after much work, i have... added todos. there are now 10.

This commit is contained in:
adam 2024-11-17 16:02:56 -05:00
parent 25a2dc093e
commit 6984d855b5

View File

@ -3,16 +3,18 @@ pipeline {
parameters {
string(name: 'servicename', description: "service name")
string(name: 'svcdesc', description: "service description")
string(name: 'targetHost', description: "system to live on", defaultValue: "alloces")
boolean(name: 'database', description: "service has a database", defaultValue: true)
}
environment {
pw_linuxserviceaccount=""
pw_productiondatabase=""
pw_developmentdatabase=""
ALLOCES = credentials('//TODO: its usually a uuid')
SUDOER=credentials('')
SUDOERSSH=credentials('')
}
stages {
stage("type strengthening") {
stage("environment setup") {
steps {
script {
if (servicename.isEmpty()) {
@ -21,17 +23,64 @@ pipeline {
if (servicename.contains(' ')) {
error("servicename cannot have spaces. try dashes.")
}
switch (targetHost) {
case "alloces":
SUDOER=credentials('//TODO: its usually a uuid')
SUDOERSSH='//TODO: its usually a uuid'
break
default:
error("target host not recognized. btw: no .lan, all lowercase.")
}
sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
echo env.pw_linuxserviceaccount
sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
echo env.pw_productiondatabase
sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
//TODO: save them somewhere. probably better to not lock myself out of these accounts from moment 0
echo env.pw_developmentdatabase
}
}
}
stage("gitea project"){
environment {
GITEA = credentials('0bd7c8f5-046c-44b9-9c77-7a28a219ae31')
}
steps{
//TODO: clone _template-service. Must be under greyn.
//TODO: if not database version, strip out database stuff
sh """
curl -X 'POST' \
'https://gitea.arg.rip/api/v1/repos/greyn/_service-template/generate' \
-H 'accept: application/json' \
-H 'Authorization: token $GITEA_PSW' \
-H 'Content-Type: application/json' \
-d '{
"description": "${svcdesc}",
"git_content": true,
"git_hooks": true,
"labels": true,
"name": "${servicename}",
"owner": "greyn",
"private": false,
"protected_branch": true,
"topics": true,
"webhooks": true
}'
"""
if(!params.database){
//TODO: set up credentials for jenkins to checkout
sshagent(['credentiald-id-using-ssh-key'])
{
sh """
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
pushd ${servicename}
#//TODO: strip database stuff. sed -i?
git add .
git commit -m "stripped database stuff"
git push
"""
}
}
}
}
stage("jenkins pipeline"){
@ -44,12 +93,14 @@ pipeline {
stage("service account"){
steps{
script {
//jenkins, the user trying to SSH, must be able to ssh in and sudo
ssh user@host username=$servicename password=${env.pw_linuxserviceaccount} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
useradd -m -s /bin/bash $username
echo "$username:$password" | chpasswd
loginctl enable-linger $username
ENDSSH
sshagent([SUDOERSSH])
{
ssh $SUDOER_USR@${targetHost} username=${env.servicename} password=${env.pw_linuxserviceaccount} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
useradd -m -s /bin/bash $username
echo "$username:$password" | chpasswd
loginctl enable-linger $username
ENDSSH
}
}
}
}
@ -59,32 +110,44 @@ pipeline {
//i'm pretty sure "update" with nothing will init?
//meaning we don't have to init, first update will init
script {
ssh user@host servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sudo -u postgres psql && bash -s << 'ENDPSQL'
create database $servicename;
create user $servicename with encrypted password '$pw_productiondatabase';
grant all privileges on database $servicename to $servicename;
ENDPSQL
service_dev="${servicename}_dev"
sudo -u postgres psql && bash -s << 'ENDPSQL'
create database $service_dev;
create user $service_dev with encrypted password '$pw_developmentdatabase';
grant all privileges on database $service_dev to $service_dev;
ENDPSQL
ENDSSH
sshagent([SUDOERSSH])
{
ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sudo -u postgres psql && bash -s << 'ENDPSQL'
create database $servicename;
create user $servicename with encrypted password '$pw_productiondatabase';
grant all privileges on database $servicename to $servicename;
ENDPSQL
service_dev="${servicename}_dev"
sudo -u postgres psql && bash -s << 'ENDPSQL'
create database $service_dev;
create user $service_dev with encrypted password '$pw_developmentdatabase';
grant all privileges on database $service_dev to $service_dev;
ENDPSQL
ENDSSH
}
}
}
}
stage("initial service setup"){
steps{
sh 'scp $servicename.service user@server:~/.config/systemd/user/$servicename.service'
ssh user@host servicename=$servicename svcpw=$ARG2 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
//TODO: use ssh credentials we generated. maybe set up the dang pkey.
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
ssh $servicename@${targetHost} servicename=$servicename password=${env.pw_linuxserviceaccount} 'bash -s' << 'ENDSSH'
systemctl --user daemon-reload
systemctl --user enable $servicename.service
ENDSSH
}
}
post {
failure {
//TODO: post error
}
success {
//TODO: post success. Especially, tell me to come get the passwords. FTP them somewhere?
}
}
}
}