Add updater container (spannend hoor)

docker-compose.yml

@@ -5,4 +5,5 @@ include:
   - paperless/docker-compose.yml
   - pingvin/docker-compose.yml
   - pocketid/docker-compose.yml
+  - updater/docker-compose.yml
   - vaultwarden/docker-compose.yml

update

@@ -1,3 +0,0 @@
-#!/bin/bash
-cd /data/docker-config
-git pull && docker compose up -d

updater/.env.example

@@ -0,0 +1,2 @@
+GITEA_WEBHOOK_SECRET=
+DOCKER_CONFIG_DIR=

updater/Dockerfile

@@ -0,0 +1,16 @@
+# Use the official PHP image with Apache
+FROM php:8.1-apache
+
+# Install git and docker-compose
+RUN apt-get update && \
+    apt-get install -y git docker-compose && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy the PHP file to the Apache document root
+COPY webhook.php /var/www/html/index.php
+
+# Expose port 80
+EXPOSE 80
+
+# Start Apache server
+CMD ["apache2-foreground"]

updater/docker-compose.yml

@@ -0,0 +1,9 @@
+services:
+  updater:
+    build: .
+    ports:
+      - "6969:80"
+    env_file:
+      - .env
+    volumes:
+      - ${DOCKER_CONFIG_DIR}:/config

updater/webhook.php

@@ -0,0 +1,71 @@
+<?php
+
+error_log(date('Y-m-d H:i:s'). "\t received request from " . $_SERVER['REMOTE_ADDR']);
+
+
+$secret_key = getenv('GITEA_WEBHOOK_SECRET');
+if (empty($secret_key)) {
+    error_log('FAILED - secret key missing from environment');
+    exit();
+}
+
+// check for POST request
+if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+    error_log('FAILED - not POST - ' . $_SERVER['REQUEST_METHOD']);
+    exit();
+}
+
+// get content type
+$content_type = isset($_SERVER['CONTENT_TYPE']) ? strtolower(trim($_SERVER['CONTENT_TYPE'])) : '';
+
+if ($content_type != 'application/json') {
+    error_log('FAILED - not application/json - ' . $content_type);
+    exit();
+}
+
+// get payload
+$payload = trim(file_get_contents("php://input"));
+
+if (empty($payload)) {
+    error_log('FAILED - no payload');
+    exit();
+}
+
+// get header signature
+$header_signature = isset($_SERVER['HTTP_X_GITEA_SIGNATURE']) ? $_SERVER['HTTP_X_GITEA_SIGNATURE'] : '';
+
+if (empty($header_signature)) {
+    error_log('FAILED - header signature missing');
+    exit();
+}
+
+// calculate payload signature
+$payload_signature = hash_hmac('sha256', $payload, $secret_key);
+
+// check payload signature against header signature
+if ($header_signature !== $payload_signature) {
+    error_log('FAILED - payload signature');
+    exit();
+}
+
+// convert json to array
+$decoded = json_decode($payload, true);
+
+// check for json decode errors
+if (json_last_error() !== JSON_ERROR_NONE) {
+    error_log('FAILED - json decode - ' . json_last_error());
+    exit();
+}
+
+// success, log something without error_log
+error_log('SUCCESS - ' . $decoded['ref']);
+
+chdir('/config');
+exec('git pull');
+exec('docker compose up -d --quiet-pull > /proc/1/fd/1 2>/proc/1/fd/2 &');
+
+// send return code and text message
+http_response_code(200);
+echo 'lekker pik';
+
+