2024-11-16 22:50:41 -05:00
pipeline {
agent any
parameters {
2024-11-17 15:01:57 -05:00
string ( name: 'servicename' , description: "service name" )
2024-11-16 22:50:41 -05:00
string ( name: 'svcdesc' , description: "service description" )
2024-11-17 16:02:56 -05:00
string ( name: 'targetHost' , description: "system to live on" , defaultValue: "alloces" )
2024-11-17 15:01:57 -05:00
boolean ( name: 'database' , description: "service has a database" , defaultValue: true )
}
environment {
pw_linuxserviceaccount = ""
pw_productiondatabase = ""
pw_developmentdatabase = ""
2024-11-19 02:07:51 -05:00
SUDOER = credentials ( '' ) //going to be set based on target host
2024-11-17 16:02:56 -05:00
SUDOERSSH = credentials ( '' )
2024-11-19 02:07:51 -05:00
JENKINS = credentials ( '68391381-e095-4b47-b956-d23055b0808e' )
2024-11-17 15:01:57 -05:00
}
2024-11-16 22:50:41 -05:00
stages {
2024-11-17 16:02:56 -05:00
stage ( "environment setup" ) {
2024-11-16 22:50:41 -05:00
steps {
script {
2024-11-17 15:01:57 -05:00
if ( servicename . isEmpty ( ) ) {
error ( "servicename mandatory" )
}
if ( servicename . contains ( ' ' ) ) {
error ( "servicename cannot have spaces. try dashes." )
2024-11-16 22:50:41 -05:00
}
2024-11-17 16:02:56 -05:00
switch ( targetHost ) {
case "alloces" :
2024-11-19 02:07:51 -05:00
SUDOER = credentials ( 'a674f816-2b35-4d60-ba60-7b66e86f3c5c' )
SUDOERSSH = credentials ( '2c48e1a9-22b2-455c-9959-6b29e86d3fb5' )
2024-11-17 16:02:56 -05:00
break
default :
error ( "target host not recognized. btw: no .lan, all lowercase." )
}
2024-11-17 15:01:57 -05:00
sh env . pw_linuxserviceaccount = $ ( mktemp - u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX )
2024-11-17 16:02:56 -05:00
echo env . pw_linuxserviceaccount
2024-11-17 15:01:57 -05:00
sh env . pw_productiondatabase = $ ( mktemp - u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX )
2024-11-17 16:02:56 -05:00
echo env . pw_productiondatabase
2024-11-17 15:01:57 -05:00
sh env . pw_developmentdatabase = $ ( mktemp - u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX )
2024-11-17 16:02:56 -05:00
echo env . pw_developmentdatabase
2024-11-16 22:50:41 -05:00
}
}
}
stage ( "gitea project" ) {
2024-11-17 16:02:56 -05:00
environment {
GITEA = credentials ( '0bd7c8f5-046c-44b9-9c77-7a28a219ae31' )
}
2024-11-16 22:50:41 -05:00
steps {
2024-11-17 16:02:56 -05:00
sh "" "
curl - X 'POST' \
'https://gitea.arg.rip/api/v1/repos/greyn/_service-template/generate' \
- H 'accept: application/json' \
- H 'Authorization: token $GITEA_PSW' \
- H 'Content-Type: application/json' \
- d ' {
2024-11-19 02:07:51 -05:00
"description" : "${svcdesc}" ,
"git_content" : true ,
"git_hooks" : true ,
"labels" : true ,
"name" : "${servicename}" ,
"owner" : "greyn" ,
"private" : false ,
"protected_branch" : true ,
"topics" : true ,
"webhooks" : true
} '
2024-11-17 16:02:56 -05:00
"" "
2024-11-19 02:07:51 -05:00
}
}
stage ( "jenkins pipeline" ) {
steps {
sh "" "
curl - X POST - L - - user $ { env . JENKINS_USR } : $ { env . JENKINS_PSW } \
alloces . lan : 8080 /job/ gitea . arg . rip / build
2024-11-17 23:25:14 -05:00
"" "
2024-11-19 02:07:51 -05:00
timeout ( time: 5 , unit: 'MINUTES' ) {
sh "" "
strRes = ""
while [ - z "$strRes" ] ;
do
sleep 5 ;
strRes = $ ( curl - X GET - s - u $ { env . JENKINS_USR } : $ { env . JENKINS_PSW } \
alloces . lan : 8080 /job/ gitea . arg . rip /api/ json | jq '.jobs.[] | select(.name=="${env.servicename}")' )
done
"" "
2024-11-17 23:25:14 -05:00
}
2024-11-19 02:07:51 -05:00
sshagent ( [ 'f42347e9-e3b5-44af-a1af-c5e7b9775fee' ] ) {
2024-11-17 23:25:14 -05:00
sh "" "
2024-11-19 02:07:51 -05:00
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
pushd $ { servicename }
dbstartline = $ ( sed - n '/---dbstart---]/=' Jenkinsfile )
dbendline = $ ( sed - n '/---dbend---/=' Jenkinsfile )
2024-11-17 23:25:14 -05:00
"" "
2024-11-19 02:07:51 -05:00
if ( params . database ) {
sh "" "
sed - i - e '${dbstartline}d;${dbendline}d;' Jenkinsfile
databasecredsid = $ ( uuidgen )
CRUMB = $ ( curl - s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' )
echo $CRUMB
curl - H $CRUMB - X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
- - data - urlencode ' json = {
"" : "0" ,
"credentials" : {
"scope" : "GLOBAL" ,
"id" : "$databasecredsid" ,
"secret" : "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;" ,
"description" : "database connection string" ,
"$class" : "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
}
} '
sed - i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials(' $databasecredsid ')/' Jenkinsfile
git add .
git commit - m "set up for database"
"" "
}
else {
sh "" "
sed - i - e '${dbstartline},${dbendline}d;' Jenkinsfile
git add .
git commit - m "stripped database lines"
"" "
}
2024-11-17 23:25:14 -05:00
2024-11-19 02:07:51 -05:00
sh "" "
popd
env . usernameCredsId = $ ( uuidgen )
CRUMB = $ ( curl - s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' )
echo $CRUMB
curl - H $CRUMB - X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
- - data - urlencode ' json = {
"" : "0" ,
"credentials" : {
"scope" : "GLOBAL" ,
"id" : "$env.usernameCredsId" ,
"username" : "${servicename}" ,
"password" : "${env.pw_linuxserviceaccount}" ,
"description" : "service account login" ,
"$class" : "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
}
} '
certCredsId = $ ( uuidgen )
ssh - keygen - t ed25519 - f "${servicename}" - N ""
privatekeycontent = $ ( cat $ { servicename } ) )
pubkeycontent = $ ( cat $ { servicename } . pub ) )
CRUMB = $ ( curl - s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' )
echo $CRUMB
curl - H $CRUMB - X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
- - data - urlencode ' json = {
"" : "0" ,
"credentials" : {
"scope" : "GLOBAL" ,
"id" : "$env.usernameCredsId" ,
"username" : "${servicename}" ,
"password" : "" ,
"privateKeySource" : {
"stapler-class" : "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource" ,
"privateKey" : "$privatekeycontent" ,
} ,
"description" : "${servicename}" ,
"stapler-class" : "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
} ,
"description" : "service account ssh" ,
"$class" : "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
}
} '
privatekeycontent =
sed - i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials(' $ { env . usernameCredsId } ')/' Jenkinsfile
sed - i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
"" "
2024-11-17 23:25:14 -05:00
sh "" "
git push
popd
"" "
2024-11-17 16:02:56 -05:00
}
2024-11-17 15:01:57 -05:00
}
}
2024-11-16 22:50:41 -05:00
stage ( "service account" ) {
steps {
script {
2024-11-17 16:02:56 -05:00
sshagent ( [ SUDOERSSH ] )
{
2024-11-19 02:07:51 -05:00
ssh $SUDOER_USR @ $ { targetHost } username = $ { servicename } password = $ { env . pw_linuxserviceaccount } pubkeycontent = $ { env . pubkeycontent } 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' < < 'ENDSSH'
2024-11-17 16:02:56 -05:00
useradd - m - s /bin/ bash $username
echo "$username:$password" | chpasswd
loginctl enable - linger $username
2024-11-19 02:07:51 -05:00
cd ~ /home/ $username
mkdir . ssh
pushd . ssh
echo $pubkeycontent > authorized_keys
popd
chown - R $username : $username . ssh
2024-11-17 16:02:56 -05:00
ENDSSH
}
2024-11-16 22:50:41 -05:00
}
}
}
2024-11-17 13:24:01 -05:00
stage ( "db init" ) {
when { expression { return params . database } }
steps {
//i'm pretty sure "update" with nothing will init?
//meaning we don't have to init, first update will init
script {
2024-11-17 16:02:56 -05:00
sshagent ( [ SUDOERSSH ] )
{
ssh SUDOER_USR @ $ { targetHost } servicename = $servicename pw_productiondatabase = $ { env . pw_productiondatabase } pw_developmentdatabase = $ { env . pw_developmentdatabase } 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' < < 'ENDSSH'
sudo - u postgres psql & & bash - s < < 'ENDPSQL'
create database $servicename ;
create user $servicename with encrypted password '$pw_productiondatabase' ;
grant all privileges on database $servicename to $servicename ;
ENDPSQL
service_dev = "${servicename}_dev"
sudo - u postgres psql & & bash - s < < 'ENDPSQL'
create database $service_dev ;
create user $service_dev with encrypted password '$pw_developmentdatabase' ;
grant all privileges on database $service_dev to $service_dev ;
ENDPSQL
ENDSSH
}
2024-11-17 13:24:01 -05:00
}
}
}
2024-11-16 22:50:41 -05:00
stage ( "initial service setup" ) {
steps {
2024-11-19 02:07:51 -05:00
sshagent ( [ SUDOERSSH ] )
{
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
ssh SUDOER_USR @ $ { targetHost } servicename = $servicename pw_productiondatabase = $ { env . pw_productiondatabase } pw_developmentdatabase = $ { env . pw_developmentdatabase } 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' < < 'ENDSSH'
sudo - u $ { servicename } & & bash - s < < 'ENDASSERVICE'
systemctl - - user daemon - reload
systemctl - - user enable $servicename . service
ENDASSERVICE
ENDSSH
}
2024-11-16 22:50:41 -05:00
}
}
2024-11-17 16:02:56 -05:00
post {
2024-11-19 02:07:51 -05:00
failure {
matrixSendMessage hostname: 'https://greyn.club:8448' , accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5' , roomId: '!QmOCACetHdGDlNFsZP:greyn.club' , body: '1-click service failed :('
2024-11-17 16:02:56 -05:00
}
success {
2024-11-19 02:07:51 -05:00
matrixSendMessage hostname: 'https://greyn.club:8448' , accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5' , roomId: '!QmOCACetHdGDlNFsZP:greyn.club' , body: '1-click service success! go pick up the credentials!'
//TODO: archiveArtifacts the password data
2024-11-17 16:02:56 -05:00
}
}
2024-11-16 22:50:41 -05:00
}
}
