Another big round of refactoring and cleaning...

2025-08-29 15:06:26 +02:00 · 2025-07-11 17:55:26 +02:00
parent aa61bf2a44
commit 168c5c0da6
323 changed files with 761 additions and 811 deletions
--- a/roles/sys-hlth-webserver/README.md
+++ b/roles/sys-hlth-webserver/README.md
@@ -0,0 +1,20 @@
+# sys-hlth-webserver
+
+## Description
+Verifies that each of your Nginx‐served domains returns an expected HTTP status (200, 301, etc.) and alerts on deviations.
+
+## Features
+- Scans your `nginx` server block `.conf` files for domains.
+- HEAD-requests each domain and compares against per-domain expected codes.
+- Reports any mismatches via `sys-alm-compose`.
+- Scheduled via a systemd timer for periodic health sweeps.
+
+## Usage
+Include this role, install `python-requests`, and define `on_calendar_health_nginx`.
+
+## Further Resources
+- For more details on nginx configurations, visit [nginx documentation](https://nginx.org/en/docs/).
+- Learn more about Ansible's `uri_module` [here](https://docs.ansible.com/ansible/latest/modules/uri_module.html).
+
+## Contributions
+This role was created with the assistance of ChatGPT. The conversation can be found [here](https://chat.openai.com/share/4033be29-12a6-40a3-bf3c-fc5d57dba8cb) and [here](https://chat.openai.com/share/7f3766d1-9db7-4976-8fe9-68d1142c0a78).
--- a/roles/sys-hlth-webserver/TODO.md
+++ b/roles/sys-hlth-webserver/TODO.md
@@ -0,0 +1,2 @@
+# Todo
+- Implement health check for oauth2-proxy
--- a/roles/sys-hlth-webserver/handlers/main.yml
+++ b/roles/sys-hlth-webserver/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: "reload sys-hlth-webserver.cymais.service"
+  systemd:
+    name: sys-hlth-webserver.cymais.service
+    enabled: yes
+    daemon_reload: yes
--- a/roles/sys-hlth-webserver/meta/main.yml
+++ b/roles/sys-hlth-webserver/meta/main.yml
@@ -0,0 +1,26 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Checks that each Nginx domain returns its expected HTTP status and alerts on unexpected codes."
+  company: |
+    Kevin Veen-Birkenbach  
+    Consulting & Coaching Solutions  
+    https://www.veen.world
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions: ["rolling"]
+  galaxy_tags:
+    - monitor
+    - webserver
+    - nginx
+    - http
+    - health
+    - systemd
+  repository: "https://s.veen.world/cymais"
+  documentation: "https://s.veen.world/cymais"
+dependencies:
+  - gen-python-pip
+  - sys-alm-compose
--- a/roles/sys-hlth-webserver/tasks/main.yml
+++ b/roles/sys-hlth-webserver/tasks/main.yml
@@ -0,0 +1,43 @@
+- name: Install required Python modules
+  pacman:
+    name: python-requests
+    state: present
+  when: run_once_health_nginx is not defined
+
+- name: "create {{ health_nginx_folder }}"
+  file:
+    path: "{{ health_nginx_folder }}"
+    state: directory
+    mode: 0755
+  when: run_once_health_nginx is not defined
+
+- name: create sys-hlth-webserver.py
+  template:
+    src: sys-hlth-webserver.py.j2
+    dest: "{{ health_nginx_folder }}sys-hlth-webserver.py"
+  when: run_once_health_nginx is not defined
+
+- name: create sys-hlth-webserver.cymais.service
+  template: 
+    src: sys-hlth-webserver.service.j2
+    dest: /etc/systemd/system/sys-hlth-webserver.cymais.service
+  notify: reload sys-hlth-webserver.cymais.service
+  when: run_once_health_nginx is not defined
+
+- name: "set 'service_name' to '{{ role_name }}'"
+  set_fact:
+    service_name: "{{ role_name }}"
+  when: run_once_health_nginx is not defined
+
+- name: "include role for sys-timer for {{service_name}}"
+  include_role:
+    name: sys-timer
+  vars:
+    on_calendar:  "{{on_calendar_health_nginx}}"
+  when: run_once_health_nginx is not defined
+
+- name: run the health_nginx tasks once
+  set_fact:
+    run_once_health_nginx: true
+  when: run_once_health_nginx is not defined
+
--- a/roles/sys-hlth-webserver/templates/sys-hlth-webserver.py.j2
+++ b/roles/sys-hlth-webserver/templates/sys-hlth-webserver.py.j2
@@ -0,0 +1,69 @@
+import os
+import requests
+import sys
+import re
+
+def get_expected_statuses(domain: str, parts: list[str], redirected_domains: set[str]) -> list[int]:
+    """
+    Determine the expected HTTP status codes based on the domain name.
+
+    Args:
+        domain: The full domain string (e.g. 'example.com').
+        parts: The domain split into its subcomponents (e.g. ['www', 'example', 'com']).
+        redirected_domains: A set of domains that should trigger a redirect.
+
+    Returns:
+        A list of expected HTTP status codes.
+    """
+    if domain == '{{domains | get_domain('listmonk')}}':
+        return [404]
+    if (parts and parts[0] == 'www') or (domain in redirected_domains):
+        return [301]
+    if domain == '{{domains | get_domain('yourls')}}':
+        return [403]
+    return [200, 302, 301]
+
+# file in which fqdn server configs are deposit
+config_path = '{{nginx.directories.http.servers}}'
+
+# Initialize the error counter
+error_counter = 0
+
+# Regex pattern to match domain.tld or *.domain.tld
+pattern = re.compile(r"^(?:[\w-]+\.)*[\w-]+\.[\w-]+\.conf$")
+
+# Iterate over each file in the configuration directory
+for filename in os.listdir(config_path):
+    if filename.endswith('.conf') and pattern.match(filename):
+        # Extract the domain and subdomain from the filename
+        domain = filename.replace('.conf', '')
+        parts = domain.split('.')
+        
+        # Prepare the URL and expected status codes
+        url = f"{{ web_protocol }}://{domain}"
+        
+        redirected_domains = [domain['source'] for domain in {{ current_play_domain_mappings_redirect}}]
+        redirected_domains.append("{{domains | get_domain('mailu')}}")
+
+        expected_statuses = get_expected_statuses(domain, parts, redirected_domains)
+
+        try:
+            # Send a HEAD request to get only the response header
+            response = requests.head(url)
+
+            # Check if the status code matches the expected statuses
+            if response.status_code in expected_statuses:
+                print(f"{domain}: OK")
+            else:
+                print(f"{domain}: ERROR: Expected {expected_statuses}. Got {response.status_code}.")
+                error_counter += 1
+        except requests.RequestException as e:
+            # Handle exceptions for requests like connection errors
+            print(f"{domain}: error due to {e}")
+            error_counter += 1
+
+if error_counter > 0:
+    print(f"Warning: {error_counter} domains responded with an unexpected https status code.")
+
+# Exit the script with the number of errors as the exit code
+sys.exit(error_counter)
--- a/roles/sys-hlth-webserver/templates/sys-hlth-webserver.service.j2
+++ b/roles/sys-hlth-webserver/templates/sys-hlth-webserver.service.j2
@@ -0,0 +1,7 @@
+[Unit]
+Description=Check nginx configuration status
+OnFailure=sys-alm-compose.cymais@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/python3 {{ health_nginx_folder }}sys-hlth-webserver.py
--- a/roles/sys-hlth-webserver/vars/main.yml
+++ b/roles/sys-hlth-webserver/vars/main.yml
@@ -0,0 +1 @@
+health_nginx_folder: '{{ path_administrator_scripts }}sys-hlth-webserver/'
				`@@ -0,0 +1 @@`
				`health_nginx_folder: '{{ path_administrator_scripts }}sys-hlth-webserver/'`