From 3cb4cbf0d26d5c662c55fd4e7121f14fe0ee0907 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 13 May 2025 15:43:17 +0200
Subject: [PATCH] Added checkcsp to health-csp
---
roles/health-csp/README.md | 20 +----------
roles/health-csp/meta/main.yml | 4 +--
roles/health-csp/tasks/main.yml | 36 +++++++++----------
.../templates/health-csp.service.j2 | 3 +-
roles/health-csp/vars/main.yml | 3 +-
roles/nginx/meta/main.yml | 2 +-
6 files changed, 22 insertions(+), 46 deletions(-)
diff --git a/roles/health-csp/README.md b/roles/health-csp/README.md
index 9681f50b..cb2989ba 100644
--- a/roles/health-csp/README.md
+++ b/roles/health-csp/README.md
@@ -2,7 +2,7 @@
## Description
-This Ansible role automates the validation of [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) enforcement for all configured domains by crawling them using a Puppeteer-based Node.js script.
+This Ansible role automates the validation of [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) enforcement for all configured domains by crawling them using a [CSP Checker](https://github.com/kevinveenbirkenbach/csp-checker).
## Overview
@@ -15,24 +15,6 @@ Designed for Archlinux systems, this role periodically checks whether web resour
- **Automated Execution:** Registers a systemd service and timer for recurring health checks.
- **Error Notification:** Integrates with `systemd-notifier` for alerting on failure.
-## Dependencies
-
-This role depends on the following:
-
-- [`nodejs`](../nodejs/)
-- [`npm`](../npm/)
-- [`systemd-notifier`](../systemd-notifier/)
-- [`systemd-timer`](../systemd-timer/)
-
-## Configuration
-
-Set the following variables to customize behavior:
-
-```yaml
-health_csp_crawler_folder: "{{ path_administrator_scripts }}health-csp/"
-on_calendar_health_csp_crawler: "daily"
-```
-
## License
CyMaIS NonCommercial License (CNCL)
diff --git a/roles/health-csp/meta/main.yml b/roles/health-csp/meta/main.yml
index 74a1a431..21bb1ce9 100644
--- a/roles/health-csp/meta/main.yml
+++ b/roles/health-csp/meta/main.yml
@@ -24,6 +24,4 @@ galaxy_info:
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- - systemd-notifier
- - nodejs
- - npm
\ No newline at end of file
+ - systemd-notifier
\ No newline at end of file
diff --git a/roles/health-csp/tasks/main.yml b/roles/health-csp/tasks/main.yml
index 80df0838..2f088dc9 100644
--- a/roles/health-csp/tasks/main.yml
+++ b/roles/health-csp/tasks/main.yml
@@ -1,46 +1,44 @@
+- name: "pkgmgr install"
+ include_role:
+ name: pkgmgr-install
+ vars:
+ package_name: checkcsp
+ when: run_once_backup_docker_to_local is not defined
+
- name: "create {{ health_csp_crawler_folder }}"
file:
path: "{{ health_csp_crawler_folder }}"
state: directory
mode: 0755
-
-- name: "Install puppeteer if node_modules not yet present"
- ansible.builtin.command:
- cmd: npm install puppeteer
- chdir: "{{ health_csp_crawler_folder }}"
- creates: "{{ health_csp_crawler_folder }}/node_modules"
-
-- name: Check if puppeteer is usable
- command: node -e "require('puppeteer')"
- args:
- chdir: "{{ health_csp_crawler_folder }}"
- register: puppeteer_check
- failed_when: puppeteer_check.rc != 0
+ when: run_once_backup_docker_to_local is not defined
- name: copy health-csp.py
copy:
src: health-csp.py
dest: "{{ health_csp_crawler_script }}"
mode: 0755
-
-- name: copy health-csp.js
- copy:
- src: health-csp.js
- dest: "{{ health_csp_crawler_node }}"
- mode: 0755
+ when: run_once_backup_docker_to_local is not defined
- name: create health-csp.cymais.service
template:
src: health-csp.service.j2
dest: /etc/systemd/system/health-csp.cymais.service
notify: reload health-csp.cymais.service
+ when: run_once_backup_docker_to_local is not defined
- name: set service_name to role_name
set_fact:
service_name: "{{ role_name }}"
+ when: run_once_backup_docker_to_local is not defined
- name: include systemd timer role
include_role:
name: systemd-timer
vars:
on_calendar: "{{ on_calendar_health_csp_crawler }}"
+ when: run_once_backup_docker_to_local is not defined
+
+- name: run the backup_docker_to_local tasks once
+ set_fact:
+ run_once_backup_docker_to_local: true
+ when: run_once_backup_docker_to_local is not defined
diff --git a/roles/health-csp/templates/health-csp.service.j2 b/roles/health-csp/templates/health-csp.service.j2
index cd89ad74..391c7584 100644
--- a/roles/health-csp/templates/health-csp.service.j2
+++ b/roles/health-csp/templates/health-csp.service.j2
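Review bot: Every new `when:` in this hunk keys off `run_once_backup_docker_to_local`, and the final `set_fact` sets that same name, but this is the health-csp role: the name was evidently copied from another role, and because `set_fact` facts are host-wide, whichever of the two roles runs first sets it and every task of the other role is then silently skipped on that host. Use a role-specific name throughout — `when: run_once_health_csp is not defined` on each task and `run_once_health_csp: true` in the final `set_fact` — and rename that task to `run the health_csp tasks once` so the skip reason reads correctly in play output. The `pkgmgr install` task passes only `package_name: checkcsp`, so the tool that decides whether CSP is enforced is whatever pkgmgr fetches at run time; if pkgmgr-install accepts a version or ref variable, pin one here so a changed upstream cannot silently alter the health result.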
@@ -5,5 +5,4 @@ OnFailure=systemd-notifier.cymais@%n.service
[Service]
Type=oneshot
ExecStart=/usr/bin/python3 {{ health_csp_crawler_script }} \
- --nginx-config-dir={{ nginx.directories.http.servers }} \
- --script={{ health_csp_crawler_node }}
+ --nginx-config-dir={{ nginx.directories.http.servers }}
\ No newline at end of file
diff --git a/roles/health-csp/vars/main.yml b/roles/health-csp/vars/main.yml
index 34b2e70e..fce09830 100644
--- a/roles/health-csp/vars/main.yml
+++ b/roles/health-csp/vars/main.yml
@@ -1,3 +1,2 @@
health_csp_crawler_folder: "{{ path_administrator_scripts }}health-csp/"
-health_csp_crawler_script: "{{ health_csp_crawler_folder }}health-csp.py"
-health_csp_crawler_node: "{{ health_csp_crawler_folder }}health-csp.js"
\ No newline at end of file
+health_csp_crawler_script: "{{ health_csp_crawler_folder }}health-csp.py"
\ No newline at end of file
diff --git a/roles/nginx/meta/main.yml b/roles/nginx/meta/main.yml
index d6cf8586..b94ba991 100644
--- a/roles/nginx/meta/main.yml
+++ b/roles/nginx/meta/main.yml
@@ -1,3 +1,3 @@
dependencies:
- health-nginx
-# - health-csp
\ No newline at end of file
+ - health-csp
\ No newline at end of file
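Review bot: With the `--script` argument gone, `health-csp.py` must find the `checkcsp` tool on its own, but the `[Service]` section sets neither `Environment=PATH=` nor `WorkingDirectory=`, and nothing in this commit shows where `pkgmgr-install` places `checkcsp`; a oneshot unit runs with systemd's default search path, so if the tool lands elsewhere the failure surfaces only when the timer first fires, via systemd-notifier, rather than at deploy time. Confirm the install location and, if it is outside that default path, add `Environment=PATH=<checkcsp-install-dir>:/usr/bin` (placeholder) under `[Service]`, or have the script invoke the tool by absolute path. The new last line is also written without a trailing newline (`\ No newline at end of file`); ending the template with one avoids a spurious diff the next time the file is touched. `health-csp.py` itself is not part of this commit, so the contract between the unit and the script cannot be checked here.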
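Review bot: Enabling `- health-csp` here makes it a hard dependency of every nginx host, yet the health-csp service template changed in this same commit reads `nginx.directories.http.servers`, so the dependency consumes the parent role's data; role dependencies execute before the parent's own tasks, which only works if that value comes from nginx's vars or defaults rather than from something nginx's tasks set — worth confirming, because a missing value renders a broken `ExecStart` silently instead of failing the play. It also means `pkgmgr-install` fetches `checkcsp` and a recurring timer is registered on every host that merely serves nginx; if that is the intent, a sentence in the commit description saying so would spare the next reader the same question.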