From 59b652958f7737b4f624689d0a151b967d4c6547 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 3 Oct 2025 15:23:57 +0200
Subject: [PATCH] feat(sys-ctl-hlth-csp): add support for ignoring network block domains

Introduced new variable HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM (list, default []) to suppress network block reports (e.g., ORB) from specific external domains. Updated script.py to accept and forward the flag, extended systemd exec command in tasks, added defaults, and documented usage in README.

Ref: https://chatgpt.com/share/68dfc69b-7c94-800f-871b-3525deb8e374
---
 roles/sys-ctl-hlth-csp/README.md | 28 +++++++++++++++++++++++-
 roles/sys-ctl-hlth-csp/defaults/main.yml | 5 +++++
 roles/sys-ctl-hlth-csp/files/script.py | 22 +++++++++++++++----
 roles/sys-ctl-hlth-csp/tasks/01_core.yml | 7 +++++-
 4 files changed, 56 insertions(+), 6 deletions(-)
 create mode 100644 roles/sys-ctl-hlth-csp/defaults/main.yml

diff --git a/roles/sys-ctl-hlth-csp/README.md b/roles/sys-ctl-hlth-csp/README.md
index 6c3cc1dd..d5fa07f7 100644
--- a/roles/sys-ctl-hlth-csp/README.md
+++ b/roles/sys-ctl-hlth-csp/README.md
@@ -14,6 +14,32 @@ Designed for Archlinux systems, this role periodically checks whether web resour
 - **Domain Extraction:** Parses all `.conf` files in the NGINX config folder to determine the list of domains to check.
 - **Automated Execution:** Registers a systemd service and timer for recurring health checks.
 - **Error Notification:** Integrates with `sys-ctl-alm-compose` for alerting on failure.
+- **Ignore List Support:** Optional variable to suppress network block reports from specific external domains.
+
+## Configuration
+
+### Variables
+
+- **`HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM`** (list, default: `[]`)
+  Optional list of domains whose network block failures (e.g., ORB) should be ignored during CSP checks.
+
+Example:
+
+```yaml
+HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
+  - pxscdn.com
+  - cdn.example.org
+```
+
+This will run the CSP checker with:
+
+```bash
+checkcsp start --short --ignore-network-blocks-from pxscdn.com cdn.example.org
+```
+
+### Systemd Integration
+
+The role configures a systemd service and timer which executes the CSP crawler periodically against all NGINX domains.
 
 ## License
 
@@ -24,4 +50,4 @@ Infinito.Nexus NonCommercial License
 
 Kevin Veen-Birkenbach
 Consulting & Coaching Solutions
-[https://www.veen.world](https://www.veen.world)
\ No newline at end of file
+[https://www.veen.world](https://www.veen.world)
diff --git a/roles/sys-ctl-hlth-csp/defaults/main.yml b/roles/sys-ctl-hlth-csp/defaults/main.yml
new file mode 100644
index 00000000..3d32f135
--- /dev/null
+++ b/roles/sys-ctl-hlth-csp/defaults/main.yml
@@ -0,0 +1,5 @@
+# List of domains whose network block failures (e.g., ORB) should be ignored
+# during CSP checks. This is useful for suppressing known external resources
+# (e.g., third-party CDNs) that cannot be influenced but otherwise cause
+# unnecessary alerts in the crawler reports.
+HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM: []
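Review bot: The comment on the new default in defaults/main.yml explains why an operator would list a domain but not what listing it costs: a network-block report from any listed origin is suppressed entirely, so a genuinely unwanted or newly blocked resource from that origin no longer surfaces in the crawler reports. I would add a line such as `# Every entry here removes that origin from alerting, so keep the list minimal and re-check it whenever the CSP or the set of embedded third-party resources changes.` It would also help to state whether entries are matched as exact hostnames or as suffixes (whether `pxscdn.com` also covers its subdomains), since that decides how broad each suppression is; neither the comment nor the README example says, and I cannot tell from the role alone.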
diff --git a/roles/sys-ctl-hlth-csp/files/script.py b/roles/sys-ctl-hlth-csp/files/script.py
index dcd032c1..94b3d626 100644
--- a/roles/sys-ctl-hlth-csp/files/script.py
+++ b/roles/sys-ctl-hlth-csp/files/script.py
@@ -21,11 +21,19 @@ def extract_domains(config_path):
         print(f"Directory {config_path} not found.", file=sys.stderr)
         return None
 
-def run_checkcsp(domains):
+def run_checkcsp(domains, ignore_network_blocks_from):
     """
-    Executes the 'checkcsp' command with the given domains.
+    Executes the 'checkcsp' command with the given domains and optional ignores.
     """
-    cmd = ["checkcsp", "start", "--short"] + domains
+    cmd = ["checkcsp", "start", "--short"]
+
+    # pass through ignore list only if not empty
+    if ignore_network_blocks_from:
+        cmd.append("--ignore-network-blocks-from")
+        cmd.extend(ignore_network_blocks_from)
+
+    cmd += domains
+
     try:
         result = subprocess.run(cmd, check=True)
         return result.returncode
@@ -45,6 +53,12 @@ def main():
         required=True,
         help="Directory containing NGINX .conf files"
     )
+    parser.add_argument(
+        "--ignore-network-blocks-from",
+        nargs="*",
+        default=[],
+        help="Optional: one or more domains whose network block failures should be ignored"
+    )
     args = parser.parse_args()
 
     domains = extract_domains(args.nginx_config_dir)
@@ -55,7 +69,7 @@ def main():
         print("No domains found to check.")
         sys.exit(0)
 
-    rc = run_checkcsp(domains)
+    rc = run_checkcsp(domains, args.ignore_network_blocks_from)
     sys.exit(rc)
 
 if __name__ == "__main__":
diff --git a/roles/sys-ctl-hlth-csp/tasks/01_core.yml b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
index 2c63aca9..78a4d19c 100644
--- a/roles/sys-ctl-hlth-csp/tasks/01_core.yml
+++ b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
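Review bot: In run_checkcsp the ignore list is emitted immediately before the domains (`cmd.extend(ignore_network_blocks_from)` followed by `cmd += domains`), so whether checkcsp can tell where the ignore list ends depends on how it declares `--ignore-network-blocks-from`; if that option is variadic, as this script's own argparse definition is, every domain would be consumed as an ignore entry and nothing would be checked. Appending the option after the domains, or terminating it with `--` if checkcsp accepts that, removes the ambiguity; please confirm against checkcsp's CLI before relying on the current order. The docstring should also name the new parameter, e.g. `ignore_network_blocks_from: domains forwarded to checkcsp's --ignore-network-blocks-from; an empty list omits the flag.` run_checkcsp's body continues past the hunk, so its except branch is not visible here.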
@@ -18,6 +18,11 @@
     system_service_timer_enabled: true
     system_service_tpl_on_failure: "{{ SYS_SERVICE_ON_FAILURE_COMPOSE }}"
     system_service_tpl_timeout_start_sec: "{{ CURRENT_PLAY_DOMAINS_ALL | timeout_start_sec_for_domains }}"
-    system_service_tpl_exec_start: "{{ system_service_script_exec }} --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}"
+    system_service_tpl_exec_start: >-
+      {{ system_service_script_exec }}
+      --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}
+      {%- if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | length > 0 -%}
+      --ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | join(' ') }}
+      {%- endif -%}
 
 - include_tasks: utils/run_once.yml
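Review bot: The whitespace control on the new `{%- if ... -%}` tag appears to drop the separator between the two arguments: once YAML folds the `>-` block into a single line, the leading `-` strips the space after `--nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}` and the trailing `-` strips the space before `--ignore-network-blocks-from`, so with a non-empty list the rendered command would read `--nginx-config-dir=<dir>--ignore-network-blocks-from ...`, and argparse in script.py would take the suffix as part of the directory and reject the domains as unrecognized arguments. Keeping only the left-hand strip, `{%- if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | length > 0 %}`, preserves the space when the branch is taken and still yields a clean line when it is not; worth rendering once with a non-empty list to confirm. Separately, `join(' ')` places each entry into the exec line unquoted, so an entry containing whitespace or a character systemd treats specially would be split or expanded rather than passed through as one argument; `{{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | map('quote') | join(' ') }}` keeps each entry intact. I am assuming system_service_tpl_exec_start ends up as the unit's ExecStart, which is outside this hunk.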