glam/infrastructure/scripts/setup-deploy-webhook.sh
kempersc 3c3be47e32 feat(infra): add fast push-based schema sync to production
- Replace slow Forgejo→Server git pull with direct local rsync
- Add git-push-schemas.sh wrapper script for manual pushes
- Add post-commit hook for automatic schema sync
- Fix YAML syntax errors in slot comment blocks
- Update deploy-webhook.py to use master branch
2026-01-11 01:22:47 +01:00


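#!/bin/bash
# Setup script for GLAM deploy webhook on the server
# Run this on the Hetzner server as root
#
# Usage: setup-deploy-webhook.sh [WEBHOOK_SECRET]
#   WEBHOOK_SECRET  optional; generated with openssl when omitted. A secret
#                   given on the command line ends up in shell history and in
#                   `ps` output, so letting the script generate one is preferred.
#
# Steps performed:
#   1. clone the glam repo into REPO_DIR, or hard-reset it to origin/master
#   2. install the webhook's Python dependencies
#   3. install deploy-webhook.py as the deploy-webhook systemd service
#   4. add the /webhook/deploy* route to the Caddyfile (best effort)
#   5. rsync the LinkML schemas to the frontend once
set -euo pipefail

# Configuration
WEBHOOK_SECRET="${1:-$(openssl rand -hex 32)}"
readonly WEBHOOK_SECRET
readonly GLAM_USER="glam"
readonly SCRIPTS_DIR="/var/lib/glam/scripts"
readonly REPO_DIR="/var/lib/glam/repo"
readonly REPO_URL="https://git.bronhouder.nl/kempersc/glam.git"
readonly UNIT_FILE="/etc/systemd/system/deploy-webhook.service"
readonly CADDYFILE="/etc/caddy/Caddyfile"
# The secret is kept in a root-owned, group-readable file instead of an
# Environment= line in the unit: files under /etc/systemd/system are
# world-readable and `systemctl show` prints Environment= values, so an inline
# secret would be visible to every local account. (Location chosen here; the
# rest of the project does not depend on it.)
readonly SECRET_FILE="/var/lib/glam/deploy-webhook.env"
readonly SCHEMA_SRC="schemas/20251121/linkml/"
readonly SCHEMA_DST="/var/www/glam-frontend/schemas/20251121/linkml/"

# Print an error to stderr and abort.
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Print a warning to stderr and continue.
warn() { printf 'WARNING: %s\n' "$*" >&2; }

#######################################
# Clone the repository on first run, otherwise hard-reset the existing
# checkout to origin/master.
# Globals:   REPO_DIR, REPO_URL (read)
# Returns:   non-zero if git fails (set -e aborts the script)
#######################################
sync_repo() {
  if [[ -d "$REPO_DIR/.git" ]]; then
    echo "Updating existing repo..."
    git -C "$REPO_DIR" fetch origin
    git -C "$REPO_DIR" reset --hard origin/master
  else
    echo "Cloning repository..."
    git clone "$REPO_URL" "$REPO_DIR"
    git -C "$REPO_DIR" checkout master
  fi
}

#######################################
# Write the EnvironmentFile consumed by the systemd unit.
# Globals:   SECRET_FILE, GLAM_USER, WEBHOOK_SECRET (read)
#######################################
write_secret_file() {
  # Create the file with its final mode/owner before any content is written so
  # the secret is never briefly readable with default permissions:
  # root:glam 0640 lets the service user read it and nobody else.
  install -m 0640 -o root -g "$GLAM_USER" /dev/null "$SECRET_FILE"
  printf 'WEBHOOK_SECRET=%s\n' "$WEBHOOK_SECRET" > "$SECRET_FILE"
}

#######################################
# Write the deploy-webhook systemd unit.
# Globals:   UNIT_FILE, GLAM_USER, SCRIPTS_DIR, SECRET_FILE (read)
#######################################
write_unit() {
  cat > "$UNIT_FILE" <<EOF
[Unit]
Description=GLAM Deploy Webhook Service
Documentation=https://git.bronhouder.nl/kempersc/glam
After=network.target caddy.service

[Service]
Type=simple
User=$GLAM_USER
Group=$GLAM_USER
WorkingDirectory=$SCRIPTS_DIR
EnvironmentFile=$SECRET_FILE
ExecStart=/usr/bin/python3 -m uvicorn deploy-webhook:app --host 127.0.0.1 --port 8099
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal

# Security
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/glam /var/www/glam-frontend

[Install]
WantedBy=multi-user.target
EOF
}

#######################################
# Add the /webhook/deploy* route to the Caddyfile if it is not there yet.
# Globals:   CADDYFILE (read)
# Outputs:   manual instructions on stdout when the automatic edit did not
#            take effect
#######################################
configure_caddy() {
  echo "Checking Caddy configuration..."
  if grep -q "/webhook/deploy" "$CADDYFILE"; then
    return 0
  fi
  echo "Adding webhook endpoint to Caddy..."
  # Insert webhook handler after /health in bronhouder.nl block.
  # This is a simple sed approach - may need manual adjustment.
  # sed -i exits 0 even when the address range never matches, so its status
  # says nothing about success; the grep below is the real check.
  sed -i '/bronhouder.nl, www.bronhouder.nl/,/handle \/health/a\\n\t# Webhook endpoint for Forgejo push events\n\thandle /webhook/deploy* {\n\t\treverse_proxy 127.0.0.1:8099 {\n\t\t\ttransport http {\n\t\t\t\tread_timeout 120s\n\t\t\t\twrite_timeout 120s\n\t\t\t}\n\t\t}\n\t}' "$CADDYFILE" || true
  if ! grep -q "/webhook/deploy" "$CADDYFILE"; then
    warn "Could not auto-add webhook to Caddyfile"
    echo "Please manually add the following to bronhouder.nl block:"
    cat <<'CADDY'
	# Webhook endpoint for Forgejo push events
	handle /webhook/deploy* {
		reverse_proxy 127.0.0.1:8099 {
			transport http {
				read_timeout 120s
				write_timeout 120s
			}
		}
	}
CADDY
  fi
}

#######################################
# Validate the Caddyfile and reload Caddy only when it is valid.
# Globals:   CADDYFILE (read)
#######################################
reload_caddy() {
  if caddy validate --config "$CADDYFILE"; then
    # Reported separately from a validation failure so the message is accurate.
    systemctl reload caddy || warn "Caddy reload failed. Please check the caddy service."
  else
    warn "Caddy config validation failed. Please fix manually."
  fi
}

#######################################
# One-off rsync of the LinkML schemas into the frontend tree.
# Globals:   REPO_DIR, SCHEMA_SRC, SCHEMA_DST (read)
#######################################
initial_schema_sync() {
  echo "Running initial schema sync..."
  # rsync does not create missing parent directories of the destination.
  mkdir -p "$SCHEMA_DST"
  rsync -av --delete \
    --exclude "*.pyc" \
    --exclude "__pycache__" \
    --exclude ".git" \
    "$REPO_DIR/$SCHEMA_SRC" \
    "$SCHEMA_DST"
}

#######################################
# Print the secret and the Forgejo webhook settings to configure next.
# Globals:   WEBHOOK_SECRET, SECRET_FILE (read)
#######################################
print_summary() {
  cat <<EOF

=== Setup Complete ===

Webhook Secret: $WEBHOOK_SECRET
(stored for the service in $SECRET_FILE)

Next steps:
1. Go to https://git.bronhouder.nl/kempersc/glam/settings/hooks
2. Add a new webhook:
   - Target URL: https://bronhouder.nl/webhook/deploy
   - HTTP Method: POST
   - Content Type: application/json
   - Secret: $WEBHOOK_SECRET
   - Trigger On: Push Events
   - Branch filter: master

Test with: curl -X POST https://bronhouder.nl/webhook/deploy/manual -H 'Authorization: Bearer $WEBHOOK_SECRET'
EOF
}

main() {
  echo "=== GLAM Deploy Webhook Setup ==="
  (( EUID == 0 )) || die "this script must be run as root"
  # The unit runs as GLAM_USER and the secret file is group-owned by it.
  id "$GLAM_USER" >/dev/null 2>&1 || die "user '$GLAM_USER' does not exist"

  echo "Creating directories..."
  mkdir -p "$SCRIPTS_DIR" "$REPO_DIR"

  sync_repo

  echo "Installing Python dependencies..."
  pip3 install fastapi uvicorn pydantic --quiet

  echo "Deploying webhook script..."
  cp "$REPO_DIR/infrastructure/scripts/deploy-webhook.py" "$SCRIPTS_DIR/"

  echo "Creating systemd service..."
  write_secret_file
  write_unit

  echo "Setting ownership..."
  chown -R "$GLAM_USER:$GLAM_USER" "$REPO_DIR" "$SCRIPTS_DIR"

  configure_caddy

  echo "Starting services..."
  systemctl daemon-reload
  systemctl enable deploy-webhook
  systemctl restart deploy-webhook

  reload_caddy
  initial_schema_sync
  print_summary
}

main "$@"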