simplify webhook role by creating a single webhook

1802b152 · HgO · 8fdb22bc · 1802b152 · 1802b152 · 8fdb22bc
Commit 1802b152 authored Jan 14, 2022 by HgO
--- a/inventories/group_vars/webhook/vars.yml
+++ b/inventories/group_vars/webhook/vars.yml
-webhook_config:
-  - name: github-pull-labriqueinter-net
-    type: github
-    become_user: labriqueinter-net
-    script: pull.sh
-    working_dir: /var/www/labriqueinter-net/dist
-    token: "{{ vault_webhook_github_pull_labriqueinter_net_token }}"
-
-webhook_scripts:
-  - webhook/scripts/pull.sh
+webhook_name: github-pull-labriqueinter-net
+webhook_owner: labriqueinter-net
+webhook_group: "{{ webhook_owner }}"
+webhook_script: webhook/scripts/pull.sh
+webhook_working_dir: /var/www/labriqueinter-net/dist
+webhook_token: "{{ vault_webhook_github_pull_labriqueinter_net_token }}"
+webhook_type: github
--- a/roles/webhook/defaults/main.yml
+++ b/roles/webhook/defaults/main.yml
-webhook_config:
-  - name: github-pull
-    become_user: github
-    script: pull.sh
-    working_dir: /var/www/github
-    type: github
-    token: github-secret
-  - name: gitlab-pull
-    become_user: gitlab
-    script: pull.sh
-    working_dir: /var/www/gitlab
-    type: gitlab
-    token: gitlab-secret
-
-webhook_scripts:
-  - webhook/scripts/pull.sh
+webhook_name: github-pull-webhook
+webhook_owner: webhook
+webhook_group: "{{ webhook_owner }}"
+webhook_script: webhook/scripts/pull.sh
+webhook_working_dir: /var/www/webhook/dist
+webhook_token: github-secret
+# Valid types are: github, gitlab
+webhook_type: github
--- a/roles/webhook/files/webhook/health.yml
+++ b/roles/webhook/files/webhook/health.yml
- id: "health"
-  execute-command: "true"
--- a/roles/webhook/molecule/default/prepare.yml
+++ b/roles/webhook/molecule/default/prepare.yml
@@ -13,3 +13,23 @@
      package:
        name: git
        state: present
+
+    - name: Installation des ACL
+      package:
+        name: acl
+        state: present
+
+    - name: Création de l'utilisateur webhook
+      user:
+        name: webhook
+        home: /var/www/webhook
+        shell: /sbin/nologin
+        system: true
+        state: present
+    
+    - name: Récupération du dépôt git de webhook
+      git:
+        repo: https://github.com/adnanh/webhook.git
+        dest: /var/www/webhook/dist
+        single_branch: true
+      become_user: webhook
--- a/roles/webhook/tasks/main.yml
+++ b/roles/webhook/tasks/main.yml
@@ -4,74 +4,36 @@
    name: webhook
    state: present

- name: Création de l'utilisateur webhook
-  user:
-    name: webhook
-    home: /opt/webhook
-    shell: /sbin/nologin
-    system: true
-    state: present
-
- name: Permission à l'utilisateur webhook d'exécuter les scripts en tant que d'autres utilisateurs
-  # Required in order to pull the commits as the user who owns the web application
-  lineinfile:
-    path: /etc/sudoers
-    state: present
-    regexp: '^webhook'
-    line: 'webhook ALL=({{ webhook_config | selectattr("become_user", "defined") | map(attribute="become_user") | join(",") }}) NOPASSWD: {% for script in webhook_scripts %}/opt/webhook/scripts/{{ script | basename }}{% if not loop.last %}, {% endif %}{% endfor %}'
-    validate: 'visudo -cf %s'
-  tags: ['sudo']
-
 - name: Création du dossier de configuration
  file:
    path: /etc/webhook
    state: directory
-    owner: webhook
-    group: webhook
+    owner: "{{ webhook_owner }}"
+    group: "{{ webhook_group }}"
    mode: "u=rwx,g=rx,o="

 - name: Création du dossier des scripts
  file:
-    path: /opt/webhook/scripts
+    path: /etc/webhook/scripts
    state: directory
-    owner: webhook
-    group: webhook
+    owner: "{{ webhook_owner }}"
+    group: "{{ webhook_group }}"
    mode: "u=rwx,go=rx"

- name: Copie des scripts
+- name: Copie du script exécuté par le webhook
  copy:
-    src: "{{ script }}"
-    dest: /opt/webhook/scripts/{{ script | basename }}
-    owner: webhook
-    group: webhook
+    src: "{{ webhook_script }}"
+    dest: /etc/webhook/scripts/{{ webhook_script | basename }}
+    owner: "{{ webhook_owner }}"
+    group: "{{ webhook_group }}"
    mode: "u=rwx,go=rx"
-  loop: "{{ webhook_scripts }}"
-  loop_control:
-    loop_var: script

- name: Configuration des webhooks
+- name: Configuration du webhook
  template:
    src: webhook/config.yml.j2
-    dest: /etc/webhook/{{ webhook.name }}.yml
-    owner: webhook
-    group: webhook
-    mode: "u=rw,g=r,o="
-  loop: "{{ webhook_config }}"
-  loop_control:
-    loop_var: webhook
-    label: "{{ webhook.name }}"
-  notify: reload webhook
-
- name: Configuration du webhook pour le health check
-  # The webhook server supports health endpoint only from v2.6.10+
-  # Debian buster provides webhook v2.6.9, so we have to wait for bullseye...
-  # Meanwhile, a workaround is to create a dummy hook that always succeed.
-  # See also https://github.com/adnanh/webhook/pull/283
-  copy:
-    src: webhook/health.yml
-    dest: /etc/webhook/health.yml
-    owner: webhook
-    group: webhook
+    dest: /etc/webhook/config.yml
+    owner: "{{ webhook_owner }}"
+    group: "{{ webhook_group }}"
    mode: "u=rw,g=r,o="
  notify: reload webhook


--- a/roles/webhook/templates/systemd/webhook.service.j2
+++ b/roles/webhook/templates/systemd/webhook.service.j2
@@ -7,18 +7,16 @@ After=network.target
 Type=simple
 Restart=always
 RestartSec=2s
-ExecStart=/usr/bin/webhook --verbose --port 9000 --hooks /etc/webhook/health.yml {% for webhook in webhook_config %}--hooks /etc/webhook/{{ webhook.name }}.yml {% endfor %}
+ExecStart=/usr/bin/webhook --verbose --port 9000 --hooks /etc/webhook/config.yml

 ExecReload = /bin/kill -s USR1 $MAINPID
 ExecStop = /bin/kill -s TERM $MAINPID

-User=webhook
-Group=webhook
+User={{ webhook_owner }}
+Group={{ webhook_group }}

 # Systemd hardening
-{% for webhook in webhook_config %}
-ReadWritePaths={{ webhook.working_dir }}
-{% endfor %}
+ReadWritePaths={{ webhook_working_dir }}

 PrivateDevices=true
 ProtectControlGroups=true

--- a/roles/webhook/templates/webhook/config.yml.j2
+++ b/roles/webhook/templates/webhook/config.yml.j2
- id: "{{ webhook.name }}"
-  execute-command: "/opt/webhook/scripts/{{ webhook.script | basename }}"
+{{ ansible_managed | comment }}
+
+# The webhook server supports health endpoint only from v2.6.10+
+# Debian buster provides webhook v2.6.9, so we have to wait for bullseye...
+# Meanwhile, a workaround is to create a dummy hook that always succeed.
+# See also https://github.com/adnanh/webhook/pull/283
+- id: "health"
+  execute-command: "true"
+
+- id: "{{ webhook_name }}"
+  execute-command: "/etc/webhook/scripts/{{ webhook_script | basename }}"
  include-command-output-in-response: true
-  command-working-directory: "{{ webhook.working_dir }}"
+  command-working-directory: "{{ webhook_working_dir }}"
  trigger-rule-mismatch-http-response-code: 401
  trigger-rule:
-{% if webhook.type == "github" %}
+{% if webhook_type == "github" %}
    and:
      - match:
          type: payload-hash-sha256
-          secret: {{ webhook.token | string | to_json }}
+          secret: {{ webhook_token | string | to_json }}
          parameter:
            source: header
            name: X-Hub-Signature-256
@@ -18,11 +27,11 @@
          parameter:
            source: header
            name: X-GitHub-Event
-{% elif webhook.type == "gitlab" %}
+{% elif webhook_type == "gitlab" %}
    and:
      - match:
        type: value
-        value: {{ webhook.token | string | to_json }}
+        value: {{ webhook_token | string | to_json }}
        parameter:
          source: header
          name: X-Gitlab-Token