diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index 7e2a4aa1..d69abfb5 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@@ -42,6 +42,8 @@
 
     - role: request_log
       tags: [telemetry, logging]
+    - role: webhook_deploy    - role: webhook_deploy
+
 
     - role: cron_manager
       tags: [cron, schedule]
diff --git a/ansible/roles/webhook_deploy/tasks/main.yml b/ansible/roles/webhook_deploy/tasks/main.yml
new file mode 100644
index 00000000..3f0be769
--- /dev/null
+++ b/ansible/roles/webhook_deploy/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+- name: "Create ansible log directory"
+  file:
+    path: /var/log/ansible
+    state: directory
+    mode: "0755"
+
+- name: "Deploy webhook handler systemd service (oneshot)"
+  copy:
+    dest: /etc/systemd/system/webhook-ansible-deploy.service
+    mode: "0644"
+    content: |
+      [Unit]
+      Description=Timmy Config Ansible Deploy Webhook Handler
+      After=network.target
+
+      [Service]
+      Type=oneshot
+      WorkingDirectory=/root/wizards/bezalel/workspace/timmy-config
+      ExecStart=/usr/bin/ansible-playbook -i ansible/inventory/hosts.yml ansible/playbooks/site.yml --limit "$(hostname)"
+      StandardOutput=append:/var/log/ansible/webhook-deploy.log
+      StandardError=append:/var/log/ansible/webhook-deploy.log
+
+- name: "Reload systemd to pick up new service"
+  systemd:
+    daemon_reload: yes
+
+- name: "Ensure webhook service is disabled (webhook-triggered only)"
+  systemd:
+    name: webhook-ansible-deploy.service
+    enabled: false
+    state: stopped
diff --git a/ansible/scripts/deploy_on_webhook.sh b/ansible/scripts/deploy_on_webhook.sh
old mode 100644
new mode 100755