diff --git a/scripts/1clickservice.groovy b/scripts/1clickservice.groovy
index 5ae4598..8206ef1 100644
--- a/scripts/1clickservice.groovy
+++ b/scripts/1clickservice.groovy
@@ -1,40 +1,54 @@ pipeline { agent any parameters { - string(name: 'svcname', description: "service name") + string(name: 'servicename', description: "service name") string(name: 'svcdesc', description: "service description") - boolean(name: 'database', description: "service has a database", defaultValue: false) - } + boolean(name: 'database', description: "service has a database", defaultValue: true) + } + environment { + pw_linuxserviceaccount="" + pw_productiondatabase="" + pw_developmentdatabase="" + ALLOCES = credentials('//TODO: its usually a uuid') + } stages { stage("type strengthening") { steps { script { - if (svcname.isEmpty()) { - error("svcname mandatory") + if (servicename.isEmpty()) { + error("servicename mandatory") } + if (servicename.contains(' ')) { + error("servicename cannot have spaces. try dashes.") + } + sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) + sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) + sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) + //TODO: save them somewhere. probably better to not lock myself out of these accounts from moment 0 } - //TODO: generate password for the service account - //TODO: generate password for prod DB - //TODO: generate password for dev DB - //TODO: save them somewhere. probably better to not lock myself out of these accounts from moment 0 } } stage("gitea project"){ steps{ - script { - //TODO: clone _template-service - //TODO: if not database version, strip out database stuff - } + //TODO: clone _template-service. Must be under greyn. 
+ //TODO: if not database version, strip out database stuff + } + } + stage("jenkins pipeline"){ + steps{ + //TODO: tell jenkins to scan greyn pipeline + //TODO: find this new service in jenkins + //TODO: add the shared secrets to jenkins } } stage("service account"){ steps{ script { //jenkins, the user trying to SSH, must be able to ssh in and sudo - ssh user@host username=$svcname svcpw=$ARG2 'echo "rootpass" | sudo -Sv && bash -s' << 'ENDSSH' - #commands to run on remote host + ssh user@host username=$servicename password=${env.pw_linuxserviceaccount} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH' useradd -m -s /bin/bash $username echo "$username:$password" | chpasswd + loginctl enable-linger $username ENDSSH } } 
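Review bot: The new `servicename.contains(' ')` check does not make the parameter safe to use, because the value is spliced unquoted into the remote shell script of the service-account stage (`useradd -m -s /bin/bash $username`) and, in the database stage, into `psql` statements, so `;`, `$(…)`, backticks or quotes in the build parameter become command or SQL injection on the target host; an allowlist such as `if (!(servicename ==~ /^[a-z][a-z0-9_-]{0,30}$/)) { error("servicename must match ^[a-z][a-z0-9_-]{0,30}$") }` closes that (dashes still need double-quoting when used as Postgres identifiers). The three `sh env.pw_… = $(mktemp -u …)` lines also need rework: `sh` takes a string and runs a child shell, so the assignment never reaches `env.*`, the step echoes each expanded command to the console by default so the generated value would be printed to the build log, and `mktemp -u` is a temp-filename helper rather than a documented secret generator — the `openssl rand` form below avoids all three. On the `ssh user@host username=… password=… '…'` line the `name=value` words become a prefix of the remote command, which in POSIX shell scopes them to `echo` only, so `bash -s` and `useradd` see an empty `$username`, and the password is visible in `ps` on both hosts; pass the values in the heredoc body instead, and note that `bash -s` itself is not under `sudo` (only `-v` is), so `useradd`, `chpasswd` and `loginctl enable-linger` run unprivileged and need a `sudo` prefix (the cached ticket keeps that non-interactive). `$ALLOCES_PSW` sits inside single quotes and is therefore expanded on the remote host, where it will be unset unless `SendEnv`/`AcceptEnv` is configured — worth confirming. The `pipeline` block continues past the end of this hunk.
```groovy
if (!(servicename ==~ /^[a-z][a-z0-9_-]{0,30}$/)) {
    error("servicename must match ^[a-z][a-z0-9_-]{0,30}$")
}
// set +x keeps the command out of the console log; returnStdout keeps the value out of it too
env.pw_linuxserviceaccount = sh(returnStdout: true, script: 'set +x; openssl rand -base64 32').trim()
env.pw_productiondatabase  = sh(returnStdout: true, script: 'set +x; openssl rand -base64 32').trim()
env.pw_developmentdatabase = sh(returnStdout: true, script: 'set +x; openssl rand -base64 32').trim()
// … unchanged: TODO about persisting the secrets …
```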
@@ -45,16 +59,19 @@ pipeline { //i'm pretty sure "update" with nothing will init? //meaning we don't have to init, first update will init script { - ssh user@host username=$svcname svcpw=$ARG2 'echo "rootpass" | sudo -Sv && bash -s' << 'ENDSSH' - - sudo -u postgres psql - postgres=# create database mydb; - postgres=# create user myuser with encrypted password 'mypass'; - postgres=# grant all privileges on database mydb to myuser; - - postgres=# create database mydb_dev; - postgres=# create user myuser_dev with encrypted password 'myotherpass'; - postgres=# grant all privileges on database mydb_dev to myuser_dev; + ssh user@host servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH' + sudo -u postgres psql && bash -s << 'ENDPSQL' + create database $servicename; + create user $servicename with encrypted password '$pw_productiondatabase'; + grant all privileges on database $servicename to $servicename; + ENDPSQL + + service_dev="${servicename}_dev" + sudo -u postgres psql && bash -s << 'ENDPSQL' + create database $service_dev; + create user $service_dev with encrypted password '$pw_developmentdatabase'; + grant all privileges on database $service_dev to $service_dev; + ENDPSQL ENDSSH } @@ -62,9 +79,11 @@ pipeline { } stage("initial service setup"){ steps{ - script { - //TODO - } + sh 'scp $servicename.service user@server:~/.config/systemd/user/$servicename.service' + ssh user@host servicename=$servicename svcpw=$ARG2 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH' + systemctl --user daemon-reload + systemctl --user enable $servicename.service + ENDSSH } } }
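Review bot: Neither `$servicename` nor the `$pw_*` variables are substituted in the new `psql` block, because the inner heredoc delimiter is quoted (`<< 'ENDPSQL'`) and the `servicename=… pw_…=…` words on the `ssh` line only prefix `echo`, not `bash -s`, so the statements reach Postgres literally and fail — and once the interpolation is made to work, an unvalidated build parameter and the passwords go straight into SQL text. `sudo -u postgres psql && bash -s << 'ENDPSQL'` also does not feed the heredoc to `psql`: `psql` inherits the outer stdin and the heredoc goes to the second `bash -s`, so the redirection has to be on `psql` itself. Setting the values with `\set` and referencing them as `:"svc"` / `:'pw'` lets `psql` do the identifier and literal quoting (which also makes the dashed names the earlier stage recommends valid) and keeps the password out of `psql`'s argv, while `-v ON_ERROR_STOP=1` makes a failed statement fail the build instead of being skipped. If `log_statement` is enabled on the server the `create user … password` statement will still be written to the Postgres log — hedged, as the server configuration is not visible here. The database stage's opening lines are outside this hunk.
```groovy
// the ssh/psql lines are not sh steps yet, so this is the intended shape rather than runnable Groovy
ssh user@host 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sudo -u postgres psql -v ON_ERROR_STOP=1 << 'ENDPSQL'
\set svc '${servicename}'
\set pw '${env.pw_productiondatabase}'
create database :"svc";
create user :"svc" with encrypted password :'pw';
grant all privileges on database :"svc" to :"svc";
ENDPSQL
# … unchanged: same block for ${servicename}_dev with pw_developmentdatabase …
ENDSSH
```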
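Review bot: The unit is installed and enabled for the SSH login `user`, not for the service account created earlier: `scp` writes to `~/.config/systemd/user/` in `user`'s home and `systemctl --user` after `sudo -Sv && bash -s` still runs as `user` (`-v` only caches credentials), so the `useradd`/`enable-linger` work for `$servicename` is never used and the service would run with the deploy user's privileges. Place the unit under the target account's home and run the enable step as that account, with `XDG_RUNTIME_DIR` pointed at its `/run/user/<uid>` (which exists because of the linger enabled earlier) as sketched below. The `svcpw=$ARG2` prefix is left over from the removed version — `ARG2` is defined nowhere in the file — and should go, and the host is `user@server` on the `scp` line but `user@host` everywhere else. The single-quoted `scp` string relies on `$servicename` being present in the agent's shell environment rather than Groovy interpolation; worth confirming that is intended.
```groovy
sh 'scp $servicename.service user@host:/tmp/$servicename.service'
ssh user@host 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
# assumes $servicename is made available to the remote script (the bare env prefix on the ssh line does not do that)
svc_home=$(getent passwd "$servicename" | cut -d: -f6)
sudo install -D -o "$servicename" -g "$servicename" -m 0644 "/tmp/$servicename.service" "$svc_home/.config/systemd/user/$servicename.service"
sudo -u "$servicename" XDG_RUNTIME_DIR="/run/user/$(id -u "$servicename")" systemctl --user daemon-reload
sudo -u "$servicename" XDG_RUNTIME_DIR="/run/user/$(id -u "$servicename")" systemctl --user enable "$servicename.service"
ENDSSH
```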