aboutsummaryrefslogtreecommitdiff
;;; guix-forge --- Guix software forge meta-service
;;; Copyright © 2022 Arun Isaac <arunisaac@systemreboot.net>
;;;
;;; This file is part of guix-forge.
;;;
;;; guix-forge is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published
;;; by the Free Software Foundation, either version 3 of the License,
;;; or (at your option) any later version.
;;;
;;; guix-forge is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
;;; General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with guix-forge.  If not, see
;;; <https://www.gnu.org/licenses/>.

(define-module (forge webhook)
  #:use-module (srfi srfi-1)
  #:use-module (gnu build linux-container)
  #:use-module ((gnu packages admin) #:select (shadow))
  #:use-module ((gnu packages guile) #:select (guile-json-4))
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system accounts)
  #:use-module (gnu system file-systems)
  #:use-module (gnu system shadow)
  #:use-module (guix gexp)
  #:use-module (guix modules)
  #:use-module (guix records)
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (guix least-authority)
  #:use-module (guix build-system go)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (forge socket)
  #:export (webhook-service-type
            webhook-configuration
            webhook-configuration?
            webhook-configuration-package
            webhook-configuration-socket
            webhook-configuration-log-directory
            webhook-configuration-hooks
            webhook-hook
            webhook-hook?
            webhook-hook-id
            webhook-hook-run))

(define-public webhook
  (package
    (name "webhook")
    (version "2.8.0")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/adnanh/webhook")
                    (commit version)))
              (file-name (git-file-name name version))
              (sha256
               (base32
                "0n03xkgwpzans0cymmzb0iiks8mi2c76xxdak780dk0jbv6qgp5i"))))
    (build-system go-build-system)
    (arguments
     `(#:import-path "github.com/adnanh/webhook"
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'configure
           (lambda* (#:key inputs #:allow-other-keys)
             (substitute* "src/github.com/adnanh/webhook/webhook_test.go"
               (("/bin/echo")
                (string-append (assoc-ref inputs "coreutils")
                               "/bin/echo"))))))))
    (home-page "https://github.com/adnanh/webhook")
    (synopsis "Lightweight incoming webhook server")
    (description "webhook is a lightweight configurable tool written
in Go, that allows you to easily create HTTP endpoints (hooks) on your
server, which you can use to execute configured commands. You can also
pass data from the HTTP request (such as headers, payload or query
variables) to your commands. webhook also allows you to specify rules
which have to be satisfied in order for the hook to be triggered.

For example, if you're using Github or Bitbucket, you can use webhook
to set up a hook that runs a redeploy script for your project on your
staging server, whenever you push changes to the master branch of your
project.

If you use Mattermost or Slack, you can set up an \"Outgoing webhook
integration\" or \"Slash command\" to run various commands on your
server, which can then report back directly to you or your channels
using the \"Incoming webhook integrations\", or the appropriate
response body.

webhook aims to do nothing more than it should do, and that is:

@itemize
@item receive the request,
@item parse the headers, payload and query variables,
@item check if the specified rules for the hook are satisfied,
@item and finally, pass the specified arguments to the specified
command via command line arguments or via environment variables.
@end itemize

Everything else is the responsibility of the command's author.")
    (license license:expat)))

(define-record-type* <webhook-configuration>
  webhook-configuration make-webhook-configuration
  webhook-configuration?
  (package webhook-configuration-package
           (default webhook))
  (socket webhook-configuration-socket
          (default (forge-ip-socket
                    (ip "127.0.0.1")
                    (port 9000))))
  (log-directory webhook-configuration-log-directory
                 (default "/var/log/webhook"))
  (hooks webhook-configuration-hooks
         (default '())))

(define-record-type* <webhook-hook>
  webhook-hook make-webhook-hook
  webhook-hook?
  (id webhook-hook-id)
  (run webhook-hook-run))

(define %webhook-accounts
  (list (user-account
         (name "webhook")
         (group "webhook")
         (system? #t)
         (comment "webhook user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))
        (user-group
         (name "webhook")
         (system? #t))))

(define (webhook-activation config)
  (match-record config <webhook-configuration>
    (log-directory)
    #~(begin
        ;; Create log directory and set permissions.
        (mkdir-p #$log-directory)
        (let ((user (getpw "webhook")))
          (for-each (lambda (file)
                      (chown file (passwd:uid user) (passwd:gid user)))
                    (find-files #$log-directory #:directories? #t))))))

(define (hooks-json-gexp config)
  (with-extensions (list guile-json-4)
    #~(begin
        (use-modules (srfi srfi-26)
                     (json))
        
        (call-with-output-file #$output
          (cut scm->json
               ;; We convert from list to vector on the build-side
               ;; because a vector cannot be lowered correctly into a
               ;; G-expression.
               (list->vector
                ;; We build a true dotted association list in this
                ;; roundabout way because a true dotted association
                ;; list cannot be lowered correctly into a
                ;; G-expression.
                (map (cut map (cut apply cons <>) <>)
                     '#$(map (lambda (hook)
                               `(("id" ,(webhook-hook-id hook))
                                 ("execute-command" ,(program-file (string-append (webhook-hook-id hook)
                                                                                  "-webhook")
                                                                   (webhook-hook-run hook)))))
                             (webhook-configuration-hooks config))))
               <>)))))

(define (webhook-shepherd-service config)
  (shepherd-service
   (documentation "Run webhook.")
   (provision '(webhook))
   (requirement '(networking))
   (start
    (let ((hooks-json (computed-file "hooks.json" (hooks-json-gexp config))))
      #~(make-forkexec-constructor
         (list #$(least-authority-wrapper
                  (file-append (webhook-configuration-package config)
                               "/bin/webhook")
                  #:name "webhook"
                  #:mappings (list (file-system-mapping
                                    (source hooks-json)
                                    (target source))
                                   (file-system-mapping
                                    (source (webhook-configuration-log-directory config))
                                    (target source)
                                    (writable? #t)))
                  ;; TODO: If socket is a Unix socket, run in a
                  ;; network namespace. We can't do this yet due to
                  ;; https://yhetil.org/guix/m1ilknoi5r.fsf@fastmail.net/
                  #:namespaces (delq 'net %namespaces))
               "-hooks" #$hooks-json
               "-ip" #$(forge-ip-socket-ip (webhook-configuration-socket config))
               "-port" #$(number->string (forge-ip-socket-port (webhook-configuration-socket config)))
               "-logfile" #$(string-append (webhook-configuration-log-directory config)
                                           "/webhook.log"))
         #:user "webhook"
         #:group "webhook"
         #:log-file "/var/log/webhook.log")))
   (stop #~(make-kill-destructor))))

(define webhook-service-type
  (service-type
   (name 'webhook)
   (description "Run webhook.")
   (extensions (list (service-extension account-service-type
                                        (const %webhook-accounts))
                     (service-extension activation-service-type
                                        webhook-activation)
                     (service-extension shepherd-root-service-type
                                        (compose list webhook-shepherd-service))))
   (compose concatenate)
   (extend (lambda (config hook-extensions)
             (webhook-configuration
              (inherit config)
              (hooks (append (webhook-configuration-hooks config)
                             hook-extensions)))))
   (default-value (webhook-configuration))))