2 Commits
a327adf8db
...
4d9890406e
| Author | SHA1 | Date | |
|---|---|---|---|
| 4d9890406e | |||
| 59b652958f |
@@ -14,6 +14,32 @@ Designed for Archlinux systems, this role periodically checks whether web resour
|
|||||||
- **Domain Extraction:** Parses all `.conf` files in the NGINX config folder to determine the list of domains to check.
|
- **Domain Extraction:** Parses all `.conf` files in the NGINX config folder to determine the list of domains to check.
|
||||||
- **Automated Execution:** Registers a systemd service and timer for recurring health checks.
|
- **Automated Execution:** Registers a systemd service and timer for recurring health checks.
|
||||||
- **Error Notification:** Integrates with `sys-ctl-alm-compose` for alerting on failure.
|
- **Error Notification:** Integrates with `sys-ctl-alm-compose` for alerting on failure.
|
||||||
|
- **Ignore List Support:** Optional variable to suppress network block reports from specific external domains.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
### Variables
|
||||||
|
|
||||||
|
- **`HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM`** (list, default: `[]`)
|
||||||
|
Optional list of domains whose network block failures (e.g., ORB) should be ignored during CSP checks.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
|
||||||
|
- pxscdn.com
|
||||||
|
- cdn.example.org
|
||||||
|
```
|
||||||
|
|
||||||
|
This will run the CSP checker with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
checkcsp start --short --ignore-network-blocks-from pxscdn.com -- cdn.example.org <domains...>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Systemd Integration
|
||||||
|
|
||||||
|
The role configures a systemd service and timer which executes the CSP crawler periodically against all NGINX domains.
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
@@ -24,4 +50,4 @@ Infinito.Nexus NonCommercial License
|
|||||||
|
|
||||||
Kevin Veen-Birkenbach
|
Kevin Veen-Birkenbach
|
||||||
Consulting & Coaching Solutions
|
Consulting & Coaching Solutions
|
||||||
[https://www.veen.world](https://www.veen.world)
|
[https://www.veen.world](https://www.veen.world)
|
||||||
|
|||||||
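--- a/roles/sys-ctl-hlth-csp/defaults/main.yml
+++ b/roles/sys-ctl-hlth-csp/defaults/main.yml
@@ -0,0 +1,5 @@
+# List of domains whose network block failures (e.g., ORB) should be ignored
+# during CSP checks. This is useful for suppressing known external resources
+# (e.g., third-party CDNs) that cannot be influenced but otherwise cause
+# unnecessary alerts in the crawler reports.
+HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM: []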
@@ -21,11 +21,20 @@ def extract_domains(config_path):
|
|||||||
print(f"Directory {config_path} not found.", file=sys.stderr)
|
print(f"Directory {config_path} not found.", file=sys.stderr)
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def run_checkcsp(domains):
|
def run_checkcsp(domains, ignore_network_blocks_from):
|
||||||
"""
|
"""
|
||||||
Executes the 'checkcsp' command with the given domains.
|
Executes the 'checkcsp' command with the given domains and optional ignores.
|
||||||
"""
|
"""
|
||||||
cmd = ["checkcsp", "start", "--short"] + domains
|
cmd = ["checkcsp", "start", "--short"]
|
||||||
|
|
||||||
|
# pass through ignore list only if not empty
|
||||||
|
if ignore_network_blocks_from:
|
||||||
|
cmd.append("--ignore-network-blocks-from")
|
||||||
|
cmd.extend(ignore_network_blocks_from)
|
||||||
|
cmd.append("--")
|
||||||
|
|
||||||
|
cmd += domains
|
||||||
|
|
||||||
try:
|
try:
|
||||||
result = subprocess.run(cmd, check=True)
|
result = subprocess.run(cmd, check=True)
|
||||||
return result.returncode
|
return result.returncode
|
||||||
@@ -45,6 +54,12 @@ def main():
|
|||||||
required=True,
|
required=True,
|
||||||
help="Directory containing NGINX .conf files"
|
help="Directory containing NGINX .conf files"
|
||||||
)
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
"--ignore-network-blocks-from",
|
||||||
|
nargs="*",
|
||||||
|
default=[],
|
||||||
|
help="Optional: one or more domains whose network block failures should be ignored"
|
||||||
|
)
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
domains = extract_domains(args.nginx_config_dir)
|
domains = extract_domains(args.nginx_config_dir)
|
||||||
@@ -55,7 +70,7 @@ def main():
|
|||||||
print("No domains found to check.")
|
print("No domains found to check.")
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|
||||||
rc = run_checkcsp(domains)
|
rc = run_checkcsp(domains, args.ignore_network_blocks_from)
|
||||||
sys.exit(rc)
|
sys.exit(rc)
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
|||||||
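Review bot: The ignore-list entries are spliced into argv unvalidated at `cmd.extend(ignore_network_blocks_from)`, and the same list is read by the new `nargs="*"` option in main(), so an entry that starts with `-` is consumed as another option and an entry containing whitespace arrives as two entries once the systemd unit joins the list with spaces. A short check before the extend makes that failure explicit instead of silently changing what gets checked: `bad = [d for d in ignore_network_blocks_from if not d or d.startswith("-") or any(c.isspace() for c in d)]` followed by `if bad: raise ValueError(f"invalid ignore entries: {bad}")`. The README example added in this commit places `--` between `pxscdn.com` and `cdn.example.org`, whereas this code emits `--` only after the whole ignore list, so the documented command line would treat `cdn.example.org` as a domain to check rather than ignore. run_checkcsp's except branch continues outside the hunk.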
@@ -18,6 +18,9 @@
|
|||||||
system_service_timer_enabled: true
|
system_service_timer_enabled: true
|
||||||
system_service_tpl_on_failure: "{{ SYS_SERVICE_ON_FAILURE_COMPOSE }}"
|
system_service_tpl_on_failure: "{{ SYS_SERVICE_ON_FAILURE_COMPOSE }}"
|
||||||
system_service_tpl_timeout_start_sec: "{{ CURRENT_PLAY_DOMAINS_ALL | timeout_start_sec_for_domains }}"
|
system_service_tpl_timeout_start_sec: "{{ CURRENT_PLAY_DOMAINS_ALL | timeout_start_sec_for_domains }}"
|
||||||
system_service_tpl_exec_start: "{{ system_service_script_exec }} --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}"
|
system_service_tpl_exec_start: >-
|
||||||
|
{{ system_service_script_exec }}
|
||||||
|
--nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}
|
||||||
|
--ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | join(' ') }}
|
||||||
|
|
||||||
- include_tasks: utils/run_once.yml
|
- include_tasks: utils/run_once.yml
|
||||||
|
|||||||
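Review bot: The folded `system_service_tpl_exec_start: >-` joins `HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM` with bare spaces, so an entry containing whitespace or quote characters changes how systemd tokenizes the ExecStart line, and an empty list still emits a trailing `--ignore-network-blocks-from` that only parses because the script declares the option with `nargs="*"`. Quoting each entry and emitting the option only when the list is non-empty keeps the unit independent of those details: `{% if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM %}--ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | map('quote') | join(' ') }}{% endif %}`. Whether the unit template applies any further escaping to this value is not visible in the hunk.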