Commit 1802b152 authored by HgO's avatar HgO

simplify webhook role by creating a single webhook

parent 8fdb22bc
webhook_config: webhook_name: github-pull-labriqueinter-net
- name: github-pull-labriqueinter-net webhook_owner: labriqueinter-net
type: github webhook_group: "{{ webhook_owner }}"
become_user: labriqueinter-net webhook_script: webhook/scripts/pull.sh
script: pull.sh webhook_working_dir: /var/www/labriqueinter-net/dist
working_dir: /var/www/labriqueinter-net/dist webhook_token: "{{ vault_webhook_github_pull_labriqueinter_net_token }}"
token: "{{ vault_webhook_github_pull_labriqueinter_net_token }}" webhook_type: github
webhook_scripts:
- webhook/scripts/pull.sh
webhook_config: webhook_name: github-pull-webhook
- name: github-pull webhook_owner: webhook
become_user: github webhook_group: "{{ webhook_owner }}"
script: pull.sh webhook_script: webhook/scripts/pull.sh
working_dir: /var/www/github webhook_working_dir: /var/www/webhook/dist
type: github webhook_token: github-secret
token: github-secret # Valid types are: github, gitlab
- name: gitlab-pull webhook_type: github
become_user: gitlab
script: pull.sh
working_dir: /var/www/gitlab
type: gitlab
token: gitlab-secret
webhook_scripts:
- webhook/scripts/pull.sh
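Review bot: `webhook_token: github-secret` in the role defaults is a working, publicly readable secret, so any host that does not override it deploys a hook whose `X-Hub-Signature-256` / `X-Gitlab-Token` check is satisfied by anyone who has read this repository. A shared secret should have no fallback: drop the default and make the variable required where it is consumed, e.g. `secret: {{ webhook_token | mandatory | string | to_json }}` in the config template, or an `assert` task with `that: webhook_token is defined`. The host-vars section above already pulls the token from a vault variable, which is the pattern every consumer should be forced into.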
- id: "health"
execute-command: "true"
...@@ -13,3 +13,23 @@ ...@@ -13,3 +13,23 @@
package: package:
name: git name: git
state: present state: present
- name: Installation des ACL
package:
name: acl
state: present
- name: Création de l'utilisateur webhook
user:
name: webhook
home: /var/www/webhook
shell: /sbin/nologin
system: true
state: present
- name: Récupération du dépôt git de webhook
git:
repo: https://github.com/adnanh/webhook.git
dest: /var/www/webhook/dist
single_branch: true
become_user: webhook
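Review bot: The `git` task at the end of the hunk clones `https://github.com/adnanh/webhook.git` into `/var/www/webhook/dist` with no `version:`, so each run tracks whatever the remote default branch currently points at and a later run can silently move the working tree to new upstream content. Pin it, e.g. `version: "<BRANCH-OR-TAG>"` (placeholder), choosing a branch rather than a tag if the pull script later fast-forwards it — `pull.sh` is not visible here. This clone appears to be the working tree for the default `webhook_working_dir` rather than the binary install (the binary comes from the `webhook` package in the next section), so the same pinning applies to any per-application checkout this role is expected to seed.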
...@@ -4,74 +4,36 @@ ...@@ -4,74 +4,36 @@
name: webhook name: webhook
state: present state: present
- name: Création de l'utilisateur webhook
user:
name: webhook
home: /opt/webhook
shell: /sbin/nologin
system: true
state: present
- name: Permission à l'utilisateur webhook d'exécuter les scripts en tant que d'autres utilisateurs
# Required in order to pull the commits as the user who owns the web application
lineinfile:
path: /etc/sudoers
state: present
regexp: '^webhook'
line: 'webhook ALL=({{ webhook_config | selectattr("become_user", "defined") | map(attribute="become_user") | join(",") }}) NOPASSWD: {% for script in webhook_scripts %}/opt/webhook/scripts/{{ script | basename }}{% if not loop.last %}, {% endif %}{% endfor %}'
validate: 'visudo -cf %s'
tags: ['sudo']
- name: Création du dossier de configuration - name: Création du dossier de configuration
file: file:
path: /etc/webhook path: /etc/webhook
state: directory state: directory
owner: webhook owner: "{{ webhook_owner }}"
group: webhook group: "{{ webhook_group }}"
mode: "u=rwx,g=rx,o=" mode: "u=rwx,g=rx,o="
- name: Création du dossier des scripts - name: Création du dossier des scripts
file: file:
path: /opt/webhook/scripts path: /etc/webhook/scripts
state: directory state: directory
owner: webhook owner: "{{ webhook_owner }}"
group: webhook group: "{{ webhook_group }}"
mode: "u=rwx,go=rx" mode: "u=rwx,go=rx"
- name: Copie des scripts - name: Copie du script exécuté par le webhook
copy: copy:
src: "{{ script }}" src: "{{ webhook_script }}"
dest: /opt/webhook/scripts/{{ script | basename }} dest: /etc/webhook/scripts/{{ webhook_script | basename }}
owner: webhook owner: "{{ webhook_owner }}"
group: webhook group: "{{ webhook_group }}"
mode: "u=rwx,go=rx" mode: "u=rwx,go=rx"
loop: "{{ webhook_scripts }}"
loop_control:
loop_var: script
- name: Configuration des webhooks - name: Configuration du webhook
template: template:
src: webhook/config.yml.j2 src: webhook/config.yml.j2
dest: /etc/webhook/{{ webhook.name }}.yml dest: /etc/webhook/config.yml
owner: webhook owner: "{{ webhook_owner }}"
group: webhook group: "{{ webhook_group }}"
mode: "u=rw,g=r,o="
loop: "{{ webhook_config }}"
loop_control:
loop_var: webhook
label: "{{ webhook.name }}"
notify: reload webhook
- name: Configuration du webhook pour le health check
# The webhook server supports health endpoint only from v2.6.10+
# Debian buster provides webhook v2.6.9, so we have to wait for bullseye...
# Meanwhile, a workaround is to create a dummy hook that always succeed.
# See also https://github.com/adnanh/webhook/pull/283
copy:
src: webhook/health.yml
dest: /etc/webhook/health.yml
owner: webhook
group: webhook
mode: "u=rw,g=r,o=" mode: "u=rw,g=r,o="
notify: reload webhook notify: reload webhook
......
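Review bot: After this change the account that owns `/etc/webhook`, `/etc/webhook/scripts/*` and `/etc/webhook/config.yml` (`owner: "{{ webhook_owner }}"` in the directory, script-copy and template tasks) is the same account the service runs as (`User={{ webhook_owner }}` in this commit's unit template), so a compromised webhook process can rewrite its own hook definitions, the command it executes and the secret it validates. The modes already grant the group read/execute (`u=rwx,g=rx,o=`, `u=rwx,go=rx`, `u=rw,g=r,o=`), so ownership can move to root without changing anything else: `owner: root` with `group: "{{ webhook_group }}"` on those four tasks. Before the commit the files were owned by the fixed `webhook` user the service ran as, so this is inherited rather than introduced, but the switch to a per-application owner is the right moment to fix it.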
...@@ -7,18 +7,16 @@ After=network.target ...@@ -7,18 +7,16 @@ After=network.target
Type=simple Type=simple
Restart=always Restart=always
RestartSec=2s RestartSec=2s
ExecStart=/usr/bin/webhook --verbose --port 9000 --hooks /etc/webhook/health.yml {% for webhook in webhook_config %}--hooks /etc/webhook/{{ webhook.name }}.yml {% endfor %} ExecStart=/usr/bin/webhook --verbose --port 9000 --hooks /etc/webhook/config.yml
ExecReload = /bin/kill -s USR1 $MAINPID ExecReload = /bin/kill -s USR1 $MAINPID
ExecStop = /bin/kill -s TERM $MAINPID ExecStop = /bin/kill -s TERM $MAINPID
User=webhook User={{ webhook_owner }}
Group=webhook Group={{ webhook_group }}
# Systemd hardening # Systemd hardening
{% for webhook in webhook_config %} ReadWritePaths={{ webhook_working_dir }}
ReadWritePaths={{ webhook.working_dir }}
{% endfor %}
PrivateDevices=true PrivateDevices=true
ProtectControlGroups=true ProtectControlGroups=true
......
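Review bot: `ExecStart` still starts `webhook` with only `--port 9000`, and the binary listens on all interfaces unless `--ip` is given, so the per-application hook this commit introduces is reachable from any network the host is attached to; whether a reverse proxy or firewall fronts it is not visible here, and if it is meant to be local-only `--ip 127.0.0.1` on the same line makes that explicit. `ReadWritePaths={{ webhook_working_dir }}` only restricts anything when `ProtectSystem=` is set in the part of the unit outside the hunk, which is worth confirming now that `User=`/`Group=` are the application owner rather than a dedicated service account. The hardening block is cut at the hunk edge, so I cannot tell whether `ProtectHome`/`NoNewPrivileges` are present for the new user.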
- id: "{{ webhook.name }}" {{ ansible_managed | comment }}
execute-command: "/opt/webhook/scripts/{{ webhook.script | basename }}"
# The webhook server supports health endpoint only from v2.6.10+
# Debian buster provides webhook v2.6.9, so we have to wait for bullseye...
# Meanwhile, a workaround is to create a dummy hook that always succeed.
# See also https://github.com/adnanh/webhook/pull/283
- id: "health"
execute-command: "true"
- id: "{{ webhook_name }}"
execute-command: "/etc/webhook/scripts/{{ webhook_script | basename }}"
include-command-output-in-response: true include-command-output-in-response: true
command-working-directory: "{{ webhook.working_dir }}" command-working-directory: "{{ webhook_working_dir }}"
trigger-rule-mismatch-http-response-code: 401 trigger-rule-mismatch-http-response-code: 401
trigger-rule: trigger-rule:
{% if webhook.type == "github" %} {% if webhook_type == "github" %}
and: and:
- match: - match:
type: payload-hash-sha256 type: payload-hash-sha256
secret: {{ webhook.token | string | to_json }} secret: {{ webhook_token | string | to_json }}
parameter: parameter:
source: header source: header
name: X-Hub-Signature-256 name: X-Hub-Signature-256
...@@ -18,11 +27,11 @@ ...@@ -18,11 +27,11 @@
parameter: parameter:
source: header source: header
name: X-GitHub-Event name: X-GitHub-Event
{% elif webhook.type == "gitlab" %} {% elif webhook_type == "gitlab" %}
and: and:
- match: - match:
type: value type: value
value: {{ webhook.token | string | to_json }} value: {{ webhook_token | string | to_json }}
parameter: parameter:
source: header source: header
name: X-Gitlab-Token name: X-Gitlab-Token
......
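Review bot: The hook only receives a `trigger-rule` inside the `{% if webhook_type == "github" %}` / `{% elif webhook_type == "gitlab" %}` branches; the closing `{% endif %}` is outside the hunk so I cannot see an `else`, and if there is none a misspelt `webhook_type` (a plain string whose accepted values are documented only in a defaults comment) renders a hook with no trigger rule, which runs `execute-command` for any unauthenticated POST while `trigger-rule-mismatch-http-response-code: 401` never applies. Guard the value before templating, e.g. an `assert` task with `that: webhook_type in ["github", "gitlab"]` and a `fail_msg` naming the variable, or fail the render from an `{% else %}` branch. The `secret: {{ webhook_token | string | to_json }}` quoting is correct and should stay as-is.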