diff --git a/.vscode/settings.json b/.vscode/settings.json
index e842291..0c83ab4 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -17,6 +17,7 @@
 "pydantic",
 "pylint",
 "pytest",
+ "refreshonly",
 "repolist",
 "requestlogging",
 "springframework",
diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
index daba168..7f4b8b0 100644
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -17,6 +17,13 @@ class puppet_cd::firewall::iptables (
 dport => '8443',
 jump => 'accept',
 }
+ if $pt_use_r10k_webhook == true {
+ firewall { '38080 open port 8080':
+ proto => 'tcp',
+ dport => '8080',
+ jump => 'accept',
+ }
+ }
 }
 if $fqdn == $pt_db_fqdn {
diff --git a/manifests/params.pp b/manifests/params.pp
index d125443..3027126 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -236,11 +236,14 @@ class puppet_cd::params (
 $pt_r10k_webhook_erb = 'puppet_cd/r10k/webhook.py.erb'
 $pt_r10k_req_file = "${pt_r10k_webhook_dir}/requirements.txt"
 $pt_r10k_req_erb = 'puppet_cd/r10k/requirements.txt.erb'
+ $pt_r10k_wh_service_file = '/etc/systemd/system/r10k-webhook.service'
+ $pt_r10k_wh_service_erb = 'puppet_cd/r10k/r10k_webhook_service.erb'
 # service
 $pt_server_service = 'puppetserver'
 $pt_agent_service = 'puppet'
 $pt_db_service = 'puppetdb'
+ $pt_r10k_wb_service = 'r10k-webhook'
 #
 # includes must be last
diff --git a/manifests/r10k/webhook.pp b/manifests/r10k/webhook.pp
index 21ef888..cbce3e5 100644
--- a/manifests/r10k/webhook.pp
+++ b/manifests/r10k/webhook.pp
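Review bot: The new `firewall { '38080 open port 8080': ... }` rule accepts TCP 8080 from any source, because no `source` attribute is set, while the unit file added in this same commit declares `After=haproxy.service`, which suggests the webhook may only need to be reachable from a local proxy. If the Git forge is meant to hit the webhook directly, restrict the rule, e.g. `source => $pt_r10k_webhook_source,` with the forge's address range as a class parameter, since the shared secret in the unit file appears to be the only authentication in front of it; if haproxy on 8443 proxies to 8080 locally, the rule is not needed and the port should stay closed. The `if` block this rule sits inside starts before the hunk, so the condition that gates it is not visible here.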
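Review bot: The new `$pt_r10k_wb_service = 'r10k-webhook'` uses the abbreviation `wb` while the two parameters added just above it use `wh` (`$pt_r10k_wh_service_file`, `$pt_r10k_wh_service_erb`), which reads like a typo and will make the name hard to grep for; rename it `$pt_r10k_wh_service` to match. The class body continues outside the hunk.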
@@ -60,5 +60,36 @@ class puppet_cd::r10k::webhook (
 require => [Package[$pt_r10k_webhook_pkg],File[$pt_r10k_req_file]],
 unless => 'pip3 show fastapi', # Idempotent check
 }
+
+ # establish exec systemd reload
+ exec { 'systemctl_daemon_reload':
+ command => 'systemctl daemon-reload',
+ path => ['/bin', '/usr/bin'],
+ require => Exec['pip_install_r10k_webhook'],
+ refreshonly => true,
+ }
+
+ # install systemd service file
+ file { $pt_r10k_wh_service_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => systemd_unit_file_t,
+ seluser => system_u,
+ content => template($pt_r10k_wh_service_erb),
+ require => Exec['systemctl_daemon_reload'],
+ notify => Exec['systemctl_daemon_reload'],
+ }
+
+ # manage service
+ service { 'r10k-webhook':
+ ensure => 'running',
+ enable => true,
+ require => File[$pt_r10k_wh_service_file],
+ subscribe => File[$pt_r10k_webhook_file],
+ }
 }
 }
diff --git a/templates/r10k/r10k_webhook_service.erb b/templates/r10k/r10k_webhook_service.erb
new file mode 100644
index 0000000..821f0de
--- /dev/null
+++ b/templates/r10k/r10k_webhook_service.erb
@@ -0,0 +1,19 @@
+[Unit]
+Description=r10k Webhook Server
+After=network.target haproxy.service
+
+[Service]
+Type=simple
+User=puppet
+Group=puppet
+WorkingDirectory=/opt/r10k-webhook
+ExecStart=/usr/bin/python3 /opt/r10k-webhook/webhook_server.py
+Restart=always
+RestartSec=5
+Environment=R10K_WEBHOOK_SECRET=YOUR_SECRET_HERE
+LimitNOFILE=65536
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
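Review bot: The new `file { $pt_r10k_wh_service_file: ... }` both requires and notifies `Exec['systemctl_daemon_reload']`; `notify` already orders the file before the exec, so `require => Exec['systemctl_daemon_reload'],` orders it the opposite way and Puppet will reject the catalog with a dependency cycle. Drop that `require` line from the file resource and order the exec before the service instead, which is where daemon-reload must have run before a freshly written unit can be started: `require => [File[$pt_r10k_wh_service_file], Exec['systemctl_daemon_reload']],`. The service currently restarts only when the Python script changes; `subscribe => [File[$pt_r10k_webhook_file], File[$pt_r10k_wh_service_file]],` makes edits to the unit take effect as well. The hard-coded title `service { 'r10k-webhook':` could use the service-name parameter this commit adds to params.pp so the two cannot drift. The enclosing class body continues outside the hunk.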
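Review bot: `Environment=R10K_WEBHOOK_SECRET=YOUR_SECRET_HERE` places the webhook's authentication secret in a unit file that the manifest installs with mode 0644, and the template contains no ERB tags, so the literal placeholder is exactly what gets deployed and the secret is a known constant. Even once a real value is put there, anything in `Environment=` is generally visible to local users through `systemctl show r10k-webhook`, so the unit file is the wrong place for it. Replace the line with `EnvironmentFile=/etc/r10k-webhook/env` and have the manifest manage that file root-owned with mode 0600, taking the secret from a class parameter rather than a literal; systemd reads the file before switching to `User=puppet`, so the tighter mode does not affect the service (on systemd 247+ `LoadCredential=` is the cleaner option). For a network-facing process, `NoNewPrivileges=true` and `PrivateTmp=true` under `[Service]` are low-risk hardening additions that should not interfere with r10k.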