From 7f44883afd08684ee7c0b0b5d69ebfa351ef39f4 Mon Sep 17 00:00:00 2001
From: Arne Teuke <arne_teuke@confdroid.com>
Date: Thu, 23 Oct 2025 17:21:00 +0200
Subject: [PATCH 1/3] finish  webhook sections -
 https://gitlab.confdroid.com/internal/confdroid_management/-/issues/284

---
 .vscode/settings.json                   |  1 +
 manifests/firewall/iptables.pp          |  7 ++++++
 manifests/params.pp                     |  3 +++
 manifests/r10k/webhook.pp               | 31 +++++++++++++++++++++++++
 templates/r10k/r10k_webhook_service.erb | 19 +++++++++++++++
 5 files changed, 61 insertions(+)
 create mode 100644 templates/r10k/r10k_webhook_service.erb

diff --git a/.vscode/settings.json b/.vscode/settings.json
index e842291..0c83ab4 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -17,6 +17,7 @@
         "pydantic",
         "pylint",
         "pytest",
+        "refreshonly",
         "repolist",
         "requestlogging",
         "springframework",
diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
index daba168..7f4b8b0 100644
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -17,6 +17,13 @@ class puppet_cd::firewall::iptables (
       dport => '8443',
       jump  => 'accept',
     }
+    if $pt_use_r10k_webhook == true {
+      firewall { '38080 open port 8080':
+        proto => 'tcp',
+        dport => '8080',
+        jump  => 'accept',
+      }
+    }
   }
 
   if $fqdn == $pt_db_fqdn {
diff --git a/manifests/params.pp b/manifests/params.pp
index d125443..3027126 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -236,11 +236,14 @@ class puppet_cd::params (
   $pt_r10k_webhook_erb              = 'puppet_cd/r10k/webhook.py.erb'
   $pt_r10k_req_file                 = "${pt_r10k_webhook_dir}/requirements.txt"
   $pt_r10k_req_erb                  = 'puppet_cd/r10k/requirements.txt.erb'
+  $pt_r10k_wh_service_file          = '/etc/systemd/system/r10k-webhook.service'
+  $pt_r10k_wh_service_erb           = 'puppet_cd/r10k/r10k_webhook_service.erb'
 
 # service
   $pt_server_service                = 'puppetserver'
   $pt_agent_service                 = 'puppet'
   $pt_db_service                    = 'puppetdb'
+  $pt_r10k_wb_service               = 'r10k-webhook'
 
 #
   # includes must be last
diff --git a/manifests/r10k/webhook.pp b/manifests/r10k/webhook.pp
index 21ef888..cbce3e5 100644
--- a/manifests/r10k/webhook.pp
+++ b/manifests/r10k/webhook.pp
@@ -60,5 +60,36 @@ class puppet_cd::r10k::webhook (
       require => [Package[$pt_r10k_webhook_pkg],File[$pt_r10k_req_file]],
       unless  => 'pip3 show fastapi',  # Idempotent check
     }
+
+    # establish exec systemd reload
+    exec { 'systemctl_daemon_reload':
+      command     => 'systemctl daemon-reload',
+      path        => ['/bin', '/usr/bin'],
+      require     => Exec['pip_install_r10k_webhook'],
+      refreshonly => true,
+    }
+
+    # install systemd service file
+    file { $pt_r10k_wh_service_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => systemd_unit_file_t,
+      seluser  => system_u,
+      content  => template($pt_r10k_wh_service_erb),
+      require  => Exec['systemctl_daemon_reload'],
+      notify   => Exec['systemctl_daemon_reload'],
+    }
+
+    # manage service
+    service { 'r10k-webhook':
+      ensure    => 'running',
+      enable    => true,
+      require   => File[$pt_r10k_wh_service_file],
+      subscribe => File[$pt_r10k_webhook_file],
+    }
   }
 }
diff --git a/templates/r10k/r10k_webhook_service.erb b/templates/r10k/r10k_webhook_service.erb
new file mode 100644
index 0000000..821f0de
--- /dev/null
+++ b/templates/r10k/r10k_webhook_service.erb
@@ -0,0 +1,19 @@
+[Unit]
+Description=r10k Webhook Server
+After=network.target haproxy.service
+
+[Service]
+Type=simple
+User=puppet
+Group=puppet
+WorkingDirectory=/opt/r10k-webhook
+ExecStart=/usr/bin/python3 /opt/r10k-webhook/webhook_server.py
+Restart=always
+RestartSec=5
+Environment=R10K_WEBHOOK_SECRET=YOUR_SECRET_HERE
+LimitNOFILE=65536
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file

From dc99da8b727920199306ae95aef127685d962954 Mon Sep 17 00:00:00 2001
From: Arne Teuke <arne_teuke@confdroid.com>
Date: Thu, 23 Oct 2025 17:22:04 +0200
Subject: [PATCH 2/3] finish  webhook sections -
 https://gitlab.confdroid.com/internal/confdroid_management/-/issues/284

---
 .vscode/settings.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.vscode/settings.json b/.vscode/settings.json
index 0c83ab4..2aa5b11 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -14,6 +14,7 @@
         "kahadb",
         "levelname",
         "logappender",
+        "NOFILE",
         "pydantic",
         "pylint",
         "pytest",

From 60051b12c22d1a4ecda380b8cef7fd8b60a7c797 Mon Sep 17 00:00:00 2001
From: Jenkins Server <jenkins@confdroid.com>
Date: Thu, 23 Oct 2025 17:23:46 +0200
Subject: [PATCH 3/3] Recommit for updates in build 12

---
 ...puppet_cd_3A_3Afirewall_3A_3Aiptables.html | 16 ++++-
 doc/puppet_classes/puppet_cd_3A_3Aparams.html |  8 ++-
 .../puppet_cd_3A_3Ar10k_3A_3Awebhook.html     | 64 ++++++++++++++++++-
 3 files changed, 85 insertions(+), 3 deletions(-)

diff --git a/doc/puppet_classes/puppet_cd_3A_3Afirewall_3A_3Aiptables.html b/doc/puppet_classes/puppet_cd_3A_3Afirewall_3A_3Aiptables.html
index 86bc85d..e269b4f 100644
--- a/doc/puppet_classes/puppet_cd_3A_3Afirewall_3A_3Aiptables.html
+++ b/doc/puppet_classes/puppet_cd_3A_3Afirewall_3A_3Aiptables.html
@@ -139,7 +139,14 @@
 41
 42
 43
-44</pre>
+44
+45
+46
+47
+48
+49
+50
+51</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/firewall/iptables.pp', line 6</span>
@@ -158,6 +165,13 @@ class puppet_cd::firewall::iptables (
       dport =&gt; &#39;8443&#39;,
       jump  =&gt; &#39;accept&#39;,
     }
+    if $pt_use_r10k_webhook == true {
+      firewall { &#39;38080 open port 8080&#39;:
+        proto =&gt; &#39;tcp&#39;,
+        dport =&gt; &#39;8080&#39;,
+        jump  =&gt; &#39;accept&#39;,
+      }
+    }
   }
 
   if $fqdn == $pt_db_fqdn {
diff --git a/doc/puppet_classes/puppet_cd_3A_3Aparams.html b/doc/puppet_classes/puppet_cd_3A_3Aparams.html
index 88afd11..5c6da7a 100644
--- a/doc/puppet_classes/puppet_cd_3A_3Aparams.html
+++ b/doc/puppet_classes/puppet_cd_3A_3Aparams.html
@@ -1677,7 +1677,10 @@
 245
 246
 247
-248</pre>
+248
+249
+250
+251</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/params.pp', line 88</span>
@@ -1833,11 +1836,14 @@ class puppet_cd::params (
   $pt_r10k_webhook_erb              = &#39;puppet_cd/r10k/webhook.py.erb&#39;
   $pt_r10k_req_file                 = &quot;${pt_r10k_webhook_dir}/requirements.txt&quot;
   $pt_r10k_req_erb                  = &#39;puppet_cd/r10k/requirements.txt.erb&#39;
+  $pt_r10k_wh_service_file          = &#39;/etc/systemd/system/r10k-webhook.service&#39;
+  $pt_r10k_wh_service_erb           = &#39;puppet_cd/r10k/r10k_webhook_service.erb&#39;
 
 # service
   $pt_server_service                = &#39;puppetserver&#39;
   $pt_agent_service                 = &#39;puppet&#39;
   $pt_db_service                    = &#39;puppetdb&#39;
+  $pt_r10k_wb_service               = &#39;r10k-webhook&#39;
 
 #
   # includes must be last
diff --git a/doc/puppet_classes/puppet_cd_3A_3Ar10k_3A_3Awebhook.html b/doc/puppet_classes/puppet_cd_3A_3Ar10k_3A_3Awebhook.html
index 00efc32..74d9a53 100644
--- a/doc/puppet_classes/puppet_cd_3A_3Ar10k_3A_3Awebhook.html
+++ b/doc/puppet_classes/puppet_cd_3A_3Ar10k_3A_3Awebhook.html
@@ -159,7 +159,38 @@
 61
 62
 63
-64</pre>
+64
+65
+66
+67
+68
+69
+70
+71
+72
+73
+74
+75
+76
+77
+78
+79
+80
+81
+82
+83
+84
+85
+86
+87
+88
+89
+90
+91
+92
+93
+94
+95</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/r10k/webhook.pp', line 6</span>
@@ -221,6 +252,37 @@ class puppet_cd::r10k::webhook (
       require =&gt; [Package[$pt_r10k_webhook_pkg],File[$pt_r10k_req_file]],
       unless  =&gt; &#39;pip3 show fastapi&#39;,  # Idempotent check
     }
+
+    # establish exec systemd reload
+    exec { &#39;systemctl_daemon_reload&#39;:
+      command     =&gt; &#39;systemctl daemon-reload&#39;,
+      path        =&gt; [&#39;/bin&#39;, &#39;/usr/bin&#39;],
+      require     =&gt; Exec[&#39;pip_install_r10k_webhook&#39;],
+      refreshonly =&gt; true,
+    }
+
+    # install systemd service file
+    file { $pt_r10k_wh_service_file:
+      ensure   =&gt; file,
+      owner    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
+      mode     =&gt; &#39;0644&#39;,
+      selrange =&gt; s0,
+      selrole  =&gt; object_r,
+      seltype  =&gt; systemd_unit_file_t,
+      seluser  =&gt; system_u,
+      content  =&gt; template($pt_r10k_wh_service_erb),
+      require  =&gt; Exec[&#39;systemctl_daemon_reload&#39;],
+      notify   =&gt; Exec[&#39;systemctl_daemon_reload&#39;],
+    }
+
+    # manage service
+    service { &#39;r10k-webhook&#39;:
+      ensure    =&gt; &#39;running&#39;,
+      enable    =&gt; true,
+      require   =&gt; File[$pt_r10k_wh_service_file],
+      subscribe =&gt; File[$pt_r10k_webhook_file],
+    }
   }
 }</pre>
       </td>