fix(sys-ctl-hlth-csp): ensure '--' separator is added when passing ignore list to checkcsp

Updated README to reflect correct usage with '--', adjusted script.py to always append separator, and simplified task template handling for consistency.

Ref: https://chatgpt.com/share/68dfc69b-7c94-800f-871b-3525deb8e374

roles/sys-ctl-hlth-csp/README.md

@@ -34,7 +34,7 @@ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
 This will run the CSP checker with:
 
 ```bash
-checkcsp start --short --ignore-network-blocks-from pxscdn.com cdn.example.org <domains...>
+checkcsp start --short --ignore-network-blocks-from pxscdn.com -- cdn.example.org <domains...>
 ```
 
 ### Systemd Integration

roles/sys-ctl-hlth-csp/files/script.py

@@ -31,6 +31,7 @@ def run_checkcsp(domains, ignore_network_blocks_from):
     if ignore_network_blocks_from:
         cmd.append("--ignore-network-blocks-from")
         cmd.extend(ignore_network_blocks_from)
+        cmd.append("--")
 
     cmd += domains
 

roles/sys-ctl-hlth-csp/tasks/01_core.yml

@@ -21,8 +21,6 @@
     system_service_tpl_exec_start: >-
       {{ system_service_script_exec }}
       --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}
-      {%- if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | length > 0 -%}
       --ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | join(' ') }}
-      {%- endif -%}
 
 - include_tasks: utils/run_once.yml