From 137f0fd863b9d230cd0d8690f960464103ecbec5 Mon Sep 17 00:00:00 2001
From: Valentin Haudiquet
Date: Thu, 16 Oct 2025 22:31:53 +0200
Subject: [PATCH] squid: deployed squid
---
 .github/dependabot.yml | 1 +
 .swarmcd/stacks.yaml | 5 +++
 .../infrastructure/squid/docker-compose.yml | 24 ++++++++++
 docker/infrastructure/squid/squid.conf | 45 +++++++++++++++++++
 4 files changed, 75 insertions(+)
 create mode 100644 docker/infrastructure/squid/docker-compose.yml
 create mode 100644 docker/infrastructure/squid/squid.conf
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 42c3c5b..c858555 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,6 +16,7 @@ updates:
 - "/docker/infrastructure/mail/roundcube"
 - "/docker/infrastructure/mail/stalwart"
 - "/docker/infrastructure/network/traefik"
+ - "/docker/infrastructure/squid"
 - "/docker/infrastructure/sshportal"
 - "/docker/personal/gramps"
 - "/docker/personal/media/films-series/jackett"
diff --git a/.swarmcd/stacks.yaml b/.swarmcd/stacks.yaml
index d359a2a..7e46a71 100644
--- a/.swarmcd/stacks.yaml
+++ b/.swarmcd/stacks.yaml
@@ -57,6 +57,11 @@ traefik:
 branch: main
 compose_file: docker/infrastructure/network/traefik/docker-compose.yml
 
+squid:
+ repo: homeprod
+ branch: main
+ compose_file: docker/infrastructure/squid/docker-compose.yml
+
 sshportal:
 repo: homeprod
 branch: main
diff --git a/docker/infrastructure/squid/docker-compose.yml b/docker/infrastructure/squid/docker-compose.yml
new file mode 100644
index 0000000..dff51c4
--- /dev/null
+++ b/docker/infrastructure/squid/docker-compose.yml
@@ -0,0 +1,24 @@
+services:
+ squid:
+ image: ubuntu/squid:6.13-25.04_edge
+ ports:
+ - target: 3128
+ published: 3128
+ mode: host
+ environment:
+ - TZ=Europe/Paris
+ volumes:
+ - log:/var/log/squid
+ - cache:/var/spool/squid
+ - type: bind
+ source: /root/homeprod/docker/infrastructure/squid/squid.conf
+ target: /etc/squid/squid.conf
+
+volumes:
+ log:
+ cache:
+ driver: local
+ driver_opts:
+ type: 'none'
+ o: 'bind'
+ device: '/app/squid/cache'
diff --git a/docker/infrastructure/squid/squid.conf b/docker/infrastructure/squid/squid.conf
new file mode 100644
index 0000000..20262cc
--- /dev/null
+++ b/docker/infrastructure/squid/squid.conf
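Review bot: The long-form bind mount of squid.conf under `volumes:` is writable from inside the container, so a compromised or misbehaving squid process could rewrite its own access rules; add `read_only: true` to that entry. The `published: 3128` / `mode: host` port binds the proxy on every interface of the node it lands on, which leaves the `http_access` rules in squid.conf as the only access control, so it is worth confirming that no public interface is reachable or adding a host firewall rule. The tag `ubuntu/squid:6.13-25.04_edge` looks like a moving tag; pinning it by digest would keep redeployments reproducible between Dependabot updates.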
@@ -0,0 +1,45 @@
+acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+# Caching
+cache_dir aufs /var/spool/squid 40000 16 256
+maximum_object_size 4 GB
+
+## In-memory caching
+cache_mem 256 MB
+maximum_object_size_in_memory 5 MB
+
+## Always refresh Packages and Release files
+refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
+refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
+refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
+refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
+
+## Handle meta-release and changelogs.ubuntu.com special
+refresh_pattern changelogs.ubuntu.com\/.* 0 1% 1
+
+## Archive files: cache them for 90 days
+refresh_pattern deb$ 129600 100% 129600
+refresh_pattern udeb$ 129600 100% 129600
+refresh_pattern tar.gz$ 129600 100% 129600
+refresh_pattern tar.xz$ 129600 100% 129600
+refresh_pattern tar.bz2$ 129600 100% 129600
+
+## Docker: cache for 24h (min) to 7 days (max)
+refresh_pattern -i (/blobs/sha256) 1440 99% 10080 ignore-no-store ignore-private override-expire store-stale reload-into-ims
+refresh_pattern -i (/images/sha256) 1440 99% 10080 ignore-no-store ignore-private override-expire store-stale reload-into-ims
+refresh_pattern -i (/manifests/) 1440 99% 10080 ignore-no-store ignore-private override-expire store-stale reload-into-ims
+
+## Default: cache everything for 0h (min) to 72h (max)
+refresh_pattern . 0 20% 4320
+
+http_port 3128
+
+http_access allow localhost
+http_access allow localnet
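Review bot: The `http_access` section at the end of squid.conf allows `localhost` and `localnet` with none of the stock deny rules in front of them, so any client in the broad `localnet` ranges can CONNECT to arbitrary ports, ask the proxy to fetch from its own loopback, and query the cache manager. I would restore the `Safe_ports`/`SSL_ports` ACLs and the deny rules ahead of the allows and finish with an explicit `http_access deny all`, as in the fence below; the port list there is a constructed starting point and should be trimmed to what the LAN actually needs. Separately, the Docker `refresh_pattern` for `/manifests/` combines `ignore-private` with `override-expire`, which for plain-HTTP registries can serve a stale tag or a response meant for another client for at least 24 hours; blobs are content-addressed, tag manifests are not, so that line deserves a shorter lifetime or at least a comment.

```conf
# … unchanged: localnet ACLs, cache_dir/cache_mem and refresh_pattern settings …
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535

http_port 3128

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access allow localnet
http_access deny all
```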