Compare commits
No commits in common. "service" and "main" have entirely different histories.
@ -3,20 +3,16 @@ pipeline {
|
||||
parameters {
|
||||
string(name: 'servicename', description: "service name")
|
||||
string(name: 'svcdesc', description: "service description")
|
||||
string(name: 'targetHost', description: "system to live on", defaultValue: "moloryb.lan")
|
||||
booleanParam(name: 'database', description: "service has a database", defaultValue: true)
|
||||
boolean(name: 'database', description: "service has a database", defaultValue: true)
|
||||
}
|
||||
environment {
|
||||
//pw_linuxserviceaccount=""
|
||||
//pw_productiondatabase=""
|
||||
//pw_developmentdatabase=""
|
||||
//SUDOER=credentials('') //going to be set based on target host
|
||||
SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
|
||||
JENKINS=credentials('f1192e74-dfe0-402f-a189-703482d914fe')
|
||||
GITEATOKEN = credentials('d0e86441-2157-405f-8539-a9a9010c6ecf')
|
||||
pw_linuxserviceaccount=""
|
||||
pw_productiondatabase=""
|
||||
pw_developmentdatabase=""
|
||||
ALLOCES = credentials('//TODO: its usually a uuid')
|
||||
}
|
||||
stages {
|
||||
stage("environment setup") {
|
||||
stage("type strengthening") {
|
||||
steps {
|
||||
script {
|
||||
if (servicename.isEmpty()) {
|
||||
@ -25,191 +21,35 @@ pipeline {
|
||||
if (servicename.contains(' ')) {
|
||||
error("servicename cannot have spaces. try dashes.")
|
||||
}
|
||||
|
||||
switch (targetHost) {
|
||||
case "alloces.lan":
|
||||
SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
|
||||
case "moloryb.lan":
|
||||
SUDOER=credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
|
||||
break
|
||||
default:
|
||||
error("target host not recognized. btw: yes .lan, all lowercase.")
|
||||
}
|
||||
|
||||
env.pw_linuxserviceaccount=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
|
||||
echo env.pw_linuxserviceaccount
|
||||
env.pw_productiondatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
|
||||
echo env.pw_productiondatabase
|
||||
env.pw_developmentdatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
|
||||
echo env.pw_developmentdatabase
|
||||
sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
||||
sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
||||
sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
||||
//TODO: save them somewhere. probably better to not lock myself out of these accounts from moment 0
|
||||
}
|
||||
}
|
||||
}
|
||||
stage("gitea project"){
|
||||
steps{
|
||||
sh """
|
||||
curl -X 'POST' \
|
||||
'https://gitea.arg.rip/api/v1/repos/greyn/_template-service/generate' \
|
||||
-H 'accept: application/json' \
|
||||
-H 'Authorization: token ${env.GITEATOKEN}' \
|
||||
-H 'Content-Type: application/json' \
|
||||
-d '{
|
||||
"description": "${svcdesc}",
|
||||
"git_content": true,
|
||||
"git_hooks": true,
|
||||
"labels": true,
|
||||
"name": "${servicename}",
|
||||
"owner": "greyn",
|
||||
"private": false,
|
||||
"protected_branch": true,
|
||||
"topics": true,
|
||||
"webhooks": true
|
||||
}'
|
||||
"""
|
||||
//TODO: clone _template-service. Must be under greyn.
|
||||
//TODO: if not database version, strip out database stuff
|
||||
}
|
||||
}
|
||||
stage("jenkins pipeline"){
|
||||
steps{
|
||||
//the bad news is that it looks like it's not allowed to trigger just any old job remotely
|
||||
//the good news is that this seems to pick it up pretty reliably
|
||||
//sh """
|
||||
// curl -X POST -L --user ${env.JENKINS_USR}:${env.JENKINS_PSW} \
|
||||
// alloces.lan:8080/job/gitea.arg.rip/build
|
||||
// """
|
||||
|
||||
timeout(time: 5, unit: 'MINUTES') {
|
||||
sh """
|
||||
strRes=""
|
||||
while [ -z "\$strRes" ];
|
||||
do
|
||||
sleep 5;
|
||||
strRes=\$(curl -X GET -s -u ${env.JENKINS_USR}:'${env.JENKINS_PSW}' \
|
||||
alloces.lan:8080/job/gitea.arg.rip/api/json \
|
||||
| jq ".jobs.[] | select(.name==\"${env.servicename}\")")
|
||||
done
|
||||
"""
|
||||
}
|
||||
sshagent(['f42347e9-e3b5-44af-a1af-c5e7b9775fee']) {
|
||||
sh """
|
||||
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
|
||||
pushd ${servicename}
|
||||
|
||||
dbstartline=\$(sed -n '/---dbstart---]/=' Jenkinsfile)
|
||||
dbendline=\$(sed -n '/---dbend---/=' Jenkinsfile)
|
||||
"""
|
||||
script { //there's no "if" "step" so any "if" must be in a "script" step
|
||||
if(params.database){
|
||||
sh """
|
||||
sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile
|
||||
|
||||
databasecredsid=\$(uuidgen)
|
||||
|
||||
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
||||
echo $CRUMB
|
||||
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
||||
--data-urlencode 'json={
|
||||
"": "0",
|
||||
"credentials": {
|
||||
"scope": "GLOBAL",
|
||||
"id": "$databasecredsid",
|
||||
"secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;",
|
||||
"description": "database connection string",
|
||||
"\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
|
||||
}
|
||||
}'
|
||||
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile
|
||||
|
||||
git add .
|
||||
git commit -m "set up for database"
|
||||
"""
|
||||
}
|
||||
else{
|
||||
sh """
|
||||
sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile
|
||||
git add .
|
||||
git commit -m "stripped database lines"
|
||||
"""
|
||||
}
|
||||
|
||||
sh """
|
||||
popd
|
||||
|
||||
env.usernameCredsId=\$(uuidgen)
|
||||
|
||||
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
||||
echo $CRUMB
|
||||
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
||||
--data-urlencode 'json={
|
||||
"": "0",
|
||||
"credentials": {
|
||||
"scope": "GLOBAL",
|
||||
"id": "$env.usernameCredsId",
|
||||
"username": "${servicename}",
|
||||
"password": "${env.pw_linuxserviceaccount}",
|
||||
"description": "service account login",
|
||||
"\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
|
||||
}
|
||||
}'
|
||||
|
||||
certCredsId=\$(uuidgen)
|
||||
|
||||
|
||||
ssh-keygen -t ed25519 -f "${servicename}" -N ""
|
||||
privatekeycontent=\$(cat ${servicename}))
|
||||
pubkeycontent=\$(cat ${servicename}.pub))
|
||||
CRUMB=\$(url -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
||||
echo $CRUMB
|
||||
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
||||
--data-urlencode 'json={
|
||||
"": "0",
|
||||
"credentials": {
|
||||
"scope": "GLOBAL",
|
||||
"id": "$env.usernameCredsId",
|
||||
"username": "${servicename}",
|
||||
"password": "",
|
||||
"privateKeySource": {
|
||||
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
|
||||
"privateKey": "$privatekeycontent",
|
||||
},
|
||||
"description": "${servicename}",
|
||||
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
|
||||
},
|
||||
"description": "service account ssh",
|
||||
"\$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
|
||||
}
|
||||
}'
|
||||
privatekeycontent=
|
||||
|
||||
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
|
||||
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
|
||||
|
||||
"""
|
||||
sh """
|
||||
git push
|
||||
popd
|
||||
"""
|
||||
}
|
||||
}
|
||||
//TODO: tell jenkins to scan greyn pipeline
|
||||
//TODO: find this new service in jenkins
|
||||
//TODO: add the shared secrets to jenkins
|
||||
}
|
||||
}
|
||||
stage("service account"){
|
||||
steps{
|
||||
script {
|
||||
sshagent([SUDOERSSH])
|
||||
{
|
||||
sh """ssh -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||
useradd -m -s /bin/bash $username
|
||||
echo "$username:$password" | chpasswd
|
||||
loginctl enable-linger $username
|
||||
cd ~/home/$username
|
||||
mkdir .ssh
|
||||
pushd .ssh
|
||||
echo $pubkeycontent > authorized_keys
|
||||
popd
|
||||
chown -R $username:$username .ssh
|
||||
ENDSSH
|
||||
"""
|
||||
}
|
||||
//jenkins, the user trying to SSH, must be able to ssh in and sudo
|
||||
ssh user@host username=$servicename password=${env.pw_linuxserviceaccount} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||
useradd -m -s /bin/bash $username
|
||||
echo "$username:$password" | chpasswd
|
||||
loginctl enable-linger $username
|
||||
ENDSSH
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -219,49 +59,32 @@ pipeline {
|
||||
//i'm pretty sure "update" with nothing will init?
|
||||
//meaning we don't have to init, first update will init
|
||||
script {
|
||||
sshagent([SUDOERSSH])
|
||||
{
|
||||
sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||
create database $servicename;
|
||||
create user $servicename with encrypted password '$pw_productiondatabase';
|
||||
grant all privileges on database $servicename to $servicename;
|
||||
ENDPSQL
|
||||
|
||||
service_dev="${servicename}_dev"
|
||||
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||
create database $service_dev;
|
||||
create user $service_dev with encrypted password '$pw_developmentdatabase';
|
||||
grant all privileges on database $service_dev to $service_dev;
|
||||
ENDPSQL
|
||||
|
||||
ENDSSH"""
|
||||
}
|
||||
ssh user@host servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||
create database $servicename;
|
||||
create user $servicename with encrypted password '$pw_productiondatabase';
|
||||
grant all privileges on database $servicename to $servicename;
|
||||
ENDPSQL
|
||||
|
||||
service_dev="${servicename}_dev"
|
||||
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||
create database $service_dev;
|
||||
create user $service_dev with encrypted password '$pw_developmentdatabase';
|
||||
grant all privileges on database $service_dev to $service_dev;
|
||||
ENDPSQL
|
||||
|
||||
ENDSSH
|
||||
}
|
||||
}
|
||||
}
|
||||
stage("initial service setup"){
|
||||
steps{
|
||||
sshagent([SUDOERSSH])
|
||||
{
|
||||
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
|
||||
sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||
sudo -u ${servicename} && bash -s << 'ENDASSERVICE'
|
||||
systemctl --user daemon-reload
|
||||
systemctl --user enable $servicename.service
|
||||
ENDASSERVICE
|
||||
ENDSSH"""
|
||||
}
|
||||
sh 'scp $servicename.service user@server:~/.config/systemd/user/$servicename.service'
|
||||
ssh user@host servicename=$servicename svcpw=$ARG2 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||
systemctl --user daemon-reload
|
||||
systemctl --user enable $servicename.service
|
||||
ENDSSH
|
||||
}
|
||||
}
|
||||
}
|
||||
post {
|
||||
failure {
|
||||
matrixSendMessage https:true, hostname: 'greyn.club', port:8448, accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :(', formattedBody: "1-click service <b>failed</b> :("
|
||||
}
|
||||
success {
|
||||
matrixSendMessage https:true, hostname: 'greyn.club', port:8448, accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!', formattedBody: '1-click service success! go pick up the credentials!'
|
||||
//TODO: archiveArtifacts the password data, then store them somewhere
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user