scripts/1clickservice.groovy

@@ -3,20 +3,16 @@ pipeline {
     parameters { 
         string(name: 'servicename', description: "service name")
         string(name: 'svcdesc', description: "service description")
-        string(name: 'targetHost', description: "system to live on", defaultValue: "moloryb.lan")
+        boolean(name: 'database', description: "service has a database", defaultValue: true)
-        booleanParam(name: 'database', description: "service has a database", defaultValue: true)
     }
     environment {
-        //pw_linuxserviceaccount=""
+        pw_linuxserviceaccount=""
-        //pw_productiondatabase=""
+        pw_productiondatabase=""
-        //pw_developmentdatabase=""
+        pw_developmentdatabase=""
-        //SUDOER=credentials('') //going to be set based on target host
+        ALLOCES = credentials('//TODO: its usually a uuid')
-        SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
-        JENKINS=credentials('f1192e74-dfe0-402f-a189-703482d914fe')
-        GITEATOKEN = credentials('d0e86441-2157-405f-8539-a9a9010c6ecf')
     }
     stages {
-        stage("environment setup") {
+        stage("type strengthening") {
             steps {
                 script {
                     if (servicename.isEmpty()) {
@@ -25,191 +21,35 @@ pipeline {
                     if (servicename.contains(' ')) {
                         error("servicename cannot have spaces. try dashes.")
                     }
-
+                    sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
-                    switch (targetHost) {
+                    sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
-                        case "alloces.lan":
+                    sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
-                            SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
+                    //TODO: save them somewhere. probably better to not lock myself out of these accounts from moment 0 
-                        case "moloryb.lan":
-                            SUDOER=credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
-                      break
-                        default:
-                            error("target host not recognized. btw: yes .lan, all lowercase.")
-                    }
-
-                    env.pw_linuxserviceaccount=sh(returnStdout: true, script:  "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
-                    echo env.pw_linuxserviceaccount
-                    env.pw_productiondatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
-                    echo env.pw_productiondatabase
-                    env.pw_developmentdatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
-                    echo env.pw_developmentdatabase
                 }
             }
         }
         stage("gitea project"){
             steps{
-                sh """
+                //TODO: clone _template-service. Must be under greyn.
-                    curl -X 'POST' \
+                //TODO: if not database version, strip out database stuff
-                      'https://gitea.arg.rip/api/v1/repos/greyn/_template-service/generate' \
-                      -H 'accept: application/json' \
-                      -H 'Authorization: token ${env.GITEATOKEN}' \
-                      -H 'Content-Type: application/json' \
-                      -d '{
-                          "description": "${svcdesc}",
-                          "git_content": true,
-                          "git_hooks": true,
-                          "labels": true,
-                          "name": "${servicename}",
-                          "owner": "greyn",
-                          "private": false,
-                          "protected_branch": true,
-                          "topics": true,
-                          "webhooks": true
-                        }'
-                """
             }
         }
         stage("jenkins pipeline"){
             steps{
-                //the bad news is that it looks like it's not allowed to trigger just any old job remotely
+                //TODO: tell jenkins to scan greyn pipeline
-                //the good news is that this seems to pick it up pretty reliably
+                //TODO: find this new service in jenkins
-                //sh """
+                //TODO: add the shared secrets to jenkins
-                //    curl -X POST -L --user ${env.JENKINS_USR}:${env.JENKINS_PSW} \
-                //        alloces.lan:8080/job/gitea.arg.rip/build
-                //    """
-
-                timeout(time: 5, unit: 'MINUTES') {
-                    sh """
-                        strRes=""
-                        while [ -z "\$strRes" ]; 
-                        do
-                            sleep 5;
-                            strRes=\$(curl -X GET -s -u ${env.JENKINS_USR}:'${env.JENKINS_PSW}' \
-                                alloces.lan:8080/job/gitea.arg.rip/api/json \
-                                | jq ".jobs.[] | select(.name==\"${env.servicename}\")")
-                        done
-                    """ 
-                }
-                sshagent(['f42347e9-e3b5-44af-a1af-c5e7b9775fee']) {
-                    sh """
-                        git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
-                        pushd ${servicename}
-
-                        dbstartline=\$(sed -n '/---dbstart---]/=' Jenkinsfile)
-                        dbendline=\$(sed -n '/---dbend---/=' Jenkinsfile)
-                    """
-                    script { //there's no "if" "step" so any "if" must be in a "script" step
-                        if(params.database){
-                            sh """
-                                sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile
-
-                                databasecredsid=\$(uuidgen)
-
-                                CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
-                                echo $CRUMB
-                                curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
-                                --data-urlencode 'json={
-                                  "": "0",
-                                  "credentials": {
-                                    "scope": "GLOBAL",
-                                    "id": "$databasecredsid",
-                                    "secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;",
-                                    "description": "database connection string",
-                                    "\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
-                                  }
-                                }'
-                                sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile
-
-                                git add .
-                                git commit -m "set up for database"
-                            """
-                        }
-                        else{
-                            sh """
-                                sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile
-                                git add .
-                                git commit -m "stripped database lines"
-                            """
-                        }
-                    
-                        sh """
-                            popd
-
-                            env.usernameCredsId=\$(uuidgen)
-
-                            CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
-                            echo $CRUMB
-                            curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
-                            --data-urlencode 'json={
-                              "": "0",
-                              "credentials": {
-                                "scope": "GLOBAL",
-                                "id": "$env.usernameCredsId",
-                                "username": "${servicename}",
-                                "password": "${env.pw_linuxserviceaccount}",
-                                "description": "service account login",
-                                "\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
-                              }
-                            }'
-
-                            certCredsId=\$(uuidgen)
-
-
-                            ssh-keygen -t ed25519 -f "${servicename}" -N ""
-                            privatekeycontent=\$(cat ${servicename}))
-                            pubkeycontent=\$(cat ${servicename}.pub))
-                            CRUMB=\$(url -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
-                            echo $CRUMB
-                            curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
-                            --data-urlencode 'json={
-                              "": "0",
-                              "credentials": {
-                                "scope": "GLOBAL",
-                                "id": "$env.usernameCredsId",
-                                "username": "${servicename}",
-                                "password": "",
-                                "privateKeySource": {
-                                    "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
-                                      "privateKey": "$privatekeycontent",
-                                    },
-                                    "description": "${servicename}",
-                                    "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
-                                },
-                                "description": "service account ssh",
-                                "\$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
-                              }
-                            }'
-                            privatekeycontent=
-
-                            sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
-                            sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
-
-                        """
-                        sh """
-                            git push
-                            popd
-                        """
-                    }
-                }
             }
         }
         stage("service account"){
             steps{
                 script {
-                    sshagent([SUDOERSSH]) 
+                    //jenkins, the user trying to SSH, must be able to ssh in and sudo
-                    {
+                    ssh user@host username=$servicename password=${env.pw_linuxserviceaccount} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
-                        sh """ssh -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
+                        useradd -m -s /bin/bash $username
-                            useradd -m -s /bin/bash $username
+                        echo "$username:$password" | chpasswd
-                            echo "$username:$password" | chpasswd
+                        loginctl enable-linger $username
-                            loginctl enable-linger $username
+                    ENDSSH
-                            cd ~/home/$username
-                            mkdir .ssh
-                            pushd .ssh
-                            echo $pubkeycontent > authorized_keys
-                            popd
-                            chown -R $username:$username .ssh
-                        ENDSSH
-                        """
-                    }
                 }
             }
         }
@@ -219,49 +59,32 @@ pipeline {
                 //i'm pretty sure "update" with nothing will init? 
                 //meaning we don't have to init, first update will init
                 script {
-                    sshagent([SUDOERSSH])
+                    ssh user@host servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
-                    {
+                        sudo -u postgres psql && bash -s << 'ENDPSQL'
-                        sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
+                            create database $servicename;
-                            sudo -u postgres psql && bash -s << 'ENDPSQL'
+                            create user $servicename with encrypted password '$pw_productiondatabase';
-                                create database $servicename;
+                            grant all privileges on database $servicename to $servicename;
-                                create user $servicename with encrypted password '$pw_productiondatabase';
+                        ENDPSQL
-                                grant all privileges on database $servicename to $servicename;
+                        
-                            ENDPSQL
+                        service_dev="${servicename}_dev"
-                            
+                        sudo -u postgres psql && bash -s << 'ENDPSQL'
-                            service_dev="${servicename}_dev"
+                            create database $service_dev;
-                            sudo -u postgres psql && bash -s << 'ENDPSQL'
+                            create user $service_dev with encrypted password '$pw_developmentdatabase';
-                                create database $service_dev;
+                            grant all privileges on database $service_dev to $service_dev;
-                                create user $service_dev with encrypted password '$pw_developmentdatabase';
+                        ENDPSQL
-                                grant all privileges on database $service_dev to $service_dev;
+                
-                            ENDPSQL
+                    ENDSSH
-                    
-                        ENDSSH"""
-                    }
                 }
             }
         }
         stage("initial service setup"){
             steps{
-                sshagent([SUDOERSSH])
+                sh 'scp $servicename.service user@server:~/.config/systemd/user/$servicename.service'
-                {
+                ssh user@host servicename=$servicename svcpw=$ARG2 'echo "$ALLOCES_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
-                    sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
+                    systemctl --user daemon-reload
-                    sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
+                    systemctl --user enable $servicename.service
-                        sudo -u ${servicename} && bash -s << 'ENDASSERVICE'
+                ENDSSH
-                            systemctl --user daemon-reload
-                            systemctl --user enable $servicename.service
-                        ENDASSERVICE
-                    ENDSSH"""
-                }  
             }
         }
     }
-    post { 
-        failure {
-            matrixSendMessage https:true, hostname: 'greyn.club', port:8448, accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :(', formattedBody: "1-click service <b>failed</b> :(" 
-        }
-        success {
-            matrixSendMessage https:true, hostname: 'greyn.club', port:8448, accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!', formattedBody: '1-click service success! go pick up the credentials!'
-            //TODO: archiveArtifacts the password data, then store them somewhere
-        }
-    }
 }