Commit 1802b152 authored by HgO's avatar HgO

simplify webhook role by creating a single webhook

parent 8fdb22bc
webhook_config:
- name: github-pull-labriqueinter-net
type: github
become_user: labriqueinter-net
script: pull.sh
working_dir: /var/www/labriqueinter-net/dist
token: "{{ vault_webhook_github_pull_labriqueinter_net_token }}"
webhook_scripts:
- webhook/scripts/pull.sh
webhook_name: github-pull-labriqueinter-net
webhook_owner: labriqueinter-net
webhook_group: "{{ webhook_owner }}"
webhook_script: webhook/scripts/pull.sh
webhook_working_dir: /var/www/labriqueinter-net/dist
webhook_token: "{{ vault_webhook_github_pull_labriqueinter_net_token }}"
webhook_type: github
webhook_config:
- name: github-pull
become_user: github
script: pull.sh
working_dir: /var/www/github
type: github
token: github-secret
- name: gitlab-pull
become_user: gitlab
script: pull.sh
working_dir: /var/www/gitlab
type: gitlab
token: gitlab-secret
webhook_scripts:
- webhook/scripts/pull.sh
webhook_name: github-pull-webhook
webhook_owner: webhook
webhook_group: "{{ webhook_owner }}"
webhook_script: webhook/scripts/pull.sh
webhook_working_dir: /var/www/webhook/dist
webhook_token: github-secret
# Valid types are: github, gitlab
webhook_type: github
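Review bot: `webhook_token: github-secret` ships a working, publicly-known shared secret as the role default, so any host that does not override it (in this commit the `vault_…` reference appears only in the per-host vars) accepts every request whose `X-Hub-Signature-256` HMAC or `X-Gitlab-Token` is computed with the string `github-secret`. The old defaults carried the same placeholder and the commit keeps it. Make the default unusable and fail early instead: set `webhook_token: ""` with the comment `# Must be overridden with a vault-encrypted value; an empty token is rejected by the assert task` and add an `assert:` with `that: webhook_token | length > 0` before the config template is rendered. The `# Valid types are: github, gitlab` comment should also say what happens with any other value, since the template only emits a trigger-rule for those two.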
- id: "health"
execute-command: "true"
......@@ -13,3 +13,23 @@
package:
name: git
state: present
- name: Installation des ACL
package:
name: acl
state: present
- name: Création de l'utilisateur webhook
user:
name: webhook
home: /var/www/webhook
shell: /sbin/nologin
system: true
state: present
- name: Récupération du dépôt git de webhook
git:
repo: https://github.com/adnanh/webhook.git
dest: /var/www/webhook/dist
single_branch: true
become_user: webhook
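Review bot: `become_user: webhook` on the git task only takes effect when `become: true` is also set on the task or the play; nothing in this hunk sets it, so unless the play does, the clone runs as the connecting user and `/var/www/webhook/dist` ends up owned by that user rather than `webhook`. Add `become: true` next to `become_user: webhook`, or confirm the play-level setting. The `acl` install deserves a why-comment, presumably `# Ansible needs setfacl to hand its temporary module files to an unprivileged become_user`, since it only makes sense together with the become_user below. The git task pins no `version:`, so the initial checkout is whatever the remote default branch points at; that is consistent with a pull-style hook, but worth stating in a comment so nobody mistakes it for a pinned deployment.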
......@@ -4,74 +4,36 @@
name: webhook
state: present
- name: Création de l'utilisateur webhook
user:
name: webhook
home: /opt/webhook
shell: /sbin/nologin
system: true
state: present
- name: Permission à l'utilisateur webhook d'exécuter les scripts en tant que d'autres utilisateurs
# Required in order to pull the commits as the user who owns the web application
lineinfile:
path: /etc/sudoers
state: present
regexp: '^webhook'
line: 'webhook ALL=({{ webhook_config | selectattr("become_user", "defined") | map(attribute="become_user") | join(",") }}) NOPASSWD: {% for script in webhook_scripts %}/opt/webhook/scripts/{{ script | basename }}{% if not loop.last %}, {% endif %}{% endfor %}'
validate: 'visudo -cf %s'
tags: ['sudo']
- name: Création du dossier de configuration
file:
path: /etc/webhook
state: directory
owner: webhook
group: webhook
owner: "{{ webhook_owner }}"
group: "{{ webhook_group }}"
mode: "u=rwx,g=rx,o="
- name: Création du dossier des scripts
file:
path: /opt/webhook/scripts
path: /etc/webhook/scripts
state: directory
owner: webhook
group: webhook
owner: "{{ webhook_owner }}"
group: "{{ webhook_group }}"
mode: "u=rwx,go=rx"
- name: Copie des scripts
- name: Copie du script exécuté par le webhook
copy:
src: "{{ script }}"
dest: /opt/webhook/scripts/{{ script | basename }}
owner: webhook
group: webhook
src: "{{ webhook_script }}"
dest: /etc/webhook/scripts/{{ webhook_script | basename }}
owner: "{{ webhook_owner }}"
group: "{{ webhook_group }}"
mode: "u=rwx,go=rx"
loop: "{{ webhook_scripts }}"
loop_control:
loop_var: script
- name: Configuration des webhooks
- name: Configuration du webhook
template:
src: webhook/config.yml.j2
dest: /etc/webhook/{{ webhook.name }}.yml
owner: webhook
group: webhook
mode: "u=rw,g=r,o="
loop: "{{ webhook_config }}"
loop_control:
loop_var: webhook
label: "{{ webhook.name }}"
notify: reload webhook
- name: Configuration du webhook pour le health check
# The webhook server supports health endpoint only from v2.6.10+
# Debian buster provides webhook v2.6.9, so we have to wait for bullseye...
# Meanwhile, a workaround is to create a dummy hook that always succeed.
# See also https://github.com/adnanh/webhook/pull/283
copy:
src: webhook/health.yml
dest: /etc/webhook/health.yml
owner: webhook
group: webhook
dest: /etc/webhook/config.yml
owner: "{{ webhook_owner }}"
group: "{{ webhook_group }}"
mode: "u=rw,g=r,o="
notify: reload webhook
......
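Review bot: After this change the hook script and its config are owned and writable by the very account that executes them: `/etc/webhook/scripts/pull.sh` gets `owner: "{{ webhook_owner }}"` with `mode: "u=rwx,go=rx"`, and `/etc/webhook/config.yml`, which embeds `webhook_token`, gets the same owner with `u=rw,g=r,o=`, while the systemd template in this commit runs the service as that same owner. With `webhook_owner` set to the web application's user, as the host vars in this commit do, anything that runs as that user — the application itself, or a hook execution gone wrong — can rewrite the hook definition and read or change the secret. Keep the deployed files root-owned and only group-readable: in the four `file:`/`copy:`/`template:` tasks use `owner: root`, keep `group: "{{ webhook_group }}"`, and use `u=rwx,g=rx,o=` on the directories, since the service only needs read and execute. Dropping the sudoers rule is an improvement; note that the task at the top of this hunk (the `webhook` package install) is cut off above it.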
......@@ -7,18 +7,16 @@ After=network.target
Type=simple
Restart=always
RestartSec=2s
ExecStart=/usr/bin/webhook --verbose --port 9000 --hooks /etc/webhook/health.yml {% for webhook in webhook_config %}--hooks /etc/webhook/{{ webhook.name }}.yml {% endfor %}
ExecStart=/usr/bin/webhook --verbose --port 9000 --hooks /etc/webhook/config.yml
ExecReload = /bin/kill -s USR1 $MAINPID
ExecStop = /bin/kill -s TERM $MAINPID
User=webhook
Group=webhook
User={{ webhook_owner }}
Group={{ webhook_group }}
# Systemd hardening
{% for webhook in webhook_config %}
ReadWritePaths={{ webhook.working_dir }}
{% endfor %}
ReadWritePaths={{ webhook_working_dir }}
PrivateDevices=true
ProtectControlGroups=true
......
- id: "{{ webhook.name }}"
execute-command: "/opt/webhook/scripts/{{ webhook.script | basename }}"
{{ ansible_managed | comment }}
# The webhook server supports health endpoint only from v2.6.10+
# Debian buster provides webhook v2.6.9, so we have to wait for bullseye...
# Meanwhile, a workaround is to create a dummy hook that always succeed.
# See also https://github.com/adnanh/webhook/pull/283
- id: "health"
execute-command: "true"
- id: "{{ webhook_name }}"
execute-command: "/etc/webhook/scripts/{{ webhook_script | basename }}"
include-command-output-in-response: true
command-working-directory: "{{ webhook.working_dir }}"
command-working-directory: "{{ webhook_working_dir }}"
trigger-rule-mismatch-http-response-code: 401
trigger-rule:
{% if webhook.type == "github" %}
{% if webhook_type == "github" %}
and:
- match:
type: payload-hash-sha256
secret: {{ webhook.token | string | to_json }}
secret: {{ webhook_token | string | to_json }}
parameter:
source: header
name: X-Hub-Signature-256
......@@ -18,11 +27,11 @@
parameter:
source: header
name: X-GitHub-Event
{% elif webhook.type == "gitlab" %}
{% elif webhook_type == "gitlab" %}
and:
- match:
type: value
value: {{ webhook.token | string | to_json }}
value: {{ webhook_token | string | to_json }}
parameter:
source: header
name: X-Gitlab-Token
......
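Review bot: The `trigger-rule:` block is only populated for `webhook_type == "github"` or `"gitlab"`; any other value (a typo against the `# Valid types are: github, gitlab` comment in the defaults) renders `trigger-rule:` with no value, and adnanh/webhook runs a hook that has no trigger rule on every request, so a typo would silently turn an authenticated pull hook into an unauthenticated one. Fail the play instead of degrading: add before the config template task `- name: Vérification du type de webhook`, `assert:`, `that: webhook_type in ["github", "gitlab"]`, or an `{% else %}` branch in this template that emits an invalid document. `include-command-output-in-response: true` also returns the pull script's output to the caller; that is acceptable only because the trigger-rule authenticates the caller, which is one more reason the rule must never be empty. The rest of the gitlab branch is collapsed below this hunk, so whether it also checks an event header like the github branch does (`X-GitHub-Event`) cannot be confirmed here.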