Optimized nginx CSP (prop. leads to problems due to too high restrictions for some roles) and implemented health check for mailer

roles/health-msmtp/README.md

@@ -0,0 +1,21 @@
+# health-msmtp
+
+## Description
+
+This Ansible role sends periodic health check emails using **msmtp** to verify that your mail transport agent is operational. It deploys a simple script and hooks it into a systemd service and timer, with failure notifications sent via Telegram.
+
+## Overview
+
+Optimized for Archlinux, this role creates the required directory structure, installs and configures the health-check script, and integrates with the **systemd-notifier-telegram** role. It uses the **systemd-timer** role to schedule regular checks based on your customizable `OnCalendar` setting.
+
+## Purpose
+
+The **health-msmtp** role ensures that your mail transport system stays available by sending a test email at defined intervals. If the email fails, a Telegram alert is triggered, allowing you to detect and address issues before they impact users.
+
+## Features
+
+- **Directory & Script Deployment:** Sets up `health-msmtp/` and deploys a templated Bash script to send test emails via msmtp.  
+- **Systemd Service & Timer:** Provides `.service` and `.timer` units to run the check and schedule it automatically.  
+- **Failure Notifications:** Leverages **systemd-notifier-telegram** to push alerts when the script exits with an error.  
+- **Configurable Schedule:** Define your desired check frequency using the `on_calendar_health_msmtp` variable.  
+- **Email Destination:** Specify the recipient via the `users.administrator.email` variable.

roles/health-msmtp/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: "reload health-journalctl.cymais.service"
+  systemd:
+    name: health-journalctl.cymais.service
+    enabled: yes
+    daemon_reload: yes

roles/health-msmtp/meta/main.yml

@@ -0,0 +1,25 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Sends periodic health check emails via msmtp"
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - health
+    - msmtp
+    - email
+    - systemd
+    - monitoring
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies:
+  - systemd-notifier-telegram

roles/health-msmtp/tasks/main.yml

@@ -0,0 +1,27 @@
+- name: "create {{ health_msmtp_folder }}"
+  file:
+    path: "{{ health_msmtp_folder }}"
+    state: directory
+    mode: 0755
+
+- name: create health-msmtp.sh
+  template:
+    src:  health-msmtp.sh.j2
+    dest: "{{ health_msmtp_folder }}health-msmtp.sh"
+    mode: '0755'
+
+- name: create health-msmtp.cymais.service
+  template:
+    src: health-msmtp.service.j2
+    dest: /etc/systemd/system/health-msmtp.cymais.service
+  notify: reload health-msmtp.cymais.service
+
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+
+- name: include role for systemd-timer for {{ service_name }}
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar: "{{ on_calendar_health_msmtp }}"

roles/health-msmtp/templates/health-msmtp.service.j2

@@ -0,0 +1,7 @@
+[Unit]
+Description=Check msmtp liveliness
+OnFailure=systemd-notifier-telegram.cymais@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash {{ health_msmtp_folder }}health-msmtp.sh

roles/health-msmtp/templates/health-msmtp.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+echo "Subject: $HOST is alive
+
+Host $HOSTNAME reports at $(date): I'm alive." | msmtp -t {{ users.administrator.email }}

roles/health-msmtp/vars/main.yml

@@ -0,0 +1 @@
+health_msmtp_folder: "{{ path_administrator_scripts }}health-msmtp/"