diff --git a/pillar/prod/top.sls b/pillar/prod/top.sls
index 4621c50a..97655bc1 100644
--- a/pillar/prod/top.sls
+++ b/pillar/prod/top.sls
@@ -43,6 +43,7 @@ base:
 
   'docs':
     - match: nodegroup
+    - firewall.http
     - firewall.rs-lb-backend
     - groups.docs
     - secrets.docs
diff --git a/salt/docs/config/github-webhook-secret-environment b/salt/docs/config/github-webhook-secret-environment
new file mode 100644
index 00000000..4a3853a8
--- /dev/null
+++ b/salt/docs/config/github-webhook-secret-environment
@@ -0,0 +1 @@
+GITHUB_WEBHOOK_SECRET={{ github_webhook_secret }}
diff --git a/salt/docs/init.sls b/salt/docs/init.sls
index 5eb3575b..2a8b2483 100644
--- a/salt/docs/init.sls
+++ b/salt/docs/init.sls
@@ -32,6 +32,39 @@ docsbuild:
     - require:
       - group: docs
 
+/srv/docsbuild/.config/environment.d:
+  file.directory:
+    - user: docsbuild
+    - group: docsbuild
+    - mode: 750
+    - require:
+      - user: docsbuild
+
+/srv/docsbuild/.config/environment.d/github-webhook-secret.conf:
+  file.managed:
+    - user: docsbuild
+    - group: docsbuild
+    - mode: 640
+    - require:
+      - file: /srv/docsbuild/.config/environment.d
+    - template: jinja
+    - source: salt://docs/config/github-webhook-secret-environment
+    - context:
+      github_webhook_secret: {{ pillar.get('docs', {}).get('github', {}).get('hook', {}).get('secret', '') }}
+
+/var/lib/systemd/linger/docsbuild:
+  file.exists:
+    - user: root
+    - group: root
+    - mode: 0644
+
+/var/run/docsbuild:
+  file.directory:
+    - user: docsbuild
+    - mode: 755
+    - require:
+      - user: docsbuild
+
 docsbuild-scripts:
    git.latest:
      - name: https://github.com/python/docsbuild-scripts.git