diff --git a/scripts/1clickservice.groovy b/scripts/1clickservice.groovy
index 8206ef1..a34b057 100644
--- a/scripts/1clickservice.groovy
+++ b/scripts/1clickservice.groovy
@@ -3,16 +3,18 @@ pipeline {
 parameters {
 string(name: 'servicename', description: "service name")
 string(name: 'svcdesc', description: "service description")
+ string(name: 'targetHost', description: "system to live on", defaultValue: "alloces")
 boolean(name: 'database', description: "service has a database", defaultValue: true)
 }
 environment {
 pw_linuxserviceaccount=""
 pw_productiondatabase=""
 pw_developmentdatabase=""
- ALLOCES = credentials('//TODO: its usually a uuid')
+ SUDOER=credentials('')
+ SUDOERSSH=credentials('')
 }
 stages {
- stage("type strengthening") {
+ stage("environment setup") {
 steps {
 script {
 if (servicename.isEmpty()) {
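Review bot: `SUDOER=credentials('')` and `SUDOERSSH=credentials('')` bind empty credential IDs in the `environment` block, which Jenkins cannot resolve when the stages start, and `SUDOERSSH` is later handed to `sshagent([...])`, which expects a credential ID string rather than a bound secret value. Keep only the username/password binding here, `SUDOER = credentials('<username-password-credential-id>')`, and hold the SSH credential ID as a plain string that the per-host switch can set. Because `targetHost` is later checked against a fixed list of hostnames, declaring it as `choice(name: 'targetHost', choices: ['alloces'], description: "system to live on")` rejects unexpected values before any stage runs. The enclosing `pipeline` block continues past this hunk.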
@@ -21,17 +23,64 @@ pipeline {
 if (servicename.contains(' ')) {
 error("servicename cannot have spaces. try dashes.")
 }
+
+ switch (targetHost) {
+ case "alloces":
+ SUDOER=credentials('//TODO: its usually a uuid')
+ SUDOERSSH='//TODO: its usually a uuid'
+ break
+ default:
+ error("target host not recognized. btw: no .lan, all lowercase.")
+ }
+ sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
+ echo env.pw_linuxserviceaccount
 sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
+ echo env.pw_productiondatabase
 sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
- //TODO: save them somewhere. probably better to not lock myself out of these accounts from moment 0
+ echo env.pw_developmentdatabase
 }
 }
 }
 stage("gitea project"){
+ environment {
+ GITEA = credentials('0bd7c8f5-046c-44b9-9c77-7a28a219ae31')
+ }
 steps{
- //TODO: clone _template-service. Must be under greyn.
- //TODO: if not database version, strip out database stuff
+ sh """
+ curl -X 'POST' \
+ 'https://gitea.arg.rip/api/v1/repos/greyn/_service-template/generate' \
+ -H 'accept: application/json' \
+ -H 'Authorization: token $GITEA_PSW' \
+ -H 'Content-Type: application/json' \
+ -d '{
+
+ "description": "${svcdesc}",
+ "git_content": true,
+ "git_hooks": true,
+ "labels": true,
+ "name": "${servicename}",
+ "owner": "greyn",
+ "private": false,
+ "protected_branch": true,
+ "topics": true,
+ "webhooks": true
+ }'
+ """
+ if(!params.database){
+ //TODO: set up credentials for jenkins to checkout
+ sshagent(['credentiald-id-using-ssh-key'])
+ {
+ sh """
+ git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
+ pushd ${servicename}
+ #//TODO: strip database stuff. sed -i?
+ git add .
+ git commit -m "stripped database stuff"
+ git push
+ """
+ }
+ }
 }
 }
 stage("jenkins pipeline"){
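Review bot: The three new `echo env.pw_*` lines print the freshly generated service-account and database passwords into the build console, where anyone with read access to the job can see them, so replacing the old "save them somewhere" TODO with this is worse than not saving them at all; drop the `echo` lines and hand the values to the Jenkins credential store or a secrets manager instead. The Gitea call interpolates `$GITEA_PSW` with Groovy inside `sh """..."""`, so the token is written into the generated shell script and into the `curl` process arguments on the agent; use a single-quoted Groovy string (`sh '''`) with `-H "Authorization: token $GITEA_PSW" \` so the shell reads it from the environment. `${svcdesc}` is a free-form parameter embedded inside the single-quoted JSON body, so a `'` in the description breaks the shell quoting and lets arbitrary text into the command; validate it in the setup stage alongside `servicename` or pass the body through a file. The `if(!params.database)` sits directly in `steps` rather than inside `script {}`, which declarative pipeline does not accept.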
@@ -44,12 +93,14 @@ pipeline {
 stage("service account"){
 steps{
 script {
- //jenkins, the user trying to SSH, must be able to ssh in and sudo
- ssh user@host username=$servicename password=${env.pw_linuxserviceaccount} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
- useradd -m -s /bin/bash $username
- echo "$username:$password" | chpasswd
- loginctl enable-linger $username
- ENDSSH
+ sshagent([SUDOERSSH])
+ {
+ ssh $SUDOER_USR@${targetHost} username=${env.servicename} password=${env.pw_linuxserviceaccount} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
+ useradd -m -s /bin/bash $username
+ echo "$username:$password" | chpasswd
+ loginctl enable-linger $username
+ ENDSSH
+ }
 }
 }
 }
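Review bot: The `password=${env.pw_linuxserviceaccount}` assignment on the `ssh` command line passes the new account's password as a process argument, so it is visible in `ps` on the agent and on `${targetHost}` and in the `+ ssh ...` trace line once this runs through a `sh` step. Send it over stdin instead, for example by piping a `user:password` line into `chpasswd` on the remote side after `useradd`, so it never appears in argv. `"$SUDOER_PSW"` sits inside the single-quoted remote command, so it is either expanded by Groovy before the shell runs (putting the sudo password in the same places) or left to the remote shell, where it is unset and `sudo -Sv` fails; pick one deliberately and test it. As written the `ssh ...` line is bare Groovy inside `script {}` rather than a `sh '''...'''` step, so the stage will not parse.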
@@ -59,32 +110,44 @@ pipeline {
 //i'm pretty sure "update" with nothing will init?
 //meaning we don't have to init, first update will init
 script {
- ssh user@host servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
- sudo -u postgres psql && bash -s << 'ENDPSQL'
- create database $servicename;
- create user $servicename with encrypted password '$pw_productiondatabase';
- grant all privileges on database $servicename to $servicename;
- ENDPSQL
-
- service_dev="${servicename}_dev"
- sudo -u postgres psql && bash -s << 'ENDPSQL'
- create database $service_dev;
- create user $service_dev with encrypted password '$pw_developmentdatabase';
- grant all privileges on database $service_dev to $service_dev;
- ENDPSQL
-
- ENDSSH
+ sshagent([SUDOERSSH])
+ {
+ ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
+ sudo -u postgres psql && bash -s << 'ENDPSQL'
+ create database $servicename;
+ create user $servicename with encrypted password '$pw_productiondatabase';
+ grant all privileges on database $servicename to $servicename;
+ ENDPSQL
+
+ service_dev="${servicename}_dev"
+ sudo -u postgres psql && bash -s << 'ENDPSQL'
+ create database $service_dev;
+ create user $service_dev with encrypted password '$pw_developmentdatabase';
+ grant all privileges on database $service_dev to $service_dev;
+ ENDPSQL
+
+ ENDSSH
+ }
 }
 }
 }
 stage("initial service setup"){
 steps{
- sh 'scp $servicename.service user@server:~/.config/systemd/user/$servicename.service'
- ssh user@host servicename=$servicename svcpw=$ARG2 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
+ //TODO: use ssh credentials we generated. maybe set up the dang pkey.
+ sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
+ ssh $servicename@${targetHost} servicename=$servicename password=${env.pw_linuxserviceaccount} 'bash -s' << 'ENDSSH'
 systemctl --user daemon-reload
 systemctl --user enable $servicename.service
 ENDSSH
 }
 }
+ post {
+ failure {
+ //TODO: post error
+ }
+ success {
+ //TODO: post success. Especially, tell me to come get the passwords. FTP them somewhere?
+ }
+ }
 }
 }
\ No newline at end of file
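Review bot: `create database $servicename;` and the matching `create user`/`grant` lines splice the job parameter straight into SQL executed as the `postgres` superuser, and the only validation applied earlier rejects empty names and spaces, so `;`, quotes and further statements pass through; the setup stage's error text even recommends dashes, and an unquoted identifier such as `my-svc` is a syntax error in Postgres anyway. Pass the name as a psql variable and quote it as an identifier, `sudo -u postgres psql -v svc="$servicename" <<'ENDPSQL'` with `create database :"svc";`, and tighten the servicename check to a pattern like `^[a-z][a-z0-9_-]{0,31}$`. The `sudo -u postgres psql && bash -s << 'ENDPSQL'` form starts psql with no input and then feeds the heredoc to `bash`, not to psql, so the SQL is never executed; attach the heredoc to `psql` directly. `ssh SUDOER_USR@${targetHost}` is missing the `$` before `SUDOER_USR`. The stage that encloses this `script {}` starts before the hunk.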