From 259260e6f9325364c3cec56502a1ecd526529190 Mon Sep 17 00:00:00 2001 From: marieke-bijlsma Date: Thu, 12 May 2022 12:33:43 +0200 Subject: [PATCH 01/10] Install Jenkins --- galaxy-requirements.yml | 2 + group_vars/gearshift_cluster/secrets.yml | 43 ------- group_vars/jenkins_server/secrets.yml | 138 +++++++++++----------- roles/jenkins/tasks/main.yml | 99 ++++++++++++++++ single_role_playbooks/firewall.yml | 1 + single_role_playbooks/jenkins.yml | 10 +- single_role_playbooks/ssh_host_signer.yml | 1 + 7 files changed, 181 insertions(+), 113 deletions(-) delete mode 100644 group_vars/gearshift_cluster/secrets.yml diff --git a/galaxy-requirements.yml b/galaxy-requirements.yml index f63d67f3d..9a10e1d5d 100644 --- a/galaxy-requirements.yml +++ b/galaxy-requirements.yml @@ -13,6 +13,8 @@ roles: version: 3.1.1 - src: geerlingguy.jenkins version: 4.3.0 + - src: geerlingguy.java + version: 2.0.1 collections: - name: community.general version: '>=3.0.2' diff --git a/group_vars/gearshift_cluster/secrets.yml b/group_vars/gearshift_cluster/secrets.yml deleted file mode 100644 index 92e3f98b0..000000000 --- a/group_vars/gearshift_cluster/secrets.yml +++ /dev/null @@ -1,43 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;gearshift_cluster -33643763633837633830326163663337626430333034386239653162333433356666326230383362 -3439653064653132393738613132623335373164303634640a643531326465336533643365346234 -63616663376561383033333562653631343737333230316661393763626162326637323563343531 -6135646566353139340a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diff --git a/group_vars/jenkins_server/secrets.yml b/group_vars/jenkins_server/secrets.yml index bbc71f6ad..df455109e 100644 --- a/group_vars/jenkins_server/secrets.yml +++ b/group_vars/jenkins_server/secrets.yml 
@@ -1,70 +1,70 @@ $ANSIBLE_VAULT;1.2;AES256;jenkins_server -39653431386530663162643638633739383935336537386431353139616135613961633731613636 -3334383039333434383438376164343733616337363331640a313338323461633436613766353836 -34646537383932306534346234343264313836653938613537376235666662363837393833633463 -6238343938646164620a633936303632333761643737663936653937366636613533306264303532 -37376664623665346165646534313634623135333133356566393737653330353035303034373930 -36363064353739643738663038646635363239303639633835333036653735623866303330393933 -35636633353837663139663833373731633961356665316565356666356665643639336638663837 -63303863313233663234643534373431653638336665613032633036616134353837363363336631 -30313133326539303534633866353032303965626236613033653564643539336236613662336535 -64626261653363346366366534313139663633336639646562306331653538313130653463303663 -35386264396361623137313333343133383938323837623538373532656234386238613431306538 -63636130616632633062356630323366623736653039373938636362646437643032363030393634 -39336362656432376437383532643834616234666637316161363163373436363063626263306434 -38363162636262323331316333393734373230373934363334353536663862386432373864336261 -66303935393163383766393037376639643461323033316466616336636264643539373835396439 -34323763353130396232363934313636653035383965636235376464333139336135393065663030 -65613131363734363733313636393135383032663037333164613237643038316135343762626161 -63646563303737363239653261386433633062623965373130646665663732656539313462333834 -39343266353465333633343166313333643932333733316661636238643366303537616165306663 -35373965396464343437356531303236636531393234323464373034353031333664306364343561 -35653262356233623635666363343162613635666363663462626665316235353665633936326138 -30383432633536303831323461396563363133356533393533363332393361346438613261636238 -62313736663735653036323338316531373666353665666364656539613739323235373863336536 
-32386266336563653339383065626539636566323234313033316261353365303236653031393263 -61663464613237643939663836356661353164366162323865396635366262323538656334323663 -37366164333038386130363734663931363934626538383963656163646236323934386639396465 -65386162313731366661633330303438303863383231373864316263356535383966336366386662 -38636534366264666234323937356464326561393261663031643137633936626263666566373564 -33656437623939356663393166653936346563383830636463626436663464633366363332383861 -34366439393265313633336639343531333533383635626533336230306237643364383231366364 -34396263356230333063636536363234646632383334663361333031356634306163313430623138 -38346237343966646566363462396237663335666430373566303937636163636435643864613235 -36376263343331646631633764313237653463376239356365346664663239613838346162616231 -65373339333363353330306161613534666433636236623231313936353837363161653063323938 -32366463623834306665323337656135303466323332383636393861373761366463366534343166 -31383834633465386335356464303435623434633561363432636331383763383633326466373566 -63326235323039353734346631393064643637353132653132373239656264616331386234363631 -32623336666238373134376137366231363061363362333465353730343330363963666434616633 -39616230623864356561613838613132613863393737313165323861313865356535393064323965 -65643065333461663136346465643730363663326665643437356563383839356461623236326330 -64353061306161323263633835343038323334633039623837666536613738626264323934653536 -61383434656436336363363066373532356463396163663538643732313961363034393034656263 -66373064623936356263656464366233323936333635653563303133333331613533623163626432 -32653365653565623537666536306530653263316635333731336539363063626531653966656666 -63343036313062666535316562356665646365343934363064336332313863613134353937373265 -38353539313836643330343330306131653933316432346537623961343336646639643738663738 -65623334643930346361396233356565373633326531363234636630646630653737643039623432 
-66336662636664376663366630376666373064306530646265386364353338663435336161646261 -65303736373734366533333134653563663131653830393962643838613136326539386535666235 -62303035323865323061666632326465653032366231353930336538663437326237326634376665 -61333831633236653261653966346239613232653138653335383732386437623163363264336665 -36316534666231336438383663383834396164663034366637653165383338613562363764666336 -37333735666137663532303134323363313663333063663562343461326234366439303738383936 -39306632383164613563623263643531653935616333636139303561363464636530333439663731 -30393764636238306439616162353766303232333139363261623037313631316662626335376665 -62623233336563353932356433626430363232393039383861396266633662343933653665663534 -38323431313335643963363834373634636266373737653966613265326134616564383734373435 -64343035363633356163633166653932663531343934343230346133633333326331633032653039 -61373830613964636138386635636264396530646633633263646664613531323861613936613565 -38373230613333383338373533313866666438636436633035306138633637313839343836353538 -65316361666236306364343436366634616430626437363063653034376666313631616133653663 -62363464306234633963646233306434623061326161326339666538353830633765656262313066 -30653539643033343637393131376433363765663731316136613333326565656162333337363937 -36616535333237346561643236636563323233643066313830646466303764393364633066666536 -35643834383062326264663161613039633861333834323539663530653534633437313038373732 -33383064633337346130303139623436616166623834346530333965623266666463313163666262 -35393130326339623935616337373438636231353664336164323531646436383564393765366666 -31616433643363626232386634313038353730633631356136636563373135306365646533333462 -33303335323032646663323830666133653862383663343965363834393335336633 +63353735343734346538363161326638383763333136313434643961613831666561303333643734 +3436376535323136353831336239306333303166653136330a383165333730323039363962366266 
+39643766663336393931303765666461383164653233373831663738303232366264373436393533 +3464386134396563640a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diff --git a/roles/jenkins/tasks/main.yml b/roles/jenkins/tasks/main.yml index e69de29bb..3a5e86ca7 100644 --- a/roles/jenkins/tasks/main.yml +++ b/roles/jenkins/tasks/main.yml 
@@ -0,0 +1,99 @@ +# +# Install webserver. +# +--- +- name: 'Check OS version of target host.' + ansible.builtin.fail: + msg: 'This role requires RedHat/CentOS version >= 7.x' + when: ansible_facts['os_family'] != "RedHat" or ansible_facts['distribution_major_version'] <= "6" + +- name: 'Set selinux in permissive mode.' + ansible.posix.selinux: + policy: 'targeted' + state: 'permissive' + become: true + +- name: 'Install EPEL repo and rsync.' + ansible.builtin.yum: + state: 'latest' + update_cache: true + name: + - 'epel-release' + - 'rsync' + become: true + +- name: 'Install apache webserver, php and nano.' + ansible.builtin.yum: + state: 'latest' + update_cache: true + name: + - 'nano' + - 'php' + - 'httpd' + - 'mod_ssl' + notify: + - 'restart_httpd' + become: true + +# +# The *.pem file with crt as well as key must be copied to the server manually. +# +- name: 'Check if *.gcc.rug.nl wildcard certificate was installed on server.' + ansible.builtin.file: + path: '/etc/pki/tls/private/wildcard_crt_and_key.pem' + state: 'file' + owner: 'root' + group: 'root' + mode: '0600' + notify: + - 'restart_httpd' + become: true + +- name: 'Create symlinks for Apache httpd, so it can find the cert & key in the *.gcc.rug.nl wildcard certificate file.' + ansible.builtin.file: # noqa risky-file-permissions + src: '/etc/pki/tls/private/wildcard_crt_and_key.pem' + dest: "{{ item }}" + state: 'link' + owner: 'root' + group: 'root' + force: true + with_items: + - '/etc/pki/tls/private/localhost.key' + - '/etc/pki/tls/certs/localhost.crt' + notify: + - 'restart_httpd' + become: true + +- name: 'Configure ServerName in /etc/httpd/conf.d/ssl.conf' + ansible.builtin.lineinfile: + path: '/etc/httpd/conf.d/ssl.conf' + insertafter: '^' + regexp: '^#?ServerName' + line: 'ServerName jenkins.gcc.rug.nl' + owner: 'root' + group: 'root' + mode: '0644' + notify: + - 'restart_httpd' + become: true + +- name: 'Configure Apache webserver to redirect HTTP to HTTPS.' 
+ ansible.builtin.template: + src: 'templates/apache/redirect_all_http_to_https.conf' + dest: '/etc/httpd/conf.d/redirect_all_http_to_https.conf' + owner: 'root' + group: 'root' + mode: '0644' + notify: + - 'restart_httpd' + become: true + +- name: 'Enable webserver.' + ansible.builtin.service: + name: "{{ item }}" + enabled: true + state: 'started' + with_items: + - 'httpd' + become: true +... diff --git a/single_role_playbooks/firewall.yml b/single_role_playbooks/firewall.yml index 07b94b8bf..1192ad0aa 100644 --- a/single_role_playbooks/firewall.yml +++ b/single_role_playbooks/firewall.yml @@ -4,6 +4,7 @@ - jumphost - cluster - docs + - jenkins roles: - { role: geerlingguy.firewall, become: true } ... diff --git a/single_role_playbooks/jenkins.yml b/single_role_playbooks/jenkins.yml index b78f350b9..7a1fd1409 100644 --- a/single_role_playbooks/jenkins.yml +++ b/single_role_playbooks/jenkins.yml @@ -1,5 +1,13 @@ --- -- hosts: jenkins +- hosts: jenkins + vars: + java_packages: + - java-1.8.0-openjdk + roles: + - role: geerlingguy.java + when: "ansible_os_family == 'RedHat'" + - role: geerlingguy.jenkins + become: yes - jenkins ... diff --git a/single_role_playbooks/ssh_host_signer.yml b/single_role_playbooks/ssh_host_signer.yml index a8128b825..bc5ae1b17 100644 --- a/single_role_playbooks/ssh_host_signer.yml +++ b/single_role_playbooks/ssh_host_signer.yml @@ -5,6 +5,7 @@ - repo - cluster - docs + - jenkins roles: - ssh_host_signer - ssh_known_hosts From 05a71523bfd96750a8c0c52b7c23e0f2928fecb5 Mon Sep 17 00:00:00 2001 From: marieke-bijlsma Date: Thu, 12 May 2022 14:55:07 +0200 Subject: [PATCH 02/10] put gearshift secrets back --- group_vars/gearshift_cluster/secrets.yml | 43 ++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 group_vars/gearshift_cluster/secrets.yml diff --git a/group_vars/gearshift_cluster/secrets.yml b/group_vars/gearshift_cluster/secrets.yml new file mode 100644 index 000000000..92e3f98b0 --- /dev/null 
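Review bot: The 'Configure Apache webserver to redirect HTTP to HTTPS.' task renders `templates/apache/redirect_all_http_to_https.conf` and every httpd task notifies `restart_httpd`, but neither that template nor a handler with that name is part of this patch (both only appear in PATCH 03/10), so the role as committed here fails on first run. The 'Set selinux in permissive mode.' task also drops confinement for httpd and every other process on the host; keeping `state: enforcing` and granting only what the web server needs (for example `ansible.posix.seboolean` with `httpd_can_network_connect`) is the least-privilege alternative. The OS check compares `ansible_facts['distribution_major_version'] <= "6"` as strings, which is a lexical comparison, so `ansible_facts['distribution_major_version'] | int < 7` expresses the intent. The file header `# Install webserver.` undersells the file; `# Install and configure the Apache httpd webserver for the Jenkins server.` would match its contents.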
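Review bot: `become: yes` on the geerlingguy.jenkins entry should be `become: true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags and that not every loader reads the same way. The geerlingguy.java entry directly above installs packages but carries no `become` at all, so unless privilege escalation is configured elsewhere it presumably fails; moving `become: true` to the play level covers both roles and the local `jenkins` role in one place. Indentation is lost in this rendering, so I cannot confirm that the kept `- jenkins` context line still sits at the same level as the two `role:` dicts under `roles:`.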
+++ b/group_vars/gearshift_cluster/secrets.yml @@ -0,0 +1,43 @@ +$ANSIBLE_VAULT;1.2;AES256;gearshift_cluster +33643763633837633830326163663337626430333034386239653162333433356666326230383362 +3439653064653132393738613132623335373164303634640a643531326465336533643365346234 +63616663376561383033333562653631343737333230316661393763626162326637323563343531 +6135646566353139340a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rom 47681ad6c17b0fe99e4b7a1590eb21941fc0ac06 Mon Sep 17 00:00:00 2001 From: marieke-bijlsma Date: Thu, 12 May 2022 15:47:02 +0200 Subject: [PATCH 03/10] Add additional folders to Jenkins --- roles/jenkins/handlers/main.yml | 15 ++++++++++ .../apache/redirect_all_http_to_https.conf | 3 ++ ssh-host-ca/jenkins_server-ca | 29 +++++++++++++++++++ ssh-host-ca/jenkins_server-ca.pub | 1 + 4 files changed, 48 insertions(+) create mode 100644 roles/jenkins/handlers/main.yml create mode 100644 roles/jenkins/templates/apache/redirect_all_http_to_https.conf create mode 100644 ssh-host-ca/jenkins_server-ca create mode 100644 ssh-host-ca/jenkins_server-ca.pub diff --git a/roles/jenkins/handlers/main.yml b/roles/jenkins/handlers/main.yml new file mode 100644 index 000000000..aab1eadb8 --- /dev/null +++ b/roles/jenkins/handlers/main.yml @@ -0,0 +1,15 @@ +--- +# +# Important: maintain correct handler order. +# Handlers are executed in the order in which they are defined +# and not in the order in which they are listed in a "notify: handler_name" statement! +# +- name: 'Restart services and their dependencies.' + ansible.builtin.service: + name: "{{ item }}" + state: restarted + with_items: + - 'httpd' + become: true + listen: 'restart_httpd' +... diff --git a/roles/jenkins/templates/apache/redirect_all_http_to_https.conf b/roles/jenkins/templates/apache/redirect_all_http_to_https.conf new file mode 100644 index 000000000..79511f320 --- /dev/null +++ b/roles/jenkins/templates/apache/redirect_all_http_to_https.conf 
@@ -0,0 +1,3 @@ + + Redirect permanent / https://jenkins.gcc.rug.nl/ + diff --git a/ssh-host-ca/jenkins_server-ca b/ssh-host-ca/jenkins_server-ca new file mode 100644 index 000000000..7b0a3d1f5 --- /dev/null +++ b/ssh-host-ca/jenkins_server-ca 
@@ -0,0 +1,29 @@ +$ANSIBLE_VAULT;1.2;AES256;jenkins_server +31396666356663393664663337616566313963623166616530363462646231383138376133313639 +3932363663633066656435633231323936353734326333390a623930663537646661353864343763 +36656665353261613963393762336662616637633133306530393563636233353535663532313131 +6235663137353337340a656463646261366430393434653466343964313362613561633865353031 +32353264623835343630396533366432383261383435623136663135303538383239393135653631 +63356131336532343965633934633336313130383339666263373137323935613434376439636439 +66386438303065386434636365353038366364376565303538623038636665336433363162666531 +65376633653434326662383832323061336364386665353038663736313539613163326538353737 +30616234656638366533613766356463333630366233393861396265363538323066323564323737 +33393565613136373732326431323037643435616638633831623539653663346632303362343236 +39663339323539303666336664323065646337633530336666663039633935343165636533666563 +38613063383133326265633162316266333938336264656461373465396430356364306330623964 +62326230316533666531323230353832316335333335616466326432633633383632643165326363 +30663330663735626630303430633635316161633032373264616363643036653564343939343731 +66343333363861376466306134383339613737346434663236386363303637633963656139623331 +38363334363638643430623162643339386232623062306466656532653336633430393134306566 +63626533353434656364333938326237346436616466663466653534393230363038363561393031 +34613861333332373530306633303161383937333863373339333561326465323666373965616665 +37336131656232303765363164363538353564306233353461343639343330316465616366656536 +30653836663137366533393566323461343066626465653233323033346339363663313431353238 +61653237343239366566383032383165633661306432306364336432393033383939346432663935 +39633932353838613266373034393139623665316437626437666337356530303234653739643162 +38323631393366653539373732633964373433333166363736353361313962663966666131393633 
+38343066373532386664656262366362356362666366316638643136316263393731313632623838 +31303131643332383938323265303631343131393061663839313034313965383561383936313964 +34353439363765376164386231373231303366623434303864653433636436353062646664643637 +64383735616239636233313335633839663765636330623062356139393663393466653737363334 +33376361646437613065 diff --git a/ssh-host-ca/jenkins_server-ca.pub b/ssh-host-ca/jenkins_server-ca.pub new file mode 100644 index 000000000..ba6745064 --- /dev/null +++ b/ssh-host-ca/jenkins_server-ca.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwhzsXWoAJk/Xa3TD24I/8vAL+HrR8BBY8SnTa5MNlK CA key for jenkins_server From fd2c5d75645025dff37922f589b000d31d38c008 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 23 May 2022 13:48:46 +0200 Subject: [PATCH 04/10] Removed geerlingguy.java --- galaxy-requirements.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/galaxy-requirements.yml b/galaxy-requirements.yml index 9a10e1d5d..f63d67f3d 100644 --- a/galaxy-requirements.yml +++ b/galaxy-requirements.yml @@ -13,8 +13,6 @@ roles: version: 3.1.1 - src: geerlingguy.jenkins version: 4.3.0 - - src: geerlingguy.java - version: 2.0.1 collections: - name: community.general version: '>=3.0.2' From 2c02bd7f5ef19b30af5af89f2d059c5923933c76 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 23 May 2022 13:50:27 +0200 Subject: [PATCH 05/10] Removed geerlingguy.jenkins as it is currently broken. --- galaxy-requirements.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/galaxy-requirements.yml b/galaxy-requirements.yml index f63d67f3d..8d03c0f4c 100644 --- a/galaxy-requirements.yml +++ b/galaxy-requirements.yml @@ -11,8 +11,6 @@ roles: version: 2.0.1 - src: geerlingguy.postgresql version: 3.1.1 - - src: geerlingguy.jenkins - version: 4.3.0 collections: - name: community.general version: '>=3.0.2' From 3e7ca13424782caf57ffa10d5215d76eed214fb7 Mon Sep 17 00:00:00 2001 
From: pneerincx Date: Wed, 25 May 2022 16:34:45 +0200 Subject: [PATCH 06/10] Updated Jenkins config, role and playbooks. --- group_vars/jenkins.yml | 4 +- group_vars/jenkins_server/secrets.yml | 143 ++++++------ group_vars/jenkins_server/vars.yml | 5 + roles/jenkins/defaults/main.yml | 33 +++ roles/jenkins/handlers/main.yml | 28 ++- roles/jenkins/tasks/main.yml | 219 ++++++++++++++---- .../apache/redirect_all_http_to_https.conf | 2 +- roles/jenkins/templates/apache/ssl.conf | 106 +++++++++ .../jenkins/templates/systemd/jenkins.conf.j2 | 60 +++++ single_group_playbooks/jenkins.yml | 3 +- single_role_playbooks/jenkins.yml | 10 +- static_inventories/jenkins_server.yml | 2 + 12 files changed, 479 insertions(+), 136 deletions(-) create mode 100644 roles/jenkins/defaults/main.yml create mode 100644 roles/jenkins/templates/apache/ssl.conf create mode 100644 roles/jenkins/templates/systemd/jenkins.conf.j2 diff --git a/group_vars/jenkins.yml b/group_vars/jenkins.yml index 29e5522f5..eacc89a30 100644 --- a/group_vars/jenkins.yml +++ b/group_vars/jenkins.yml @@ -15,10 +15,10 @@ extra_jumphosts_for_jenkins_server: - 'tunnel' # Nibbler - 'porch' # Wingedhelix ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }}\ - {% for jumphost_for_this_cluster in groups['jumphost'] %}\ + {% for jumphost_for_this_cluster in groups['jumphost'] | default([]) %}\ ,{{ jumphost_for_this_cluster }}+{{ ansible_hostname }}\ {% endfor %}\ - {% for extra_jumphost in extra_jumphosts_for_jenkins_server %}\ + {% for extra_jumphost in extra_jumphosts_for_jenkins_server | default([]) %}\ ,{{ extra_jumphost }}+{{ ansible_hostname }}\ {% endfor %}" ... diff --git a/group_vars/jenkins_server/secrets.yml b/group_vars/jenkins_server/secrets.yml index df455109e..7094ae497 100644 --- a/group_vars/jenkins_server/secrets.yml +++ b/group_vars/jenkins_server/secrets.yml 
@@ -1,70 +1,75 @@ $ANSIBLE_VAULT;1.2;AES256;jenkins_server -63353735343734346538363161326638383763333136313434643961613831666561303333643734 -3436376535323136353831336239306333303166653136330a383165333730323039363962366266 -39643766663336393931303765666461383164653233373831663738303232366264373436393533 -3464386134396563640a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a316334653661656136373663356338 +38613965383663646633656636303035333464653762623963623462326165386139393035346262 +3164663136643734620a393861303530373937366537613263373762646434386433643862613334 +34366631333536363765363631633337343130306436636231653164386565326234323964393334 +33623031633535306465383564316563643763333235373538313062363365373730383865653564 +62633837333631316139626536376562643130626134366338386630356336353633336632306434 +33366631626630363438656237336330376163323661386664636130373366373463353636373562 +32666565306535663761636333323335313635343462653762613261636630656534393232366633 +37323931656630616262313066633965373663306532323732306664663430326539643637663538 +33356263326366633761326239363230326536633164326263633630313961353139616366646462 +66623233643666333865643463613264376338633665333935346530653939666262333734346338 +66316564336564663063383166623063376562623139396131363037663363386661643064386131 +33323231623761646131643331333562376439323130343332646430656535393331396430323936 +64626561653666346566346532333838646239646332356133373930316433386464366632626235 +33633637386631363062353262613863366165316333663763343932373066643733633833356537 +39396538646135323539323139383730646363613638343234336662363731383730303962653733 +37613934356338336631653130326137346237316263303566313131356262313339363561316537 +34333836313137323431656566623833613463373565393566323063393435613336663136323832 +32306131336462333431343231636162336365363433363238616238336162626635656132386538 +37633036373531636434616263373432303036386264663864303661666434373832643234663238 
+38626366373763373663653432313335633534323733356435636466653634646230343730623263 +33323962306164653538653231366135316463323462333661626439623030383932353430613438 +33316138656532643036303861613365633765346161336434356162623135316161386165623233 +36633366366239616630383033353630633339356338303033643835363136366134363464616534 +33653035616136353539663630333566656335316539646139626135373039383833393237623534 +62386334306666363861656633356366373735363030636330373966653633303063346639316565 +34663832633835626430303833366463313137393265656430343233636230373037643162633865 +65313735386634363433363564626639363939363039386562636435623561326664633565333238 +31343733643035636339383461626435663765306135663839643833396361333238313937396461 +31323062326466393438653164666565333235313162636236633739326232653735306162313561 +35353536633365613030353339396132303564353433303164313637383363333261333234366433 +61363131356363666632363632633761323935636361363431363034613830626338353239333361 +66666363326130623337376133616331373663393766303433353762636666373037653539613135 +36376434616432366163393931306261623937383332633735303439623934373630383263386663 +65363038626362666235373365336631303763356433353633656335313766383037323034373534 +34343362333038646139623839643332333434623731326637653635363661313833623633353764 +63336539366535663135626266336333373838346439316631373163643131353265613962613436 +64356333326361303862303530616366346663393032343461653033633036323863656234366562 +32363563363530356131306234326630333331343235666265366464646262646165663963303336 +62303837613638646239363739376539653230313734666232656165653361376238616631666338 +31383438313537643336653462616132383530646238353238633634356532323933343636343166 +31333933343934306630653436383763386139323361656438636239336433323966646535386332 +66393032613565653238613065363732393562396564343331366164326534356231623337346463 +31373736326662303036326332326331383038356434383831636636616236326130386164373265 
+65336635333039633733323739333833356430303662663034316161333562336565633032346664 +35623066623730306662383861356132386263323032353539653166303834666532323635383331 +39346535623839326261303964376436373163643864666339633462393034393561363134333365 +37653365323766633736306563613437353362653033643665316630666564306565343465363632 +34323361333333626364376132633936656430613865643036623532336666653138383633306239 +62386332643036333362643866613764396362303335383431663037653666636432373038653638 +37616261386339313863396664373838333338613338643663323464336530373663346134636231 +35356664393335356634643434623139663966363132326236313562653061643164306164383239 +66333135626161653537363439303264393230646136623261636139356463623131306630393238 +38633662323232356137663161653663633037626664353264616261653464623661646561353039 +39646465353533643731313933333561653337666264333166366338643362633733383161373739 +38326539636132626330323936303234303637373535376166633263313337373038313536626464 +30346539323533646335623939386536656431316364353333653232376438373362386236303932 +64633238353431383163333738346133366461373162356131303931386464653763373364386664 +31383933643231396232663064646361303731353032633130343338666264383362363737626639 +38333339306662333064666436396364386337613939623262663561646637636634613761333966 +62323564386165623731303063343637393364383465643135363863656232636339386434643461 +33366630646461636464383339333630346231306434383461636431313238393766393263343539 +63396165366364343032353831376430613531303739306135656537383338366165383638623765 +62346665626638383261613931336439376666363536386361633063303836626165636665323332 +31616364623163353334316637303039376535333566313738613563333461383638616135303064 +66666566363937323162323662373762613431336333323031333562356239323366323562646262 +61383161636237366565343339363164623666333139663132323261306162613865326532623635 +36323430643663326638623662306334353433376433653661356537366430663566346233663766 
+38366161346461383261373161373735336664313965323537633463303565376337306337653061 +33383533636637623265623864653363616238343933353239333039633932353330316334303730 +63663431626235393133383934316436333437363830393636653231376164613535353334633537 +62636136333131613233636534336632663764623566613233653966663763373935386634356231 +3462336364393464383661633731383139386566373137353732 diff --git a/group_vars/jenkins_server/vars.yml b/group_vars/jenkins_server/vars.yml index d043e2cab..05bceca39 100644 --- a/group_vars/jenkins_server/vars.yml +++ b/group_vars/jenkins_server/vars.yml @@ -36,4 +36,9 @@ jumphosts: - 'corridor' # Fender - 'tunnel' # Nibbler - 'porch' # Wingedhelix +jenkins_plugins: + - warnings-ng +jenkins_plugins_install_dependencies: true +jenkins_prefer_lts: true +jenkins_shellcheck_version: 0.8.0 ... diff --git a/roles/jenkins/defaults/main.yml b/roles/jenkins/defaults/main.yml new file mode 100644 index 000000000..832607860 --- /dev/null +++ b/roles/jenkins/defaults/main.yml 
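Review bot: `jenkins_plugins: - warnings-ng` is unpinned while the role defaults set `jenkins_plugins_state: latest`, so each run can pull a different plugin build onto the CI server without any change in this repository; the defaults already accept a name plus version dict, so pin it as `- name: warnings-ng` / `version: "<PINNED_VERSION>"` (placeholder). `jenkins_shellcheck_version: 0.8.0` only parses as a string because it has two dots; a future value such as `0.9` would become a float and corrupt the download URL and `creates:` path built from it in tasks/main.yml, so quote it: `jenkins_shellcheck_version: '0.8.0'`.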
@@ -0,0 +1,33 @@ +--- +jenkins_prefer_lts: true +jenkins_repo_url: https://pkg.jenkins.io/redhat{{ '-stable' if (jenkins_prefer_lts | bool) else '' }}/jenkins.repo +jenkins_repo_key_url: https://pkg.jenkins.io/redhat{{ '-stable' if (jenkins_prefer_lts | bool) else '' }}/jenkins.io.key +jenkins_pkg_url: https://pkg.jenkins.io/redhat +jenkins_package_state: present # Change to `latest` to update Jenkins if a newer release is available. +jenkins_connection_delay: 5 +jenkins_connection_retries: 60 +jenkins_home: /var/lib/jenkins +jenkins_hostname: localhost +jenkins_http_port: 8080 +jenkins_http_listen_address: 127.0.0.1 +jenkins_jar_location: /opt/jenkins-cli.jar +jenkins_url_prefix: '' +jenkins_java_options: "-Djenkins.install.runSetupWizard=false" +# +# Plugin list can use the plugin name or optionally a name + version dict. +# +jenkins_plugins: [] +# - warnings-ng +# - name: warnings-ng +# version: "9.12.0" +jenkins_plugins_state: latest +jenkins_plugin_updates_expiration: 86400 +jenkins_plugin_timeout: 30 +jenkins_plugins_install_dependencies: true +jenkins_updates_url: https://updates.jenkins.io +#jenkins_admin_username: admin +#jenkins_admin_password: admin +jenkins_admin_password_file: '' +jenkins_process_user: jenkins +jenkins_process_group: "{{ jenkins_process_user }}" +... \ No newline at end of file diff --git a/roles/jenkins/handlers/main.yml b/roles/jenkins/handlers/main.yml index aab1eadb8..1539133aa 100644 --- a/roles/jenkins/handlers/main.yml +++ b/roles/jenkins/handlers/main.yml 
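Review bot: `jenkins_java_options: "-Djenkins.install.runSetupWizard=false"` disables the initial-admin-password gate, yet the admin credentials are left commented out and `jenkins_admin_password_file: ''`, so authentication depends entirely on the init script the handlers drop into `init.groovy.d` and nothing here says so. Add above those lines a comment such as `# The setup wizard is disabled: an admin account MUST be configured (jenkins_admin_username + jenkins_admin_password, or jenkins_admin_password_file), otherwise Jenkins presumably comes up with no security realm at all.` The two commented keys use `#jenkins_admin_username` without a space after the hash; yamllint's comments rule expects `# jenkins_admin_username`. The file ends with `\ No newline at end of file` after the `...` marker; add the trailing newline.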
@@ -4,12 +4,28 @@ # Handlers are executed in the order in which they are defined # and not in the order in which they are listed in a "notify: handler_name" statement! # -- name: 'Restart services and their dependencies.' - ansible.builtin.service: - name: "{{ item }}" +- name: Restart httpd service. + ansible.builtin.systemd: + name: httpd state: restarted - with_items: - - 'httpd' + daemon_reload: true become: true - listen: 'restart_httpd' + listen: restart_httpd + +- name: Configure Jenkins users. + ansible.builtin.template: + src: basic-security.groovy.j2 + dest: "{{ jenkins_home }}/init.groovy.d/basic-security.groovy" + owner: "{{ jenkins_process_user }}" + group: "{{ jenkins_process_group }}" + mode: 0775 + register: configure_jenkins_users + +- name: Restart jenkins service. + ansible.builtin.systemd: + name: jenkins + state: restarted + daemon_reload: true + become: true + listen: restart_jenkins ... diff --git a/roles/jenkins/tasks/main.yml b/roles/jenkins/tasks/main.yml index 3a5e86ca7..742b81fc4 100644 --- a/roles/jenkins/tasks/main.yml +++ b/roles/jenkins/tasks/main.yml 
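Review bot: The new `Configure Jenkins users.` handler has no `listen:` line, yet the 'Install Jenkins.' task in tasks/main.yml notifies `configure_jenkins_users`; Ansible resolves notify targets by handler name or listen topic, so as written the notification fails as an unknown handler and the init script is never written. Add `listen: configure_jenkins_users`, and since it writes under `{{ jenkins_home }}` as `{{ jenkins_process_user }}` it also needs `become: true` like the two restart handlers around it. `mode: 0775` is an unquoted YAML 1.1 octal; quote it as `mode: '0775'`, and a groovy init script presumably does not need the group-write bit, so a tighter mode is worth considering. The `register: configure_jenkins_users` line is unused by anything visible and can go. The referenced `basic-security.groovy.j2` template is not in this patch's diffstat; if it does not already exist under roles/jenkins/templates/ the handler fails at render time.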
@@ -9,91 +9,216 @@
- name: 'Set selinux in permissive mode.'
ansible.posix.selinux:
- policy: 'targeted'
- state: 'permissive'
+ policy: targeted
+ state: permissive
become: true
-- name: 'Install EPEL repo and rsync.'
+- name: 'Install EPEL repo.'
ansible.builtin.yum:
- state: 'latest'
+ state: latest
update_cache: true
name:
- - 'epel-release'
- - 'rsync'
+ - epel-release
become: true
-- name: 'Install apache webserver, php and nano.'
+- name: 'Install apache webserver.'
ansible.builtin.yum:
- state: 'latest'
+ state: latest
update_cache: true
name:
- - 'nano'
- - 'php'
- - 'httpd'
- - 'mod_ssl'
+ - php
+ - httpd
+ - mod_ssl
+ # Do not install 'ShellCheck' from EPEL: too old
notify:
- - 'restart_httpd'
+ - restart_httpd
+ become: true
+
+- name: 'Install extra RPMs.'
+ ansible.builtin.yum:
+ state: latest
+ update_cache: true
+ name:
+ - curl
+ - git
+ - java-11-openjdk
+ - nano
+ - rsync
+ - "{{ 'libselinux-python' if ansible_python['version']['major'] < 3 else 'python3-libselinux' }}"
+ # Do not install 'ShellCheck' via RPM from EPEL repo: too old
+ become: true
+
+- name: "Install pre-compiled portable ShellCheck {{ jenkins_shellcheck_version }} binary from GitHub."
+ ansible.builtin.shell:
+ executable: /bin/bash
+ chdir: /opt/
+ creates: "/opt/shellcheck-v{{ jenkins_shellcheck_version }}/shellcheck"
+ cmd: |
+ set -e
+ set -u
+ set -o pipefail
+ SC_VERSION="{{ jenkins_shellcheck_version }}"
+ SC_URL="https://github.com/koalaman/shellcheck/releases/download/v${SC_VERSION}"
+ SC_ARCHIVE="shellcheck-v${SC_VERSION}.linux.x86_64.tar.xz"
+ curl "${SC_URL}/${SC_ARCHIVE}" -L | tar -xJf -
+ cd "shellcheck-v${SC_VERSION}/"
+ cp "/opt/shellcheck-v${SC_VERSION}/shellcheck" /usr/local/bin/
+ become: true
+
+- name: 'Ensure Jenkins repo is installed.'
+ ansible.builtin.get_url:
+ url: "{{ jenkins_repo_url }}"
+ dest: /etc/yum.repos.d/jenkins.repo
+ when: jenkins_repo_url | default(false)
+ become: true
+
+- name: 'Add Jenkins repo GPG key.'
+ ansible.builtin.rpm_key:
+ state: present
+ key: "{{ jenkins_repo_key_url }}"
+ when: jenkins_repo_url | default(false)
+ become: true
+
+- name: 'Install Jenkins.'
+ ansible.builtin.yum:
+ name: jenkins
+ state: "{{ jenkins_package_state }}"
+ update_cache: true
+ notify:
+ - configure_jenkins_users
+ - restart_jenkins
+ become: true
+
+- name: 'Create /etc/systemd/system/jenkins.service.d/ dir.'
+ ansible.builtin.file:
+ path: /etc/systemd/system/jenkins.service.d
+ state: directory
+ mode: '0700'
+ owner: root
+ group: root
+ notify:
+ - restart_jenkins
+ become: true
+
+- name: 'Add custom Jenkins systemd config.'
+ ansible.builtin.template:
+ src: systemd/jenkins.conf.j2
+ dest: /etc/systemd/system/jenkins.service.d/custom.conf
+ mode: '0600'
+ owner: root
+ group: root
+ notify:
+ - restart_jenkins
+ become: true
+
+- name: 'Ensure Jenkins is started on boot.'
+ ansible.builtin.systemd:
+ name: jenkins
+ state: started
+ enabled: true
+ daemon_reload: true
+ become: true
+
+- name: 'Wait for Jenkins to start up before proceeding.'
+ ansible.builtin.uri:
+ url: "http://{{ jenkins_hostname }}:{{ jenkins_http_port }}{{ jenkins_url_prefix }}/cli/"
+ method: GET
+ return_content: "yes"
+ timeout: 5
+ body_format: raw
+ follow_redirects: "no"
+ status_code: 200,403
+ register: result
+ until: (result.status == 403 or result.status == 200) and (result.content.find("Please wait while") == -1)
+ retries: "{{ jenkins_connection_retries }}"
+ delay: "{{ jenkins_connection_delay }}"
+ changed_when: false
+ check_mode: false
+
+- name: 'Get the jenkins-cli jarfile from the Jenkins server.'
+ ansible.builtin.get_url:
+ url: "http://{{ jenkins_hostname }}:{{ jenkins_http_port }}{{ jenkins_url_prefix }}/jnlpJars/jenkins-cli.jar"
+ dest: "{{ jenkins_jar_location }}"
+ register: jarfile_get
+ until: "'OK' in jarfile_get.msg or '304' in jarfile_get.msg or 'file already exists' in jarfile_get.msg"
+ retries: 5
+ delay: 10
+ check_mode: false
+
+- name: 'Remove Jenkins security init scripts after first startup.'
+ ansible.builtin.file:
+ path: "{{ jenkins_home }}/init.groovy.d/basic-security.groovy"
+ state: absent
+ become: true
+
+- name: 'Install Jenkins plugins.'
+ community.general.jenkins_plugin:
+ name: "{{ item.name | default(item) }}"
+ version: "{{ item.version | default(omit) }}"
+ jenkins_home: "{{ jenkins_home }}"
+ url_username: "{{ jenkins_admin_username }}"
+ url_password: "{{ jenkins_admin_password }}"
+ state: "{{ 'present' if item.version is defined else jenkins_plugins_state }}"
+ timeout: "{{ jenkins_plugin_timeout }}"
+ updates_expiration: "{{ jenkins_plugin_updates_expiration }}"
+ updates_url: "{{ jenkins_updates_url }}"
+ url: "http://{{ jenkins_hostname }}:{{ jenkins_http_port }}{{ jenkins_url_prefix }}"
+ with_dependencies: "{{ jenkins_plugins_install_dependencies }}"
+ with_items: "{{ jenkins_plugins }}"
+ notify: restart_jenkins
+ register: plugin_result
+ until: plugin_result is success
+ retries: 3
+ delay: 2
become: true
#
# The *.pem file with crt as well as key must be copied to the server manually.
#
-- name: 'Check if *.gcc.rug.nl wildcard certificate was installed on server.'
+- name: 'Check if SSL certificate was installed on server.'
ansible.builtin.file:
path: '/etc/pki/tls/private/wildcard_crt_and_key.pem'
- state: 'file'
- owner: 'root'
- group: 'root'
+ state: file
+ owner: root
+ group: root
mode: '0600'
notify:
- - 'restart_httpd'
+ - restart_httpd
become: true
-- name: 'Create symlinks for Apache httpd, so it can find the cert & key in the *.gcc.rug.nl wildcard certificate file.'
+- name: 'Create symlinks for Apache httpd, so it can find the cert & key in the SSL certificate file.'
ansible.builtin.file: # noqa risky-file-permissions
src: '/etc/pki/tls/private/wildcard_crt_and_key.pem'
dest: "{{ item }}"
- state: 'link'
- owner: 'root'
- group: 'root'
+ state: link
+ owner: root
+ group: root
force: true
with_items:
- '/etc/pki/tls/private/localhost.key'
- '/etc/pki/tls/certs/localhost.crt'
notify:
- - 'restart_httpd'
- become: true
-
-- name: 'Configure ServerName in /etc/httpd/conf.d/ssl.conf'
- ansible.builtin.lineinfile:
- path: '/etc/httpd/conf.d/ssl.conf'
- insertafter: '^'
- regexp: '^#?ServerName'
- line: 'ServerName jenkins.gcc.rug.nl'
- owner: 'root'
- group: 'root'
- mode: '0644'
- notify:
- - 'restart_httpd'
+ - restart_httpd
become: true
-- name: 'Configure Apache webserver to redirect HTTP to HTTPS.'
+- name: 'Configure Apache webserver.'
ansible.builtin.template:
- src: 'templates/apache/redirect_all_http_to_https.conf'
- dest: '/etc/httpd/conf.d/redirect_all_http_to_https.conf'
- owner: 'root'
- group: 'root'
+ src: "templates/apache/{{ item }}"
+ dest: "/etc/httpd/conf.d/{{ item }}"
+ owner: root
+ group: root
mode: '0644'
+ with_items:
+ - redirect_all_http_to_https.conf
+ - ssl.conf
notify:
- - 'restart_httpd'
+ - restart_httpd
become: true
-- name: 'Enable webserver.'
+- name: Enable webserver.
ansible.builtin.service:
- name: "{{ item }}"
+ name: httpd
enabled: true
- state: 'started'
+ state: started
- with_items:
- - 'httpd'
become: true
...
diff --git a/roles/jenkins/templates/apache/redirect_all_http_to_https.conf b/roles/jenkins/templates/apache/redirect_all_http_to_https.conf
index 79511f320..79ef3c1fc 100644
--- a/roles/jenkins/templates/apache/redirect_all_http_to_https.conf
+++ b/roles/jenkins/templates/apache/redirect_all_http_to_https.conf
@@ -1,3 +1,3 @@
- Redirect permanent / https://jenkins.gcc.rug.nl/
+ Redirect permanent / https://{{ hostvars[inventory_hostname].fqdn }}/
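Review bot: The ShellCheck task fetches a release tarball from GitHub and copies the binary into `/usr/local/bin` as root without verifying it — `curl "${SC_URL}/${SC_ARCHIVE}" -L | tar -xJf -` has no checksum or signature check, so a compromised download path or a re-tagged release installs an arbitrary binary on the CI controller that later runs every pipeline. Pin the expected digest next to `jenkins_shellcheck_version` (a new `jenkins_shellcheck_sha256` variable), download with `ansible.builtin.get_url` and its `checksum:` option, and only then unpack and copy; that also removes the shell pipeline and the `cd` line that has no effect. The `Install Jenkins plugins.` task further down the hunk has the same unpinned-supply-chain shape, since unversioned plugin names resolve to `jenkins_plugins_state` (`latest` by default) against `jenkins_updates_url`. The hunk spans the whole tasks file from `Set selinux in permissive mode.` onward; only the ShellCheck tasks are rewritten below.

```yaml
- name: "Download pre-compiled portable ShellCheck {{ jenkins_shellcheck_version }} archive from GitHub."
  ansible.builtin.get_url:
    url: "https://github.com/koalaman/shellcheck/releases/download/v{{ jenkins_shellcheck_version }}/shellcheck-v{{ jenkins_shellcheck_version }}.linux.x86_64.tar.xz"
    dest: "/opt/shellcheck-v{{ jenkins_shellcheck_version }}.linux.x86_64.tar.xz"
    checksum: "sha256:{{ jenkins_shellcheck_sha256 }}"  # fail closed on a mismatching release artefact
    mode: '0644'
  become: true

- name: "Unpack ShellCheck {{ jenkins_shellcheck_version }}."
  ansible.builtin.unarchive:
    src: "/opt/shellcheck-v{{ jenkins_shellcheck_version }}.linux.x86_64.tar.xz"
    dest: /opt/
    remote_src: true
    creates: "/opt/shellcheck-v{{ jenkins_shellcheck_version }}/shellcheck"
  become: true

- name: "Install the verified ShellCheck binary into /usr/local/bin."
  ansible.builtin.copy:
    src: "/opt/shellcheck-v{{ jenkins_shellcheck_version }}/shellcheck"
    dest: /usr/local/bin/shellcheck
    remote_src: true
    owner: root
    group: root
    mode: '0755'
  become: true

# … unchanged: Jenkins repo, package, systemd, wait, CLI jar, plugin and httpd tasks …
```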
diff --git a/roles/jenkins/templates/apache/ssl.conf b/roles/jenkins/templates/apache/ssl.conf
new file mode 100644
index 000000000..5a4a8f140
--- /dev/null
+++ b/roles/jenkins/templates/apache/ssl.conf
@@ -0,0 +1,106 @@
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+ #DocumentRoot "/var/www/html/"
+ ServerName {{ hostvars[inventory_hostname].fqdn }}
+ SSLEngine on
+ #
+ # Use separate log files for the SSL virtual host;
+ # note that LogLevel is not inherited from httpd.conf.
+ #
+ LogLevel info
+ ErrorLog /var/log/httpd/ssl_error_log
+ CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+ #
+ # Jenkins proxy settings.
+ #
+ ProxyRequests Off
+ ProxyPreserveHost On
+ AllowEncodedSlashes NoDecode
+ BrowserMatch "MSIE [2-5]" needs_update
+
+ Order deny,allow
+ Allow from all
+ Deny from env=needs_update
+
+ ProxyPass /{{ jenkins_url_prefix | default(omit) }} http://{{ jenkins_hostname }}:{{ jenkins_http_port }}/{{ jenkins_url_prefix | default(omit) }} nocanon
+ ProxyPassReverse /{{ jenkins_url_prefix | default(omit) }} http://{{ jenkins_hostname }}:{{ jenkins_http_port }}/{{ jenkins_url_prefix | default(omit) }}
+ ProxyPassReverse /{{ jenkins_url_prefix | default(omit) }} http://{{ hostvars[inventory_hostname].fqdn }}/{{ jenkins_url_prefix | default(omit) }}
+ #
+ # List the enabled protocol levels clients are allowed to use.
+ # Disable old SSLv2 and SSLv3 access by default.
+ #
+ SSLProtocol all -SSLv2 -SSLv3
+ #
+ # SSL Cipher Suite:
+ # List the ciphers that the client is permitted to negotiate.
+ # See the mod_ssl documentation for a complete list.
+ #
+ SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
+ #
+ # PEM encoded Server Certificate:
+ # If the certificate is encrypted,
+ # then you will be prompted for a pass phrase.
+ # Note that a kill -HUP will prompt again.
+ #
+ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+ #
+ # Server Private Key:
+ # If the key is not combined with the certificate,
+ # use this directive to point at the key file.
+ #
+ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+
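Review bot: `SSLProtocol all -SSLv2 -SSLv3` still accepts TLS 1.0 and 1.1, and `SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA` explicitly re-enables 3DES (64-bit blocks, SWEET32) on the vhost that fronts the Jenkins admin login; for a new deployment these lines should read `SSLProtocol -all +TLSv1.2 +TLSv1.3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!SEED:!IDEA` and `SSLHonorCipherOrder on`. Jenkins behind a TLS-terminating proxy also needs `RequestHeader set X-Forwarded-Proto "https"` next to the ProxyPass lines, otherwise it generates http:// URLs and reports its reverse-proxy check as broken, and `Header always set Strict-Transport-Security "max-age=31536000"` would make the http-to-https redirect from the sibling template stick in browsers. The `Order deny,allow` / `Allow from all` / `Deny from env=needs_update` block is httpd 2.2 syntax that only works through mod_access_compat; on 2.4 the equivalent is `Require all granted` plus `Require not env needs_update` inside a `RequireAll`. Lastly, `{{ jenkins_url_prefix | default(omit) }}` is inert while the role default is `''`, but `omit` only has meaning in module arguments — in a template an undefined prefix would, as far as I know, render Ansible's omit placeholder string into the ProxyPass targets, so `default('')` is what is meant here.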
diff --git a/roles/jenkins/templates/systemd/jenkins.conf.j2 b/roles/jenkins/templates/systemd/jenkins.conf.j2
new file mode 100644
index 000000000..393f5b01b
--- /dev/null
+++ b/roles/jenkins/templates/systemd/jenkins.conf.j2
@@ -0,0 +1,60 @@
+[Unit]
+Description=Jenkins
+
+[Service]
+#
+# Unix account that runs the Jenkins daemon
+# Be careful when you change this, as you need to update the permissions of
+# $JENKINS_HOME, $JENKINS_LOG, and (if you have already run Jenkins)
+# $JENKINS_WEBROOT.
+#
+User={{ jenkins_process_user }}
+Group={{ jenkins_process_group }}
+
+#
+# Directory where Jenkins stores its configuration and workspaces
+#
+Environment="JENKINS_HOME={{ jenkins_home }}"
+WorkingDirectory={{ jenkins_home }}
+
+#
+# The Java home directory. When left empty, JENKINS_JAVA_CMD and PATH are consulted.
+#
+Environment="JAVA_HOME=/etc/alternatives/jre_11_openjdk"
+
+#
+# Add JVM configuration options
+#
+Environment="JAVA_OPTS=-Djava.awt.headless=true -Djenkins.install.runSetupWizard=false "
+
+#
+# IP address to listen on for HTTP requests.
+# The default is to listen on all interfaces (0.0.0.0).
+Environment="JENKINS_LISTEN_ADDRESS={{ jenkins_http_listen_address }}"
+
+# Port to listen on for HTTP requests. Set to -1 to disable.
+# To be able to listen on privileged ports (port numbers less than 1024),
+# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
+# directive below.
+Environment="JENKINS_PORT={{ jenkins_http_port }}"
+
+{% if jenkins_url_prefix is defined and jenkins_url_prefix | length >= 1%}
+# Servlet context (important if you want to use reverse proxying)
+Environment="JENKINS_PREFIX={{ jenkins_url_prefix }}"
+
+{% endif %}
+# Set the umask to control the permission bits of files that Jenkins creates.
+#
+# 0027 makes files read-only for group and inaccessible for others, which some
+# security sensitive users might consider beneficial, especially if Jenkins
+# is running on a server that is used for multiple purposes. Beware that 0027
+# permissions would interfere with sudo scripts that run on the controller
+# (see JENKINS-25065).
+#
+# Note also that the particularly sensitive parts of $JENKINS_HOME (such as
+# credentials) are always written without 'other' access. So the umask values
+# only affect job configuration, build records, etc.
+#
+# If unset, the value from the OS is inherited, which is normally 0022.
+# The default umask comes from pam_umask(8) and /etc/login.defs.
+UMask=0027
diff --git a/single_group_playbooks/jenkins.yml b/single_group_playbooks/jenkins.yml
index 75cff5fe3..70118d5ce 100644
--- a/single_group_playbooks/jenkins.yml
+++ b/single_group_playbooks/jenkins.yml
@@ -10,7 +10,6 @@
- logrotate
- remove
- update
- - {role: geerlingguy.repo-epel, become: true}
- sshd
- - {role: geerlingguy.jenkins, become: true}
+ - jenkins
...
diff --git a/single_role_playbooks/jenkins.yml b/single_role_playbooks/jenkins.yml
index 7a1fd1409..b78f350b9 100644
--- a/single_role_playbooks/jenkins.yml
+++ b/single_role_playbooks/jenkins.yml
@@ -1,13 +1,5 @@
---
-- hosts: jenkins
- vars:
- java_packages:
- - java-1.8.0-openjdk
-
+- hosts: jenkins
roles:
- - role: geerlingguy.java
- when: "ansible_os_family == 'RedHat'"
- - role: geerlingguy.jenkins
- become: yes
- jenkins
...
diff --git a/static_inventories/jenkins_server.yml b/static_inventories/jenkins_server.yml
index 3b59aa4b5..1a5283256 100644
--- a/static_inventories/jenkins_server.yml
+++ b/static_inventories/jenkins_server.yml
@@ -8,6 +8,8 @@ all:
hosts:
jenkins:
cloud_flavor: m1.small
+ ansible_host: tunnel+jenkins
+ fqdn: jenkins.gcc.rug.nl
jenkins_server:
children:
openstack_api:
From 90c82d68abd08efbd17c226163f67e557c80d15b Mon Sep 17 00:00:00 2001
From: pneerincx
Date: Wed, 25 May 2022 16:36:17 +0200
Subject: [PATCH 07/10] Bugfix for inventory_plugins/yaml_with_jumphost.py: do not use AI_PROXY when it is defined but an empty string.
---
inventory_plugins/yaml_with_jumphost.py | 1 +
1 file changed, 1 insertion(+)
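Review bot: `Environment="JAVA_OPTS=-Djava.awt.headless=true -Djenkins.install.runSetupWizard=false "` hardcodes the JVM flags, so the `jenkins_java_options` variable that defaults/main.yml introduces with the very same `-Djenkins.install.runSetupWizard=false` value is never consumed by this drop-in; `Environment="JAVA_OPTS=-Djava.awt.headless=true {{ jenkins_java_options }}"` makes one variable authoritative and also drops the stray trailing space inside the quotes. Disabling the setup wizard leaves initial security entirely to the init.groovy.d script the role installs, which deserves a why-comment on that line, e.g. `# runSetupWizard=false: security is seeded by init.groovy.d/basic-security.groovy, so JENKINS_LISTEN_ADDRESS below must stay on loopback behind the Apache proxy.` Since this drop-in already owns `[Service]`, it is also the natural place for basic unit hardening such as `PrivateTmp=true` and `ProtectSystem=full`; `NoNewPrivileges=true` is attractive too but breaks any build step on this controller that relies on sudo or setuid helpers, so that needs checking first.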
diff --git a/inventory_plugins/yaml_with_jumphost.py b/inventory_plugins/yaml_with_jumphost.py
index ef46ca3b7..a5e1e390f 100755
--- a/inventory_plugins/yaml_with_jumphost.py
+++ b/inventory_plugins/yaml_with_jumphost.py
@@ -171,6 +171,7 @@ def _populate_host_vars(self, hosts, variables, group=None, port=None):
self.inventory.set_variable(host, k, variables[k])
if ('AI_PROXY' in os.environ and
os.getenv('AI_PROXY') is not None and
+ os.getenv('AI_PROXY') != '' and
os.getenv('AI_PROXY') != host):
self.inventory.set_variable(host, 'ansible_host',
os.getenv('AI_PROXY') + '+' + host)
From bb0ba836ee7866ee00ed2f24070eb0c8c0e2f5ea Mon Sep 17 00:00:00 2001
From: pneerincx
Date: Wed, 25 May 2022 16:38:01 +0200
Subject: [PATCH 08/10] Bugfix for lor-init: do not set AI_PROXY env var to an empty string when a stack does not have a jumphost listed in its static inventory.
---
lor-init | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lor-init b/lor-init
index d6eeccaa3..e21b272d2 100755
--- a/lor-init
+++ b/lor-init
@@ -70,12 +70,16 @@ function lor-config() {
# Init and report current setup.
#
cd "${LOR_DIR}"
- export AI_PROXY="${_jumphost}"
+ if [[ -n "${_jumphost:-}" ]]; then
+ export AI_PROXY="${_jumphost}"
+ else
+ unset AI_PROXY
+ fi
export ANSIBLE_INVENTORY="static_inventories/${_stack_name}.yml"
export ANSIBLE_VAULT_IDENTITY_LIST="all@.vault/vault_pass.txt.all, ${_stack_name}@.vault/vault_pass.txt.${_stack_name}"
printf 'INFO: Current working directory is: %s\n' "$(pwd)"
- printf 'INFO: Using AI_PROXY: %s\n' "${AI_PROXY}"
printf 'INFO: Using ANSIBLE_INVENTORY: %s\n' "${ANSIBLE_INVENTORY}"
+ printf 'INFO: Using AI_PROXY: %s\n' "${AI_PROXY:-None: no jumphost specified in ANSIBLE_INVENTORY}"
printf 'INFO: Using ANSIBLE_VAULT_IDENTITY_LIST: %s\n' "${ANSIBLE_VAULT_IDENTITY_LIST}"
#
# Enable ansible_mitogen strategy plugin for improved speed of plays when available.
From 84ab8b83f2c56e1a7bd94978c25df991a2d56e Mon Sep 17 00:00:00 2001
From: pneerincx
Date: Wed, 25 May 2022 16:39:43 +0200
Subject: [PATCH 09/10] Bugfix for single_group_playbooks/pre_deploy_checks.yml: check for stack_name Ansible variable instead of slurm_cluster_name as not all stacks are slurm clusters and hence some do not use slurm_cluster_name.
---
single_group_playbooks/pre_deploy_checks.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/single_group_playbooks/pre_deploy_checks.yml b/single_group_playbooks/pre_deploy_checks.yml
index 73df43a23..0baee20f9 100644
--- a/single_group_playbooks/pre_deploy_checks.yml
+++ b/single_group_playbooks/pre_deploy_checks.yml
@@ -22,8 +22,8 @@
connection: local
- name: 'Verify that the group_vars were parsed.'
ansible.builtin.assert:
- that: slurm_cluster_name is defined
- msg: "FATAL: the slurm_cluster_name Ansible variable is undefined, which suggests that the group_vars were not parsed."
+ that: stack_name is defined
+ msg: "FATAL: the stack_name Ansible variable is undefined, which suggests that the group_vars were not parsed."
run_once: true
delegate_to: localhost
connection: local
From 466040e3b3462d2b2c0aba23f9ecd34d79cbe56f Mon Sep 17 00:00:00 2001
From: pneerincx
Date: Wed, 25 May 2022 16:41:00 +0200
Subject: [PATCH 10/10] single_role_playbooks/firewall.yml: changed wrong name/title to reflect what this play is actually doing.
---
single_role_playbooks/firewall.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/single_role_playbooks/firewall.yml b/single_role_playbooks/firewall.yml
index 1192ad0aa..f74c00ecb 100644
--- a/single_role_playbooks/firewall.yml
+++ b/single_role_playbooks/firewall.yml
@@ -1,5 +1,5 @@
---
-- name: Install the common role from the hpc-cloud repo.
+- name: Deploy the geerlingguy.firewall role.
hosts:
- jumphost
- cluster
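Review bot: The guard now calls `os.getenv('AI_PROXY')` three times on top of the `'AI_PROXY' in os.environ` membership test, and the added `!= ''` clause is the third way of expressing "not empty"; since `os.getenv` returns `None` when the variable is unset, the whole condition collapses to reading the value once: `proxy = os.getenv('AI_PROXY')` followed by `if proxy and proxy != host:` — an unset variable and an empty string are both falsy, which is exactly what this fix wants, and the `+ '+' + host` line can then use `proxy` too. The enclosing `_populate_host_vars` method starts before this hunk.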