kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-09 02:45:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
379b1d420eb2814e4364f5f079846df6856ede13
computer-playbook/roles/sys-ctl-hlth-csp
History
Kevin Veen-Birkenbach 716ebef33b Refactor task includes and update variable handling for Ansible 2.20 migration 
This commit updates multiple roles to ensure compatibility with Ansible 2.20.
Several include paths and task-loading mechanisms required adjustments,
as Ansible 2.20 applies stricter evaluation rules for complex Jinja expressions
and no longer resolves certain relative include paths the way Ansible 2.18 did.

Key changes:
- Replaced legacy once_finalize.yml and once_flag.yml with the new structure
  under tasks/utils/once/finalize.yml and tasks/utils/once/flag.yml.
- Updated all include_tasks statements to use 'path_join' with playbook_dir,
  ensuring deterministic and absolute file resolution across roles.
- Fixed all network helper includes by converting direct relative paths such as
  'roles/docker-compose/tasks/utils/network.yml' to proper Jinja-evaluated paths.
- Normalized MATOMO_* variable names for consistency with the updated variable
  scope behavior in Ansible 2.20.
- Removed deprecated patterns that were implicitly supported in Ansible 2.18
  but break under the more strict variable and path resolution model in 2.20.

These changes are part of the full migration step required to ensure the
infinito-nexus roles remain stable, deterministic, and forward-compatible with
Ansible 2.20.

Details of the discussion and reasoning can be found in this conversation:
https://chatgpt.com/share/69300a8d-24d4-800f-bec0-e895a695618a
2025-12-03 11:02:34 +01:00
..
defaults
files
handlers
meta
tasks
Refactor task includes and update variable handling for Ansible 2.20 migration
2025-12-03 11:02:34 +01:00
vars
README.md

README.md

Health CSP Crawler

Description

This Ansible role automates the validation of Content Security Policy (CSP) enforcement for all configured domains by crawling them using a CSP Checker.

Overview

Designed for Archlinux systems, this role periodically checks whether web resources (JavaScript, fonts, images, etc.) are blocked by CSP headers. It integrates Python and Node.js tooling and installs a systemd service with timer support.

Features

  • CSP Resource Validation: Uses Puppeteer to simulate browser requests and detect blocked resources.
  • Domain Extraction: Parses all .conf files in the NGINX config folder to determine the list of domains to check.
  • Automated Execution: Registers a systemd service and timer for recurring health checks.
  • Error Notification: Integrates with sys-ctl-alm-compose for alerting on failure.
  • Ignore List Support: Optional variable to suppress network block reports from specific external domains.

Configuration

Variables

  • HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM (list, default: [])
    Optional list of domains whose network block failures (e.g., ORB) should be ignored during CSP checks.

Example:

HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
  - pxscdn.com
  - cdn.example.org

This will run the CSP checker with:

checkcsp start --short --ignore-network-blocks-from pxscdn.com -- cdn.example.org <domains...>

Systemd Integration

The role configures a systemd service and timer which executes the CSP crawler periodically against all NGINX domains.

License

Infinito.Nexus NonCommercial License https://s.infinito.nexus/license

Author

Kevin Veen-Birkenbach Consulting & Coaching Solutions https://www.veen.world

Reference in New Issue View Git Blame Copy Permalink