From 4d9890406efe8e1074033b6e5f83fa5a3c38ec0c Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 3 Oct 2025 20:50:49 +0200
Subject: [PATCH] fix(sys-ctl-hlth-csp): ensure '--' separator is added when passing ignore list to checkcsp

Updated README to reflect correct usage with '--', adjusted script.py to always append separator, and simplified task template handling for consistency.
Ref: https://chatgpt.com/share/68dfc69b-7c94-800f-871b-3525deb8e374
---
 roles/sys-ctl-hlth-csp/README.md | 2 +-
 roles/sys-ctl-hlth-csp/files/script.py | 1 +
 roles/sys-ctl-hlth-csp/tasks/01_core.yml | 2 --
 3 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/roles/sys-ctl-hlth-csp/README.md b/roles/sys-ctl-hlth-csp/README.md
index d5fa07f7..61bafaf8 100644
--- a/roles/sys-ctl-hlth-csp/README.md
+++ b/roles/sys-ctl-hlth-csp/README.md
@@ -34,7 +34,7 @@ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
 This will run the CSP checker with:
 ```bash
-checkcsp start --short --ignore-network-blocks-from pxscdn.com cdn.example.org
+checkcsp start --short --ignore-network-blocks-from pxscdn.com -- cdn.example.org
 ```
 ### Systemd Integration
diff --git a/roles/sys-ctl-hlth-csp/files/script.py b/roles/sys-ctl-hlth-csp/files/script.py
index 94b3d626..6f7deba9 100644
--- a/roles/sys-ctl-hlth-csp/files/script.py
+++ b/roles/sys-ctl-hlth-csp/files/script.py
@@ -31,6 +31,7 @@ def run_checkcsp(domains, ignore_network_blocks_from):
 if ignore_network_blocks_from:
 cmd.append("--ignore-network-blocks-from")
 cmd.extend(ignore_network_blocks_from)
+ cmd.append("--")
 cmd += domains
diff --git a/roles/sys-ctl-hlth-csp/tasks/01_core.yml b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
index 78a4d19c..acb4f36b 100644
--- a/roles/sys-ctl-hlth-csp/tasks/01_core.yml
+++ b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
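Review bot: In `run_checkcsp` (roles/sys-ctl-hlth-csp/files/script.py) the added `cmd.append("--")` appears to sit inside `if ignore_network_blocks_from:`, although indentation is lost in this view. If so, an empty ignore list still passes the domains without an end-of-options marker, which does not match the "always append separator" wording in the commit message. Moving `cmd.append("--")` to function level, directly before `cmd += domains`, would make it unconditional and would stop a domain string starting with `-` from being read as a checkcsp option, assuming checkcsp accepts a bare `--`. Entries of `ignore_network_blocks_from` are still placed before the separator, so a value starting with `-` would be parsed as a flag; consider rejecting such entries before `cmd.extend(...)`. The function begins and ends outside the hunk.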
@@ -21,8 +21,6 @@ system_service_tpl_exec_start: >- {{ system_service_script_exec }} --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }} - {%- if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | length > 0 -%} --ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | join(' ') }} - {%- endif -%} - include_tasks: utils/run_once.yml
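Review bot: With the `{%- if … -%}` guard removed from `system_service_tpl_exec_start`, `--ignore-network-blocks-from` is written into the unit's command line even when `HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM` is empty. Whether script.py accepts the flag with zero values depends on its argument parser, which is not visible here, so confirm this before relying on an empty default. The list is also rendered with `join(' ')` and no validation, so an entry containing whitespace or starting with `-` would be split into extra arguments or taken as another option by the script. A preceding `assert` task that checks each entry is a plain hostname would close that gap, with a comment such as `# entries are rendered unquoted into ExecStart; hostnames only`. The task this template belongs to starts above the hunk.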