commit dba7ec36d0d5ce2ebc31567f0e4117ef5e97df3f
Author: Daniel Berteaud
Date: Mon Oct 16 00:31:11 2023 +0200
Initial commit
diff --git a/bundles.yml b/bundles.yml
new file mode 100644
index 0000000..5b9120e
--- /dev/null
+++ b/bundles.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+ - url: ../common.git
diff --git a/images/squid/Dockerfile b/images/squid/Dockerfile
new file mode 100644
index 0000000..ce0e8c9
--- /dev/null
+++ b/images/squid/Dockerfile
@@ -0,0 +1,25 @@
+FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
+MAINTAINER [[ .docker.maintainer ]]
+
+ENV SQUID_CONFDIR=/etc/squid \
+ SQUID_CONF_acl_10="safe_ports port 80 443 21" \
+ SQUID_CONF_acl_11="ssl_ports port 443 8443 8006 8007" \
+ SQUID_CONF_acl_12="rfc1918_dst dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" \
+ SQUID_CONF_http_access_10="deny CONNECT !ssl_ports"\
+ SQUID_CONF_http_access_1000="allow all"
+
+RUN set -eux &&\
+ apk --no-cache upgrade &&\
+ apk --no-cache add squid apache2-utils &&\
+ mkdir /etc/squid/conf.d/ &&\
+ touch /etc/squid/conf.d/env.conf &&\
+ touch /etc/squid/auth &&\
+ chown squid:squid /etc/squid/auth &&\
+ chmod 600 /etc/squid/auth &&\
+ chown -R squid:squid /etc/squid/conf.d/
+
+COPY root/ /
+
+EXPOSE 3128
+USER squid
+CMD ["squid", "-N", "-u", "0"]
diff --git a/images/squid/root/entrypoint.d/10-squid-conf.sh b/images/squid/root/entrypoint.d/10-squid-conf.sh
new file mode 100755
index 0000000..7c2e4d3
--- /dev/null
+++ b/images/squid/root/entrypoint.d/10-squid-conf.sh
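Review bot: The image-level defaults leave the proxy open: `SQUID_CONF_http_access_1000="allow all"` is the last rule, while the `safe_ports` and `rfc1918_dst` ACLs declared on the lines above it are never referenced by any `http_access` rule in this Dockerfile or in root/etc/squid/squid.conf, so they have no effect unless a deployment adds one. Consider shipping a fail-closed default, e.g. `SQUID_CONF_http_access_11="deny !safe_ports"` and `SQUID_CONF_http_access_1000="deny all"`, and let the job's env (as variables.yml already does with `http_access_20`/`21`) add the allow rules. Separately, `MAINTAINER` is deprecated in favour of `LABEL maintainer="[[ .docker.maintainer ]]"`, and `apk --no-cache add squid apache2-utils` pins no versions, so rebuilds of the same tag are not reproducible.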
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+mkdir -p ${SQUID_CONFDIR}
+for USER in $(printenv | grep -E "^SQUID_USER_" | sed -E 's/^SQUID_USER_([^=]+)=.*/\1/'); do
+ echo "Adding user ${USER} in ${SQUID_CONFDIR}/auth"
+ htpasswd -b -B ${SQUID_CONFDIR}/auth ${USER} "$(printenv SQUID_USER_${USER})"
+done
+
+mkdir -p ${SQUID_CONFDIR}/conf.d
+if [ -n "${SQUID_LISTS_DIR}" -a -d "${SQUID_LISTS_DIR}" ]; then
+ for CATEGORY in $(find "${SQUID_LISTS_DIR}" -type d -mindepth 1 -maxdepth 1); do
+ for LIST in $(ls ${CATEGORY}/*.list); do
+ CATEGORY=$(basename ${CATEGORY})
+ echo "Adding acl ${CATEGORY} dstdomain \"${LIST}\" in ${SQUID_CONFDIR}/conf.d/env.conf"
+ echo "acl ${CATEGORY} dstdomain \"${LIST}\"" >> ${SQUID_CONFDIR}/conf.d/env.conf
+ done
+ done
+fi
+
+for VAR in $(printenv | grep -E "^SQUID_CONF_" | sed -E 's/^SQUID_CONF_([^=]+)=.*/\1/' | sort -V); do
+ DIRECTIVE=$(echo ${VAR} | sed -E 's/^[0-9]+_//' | sed -E "s/_[0-9]+$//")
+ echo "Adding ${VAR} setting in ${SQUID_CONFDIR}/conf.d/env.conf"
+ echo "${DIRECTIVE} $(printenv SQUID_CONF_${VAR})" >> ${SQUID_CONFDIR}/conf.d/env.conf
+done
diff --git a/images/squid/root/etc/squid/squid.conf b/images/squid/root/etc/squid/squid.conf
new file mode 100644
index 0000000..dbb3eec
--- /dev/null
+++ b/images/squid/root/etc/squid/squid.conf
@@ -0,0 +1,18 @@
+max_filedescriptors 8192
+pid_filename none
+http_port 3128
+
+# Log on stdout
+access_log stdio:/dev/stdout combined
+
+# Deny cache manager
+http_access deny manager
+
+# NCSA auth
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
+auth_param basic children 2 startup=2 idle=1
+auth_param basic credentialsttl 1 hours
+
+# Include config fragment
+include /etc/squid/conf.d/*.conf
+
diff --git a/prep.d/10-mv_conf.sh b/prep.d/10-mv_conf.sh
new file mode 100755
index 0000000..4ee53ca
--- /dev/null
+++ b/prep.d/10-mv_conf.sh
@@ -0,0 +1 @@
+[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "squid" .squid.instance) ]]
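Review bot: Both loops append to `${SQUID_CONFDIR}/conf.d/env.conf` with `>>` but nothing truncates the file first, so restarting the same container (the Dockerfile creates the file at build time and the writable layer survives a restart) duplicates every acl and directive; add `: > "${SQUID_CONFDIR}/conf.d/env.conf"` right after the `mkdir -p ${SQUID_CONFDIR}/conf.d` line. `for LIST in $(ls ${CATEGORY}/*.list)` parses `ls` output and breaks on paths containing whitespace; the glob `for LIST in "${CATEGORY}"/*.list; do` does the same job, and reassigning `CATEGORY` inside the inner loop is hard to follow — a separate name such as `CATEGORY_NAME=$(basename "${CATEGORY}")` makes the intent clear. `htpasswd -b` also places each `SQUID_USER_*` value on the command line, where it is visible in the container's process list for the duration of the call; if the apache2-utils build supports `-i`, feeding the password on stdin avoids that.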
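Review bot: Only `access_log` is redirected to stdout; `cache_log` keeps Squid's default file path, so startup errors and warnings (for instance a directive from env.conf that Squid rejects) land in a file inside the container rather than in the container log that the Nomad job exposes. As far as I can tell Squid accepts a device path there, so `cache_log /dev/stderr` next to the `access_log` line (with `logfile_rotate 0`, since a device cannot be rotated) would surface them. Since no `cache_dir` is configured and this is a forward proxy only, an explicit `cache deny all` would also document that nothing is meant to be cached.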
diff --git a/squid.nomad.hcl b/squid.nomad.hcl
new file mode 100644
index 0000000..8c25b7b
--- /dev/null
+++ b/squid.nomad.hcl
@@ -0,0 +1,82 @@
+[[- $c := merge .squid . -]]
+
+job [[ $c.instance | toJSON ]] {
+
+[[ template "common/job_start.tpl" $c ]]
+
+ group "squid" {
+ network {
+ mode = "bridge"
+ }
+
+ service {
+ name = "[[ $c.instance ]][[ $c.consul.suffix ]]"
+ port = 3128
+[[ template "common/connect.tpl" $c ]]
+ }
+
+ task "squid" {
+ driver = [[ $c.nomad.driver | toJSON ]]
+
+ config {
+ image = [[ .squid.image | toJSON ]]
+ #readonly_rootfs = true
+ pids_limit = 100
+ }
+
+ env {
+ SQUID_LISTS_DIR = "/local/lists"
+ SQUID_CONF_0_include_0 = "/secrets/squid/conf.d/*.conf"
+ SQUID_CONF_auth_param_0 = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/squid/auth"
+ SQUID_CONF_acl_10 = "ssl_ports ports [[ join .squid.ssl_ports " " ]]"
+ }
+
+ template {
+ data =<<_EOT
+[[ template "squid/auth.tpl" . ]]
+_EOT
+ destination = "secrets/squid/auth"
+ uid = 100000
+ gid = 100031
+ perms = 0640
+ change_mode = "noop"
+ }
+
+ template {
+ data =<<_EOT
+[[ template "squid/acl.conf.tpl" . ]]
+_EOT
+ destination = "secrets/squid/conf.d/acl.conf"
+ uid = 100000
+ gid = 100031
+ perms = 0640
+ change_mode = "signal"
+ change_signal = "SIGHUP"
+ }
+
+[[- range $k, $v := .squid.lists ]]
+ [[- if has $v "url" ]]
+
+ artifact {
+ source = [[ $v.url | toJSON ]]
+ destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
+ mode = "file"
+ }
+ [[- else if has $v "content" ]]
+
+ template {
+ data =<<_EOT
+[[ $v.content ]]
+_EOT
+ destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
+ change_mode = "signal"
+ change_signal = "SIGHUP"
+ }
+ [[- end ]]
+[[- end ]]
+
+[[- template "common/file_env.tpl" $c.env ]]
+[[- template "common/resources.tpl" .squid.resources ]]
+ }
+ }
+}
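Review bot: `SQUID_CONF_acl_10 = "ssl_ports ports ..."` in the `env` block uses `ports` as the ACL type; Squid's type is `port`, as the Dockerfile's own default `acl ssl_ports port 443 8443 8006 8007` spells it, and as far as I know an unknown ACL type makes Squid refuse to start — change it to `SQUID_CONF_acl_10 = "ssl_ports port [[ join .squid.ssl_ports " " ]]"`. The same key `SQUID_CONF_acl_10` is also set in variables.yml's `squid.env` (`auth proxy_auth REQUIRED`), which reaches the task through the `common/file_env.tpl` line below, so whichever source loses the precedence drops either the `auth` ACL that `http_access_20` relies on or this `ssl_ports` line; give this one an unused index such as `SQUID_CONF_acl_13` (10–12 are taken by the image defaults). `#readonly_rootfs = true` is presumably commented out because the entrypoint writes under /etc/squid; if so, a comment saying that would keep the next reader from re-enabling it.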
@@ -0,0 +1,5 @@
+{{- range services }}
+ {{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
+acl auth_{{ .Name }} proxy_auth {{ .Name }}
+ {{- end }}
+{{- end }}
diff --git a/templates/auth.tpl b/templates/auth.tpl
new file mode 100644
index 0000000..293417e
--- /dev/null
+++ b/templates/auth.tpl
@@ -0,0 +1,5 @@
+{{- range services }}
+ {{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
+{{ .Name }}:{{ sprig_bcrypt .Name }}
+ {{- end }}
+{{- end }}
diff --git a/variables.yml b/variables.yml
new file mode 100644
index 0000000..b116613
--- /dev/null
+++ b/variables.yml
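Review bot: Each generated credential uses the service name as its own password (`{{ .Name }}:{{ sprig_bcrypt .Name }}`), so the `auth_<name>` proxy_auth ACLs written by templates/acl.conf.tpl identify a client only cooperatively — any client that can reach the proxy can present whichever name it likes. If the intent is that Connect mTLS does the real authentication and the basic-auth user is only a label for ACL selection, say so in a comment at the top of this template; otherwise derive the password from a per-service secret (a Consul KV or Vault value) rather than from the name. `sprig_bcrypt` also appears to salt anew on every render, so the auth file content changes on each re-render even when the service list does not — consistent with the job's `change_mode = "noop"` for this file, but worth a comment so nobody switches it to a signal.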
@@ -0,0 +1,89 @@
+---
+
+squid:
+ # Name of this instance (job name and service name)
+ instance: squid
+
+ # Docker image to use
+ image: danielberteaud/squid:23.10-1
+
+ # Resources
+ resources:
+ cpu: 100
+ memory: 256
+
+ # Env variables passed to the container
+ # squid configuration can be passed with
+ #
+ # To add directive
+ # - SQUID_CONF_: value
+ # To add directive, but sorted using (number)
+ # - SQUID_CONF__: value
+ # When a directive can be repeasted sevral times, you can also pass an additional number like
+ # - SQUID_CONF__: value
+ # For example
+ # # Ensure include is added before everything else
+ # SQUID_CONF_0_include_0: /secrets/squid/conf.d/*.conf
+ # # Add some access
+ # # Make authentication mandatory
+ # SQUID_CONF_http_access_20: deny !auth all
+ # # Allow access to the white category. As every access will be done through the service mesh
+ # # We can restrict it to localhost
+ # SQUID_CONF_http_access_21: allow localhost white
+ env:
+ SQUID_CONF_acl_10: auth proxy_auth REQUIRED
+ SQUID_CONF_http_access_20: deny !auth all
+ SQUID_CONF_http_access_21: allow localhost white
+ SQUID_CONF_http_access_22: deny black
+ SQUID_CONF_http_access_200: deny all
+
+ # List of destination ports for which squid will allow tunneling using CONNECT
+ ssl_ports:
+ - 443
+ - 8443
+ - 8006
+ - 8007
+
+ # List of domain to build black/white lists
+ # content can be used to directly set the content of the list (which can include consul-template fragment to read from consul KV store)
+ # url can be used to download a file from an http(s) source
+ lists:
+ almalinux:
+ url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains
+ category: white
+ dbd:
+ content: |
+ .lapiole.org
+ category: white
+ debian:
+ url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains
+ category: white
+ epel:
+ url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains
+ category: white
+ remi:
+ url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains
+ category: white
+ windows:
+ url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains
+ category: white
+ various:
+ url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains
+ category: white
+ whitelist:
+ content: |
+ {{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/white" }}
+ {{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/white" }}
+ {{- end }}
+ category: white
+ blacklist:
+ content: |
+ {{- if keyExists "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
+ {{ key "[[ .consul.prefix ]]service/[[ .squid.instance ]]/lists/black" }}
+ {{- end }}
+ category: black
+
+ # Disable default TCP check to prevent log noise
+ consul:
+ connect:
+ disable_default_tcp_check: true
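Review bot: The comment block above `env:` that explains the `SQUID_CONF_` naming scheme reads `- SQUID_CONF_: value` and `- SQUID_CONF__: value` for all three forms, so a reader cannot tell where the directive name and the sort/repeat numbers go; this looks like angle-bracket placeholders were lost on rendering, and if so a form that survives plain text, such as `SQUID_CONF_DIRECTIVE: value` / `SQUID_CONF_N_DIRECTIVE: value` / `SQUID_CONF_N_DIRECTIVE_M: value`, would be more robust. The same comment has `repeasted sevral` for `repeated several`. Both are wording only; the values below the comment are consistent with the three forms the Dockerfile's entrypoint parses.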