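#!/bin/bash
# Setup script for GLAM deploy webhook on the server
# Run this on the Hetzner server as root
#
# Usage: $0 [WEBHOOK_SECRET]
#   WEBHOOK_SECRET  shared secret for the Forgejo webhook; generated with
#                   openssl when omitted. A secret given on the command line is
#                   visible in `ps` and shell history, so prefer omitting it and
#                   copying the generated value printed at the end.
#
# What it does: clones/updates the repo, installs the webhook script, writes a
# systemd unit whose secret lives in a root-only env file, wires the endpoint
# into the Caddyfile, starts the service and runs the initial schema sync.
set -euo pipefail

echo "=== GLAM Deploy Webhook Setup ==="

# Configuration
WEBHOOK_SECRET="${1:-$(openssl rand -hex 32)}"
readonly GLAM_USER="glam"
readonly SCRIPTS_DIR="/var/lib/glam/scripts"
readonly REPO_DIR="/var/lib/glam/repo"
readonly CADDYFILE="/etc/caddy/Caddyfile"
readonly UNIT_FILE="/etc/systemd/system/deploy-webhook.service"
# The secret is kept out of the unit file: unit files under /etc/systemd are
# world-readable, whereas this file is root-only (0600). systemd reads
# EnvironmentFile= before switching to User=, so the service user does not
# need read access to it.
readonly SECRET_FILE="/etc/glam/deploy-webhook.env"

warn() { printf 'WARNING: %s\n' "$*" >&2; }
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Fail early with a clear message instead of half-configuring the host.
[[ "$EUID" -eq 0 ]] || die "this script must be run as root"
# The unit runs as $GLAM_USER; without the account the service fails to start.
id "$GLAM_USER" >/dev/null 2>&1 || die "user '$GLAM_USER' does not exist; create it first"

# Create directories
echo "Creating directories..."
mkdir -p -- "$SCRIPTS_DIR" "$REPO_DIR" "${SECRET_FILE%/*}"

# Clone/update the repo
if [[ -d "$REPO_DIR/.git" ]]; then
  echo "Updating existing repo..."
  git -C "$REPO_DIR" fetch origin
  git -C "$REPO_DIR" reset --hard origin/master
else
  echo "Cloning repository..."
  git clone https://git.bronhouder.nl/kempersc/glam.git "$REPO_DIR"
  git -C "$REPO_DIR" checkout master
fi

# Install Python dependencies
# NOTE(review): unpinned, system-wide install; consider pinning versions or a
# requirements file in the repo — not visible from this script.
echo "Installing Python dependencies..."
pip3 install fastapi uvicorn pydantic --quiet

# Copy webhook script
echo "Deploying webhook script..."
cp -- "$REPO_DIR/infrastructure/scripts/deploy-webhook.py" "$SCRIPTS_DIR/"

# Write the secret to a root-only env file (umask so a new file is never
# briefly world-readable; chmod/chown cover a pre-existing file).
echo "Writing webhook secret..."
( umask 077 && printf 'WEBHOOK_SECRET="%s"\n' "$WEBHOOK_SECRET" > "$SECRET_FILE" )
chmod 0600 -- "$SECRET_FILE"
chown root:root -- "$SECRET_FILE"

# Create systemd service
echo "Creating systemd service..."
cat > "$UNIT_FILE" << EOF
[Unit]
Description=GLAM Deploy Webhook Service
Documentation=https://git.bronhouder.nl/kempersc/glam
After=network.target caddy.service

[Service]
Type=simple
User=$GLAM_USER
Group=$GLAM_USER
WorkingDirectory=$SCRIPTS_DIR
# WEBHOOK_SECRET is read from a root-only file rather than embedded here.
EnvironmentFile=$SECRET_FILE
ExecStart=/usr/bin/python3 -m uvicorn deploy-webhook:app --host 127.0.0.1 --port 8099
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal

# Security
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/glam /var/www/glam-frontend

[Install]
WantedBy=multi-user.target
EOF

# Set ownership
echo "Setting ownership..."
chown -R "$GLAM_USER:$GLAM_USER" -- "$REPO_DIR" "$SCRIPTS_DIR"

# Add webhook endpoint to Caddy
echo "Checking Caddy configuration..."
caddy_backup=""
if ! grep -q "/webhook/deploy" "$CADDYFILE"; then
  echo "Adding webhook endpoint to Caddy..."
  # Keep a copy so a failed validation below can roll the edit back.
  caddy_backup="${CADDYFILE}.bak"
  cp -a -- "$CADDYFILE" "$caddy_backup"
  # Insert webhook handler after /health in bronhouder.nl block
  # This is a simple sed approach - may need manual adjustment
  sed -i '/bronhouder.nl, www.bronhouder.nl/,/handle \/health/a\\n\t# Webhook endpoint for Forgejo push events\n\thandle /webhook/deploy* {\n\t\treverse_proxy 127.0.0.1:8099 {\n\t\t\ttransport http {\n\t\t\t\tread_timeout 120s\n\t\t\t\twrite_timeout 120s\n\t\t\t}\n\t\t}\n\t}' "$CADDYFILE" \
    || warn "sed failed while editing $CADDYFILE"
  # sed -i exits 0 even when its address range never matches, so success is
  # determined by re-checking the file rather than by sed's exit status.
  if ! grep -q "/webhook/deploy" "$CADDYFILE"; then
    warn "Could not auto-add webhook to Caddyfile"
    echo "Please manually add the following to bronhouder.nl block:"
    cat << 'CADDY'
	# Webhook endpoint for Forgejo push events
	handle /webhook/deploy* {
		reverse_proxy 127.0.0.1:8099 {
			transport http {
				read_timeout 120s
				write_timeout 120s
			}
		}
	}
CADDY
  fi
fi

# Reload systemd and start service
echo "Starting services..."
systemctl daemon-reload
systemctl enable deploy-webhook
systemctl restart deploy-webhook

# Reload Caddy only if the config validates; otherwise undo our edit (if any)
# so a running Caddy is never left with a config it cannot reload.
if caddy validate --config "$CADDYFILE"; then
  systemctl reload caddy
elif [[ -n "$caddy_backup" ]]; then
  cp -a -- "$caddy_backup" "$CADDYFILE"
  warn "Caddy config validation failed; restored $caddy_backup. Add the webhook block manually."
else
  warn "Caddy config validation failed. Please fix manually."
fi

# Initial schema sync
echo "Running initial schema sync..."
cd "$REPO_DIR"
rsync -av --delete \
  --exclude "*.pyc" \
  --exclude "__pycache__" \
  --exclude ".git" \
  "schemas/20251121/linkml/" \
  "/var/www/glam-frontend/schemas/20251121/linkml/"

echo ""
echo "=== Setup Complete ==="
echo ""
echo "Webhook Secret: $WEBHOOK_SECRET"
echo ""
echo "Next steps:"
echo "1. Go to https://git.bronhouder.nl/kempersc/glam/settings/hooks"
echo "2. Add a new webhook:"
echo " - Target URL: https://bronhouder.nl/webhook/deploy"
echo " - HTTP Method: POST"
echo " - Content Type: application/json"
echo " - Secret: $WEBHOOK_SECRET"
echo " - Trigger On: Push Events"
echo " - Branch filter: master"
echo ""
echo "Test with: curl -X POST https://bronhouder.nl/webhook/deploy/manual -H 'Authorization: Bearer $WEBHOOK_SECRET'"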