kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-11-18 19:16:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kevinveenbirkenbach:a327adf8dbd4f38dcc269bc78f3e637d3813abcc
Branches Tags
kevinveenbirkenbach:master kevinveenbirkenbach:feature/shopware kevinveenbirkenbach:feature/drupal kevinveenbirkenbach:feature/xwiki-auth-oidc kevinveenbirkenbach:feature/keycloak-service-account-client
..
compare: kevinveenbirkenbach:4d9890406efe8e1074033b6e5f83fa5a3c38ec0c
Branches Tags
kevinveenbirkenbach:master kevinveenbirkenbach:feature/shopware kevinveenbirkenbach:feature/drupal kevinveenbirkenbach:feature/xwiki-auth-oidc kevinveenbirkenbach:feature/keycloak-service-account-client

2 Commits
a327adf8db ... 4d9890406e

Author SHA1 Message Date
Kevin Veen-Birkenbach
4d9890406e fix(sys-ctl-hlth-csp): ensure '--' separator is added when passing ignore list to checkcsp 
Updated README to reflect correct usage with '--', adjusted script.py to always append separator, and simplified task template handling for consistency.

Ref: https://chatgpt.com/share/68dfc69b-7c94-800f-871b-3525deb8e374
 2025-10-03 20:50:49 +02:00
Kevin Veen-Birkenbach
59b652958f feat(sys-ctl-hlth-csp): add support for ignoring network block domains 
Introduced new variable HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM (list, default [])
to suppress network block reports (e.g., ORB) from specific external domains.
Updated script.py to accept and forward the flag, extended systemd exec command
in tasks, added defaults, and documented usage in README.

Ref: https://chatgpt.com/share/68dfc69b-7c94-800f-871b-3525deb8e374
 2025-10-03 15:23:57 +02:00
4 changed files with 55 additions and 6 deletions
Expand all files Collapse all files

28
roles/sys-ctl-hlth-csp/README.md
View File

@@ -14,6 +14,32 @@ Designed for Archlinux systems, this role periodically checks whether web resour
- **Domain Extraction:** Parses all `.conf` files in the NGINX config folder to determine the list of domains to check.
- **Automated Execution:** Registers a systemd service and timer for recurring health checks.
- **Error Notification:** Integrates with `sys-ctl-alm-compose` for alerting on failure.
- **Ignore List Support:** Optional variable to suppress network block reports from specific external domains.
## Configuration
### Variables
- **`HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM`** (list, default: `[]`)
Optional list of domains whose network block failures (e.g., ORB) should be ignored during CSP checks.
Example:
```yaml
HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
- pxscdn.com
- cdn.example.org
```
This will run the CSP checker with:
```bash
checkcsp start --short --ignore-network-blocks-from pxscdn.com -- cdn.example.org <domains...>
```
### Systemd Integration
The role configures a systemd service and timer which executes the CSP crawler periodically against all NGINX domains.
## License
@@ -24,4 +50,4 @@ Infinito.Nexus NonCommercial License
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
[https://www.veen.world](https://www.veen.world)
[https://www.veen.world](https://www.veen.world)

5
roles/sys-ctl-hlth-csp/defaults/main.yml Normal file
View File

@@ -0,0 +1,5 @@
# List of domains whose network block failures (e.g., ORB) should be ignored
# during CSP checks. This is useful for suppressing known external resources
# (e.g., third-party CDNs) that cannot be influenced but otherwise cause
# unnecessary alerts in the crawler reports.
HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM: []

23
roles/sys-ctl-hlth-csp/files/script.py
View File

@@ -21,11 +21,20 @@ def extract_domains(config_path):
print(f"Directory {config_path} not found.", file=sys.stderr)
return None
def run_checkcsp(domains):
def run_checkcsp(domains, ignore_network_blocks_from):
"""
Executes the 'checkcsp' command with the given domains.
Executes the 'checkcsp' command with the given domains and optional ignores.
"""
cmd = ["checkcsp", "start", "--short"] + domains
cmd = ["checkcsp", "start", "--short"]
# pass through ignore list only if not empty
if ignore_network_blocks_from:
cmd.append("--ignore-network-blocks-from")
cmd.extend(ignore_network_blocks_from)
cmd.append("--")
cmd += domains
try:
result = subprocess.run(cmd, check=True)
return result.returncode
@@ -45,6 +54,12 @@ def main():
required=True,
help="Directory containing NGINX .conf files"
)
parser.add_argument(
"--ignore-network-blocks-from",
nargs="*",
default=[],
help="Optional: one or more domains whose network block failures should be ignored"
)
args = parser.parse_args()
domains = extract_domains(args.nginx_config_dir)
@@ -55,7 +70,7 @@ def main():
print("No domains found to check.")
sys.exit(0)
rc = run_checkcsp(domains)
rc = run_checkcsp(domains, args.ignore_network_blocks_from)
sys.exit(rc)
if __name__ == "__main__":

5
roles/sys-ctl-hlth-csp/tasks/01_core.yml
View File

@@ -18,6 +18,9 @@
system_service_timer_enabled: true
system_service_tpl_on_failure: "{{ SYS_SERVICE_ON_FAILURE_COMPOSE }}"
system_service_tpl_timeout_start_sec: "{{ CURRENT_PLAY_DOMAINS_ALL | timeout_start_sec_for_domains }}"
system_service_tpl_exec_start: "{{ system_service_script_exec }} --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}"
system_service_tpl_exec_start: >-
{{ system_service_script_exec }}
--nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}
--ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | join(' ') }}
- include_tasks: utils/run_once.yml