kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-15 16:40:45 +02:00
Code Issues Packages Projects Releases Wiki Activity
computer-playbook/roles/sys-hlth-csp
History
Kevin Veen-Birkenbach 4fa1c6cfbd
ansible: quote file modes; keycloak: robust LDAP bind update + config cleanup 
Highlights
- Quote all file modes as strings ("0755"/"0770") across multiple roles to avoid YAML octal quirks and improve portability.
- Keycloak: introduce actions.{import_realm,update_ldap_bind} feature flags and wire them via vars/config.
- Implement idempotent LDAP bind updater (tasks/03_update-ldap-bind.yml):
  * kcadm login with no_log protection,
  * fetch LDAP UserStorage component by name,
  * compare current bindDn/bindCredential and update only when changed.
- Keycloak realm import template: keep providerId="ldap" and set name from keycloak_ldap_component_name.
- Centralize Keycloak readiness check in tasks/main.yml; remove duplicate waits from 02_update_client_redirects.yml and 04_ssh_public_key.yml.
- 01_import.yml: fix typo (keycloak), quote modes, tidy spacing, and replace Jinja-in-Jinja fileglob with concatenation.
- 02_update_client_redirects.yml: correct assert fail_msg filename; keep login-first flow.
- Minor template/vars tidy-ups (spacing, comments, consistent variable usage).

Files touched (excerpt)
- roles/*/*: replace 0755/0770 → "0755"/"0770"
- roles/web-app-keycloak/config/main.yml: add actions map
- roles/web-app-keycloak/vars/main.yml: unify Keycloak vars and feature flags
- roles/web-app-keycloak/tasks/{01_import,02_update_client_redirects,03_update-ldap-bind,04_ssh_public_key,main}.yml
- roles/web-app-keycloak/templates/{docker-compose.yml.j2,import/realm.json.j2}

https://chatgpt.com/share/689bda16-b138-800f-8258-e13f6d7d8239
2025-08-13 02:20:38 +02:00
..
files
Another big round of refactoring and cleaning...
2025-07-11 17:55:26 +02:00
handlers
Renamed cymais to infinito and did some other optimations and logout implementations
2025-07-29 16:35:42 +02:00
meta
Optimized URLS
2025-08-13 00:33:47 +02:00
tasks
ansible: quote file modes; keycloak: robust LDAP bind update + config cleanup
2025-08-13 02:20:38 +02:00
templates
Renamed cymais to infinito and did some other optimations and logout implementations
2025-07-29 16:35:42 +02:00
vars
Another big round of refactoring and cleaning...
2025-07-11 17:55:26 +02:00
README.md
Optimized URLS
2025-08-13 00:33:47 +02:00

README.md

Health CSP Crawler

Description

This Ansible role automates the validation of Content Security Policy (CSP) enforcement for all configured domains by crawling them using a CSP Checker.

Overview

Designed for Archlinux systems, this role periodically checks whether web resources (JavaScript, fonts, images, etc.) are blocked by CSP headers. It integrates Python and Node.js tooling and installs a systemd service with timer support.

Features

  • CSP Resource Validation: Uses Puppeteer to simulate browser requests and detect blocked resources.
  • Domain Extraction: Parses all .conf files in the NGINX config folder to determine the list of domains to check.
  • Automated Execution: Registers a systemd service and timer for recurring health checks.
  • Error Notification: Integrates with sys-alm-compose for alerting on failure.

License

Infinito.Nexus NonCommercial License (CNCL) https://s.infinito.nexus/license

Author

Kevin Veen-Birkenbach Consulting & Coaching Solutions https://www.veen.world