55 lines
1.8 KiB
Python
55 lines
1.8 KiB
Python
import asyncio
|
|
import hashlib
|
|
import hmac
|
|
import logging
|
|
|
|
from fastapi import APIRouter, HTTPException, Request
|
|
|
|
from config import settings
|
|
|
|
logger = logging.getLogger("admin.deploy")
|
|
|
|
router = APIRouter(prefix="/api/admin", tags=["admin"])
|
|
|
|
|
|
@router.post("/deploy")
|
|
async def deploy(request: Request):
|
|
"""Gitea webhook endpoint — pulls latest code and rebuilds Docker containers.
|
|
|
|
Gitea webhook configuration:
|
|
URL: https://<your-domain>/api/admin/deploy
|
|
Secret token: value of DEPLOY_SECRET env var
|
|
Content-Type: application/json
|
|
Trigger: Push events only (branch: main)
|
|
|
|
Add to VPS .env:
|
|
DEPLOY_SECRET=<random-strong-token>
|
|
DEPLOY_PROJECT_PATH=/home/bellsystems/bellsystems-cp
|
|
"""
|
|
if not settings.deploy_secret:
|
|
raise HTTPException(status_code=503, detail="Deploy secret not configured on server")
|
|
|
|
# Gitea sends the HMAC-SHA256 of the request body in X-Gitea-Signature
|
|
sig_header = request.headers.get("X-Gitea-Signature", "")
|
|
body = await request.body()
|
|
expected_sig = hmac.new(
|
|
key=settings.deploy_secret.encode(),
|
|
msg=body,
|
|
digestmod=hashlib.sha256,
|
|
).hexdigest()
|
|
if not hmac.compare_digest(sig_header, expected_sig):
|
|
raise HTTPException(status_code=403, detail="Invalid webhook signature")
|
|
|
|
logger.info("Auto-deploy triggered via Gitea webhook")
|
|
|
|
# Trigger the host-side systemd service which runs as the bellsystems user.
|
|
# This avoids running git/docker as root inside the container.
|
|
await asyncio.create_subprocess_shell(
|
|
"systemctl start bellsystems-deploy",
|
|
stdout=asyncio.subprocess.DEVNULL,
|
|
stderr=asyncio.subprocess.DEVNULL,
|
|
)
|
|
|
|
logger.info("Auto-deploy triggered via systemd")
|
|
return {"ok": True, "message": "Deploy started"}
|