From b462567522b4697bc312b8c69e91a669692ff3d6 Mon Sep 17 00:00:00 2001
From: Greg Sutcliffe
Date: Tue, 18 Nov 2025 16:36:30 +0000
Subject: [PATCH] Firmware: add a proxy to reach downloads.dell.com
Signed-off-by: Greg Sutcliffe
---
 playbooks/groups/noc.yml | 1 +
 roles/firmware_proxy/files/httpd_vhost.conf | 27 +++++++++++++++++++++
 roles/firmware_proxy/tasks/main.yml | 17 +++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 roles/firmware_proxy/files/httpd_vhost.conf
 create mode 100644 roles/firmware_proxy/tasks/main.yml
diff --git a/playbooks/groups/noc.yml b/playbooks/groups/noc.yml
index 10393001b5..6317ae9fbb 100644
--- a/playbooks/groups/noc.yml
+++ b/playbooks/groups/noc.yml
@@ -63,6 +63,7 @@ roles:
 - { role: dhcp_server, when: datacenter == 'rdu3' }
 - { role: tftp_server, when: datacenter == 'rdu3' }
+ - { role: firmware_proxy, when: datacenter == 'rdu3' }
 - { role: nagios_server, when: datacenter == 'ibiblio' or datacenter == 'rdu3' }
 tasks:
diff --git a/roles/firmware_proxy/files/httpd_vhost.conf b/roles/firmware_proxy/files/httpd_vhost.conf
new file mode 100644
index 0000000000..b0c94e2402
--- /dev/null
+++ b/roles/firmware_proxy/files/httpd_vhost.conf
@@ -0,0 +1,27 @@
+Listen 8080
+
+ # Enable forward proxy
+ ProxyRequests On
+ ProxyVia On
+
+ # Restrict access to mgmt vlans
+
+ Require ip 10.16.160.0/24
+ Require ip 10.16.160.1/24
+
+
+ # Only proxy to Dell links
+
+ Require ip 10.16.160.0/24
+ Require ip 10.16.161.0/24
+
+
+ # Deny everything else
+
+ Require all denied
+
+
+ # Logging
+ ErrorLog logs/firmware-proxy-error.log
+ CustomLog logs/firmware-proxy-access.log combined
+
diff --git a/roles/firmware_proxy/tasks/main.yml b/roles/firmware_proxy/tasks/main.yml
new file mode 100644
index 0000000000..b89e5d8140
--- /dev/null
+++ b/roles/firmware_proxy/tasks/main.yml
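Review bot: The second line of the "Restrict access to mgmt vlans" block, `Require ip 10.16.160.1/24`, looks like a typo: under a /24 mask it names the same network as the line above it, while the "Only proxy to Dell links" block lists 10.16.160.0/24 and 10.16.161.0/24. If the 161 VLAN is intended, the line should read `Require ip 10.16.161.0/24` so both blocks admit the same clients. The enclosing section directives are not visible on this page, so the destination match and the way the final `Require all denied` block combines with the two earlier ones cannot be checked here. With `ProxyRequests On`, that match is what keeps the listener from relaying to arbitrary hosts, so it deserves a one-line comment stating the exact host pattern, plus a check that requests outside it end at the deny.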
@@ -0,0 +1,17 @@
+## A playbook for an httpd proxy which relays
+# the firmware catalogs to the Dell iDRACs
+#
+# Currently this is just an Apache vhost and restart
+#
+---
+- name: Copy over proxy httpd vhost
+ ansible.builtin.copy:
+ src: httpd_vhost.conf
+ dest: /etc/httpd/conf.d/firmware-proxy.conf
+ owner: root
+ group: root
+ mode: '0644'
+ tags:
+ - firmware_proxy
+ notify:
+ - Reload httpd
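Review bot: `notify: - Reload httpd` refers to a handler this commit does not add; the diffstat creates only files/httpd_vhost.conf and tasks/main.yml under roles/firmware_proxy. Unless a handler with exactly that name is already provided by the play or a shared handlers file (not visible here), the run fails when the copy task reports a change, so either confirm it exists or ship it in the role's own handlers/main.yml. The header comment also calls this "a playbook" and mentions a "restart", whereas this is a role task file that triggers a reload; something like `# Role tasks: install the httpd forward-proxy vhost that relays Dell firmware catalogs to the iDRACs, then reload httpd` would match what the task does. Nothing in the role installs httpd or opens port 8080, so a comment line stating those prerequisites would help the next reader.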