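---
# Name of this instance (job name and service name)
instance: squid

# '[[ ... ]]' fragments are expanded when the job is rendered from this file;
# '{{ ... }}' fragments inside list contents are consul-template expressions
# (see the "lists" section below). NOTE(review): the '[[ ]]' delimiter is
# inferred from usage in this file — confirm against the job renderer.
squid:
  # Docker image to use
  image: '[[ .docker.repo ]]squid:24.5-1'

  # Number of instances to run
  count: 1

  # Resources
  resources:
    cpu: 100
    memory: 256

  vault:
    policies:
      - '[[ .instance ]][[ .consul.suffix ]]'

  # Secret fields generated for this instance (manager_pwd);
  # NOTE(review): how the value is generated/stored is not visible here — confirm against the job template
  rand_secrets:
    - fields:
        - manager_pwd

  # Env variables passed to the container
  # squid configuration can be passed with
  #
  # To add a directive
  # - SQUID_CONF_<directive>: value
  # To add a directive, but sorted using <number>
  # - SQUID_CONF_<number>_<directive>: value
  # When a directive can be repeated several times, you can also pass an additional number like
  # - SQUID_CONF_<directive>_<number>: value
  # (both numbers can be combined, see the include example below)
  # NOTE(review): the <directive>/<number> placeholders above were reconstructed from the examples — confirm against the image entrypoint
  #
  # For example
  #
  # Ensure include is added before everything else
  # SQUID_CONF_0_include_0: /secrets/squid/conf.d/*.conf
  #
  # Add some access
  #
  # Make authentication mandatory
  # SQUID_CONF_http_access_20: deny !auth all
  #
  # Allow access to the white category. As every access will be done through the service mesh
  # we can restrict it to localhost
  # SQUID_CONF_http_access_21: allow localhost white
  #
  # The numbers below define the evaluation order of the rules:
  # 101 rejects unauthenticated clients before 102/103 consider the
  # white/black categories, and 999 is the final catch-all deny.
  env:
    SQUID_CONF_10_acl: auth proxy_auth REQUIRED
    SQUID_CONF_101_http_access: deny !auth all
    SQUID_CONF_102_http_access: allow localhost white
    SQUID_CONF_103_http_access: deny black
    SQUID_CONF_999_http_access: deny all

  # List of destination ports for which squid will allow tunneling using CONNECT
  ssl_ports:
    - 443
    - 8443
    - 8006
    - 8007
    - 8448

  # Lists of domains used to build the black/white lists
  # content can be used to directly set the content of the list (which can include consul-template fragments to read from the consul KV store)
  # url can be used to download a file from an http(s) source
  # Entries fetched via url come from an external host and end up in the
  # "white" category, so that source has to be trusted as much as this file.
  lists:
    almalinux:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_almalinux.domains
      category: white
    dbd:
      content: |
        .lapiole.org
      category: white
    debian:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_debian.domains
      category: white
    epel:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_epel.domains
      category: white
    remi:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_remi.domains
      category: white
    windows:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_windows.domains
      category: white
    various:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/software_various.domains
      category: white
    services:
      url: https://git.lapiole.org/dani/ansible-roles/raw/branch/master/roles/squid/files/acl/service_various.domains
      category: white
    # White list read from the Consul KV store at runtime (empty when the key does not exist)
    whitelist:
      content: |
        {{- if keyExists "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/white" }}
        {{ key "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/white" }}
        {{- end }}
      category: white
    # Black list read from the Consul KV store at runtime; the leading '#' line
    # and the placeholder domain are part of the list file itself, not YAML comments
    blacklist:
      content: |
        # Add an fake domain to prevents warnings in case Consul has no blacklist entry
        .nonexistingdomain
        {{- if keyExists "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/black" }}
        {{ key "[[ .consul.kv.root ]]service/[[ .instance ]]/lists/black" }}
        {{- end }}
      category: black

  # Disable default TCP check to prevent log noise
  consul:
    connect:
      disable_default_tcp_check: true

  prometheus:
    enabled: '[[ .prometheus.available ]]'
    # Metrics are scraped from the loopback interface only
    metrics_url: http://127.0.0.1:9301/metrics

  # Metrics exporter running next to squid; its version is reused in the image tag
  exporter:
    version: '1.11.0'
    image: '[[ .docker.repo ]]squid-exporter:[[ .squid.exporter.version ]]-1'
    resources:
      cpu: 10
      memory: 30
    vault:
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'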