mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-12-02 15:39:57 +00:00
- Replace legacy utils/run_once.yml with the new helpers utils/once_flag.yml and utils/once_finalize.yml
- Introduce utils/compose_up.yml to ensure docker-compose stacks are up and to flush handlers safely without coupling to run-once flags
- Migrate all affected roles (desk-*, dev-*, sys-ctl-*, sys-svc-*, web-app-*, web-svc-*, util-*) to the new run-once helpers
- Rework sys-svc-msmtp to auto-load Mailu once per deploy, check reachability, and reuse the running stack instead of requiring multiple playbook passes
- Adjust web-app-mailu to integrate cert deployment, handler flushing, and run-once handling so Mailu is fully initialized in a single deploy
- Improve Matomo, CDN, logout and CSP/health-check related roles to cooperate with the new compose_up / once_* pattern
- Simplify alarm/backup/timer/service orchestration (sys-ctl-alm-*, sys-bkp-provider, sys-timer-cln-bkps, etc.) by moving run-once logic into dedicated 01_core.yml files
- Update integration tests so utils/once_flag.yml and utils/once_finalize.yml are recognised as valid run-once providers, keeping the global run_once_* guarantees consistent
- Align frontend injection and service dependencies so Mastodon- and Mailu-related services can be brought up coherently within a single deployment cycle rather than several iterations
Health CSP Crawler
Description
This Ansible role automates the validation of Content Security Policy (CSP) enforcement for all configured domains by crawling them using a CSP Checker.
Overview
Designed for Arch Linux systems, this role periodically checks whether the resources a page loads (JavaScript, fonts, images, etc.) are blocked by the site's own CSP headers, which is the usual symptom of a policy that has drifted out of sync with the deployed application. It integrates Python and Node.js tooling and installs a systemd service with timer support.
Features
- CSP Resource Validation: Uses Puppeteer to simulate browser requests and detect resources blocked by the policy.
- Domain Extraction: Parses all .conf files in the NGINX config folder to determine the list of domains to check.
- Automated Execution: Registers a systemd service and timer for recurring health checks.
- Error Notification: Integrates with sys-ctl-alm-compose for alerting on failure.
- Ignore List Support: Optional variable to suppress network block reports from specific external domains.
Configuration
Variables
HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM (list, default: [])
Optional list of domains whose network block failures (e.g., browser-side Opaque Response Blocking, ORB, of third-party responses) should be ignored during CSP checks. Keep this list to third-party hosts whose blocks you have confirmed are unrelated to your own policy: every block reported for a listed host is dropped from the result, so an over-broad list hides real CSP breakage.
Example:
HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
- pxscdn.com
- cdn.example.org
This will run the CSP checker with:
checkcsp start --short --ignore-network-blocks-from pxscdn.com cdn.example.org -- <domains...>
The ignore option takes a variable number of hosts, so the -- separator marks where the ignore list ends and the list of domains to crawl begins; everything before it is ignored, everything after it is checked.
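The two steps described above, extracting the domains from the NGINX .conf files and assembling the checkcsp command line with the ignore list, as an added example in Python. This is illustrative code, not the role's own script: the configuration snippets are constructed here, the names extract_domains, build_checkcsp_command and load_domains_from_dir are this example's own, and the argument layout (ignore hosts, then --, then the domains) follows the command line shown above.

```python
"""Added example: derive the crawl list from NGINX server blocks and build
the checkcsp invocation. Not the role's code; names and samples are assumed."""
import re
import subprocess
import sys
from pathlib import Path

# Constructed sample .conf contents standing in for files in the NGINX
# config directory (assumption: the role reads every *.conf there).
SAMPLE_CONFS = {
    "mailu.conf": """
server {
    listen 80;
    server_name mail.example.org;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name mail.example.org webmail.example.org;
    proxy_set_header Host $server_name;
}
""",
    "default.conf": """
server {
    listen 80 default_server;
    server_name _;   # catch-all, not a real host
}
""",
    "matomo.conf": """
server {
    listen 443 ssl;
    # wildcard names cannot be crawled, so they are skipped below
    server_name matomo.example.org
        *.stats.example.org;
}
""",
}

# Match the directive only, not the $server_name variable.
SERVER_NAME_RE = re.compile(r"(?<![$\w])server_name\s+([^;]+);")


def strip_comments(text: str) -> str:
    """Drop '#' comments so a commented-out server_name is not picked up.
    (Does not special-case '#' inside quoted strings.)"""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def extract_domains(conf_texts) -> list[str]:
    """Return the sorted, de-duplicated crawlable hostnames."""
    domains = set()
    for text in conf_texts:
        for match in SERVER_NAME_RE.finditer(strip_comments(text)):
            for name in match.group(1).split():
                name = name.strip("\"'").lower()
                # Skip catch-all, regex, wildcard and loopback names.
                if name in ("_", "localhost") or name.startswith(("*", "~", ".")):
                    continue
                domains.add(name)
    return sorted(domains)


def load_domains_from_dir(conf_dir: str) -> list[str]:
    """Same extraction over the real *.conf files in a directory."""
    return extract_domains(p.read_text() for p in Path(conf_dir).glob("*.conf"))


def build_checkcsp_command(domains, ignore_network_blocks_from=()) -> list[str]:
    """Assemble argv. '--' terminates the variadic ignore list so the
    domains are not swallowed as further hosts to ignore."""
    if not domains:
        raise ValueError("no domains to check")
    cmd = ["checkcsp", "start", "--short"]
    ignore = list(ignore_network_blocks_from)
    if ignore:
        cmd += ["--ignore-network-blocks-from", *ignore, "--"]
    return cmd + list(domains)


if __name__ == "__main__":
    # Usage: run against the live config; a non-zero exit propagates to
    # systemd, which is what lets an on-failure alert hook fire.
    argv = build_checkcsp_command(
        load_domains_from_dir("/etc/nginx/conf.d"),
        ["pxscdn.com", "cdn.example.org"],
    )
    sys.exit(subprocess.run(argv).returncode)
```

Run as a script it shells out to checkcsp and exits with its status; imported, the two functions can be exercised on the embedded samples, where the catch-all `_` and the wildcard entry are dropped and the duplicated mail.example.org appears once.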
Systemd Integration
The role configures a systemd service and timer which periodically executes the CSP crawler against every domain extracted from the NGINX configuration; a failed run exits non-zero, which is what the alerting integration reacts to.
License
Infinito.Nexus NonCommercial License https://s.infinito.nexus/license
Author
Kevin Veen-Birkenbach Consulting & Coaching Solutions https://www.veen.world