[webhook] Switches match rule to just use an IP whitelist.

2025-06-05 11:10:40 -07:00
parent 9acaae9277
commit d432ef8014
1 changed files with 27 additions and 9 deletions
--- a/system/hosts/mcp/static-site-hooks.nix
+++ b/system/hosts/mcp/static-site-hooks.nix
@@ -58,18 +58,36 @@ in
        id = "deploy-www2-terakoda-com";
        http-methods = [ "POST" ];
        command-working-directory = "/tank/web/www2.terakoda.com";
-        include-command-output-in-response = true;
        include-command-output-in-response-on-error = true;
        execute-command = "${testHook}/bin/deploy-astro-app";
+        trigger-rule-mismatch-http-response-code = 400;
        trigger-rule = {
-          match = {
-            type = "payload-mac-sha256";
-            secret = "test123";
-            parameter = {
-              source = "header";
-              name = "X-Hub-Signature-256";
-            };
-          };
+          or = [
+            # There were some issues getting the payload signature validation to work.
+            # Switching to only accepting requests from internal IPs.
+            # {
+            #   match = {
+            #     type = "payload-hmac-sha1";
+            #     secret = "mysecret";
+            #     parameter = {
+            #       source = "header";
+            #       name = "X-Hub-Signature";
+            #     };
+            #   };
+            # }
+            {
+              match = {
+                type = "ip-whitelist";
+                ip-range = "192.168.0.0/16";
+              };
+            }
+            {
+              match = {
+                type = "ip-whitelist";
+                ip-range = "10.88.0.0/16";
+              };
+            }
+          ];
        };
      };
    };