greyn/deployment
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

merge into: greyn:main
Branches Tags
greyn:main
greyn:service
greyn:release
greyn:predev
greyn:1
...
pull from: greyn:service
Branches Tags
greyn:service
greyn:main
greyn:release
greyn:predev
greyn:1

7 Commits
main ... service

Author SHA1 Message Date
adam
816bcff09d generates gitea project from template :)
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
Details 
jq is suffering shell-quoting issues.
 2024-11-21 13:02:37 -05:00
adam
7130f70aaf moloryb
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
Details 
i know I went to HS with a girl called "mallory". you can tell i'm L O S T because I'm like "what's she up to these days?" but can't remember anything other than she exists and has that name. Pretty sure black hair? lmao
 2024-11-21 00:13:06 -05:00
adam
3ab5269f40 default to .lan
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
Details
2024-11-20 01:06:49 -05:00
adam
22b5691d99 passed linting
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
Details
2024-11-19 11:49:50 -05:00
adam
351b806c33 hopefully it's ok that jenkins will be jenkinsing jenkins. down to 1 TODO!
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
Details
2024-11-19 02:07:51 -05:00
adam
c2575e696a see this is the bad thing - i get distracted mid Thing so i have no idea what this is. but it's pending.
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
Details
2024-11-17 23:25:14 -05:00
adam
6984d855b5 after much work, i have... added todos. there are now 10. 2024-11-17 16:02:56 -05:00
1 changed files with 218 additions and 41 deletions
Show Stats Expand all files Collapse all files

259
scripts/1clickservice.groovy
View File

@ -3,16 +3,20 @@ pipeline {
parameters { parameters {
string(name: 'servicename', description: "service name") string(name: 'servicename', description: "service name")
string(name: 'svcdesc', description: "service description") string(name: 'svcdesc', description: "service description")
boolean(name: 'database', description: "service has a database", defaultValue: true) string(name: 'targetHost', description: "system to live on", defaultValue: "moloryb.lan")
booleanParam(name: 'database', description: "service has a database", defaultValue: true)
} }
environment { environment {
pw_linuxserviceaccount="" //pw_linuxserviceaccount=""
pw_productiondatabase="" //pw_productiondatabase=""
pw_developmentdatabase="" //pw_developmentdatabase=""
ALLOCES = credentials('//TODO: its usually a uuid') //SUDOER=credentials('') //going to be set based on target host
SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
JENKINS=credentials('f1192e74-dfe0-402f-a189-703482d914fe')
GITEATOKEN = credentials('d0e86441-2157-405f-8539-a9a9010c6ecf')
} }
stages { stages {
stage("type strengthening") { stage("environment setup") {
steps { steps {
script { script {
if (servicename.isEmpty()) { if (servicename.isEmpty()) {
@ -21,35 +25,191 @@ pipeline {
if (servicename.contains(' ')) { if (servicename.contains(' ')) {
error("servicename cannot have spaces. try dashes.") error("servicename cannot have spaces. try dashes.")
} }
sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) switch (targetHost) {
sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) case "alloces.lan":
//TODO: save them somewhere. probably better to not lock myself out of these accounts from moment 0 SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
case "moloryb.lan":
SUDOER=credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
break
default:
error("target host not recognized. btw: yes .lan, all lowercase.")
}
env.pw_linuxserviceaccount=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
echo env.pw_linuxserviceaccount
env.pw_productiondatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
echo env.pw_productiondatabase
env.pw_developmentdatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
echo env.pw_developmentdatabase
} }
} }
} }
stage("gitea project"){ stage("gitea project"){
steps{ steps{
//TODO: clone _template-service. Must be under greyn. sh """
//TODO: if not database version, strip out database stuff curl -X 'POST' \
'https://gitea.arg.rip/api/v1/repos/greyn/_template-service/generate' \
-H 'accept: application/json' \
-H 'Authorization: token ${env.GITEATOKEN}' \
-H 'Content-Type: application/json' \
-d '{
"description": "${svcdesc}",
"git_content": true,
"git_hooks": true,
"labels": true,
"name": "${servicename}",
"owner": "greyn",
"private": false,
"protected_branch": true,
"topics": true,
"webhooks": true
}'
"""
} }
} }
stage("jenkins pipeline"){ stage("jenkins pipeline"){
steps{ steps{
//TODO: tell jenkins to scan greyn pipeline //the bad news is that it looks like it's not allowed to trigger just any old job remotely
//TODO: find this new service in jenkins //the good news is that this seems to pick it up pretty reliably
//TODO: add the shared secrets to jenkins //sh """
// curl -X POST -L --user ${env.JENKINS_USR}:${env.JENKINS_PSW} \
// alloces.lan:8080/job/gitea.arg.rip/build
// """
timeout(time: 5, unit: 'MINUTES') {
sh """
strRes=""
while [ -z "\$strRes" ];
do
sleep 5;
strRes=\$(curl -X GET -s -u ${env.JENKINS_USR}:'${env.JENKINS_PSW}' \
alloces.lan:8080/job/gitea.arg.rip/api/json \
| jq ".jobs.[] | select(.name==\"${env.servicename}\")")
done
"""
}
sshagent(['f42347e9-e3b5-44af-a1af-c5e7b9775fee']) {
sh """
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
pushd ${servicename}
dbstartline=\$(sed -n '/---dbstart---]/=' Jenkinsfile)
dbendline=\$(sed -n '/---dbend---/=' Jenkinsfile)
"""
script { //there's no "if" "step" so any "if" must be in a "script" step
if(params.database){
sh """
sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile
databasecredsid=\$(uuidgen)
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$databasecredsid",
"secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;",
"description": "database connection string",
"\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
}
}'
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile
git add .
git commit -m "set up for database"
"""
}
else{
sh """
sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile
git add .
git commit -m "stripped database lines"
"""
}
sh """
popd
env.usernameCredsId=\$(uuidgen)
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$env.usernameCredsId",
"username": "${servicename}",
"password": "${env.pw_linuxserviceaccount}",
"description": "service account login",
"\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
}
}'
certCredsId=\$(uuidgen)
ssh-keygen -t ed25519 -f "${servicename}" -N ""
privatekeycontent=\$(cat ${servicename}))
pubkeycontent=\$(cat ${servicename}.pub))
CRUMB=\$(url -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$env.usernameCredsId",
"username": "${servicename}",
"password": "",
"privateKeySource": {
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
"privateKey": "$privatekeycontent",
},
"description": "${servicename}",
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
},
"description": "service account ssh",
"\$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
}
}'
privatekeycontent=
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
"""
sh """
git push
popd
"""
}
}
} }
} }
stage("service account"){ stage("service account"){
steps{ steps{
script { script {
//jenkins, the user trying to SSH, must be able to ssh in and sudo sshagent([SUDOERSSH])
ssh user@host username=$servicename password=${env.pw_linuxserviceaccount} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH' {
useradd -m -s /bin/bash $username sh """ssh -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
echo "$username:$password" | chpasswd useradd -m -s /bin/bash $username
loginctl enable-linger $username echo "$username:$password" | chpasswd
ENDSSH loginctl enable-linger $username
cd ~/home/$username
mkdir .ssh
pushd .ssh
echo $pubkeycontent > authorized_keys
popd
chown -R $username:$username .ssh
ENDSSH
"""
}
} }
} }
} }
@ -59,32 +219,49 @@ pipeline {
//i'm pretty sure "update" with nothing will init? //i'm pretty sure "update" with nothing will init?
//meaning we don't have to init, first update will init //meaning we don't have to init, first update will init
script { script {
ssh user@host servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH' sshagent([SUDOERSSH])
sudo -u postgres psql && bash -s << 'ENDPSQL' {
create database $servicename; sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
create user $servicename with encrypted password '$pw_productiondatabase'; sudo -u postgres psql && bash -s << 'ENDPSQL'
grant all privileges on database $servicename to $servicename; create database $servicename;
ENDPSQL create user $servicename with encrypted password '$pw_productiondatabase';
grant all privileges on database $servicename to $servicename;
service_dev="${servicename}_dev" ENDPSQL
sudo -u postgres psql && bash -s << 'ENDPSQL'
create database $service_dev; service_dev="${servicename}_dev"
create user $service_dev with encrypted password '$pw_developmentdatabase'; sudo -u postgres psql && bash -s << 'ENDPSQL'
grant all privileges on database $service_dev to $service_dev; create database $service_dev;
ENDPSQL create user $service_dev with encrypted password '$pw_developmentdatabase';
grant all privileges on database $service_dev to $service_dev;
ENDSSH ENDPSQL
ENDSSH"""
}
} }
} }
} }
stage("initial service setup"){ stage("initial service setup"){
steps{ steps{
sh 'scp $servicename.service user@server:~/.config/systemd/user/$servicename.service' sshagent([SUDOERSSH])
ssh user@host servicename=$servicename svcpw=$ARG2 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH' {
systemctl --user daemon-reload sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
systemctl --user enable $servicename.service sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
ENDSSH sudo -u ${servicename} && bash -s << 'ENDASSERVICE'
systemctl --user daemon-reload
systemctl --user enable $servicename.service
ENDASSERVICE
ENDSSH"""
}
} }
} }
} }
post {
failure {
matrixSendMessage https:true, hostname: 'greyn.club', port:8448, accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :(', formattedBody: "1-click service <b>failed</b> :("
}
success {
matrixSendMessage https:true, hostname: 'greyn.club', port:8448, accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!', formattedBody: '1-click service success! go pick up the credentials!'
//TODO: archiveArtifacts the password data, then store them somewhere
}
}
} }