Compare commits
4 Commits
c8b9a5cf0f
...
c2575e696a
Author | SHA1 | Date | |
---|---|---|---|
c2575e696a | |||
6984d855b5 | |||
25a2dc093e | |||
b297a2345a |
@ -1,41 +1,113 @@
|
|||||||
pipeline {
|
pipeline {
|
||||||
agent any
|
agent any
|
||||||
parameters {
|
parameters {
|
||||||
string(name: 'svcname', description: "service name")
|
string(name: 'servicename', description: "service name")
|
||||||
string(name: 'svcdesc', description: "service description")
|
string(name: 'svcdesc', description: "service description")
|
||||||
boolean(name: 'database', description: "service has a database", defaultValue: false)
|
string(name: 'targetHost', description: "system to live on", defaultValue: "alloces")
|
||||||
|
boolean(name: 'database', description: "service has a database", defaultValue: true)
|
||||||
|
}
|
||||||
|
environment {
|
||||||
|
pw_linuxserviceaccount=""
|
||||||
|
pw_productiondatabase=""
|
||||||
|
pw_developmentdatabase=""
|
||||||
|
SUDOER=credentials('')
|
||||||
|
SUDOERSSH=credentials('')
|
||||||
}
|
}
|
||||||
stages {
|
stages {
|
||||||
stage("type strengthening") {
|
stage("environment setup") {
|
||||||
steps {
|
steps {
|
||||||
script {
|
script {
|
||||||
if (svcname.isEmpty()) {
|
if (servicename.isEmpty()) {
|
||||||
error("svcname mandatory")
|
error("servicename mandatory")
|
||||||
}
|
}
|
||||||
|
if (servicename.contains(' ')) {
|
||||||
|
error("servicename cannot have spaces. try dashes.")
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (targetHost) {
|
||||||
|
case "alloces":
|
||||||
|
SUDOER=credentials('//TODO: its usually a uuid')
|
||||||
|
SUDOERSSH='//TODO: its usually a uuid'
|
||||||
|
break
|
||||||
|
default:
|
||||||
|
error("target host not recognized. btw: no .lan, all lowercase.")
|
||||||
|
}
|
||||||
|
|
||||||
|
sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
||||||
|
echo env.pw_linuxserviceaccount
|
||||||
|
sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
||||||
|
echo env.pw_productiondatabase
|
||||||
|
sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
||||||
|
echo env.pw_developmentdatabase
|
||||||
}
|
}
|
||||||
//TODO: generate password for the service account
|
|
||||||
//TODO: generate password for prod DB
|
|
||||||
//TODO: generate password for dev DB
|
|
||||||
//TODO: save them somewhere. probably better to not lock myself out of these accounts from moment 0
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
stage("gitea project"){
|
stage("gitea project"){
|
||||||
|
environment {
|
||||||
|
GITEA = credentials('0bd7c8f5-046c-44b9-9c77-7a28a219ae31')
|
||||||
|
}
|
||||||
steps{
|
steps{
|
||||||
script {
|
sh """
|
||||||
//TODO: clone _template-service
|
curl -X 'POST' \
|
||||||
//TODO: if not database version, strip out database stuff
|
'https://gitea.arg.rip/api/v1/repos/greyn/_service-template/generate' \
|
||||||
|
-H 'accept: application/json' \
|
||||||
|
-H 'Authorization: token $GITEA_PSW' \
|
||||||
|
-H 'Content-Type: application/json' \
|
||||||
|
-d '{
|
||||||
|
|
||||||
|
"description": "${svcdesc}",
|
||||||
|
"git_content": true,
|
||||||
|
"git_hooks": true,
|
||||||
|
"labels": true,
|
||||||
|
"name": "${servicename}",
|
||||||
|
"owner": "greyn",
|
||||||
|
"private": false,
|
||||||
|
"protected_branch": true,
|
||||||
|
"topics": true,
|
||||||
|
"webhooks": true
|
||||||
|
}'
|
||||||
|
"""
|
||||||
|
//TODO: set up credentials for jenkins to checkout
|
||||||
|
sshagent(['credentiald-id-using-ssh-key']) {
|
||||||
|
sh """
|
||||||
|
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
|
||||||
|
pushd ${servicename}
|
||||||
|
"""
|
||||||
}
|
}
|
||||||
|
if(!params.database){
|
||||||
|
sh """
|
||||||
|
#//TODO: strip database stuff. sed -i?
|
||||||
|
git add .
|
||||||
|
git commit -m "stripped database stuff"
|
||||||
|
"""
|
||||||
|
}
|
||||||
|
|
||||||
|
sshagent(['credentiald-id-using-ssh-key']) {
|
||||||
|
sh """
|
||||||
|
git push
|
||||||
|
popd
|
||||||
|
"""
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
stage("jenkins pipeline"){
|
||||||
|
steps{
|
||||||
|
//TODO: tell jenkins to scan greyn pipeline
|
||||||
|
//TODO: find this new service in jenkins
|
||||||
|
//TODO: add the shared secrets to jenkins
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
stage("service account"){
|
stage("service account"){
|
||||||
steps{
|
steps{
|
||||||
script {
|
script {
|
||||||
//jenkins, the user trying to SSH, must be able to ssh in and sudo
|
sshagent([SUDOERSSH])
|
||||||
ssh user@host username=$svcname svcpw=$ARG2 'echo "rootpass" | sudo -Sv && bash -s' << 'ENDSSH'
|
{
|
||||||
#commands to run on remote host
|
ssh $SUDOER_USR@${targetHost} username=${env.servicename} password=${env.pw_linuxserviceaccount} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||||
useradd -m -s /bin/bash $username
|
useradd -m -s /bin/bash $username
|
||||||
echo "$username:$password" | chpasswd
|
echo "$username:$password" | chpasswd
|
||||||
ENDSSH
|
loginctl enable-linger $username
|
||||||
|
ENDSSH
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -45,26 +117,43 @@ pipeline {
|
|||||||
//i'm pretty sure "update" with nothing will init?
|
//i'm pretty sure "update" with nothing will init?
|
||||||
//meaning we don't have to init, first update will init
|
//meaning we don't have to init, first update will init
|
||||||
script {
|
script {
|
||||||
ssh user@host username=$svcname svcpw=$ARG2 'echo "rootpass" | sudo -Sv && bash -s' << 'ENDSSH'
|
sshagent([SUDOERSSH])
|
||||||
|
{
|
||||||
|
ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||||
|
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||||
|
create database $servicename;
|
||||||
|
create user $servicename with encrypted password '$pw_productiondatabase';
|
||||||
|
grant all privileges on database $servicename to $servicename;
|
||||||
|
ENDPSQL
|
||||||
|
|
||||||
sudo -u postgres psql
|
service_dev="${servicename}_dev"
|
||||||
postgres=# create database mydb;
|
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||||
postgres=# create user myuser with encrypted password 'mypass';
|
create database $service_dev;
|
||||||
postgres=# grant all privileges on database mydb to myuser;
|
create user $service_dev with encrypted password '$pw_developmentdatabase';
|
||||||
|
grant all privileges on database $service_dev to $service_dev;
|
||||||
|
ENDPSQL
|
||||||
|
|
||||||
postgres=# create database mydb_dev;
|
ENDSSH
|
||||||
postgres=# create user myuser_dev with encrypted password 'myotherpass';
|
}
|
||||||
postgres=# grant all privileges on database mydb_dev to myuser_dev;
|
|
||||||
|
|
||||||
ENDSSH
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
stage("initial service setup"){
|
stage("initial service setup"){
|
||||||
steps{
|
steps{
|
||||||
script {
|
//TODO: use ssh credentials we generated. maybe set up the dang pkey.
|
||||||
//TODO
|
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
|
||||||
}
|
ssh $servicename@${targetHost} servicename=$servicename password=${env.pw_linuxserviceaccount} 'bash -s' << 'ENDSSH'
|
||||||
|
systemctl --user daemon-reload
|
||||||
|
systemctl --user enable $servicename.service
|
||||||
|
ENDSSH
|
||||||
|
}
|
||||||
|
}
|
||||||
|
post {
|
||||||
|
failure {
|
||||||
|
//TODO: post error
|
||||||
|
}
|
||||||
|
success {
|
||||||
|
//TODO: post success. Especially, tell me to come get the passwords. FTP them somewhere?
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
1
scripts/beefhaving_video.groovy
Normal file
1
scripts/beefhaving_video.groovy
Normal file
@ -0,0 +1 @@
|
|||||||
|
//TODO
|
1
scripts/dotnet_binary.groovy
Normal file
1
scripts/dotnet_binary.groovy
Normal file
@ -0,0 +1 @@
|
|||||||
|
//TODO
|
1
scripts/nupkg.groovy
Normal file
1
scripts/nupkg.groovy
Normal file
@ -0,0 +1 @@
|
|||||||
|
//TODO
|
Loading…
Reference in New Issue
Block a user