Better squid/squid3 whitelist and reload

Jérémy Lecour 2017-07-12 12:17:33 +02:00 committed by Jérémy Lecour
parent 0c5117dd4e
commit bc99227259
8 changed files with 84 additions and 27 deletions


@ -18,3 +18,8 @@
service:
name: squid3
state: reloaded
- name: reload squid
service:
name: squid
state: reloaded


@ -53,17 +53,24 @@
dest: /etc/cron.daily/certbot
mode: "0755"
- name: Find squid3 config whitelist
shell: find /etc/squid3/whitelist-custom.conf /etc/squid3/whitelist.conf 2> /dev/null
- name: Find squid config whitelist
shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null
failed_when: false
changed_when: false
check_mode: no
register: squid3_whitelist_files
register: squid_whitelist_files
- name: set squid_service_name=squid3 for Debian < 9
set_fact:
squid_service_name: squid3
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version | version_compare('9', '<')
- name: Let's Encrypt OCSP server is authorized by squid
lineinfile:
dest: "{{ squid3_whitelist_files.stdout_lines | first }}"
dest: "{{ squid_whitelist_files.stdout_lines | first }}"
line: "http://.*.letsencrypt.org/.*"
state: present
notify: reload squid3
when: squid3_whitelist_files.stdout != ""
notify: "reload {{ squid_service_name | default('squid') }}"
when: squid_whitelist_files.stdout != ""
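Review bot: The handler name is derived from the Debian release, not from the whitelist file that `find` actually located, so a host whose first match is under `/etc/squid3/` but that is not "Debian < 9" (a non-Debian box, or an upgraded host keeping the old tree) notifies `reload squid` while only the squid3 unit exists. Keying the fact on the matched path keeps the two in step: `squid_service_name: "{{ 'squid3' if '/etc/squid3/' in (squid_whitelist_files.stdout_lines | first) else 'squid' }}"`, guarded by the same `when: squid_whitelist_files.stdout != ""` as the lineinfile task so `first` is never applied to an empty list. Separately, the entry `http://.*.letsencrypt.org/.*` is unanchored and has unescaped dots; if the whitelist is loaded as a `url_regex` ACL (not visible in this hunk) it also admits `http://evil.example/?x=.letsencrypt.org/`, and `^http://[^/]*\.letsencrypt\.org/` would be the tighter form. That line is pre-existing, so this is a caveat rather than something this commit introduced.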


@ -1,5 +1,10 @@
---
- name: Reload Squid
- name: reload squid
service:
name: squid
state: reloaded
- name: reload squid3
service:
name: squid3
state: reloaded
@ -8,4 +13,3 @@
service:
name: jenkins
state: restarted


@ -4,23 +4,32 @@
# url: https://jenkins-ci.org/debian/jenkins-ci.org.key
data: "{{ lookup('file', 'jenkins.key') }}"
- name: Check if Squid is present
stat:
path: /etc/squid3/whitelist-custom.conf
register: _squid3_whitelist
- name: Find squid config whitelist
shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null
failed_when: false
changed_when: false
check_mode: no
register: squid_whitelist_files
- name: Append jenkins repositories to Squid whitelist
- name: set squid_service_name=squid3 for Debian < 9
set_fact:
squid_service_name: squid3
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version | version_compare('9', '<')
- name: Append packages.dotdeb.org to Squid whitelist
lineinfile:
name: /etc/squid3/whitelist-custom.conf
dest: "{{ squid_whitelist_files.stdout_lines | first }}"
line: "{{ item }}"
state: present
with_items:
- "http://pkg.jenkins-ci.org/.*"
- "http://mirrors.jenkins.io/.*"
- "http://jenkins.mirror.isppower.de/.*"
- "http://ftp.icm.edu.pl/.*"
notify: Reload Squid
when: _squid3_whitelist.stat.exists
notify: "reload {{ squid_service_name | default('squid') }}"
when: squid_whitelist_files.stdout != ""
- meta: flush_handlers
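Review bot: The `lineinfile` task is now named "Append packages.dotdeb.org to Squid whitelist" although its items are the Jenkins mirrors; this looks like a copy-paste from another role and will mislead anyone reading play output, so the previous name `- name: Append jenkins repositories to Squid whitelist` should be kept. The mirror entries are unanchored patterns with unescaped dots (`http://pkg.jenkins-ci.org/.*`); if the whitelist feeds a `url_regex` ACL, which this hunk does not show, a URL such as `http://evil.example/?u=http://pkg.jenkins-ci.org/` is admitted as well, and `^http://pkg\.jenkins-ci\.org/` would be the tighter form. The find/set_fact preamble is now identical across several roles in this commit; a shared task file included from each would avoid the kind of drift that already produced the wrong name here.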


@ -1,21 +1,30 @@
---
# tasks file for mongodb
- name: Check if Squid is present
stat:
path: /etc/squid3/whitelist-custom.conf
register: _squid3_whitelist
- name: Find squid config whitelist
shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null
failed_when: false
changed_when: false
check_mode: no
register: squid_whitelist_files
- name: add keyserver to Squid whitelist
- name: set squid_service_name=squid3 for Debian < 9
set_fact:
squid_service_name: squid3
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version | version_compare('9', '<')
- name: Append packages.dotdeb.org to Squid whitelist
lineinfile:
dest: /etc/squid3/whitelist-custom.conf
dest: "{{ squid_whitelist_files.stdout_lines | first }}"
line: "{{ item }}"
notify: reload squid3
state: present
with_items:
- "http://keyserver.ubuntu.com/.*"
- "hkp://keyserver.ubuntu.com/.*"
- "http://repo.mongodb.org/.*"
when: _squid3_whitelist.stat.exists
notify: "reload {{ squid_service_name | default('squid') }}"
when: squid_whitelist_files.stdout != ""
- meta: flush_handlers
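Review bot: Same copy-paste task name as in the Jenkins role: the step appends keyserver.ubuntu.com and repo.mongodb.org entries but is titled "Append packages.dotdeb.org to Squid whitelist"; the old `- name: add keyserver to Squid whitelist` was accurate and should be restored. The `find` task combines `2> /dev/null` with `failed_when: false`, so a permission error or a missing `find` binary is indistinguishable from "squid not present" and the whitelist step is silently skipped; that is a reasonable best-effort choice, but it deserves a comment above the task, e.g. `# empty stdout means no squid whitelist was found (or find itself failed); the whitelist steps below are then skipped`. Note also that the hkp:// entry only takes effect if squid is configured to proxy that scheme, which this hunk cannot confirm.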


@ -1,10 +1,15 @@
---
- name: Reload Squid
- name: reload squid3
service:
name: squid3
state: reloaded
- name: reload squid
service:
name: squid
state: reloaded
- name: apt update
apt:
update_cache: yes


@ -4,11 +4,27 @@
# url: https://download.newrelic.com/548C16BF.gpg
data: "{{ lookup('file', '548C16BF.gpg') }}"
- name: Find squid config whitelist
shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null
failed_when: false
changed_when: false
check_mode: no
register: squid_whitelist_files
- name: set squid_service_name=squid3 for Debian < 9
set_fact:
squid_service_name: squid3
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version | version_compare('9', '<')
- name: Append packages.dotdeb.org to Squid whitelist
lineinfile:
name: /etc/squid3/whitelist-custom.conf
dest: "{{ squid_whitelist_files.stdout_lines | first }}"
line: "http://apt.newrelic.com/.*"
notify: Reload Squid
state: present
notify: "reload {{ squid_service_name | default('squid') }}"
when: squid_whitelist_files.stdout != ""
- meta: flush_handlers
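Review bot: The `lineinfile` task is named "Append packages.dotdeb.org to Squid whitelist" but appends `http://apt.newrelic.com/.*`; the name should describe what it does, e.g. `- name: Append apt.newrelic.com to Squid whitelist`. The `set_fact` only ever sets `squid3` for Debian < 9 and otherwise leans on the `default('squid')` in the notify (and on the `squid_service_name: squid` role default added elsewhere in this commit), which works but is not obvious; a one-line comment such as `# Debian < 9 ships the service as squid3; newer releases use squid (see default('squid') below)` would spare the next reader the lookup. Likewise `stdout_lines | first` silently picks the first of up to four candidates in the order passed to `find` — custom files before base files, /etc/squid before /etc/squid3 — and that precedence is worth stating in a comment above the `shell` task.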


@ -4,3 +4,5 @@ log2mail_alert_email: Null
squid_address: "{{ ansible_default_ipv4.address }}"
squid_whitelist_items: []
squid_service_name: squid