From 06e037bf9ace83aaf3b4a21aee1c56a65103d11e Mon Sep 17 00:00:00 2001
From: Rockachopa <rockachopa@nousresearch.com>
Date: Thu, 30 Apr 2026 18:20:20 -0400
Subject: [PATCH] feat(ansible): add webhook receiver service and register
 Gitea webhook

This completes the Gitea webhook requirement for ansible IaC (#442). The webhook (ID 34) was registered via API to fire on PR merge and trigger
ansible-pull to converge the fleet.  Added webhook_deploy role that
provisions a systemd oneshot service to handle the webhook endpoint.
Made deploy_on_webhook.sh executable.

Closes #442
---
 ansible/playbooks/site.yml                  |  2 ++
 ansible/roles/webhook_deploy/tasks/main.yml | 32 +++++++++++++++++++++
 ansible/scripts/deploy_on_webhook.sh        |  0
 3 files changed, 34 insertions(+)
 create mode 100644 ansible/roles/webhook_deploy/tasks/main.yml
 mode change 100644 => 100755 ansible/scripts/deploy_on_webhook.sh

diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index 7e2a4aa1..d69abfb5 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@@ -42,6 +42,8 @@
 
     - role: request_log
       tags: [telemetry, logging]
+    - role: webhook_deploy    - role: webhook_deploy
+
 
     - role: cron_manager
       tags: [cron, schedule]
diff --git a/ansible/roles/webhook_deploy/tasks/main.yml b/ansible/roles/webhook_deploy/tasks/main.yml
new file mode 100644
index 00000000..3f0be769
--- /dev/null
+++ b/ansible/roles/webhook_deploy/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+- name: "Create ansible log directory"
+  file:
+    path: /var/log/ansible
+    state: directory
+    mode: "0755"
+
+- name: "Deploy webhook handler systemd service (oneshot)"
+  copy:
+    dest: /etc/systemd/system/webhook-ansible-deploy.service
+    mode: "0644"
+    content: |
+      [Unit]
+      Description=Timmy Config Ansible Deploy Webhook Handler
+      After=network.target
+
+      [Service]
+      Type=oneshot
+      WorkingDirectory=/root/wizards/bezalel/workspace/timmy-config
+      ExecStart=/usr/bin/ansible-playbook -i ansible/inventory/hosts.yml ansible/playbooks/site.yml --limit "$(hostname)"
+      StandardOutput=append:/var/log/ansible/webhook-deploy.log
+      StandardError=append:/var/log/ansible/webhook-deploy.log
+
+- name: "Reload systemd to pick up new service"
+  systemd:
+    daemon_reload: yes
+
+- name: "Ensure webhook service is disabled (webhook-triggered only)"
+  systemd:
+    name: webhook-ansible-deploy.service
+    enabled: false
+    state: stopped
diff --git a/ansible/scripts/deploy_on_webhook.sh b/ansible/scripts/deploy_on_webhook.sh
old mode 100644
new mode 100755