Add gitea-webhook.py

gitea-webhook.py

@@ -0,0 +1,37 @@
+#!/root/kpr-links/.venv/bin/python
+
+import hashlib, hmac, os, subprocess, sys
+from dotenv import load_dotenv
+from flask import Flask, request, abort
+
+app = Flask(__name__)
+
+REPO_DIR     = os.getenv("REPO_DIR", "/root/kpr-links")
+SERVICE_NAME = os.getenv("SERVICE_NAME", "kpr-links")
+SECRET       = os.getenv("GITEA_SECRET", "")
+
+def signature_ok(body: bytes, header: str | None) -> bool:
+    if not SECRET:
+        return True
+    if not header or not header.startswith("sha256="):
+        return False
+    theirs = header.split("=", 1)[1]
+    ours   = hmac.new(SECRET.encode(), body, hashlib.sha256).hexdigest()
+    return hmac.compare_digest(ours, theirs)
+
+@app.post("/webhook")
+def handle():
+    if not signature_ok(request.data, request.headers.get("X-Gitea-Signature")):
+        abort(403)
+    if request.headers.get("X-Gitea-Event") != "push":
+        return "ignored", 200
+    try:
+        subprocess.check_call(["git", "-C", REPO_DIR, "fetch", "--all"])
+        subprocess.check_call(["git", "-C", REPO_DIR, "reset", "--hard", "origin/main"])
+        subprocess.check_call(["systemctl", "restart", SERVICE_NAME])
+    except subprocess.CalledProcessError as e:
+        abort(500, str(e))
+    return "ok", 200
+
+if __name__ == "__main__":
+    app.run("0.0.0.0", 9000)