feat(sys-ctl-hlth-csp): add support for ignoring network block domains

Introduced new variable HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM (list, default []) to suppress network block reports (e.g., ORB) from specific external domains. Updated script.py to accept and forward the flag, extended systemd exec command in tasks, added defaults, and documented usage in README. Ref: https://chatgpt.com/share/68dfc69b-7c94-800f-871b-3525deb8e374
2025-10-09 18:28:10 +02:00 · 2025-10-03 15:23:57 +02:00
parent a327adf8db
commit 59b652958f
4 changed files with 56 additions and 6 deletions
--- a/roles/sys-ctl-hlth-csp/README.md
+++ b/roles/sys-ctl-hlth-csp/README.md
@@ -14,6 +14,32 @@ Designed for Archlinux systems, this role periodically checks whether web resour
 - **Domain Extraction:** Parses all `.conf` files in the NGINX config folder to determine the list of domains to check.
 - **Automated Execution:** Registers a systemd service and timer for recurring health checks.
 - **Error Notification:** Integrates with `sys-ctl-alm-compose` for alerting on failure.
+- **Ignore List Support:** Optional variable to suppress network block reports from specific external domains.
+
+## Configuration
+
+### Variables
+
+- **`HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM`** (list, default: `[]`)  
+  Optional list of domains whose network block failures (e.g., ORB) should be ignored during CSP checks.
+
+Example:
+
+```yaml
+HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
+  - pxscdn.com
+  - cdn.example.org
+```
+
+This will run the CSP checker with:
+
+```bash
+checkcsp start --short --ignore-network-blocks-from pxscdn.com cdn.example.org <domains...>
+```
+
+### Systemd Integration
+
+The role configures a systemd service and timer which executes the CSP crawler periodically against all NGINX domains.

 ## License

@@ -24,4 +50,4 @@ Infinito.Nexus NonCommercial License

 Kevin Veen-Birkenbach
 Consulting & Coaching Solutions
-[https://www.veen.world](https://www.veen.world)
+[https://www.veen.world](https://www.veen.world)
--- a/roles/sys-ctl-hlth-csp/defaults/main.yml
+++ b/roles/sys-ctl-hlth-csp/defaults/main.yml
@@ -0,0 +1,5 @@
+# List of domains whose network block failures (e.g., ORB) should be ignored
+# during CSP checks. This is useful for suppressing known external resources
+# (e.g., third-party CDNs) that cannot be influenced but otherwise cause
+# unnecessary alerts in the crawler reports.
+HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM: []
--- a/roles/sys-ctl-hlth-csp/files/script.py
+++ b/roles/sys-ctl-hlth-csp/files/script.py
@@ -21,11 +21,19 @@ def extract_domains(config_path):
        print(f"Directory {config_path} not found.", file=sys.stderr)
        return None

-def run_checkcsp(domains):
+def run_checkcsp(domains, ignore_network_blocks_from):
    """
-    Executes the 'checkcsp' command with the given domains.
+    Executes the 'checkcsp' command with the given domains and optional ignores.
    """
-    cmd = ["checkcsp", "start", "--short"] + domains
+    cmd = ["checkcsp", "start", "--short"]
+
+    # pass through ignore list only if not empty
+    if ignore_network_blocks_from:
+        cmd.append("--ignore-network-blocks-from")
+        cmd.extend(ignore_network_blocks_from)
+
+    cmd += domains
+
    try:
        result = subprocess.run(cmd, check=True)
        return result.returncode
@@ -45,6 +53,12 @@ def main():
        required=True,
        help="Directory containing NGINX .conf files"
    )
+    parser.add_argument(
+        "--ignore-network-blocks-from",
+        nargs="*",
+        default=[],
+        help="Optional: one or more domains whose network block failures should be ignored"
+    )
    args = parser.parse_args()

    domains = extract_domains(args.nginx_config_dir)
@@ -55,7 +69,7 @@ def main():
        print("No domains found to check.")
        sys.exit(0)

-    rc = run_checkcsp(domains)
+    rc = run_checkcsp(domains, args.ignore_network_blocks_from)
    sys.exit(rc)

 if __name__ == "__main__":
--- a/roles/sys-ctl-hlth-csp/tasks/01_core.yml
+++ b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
@@ -18,6 +18,11 @@
    system_service_timer_enabled:         true
    system_service_tpl_on_failure:        "{{ SYS_SERVICE_ON_FAILURE_COMPOSE }}"
    system_service_tpl_timeout_start_sec: "{{ CURRENT_PLAY_DOMAINS_ALL | timeout_start_sec_for_domains }}"
-    system_service_tpl_exec_start:        "{{ system_service_script_exec }} --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}"
+    system_service_tpl_exec_start: >-
+      {{ system_service_script_exec }}
+      --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}
+      {%- if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | length > 0 -%}
+      --ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | join(' ') }}
+      {%- endif -%}

 - include_tasks: utils/run_once.yml