string values (e.g. booleans) to text
  with_items:
    - option: name
      value: Squid
    - option: description
      value: '"Squid caches web pages the first time they are accessed, and pulls them from the cache thereafter."'
    - option: squid_install
      value: "{{ squid_install }}"
    - option: squid_enabled
      value: "{{ squid_enabled }}"

# - name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
#   ini_file:
#     dest: "{{ iiab_ini_file }}"
#     section: dansguardian
#     option: "{{ item.option }}"
#     value: "{{ item.value | string }}"
#   with_items:
#     - option: name
#       value: DansGuardian
#     - option: description
#       value: '"DansGuardian searches web content for objectionable references and denies access when found."'
#     - option: dansguardian_install
#       value: "{{ dansguardian_install }}"
#     - option: dansguardian_enabled
#       value: "{{ dansguardian_enabled }}"