pipeline { agent any parameters { string(name: 'servicename', description: "service name") string(name: 'svcdesc', description: "service description") string(name: 'targetHost', description: "system to live on", defaultValue: "moloryb.lan") booleanParam(name: 'database', description: "service has a database", defaultValue: true) } environment { SUDOER_ALLOCES = credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c') SUDOER_MOLORYB = credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7') SUDOERSSHID = '2c48e1a9-22b2-455c-9959-6b29e86d3fb5' SUDOERSSH = credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5') JENKINS = credentials('68391381-e095-4b47-b956-d23055b0808e') GITEATOKEN = credentials('d0e86441-2157-405f-8539-a9a9010c6ecf') GITEA_USR='jenkins' } stages { stage("environment setup") { steps { script { if (servicename.isEmpty()) { error("servicename mandatory") } if (servicename.contains(' ')) { error("servicename cannot have spaces. try dashes.") } switch (targetHost) { case "alloces.lan": SUDOER_USR = SUDOER_ALLOCES_USR SUDOER_PSW = SUDOER_ALLOCES_PSW case "moloryb.lan": SUDOER_USR=SUDOER_MOLORYB_USR SUDOER_PSW=SUDOER_MOLORYB_PSW break default: error("target host not recognized. btw: yes .lan, all lowercase.") } env.pw_linuxserviceaccount=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX").trim() echo env.pw_linuxserviceaccount env.pw_productiondatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX").trim() echo env.pw_productiondatabase env.pw_developmentdatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX").trim() echo env.pw_developmentdatabase } } } stage("gitea project"){ steps{ sh """ curl -X 'POST' \ 'https://gitea.arg.rip/api/v1/repos/greyn/_template-service/generate' \ -H 'accept: application/json' \ -H 'Authorization: token ${env.GITEATOKEN}' \ -H 'Content-Type: application/json' \ -d '{ "description": "${svcdesc}", "git_content": true, "git_hooks": true, "labels": true, "name": "${servicename}", "owner": "greyn", "private": false, "protected_branch": true, "topics": true, "webhooks": true }' """ } } stage("jenkins pipeline"){ steps{ //the bad news is that it looks like it's not allowed to trigger just any old job remotely //the good news is that this seems to pick it up pretty reliably //sh """ // curl -X POST -L --user ${env.JENKINS_USR}:${env.JENKINS_PSW} \ // alloces.lan:8080/job/gitea.arg.rip/build // """ timeout(time: 5, unit: 'MINUTES') { sh """ strRes="" while [ -z "\$strRes" ]; do sleep 5; #curl -X GET ${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/api/json curl -X GET -s ${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/api/json > f.json strRes=\$(jq '.jobs' f.json | jq '.[] | select(.name==\"${env.servicename}\")') rm f.json done """ } withCredentials([sshUserPrivateKey(credentialsId: 'f42347e9-e3b5-44af-a1af-c5e7b9775fee', keyFileVariable: 'PK')]) { sh """#!/bin/bash #mkdir -p ~/.ssh #ssh-keyscan -t ed25519 gitea.arg.rip >> ~/.ssh/known_hosts #cat ~/.ssh/known_hosts #shit doesn't work. ssh in, git clone, get your shit set up for keys. git -c core.sshCommand="ssh -i '$PK'\" clone ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git #fyi, future me: pushd is useless here, it pops out. Like it's loading a script and exiting. """ script { //there's no "if" "step" so any "if" must be in a "script" step if(database){ sh """#!/bin/bash pushd ${servicename} dbstartline=\$(sed -n '/---dbstart---/=' Jenkinsfile) dbendline=\$(sed -n '/---dbend---/=' Jenkinsfile) echo \"yes db.\" sed -i \"\${dbstartline}d;\${dbendline}d\" Jenkinsfile databasecredsid=\$(uuidgen) httpBasicAuth=\"http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/\" echo \"\${httpBasicAuth}\" urlGetData=\"crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\\":\\",//crumb)\" CRUMB=\$(curl -s -c cookies.txt \"\${httpBasicAuth}\${urlGetData}\") echo "crumb anyway. \$CRUMB" curl -H \$CRUMB -X POST \"http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials\" \ --data-urlencode 'json={ "": "0", "credentials": { "scope": "GLOBAL", "id": "'"\$databasecredsid"'", "secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;", "description": "database connection string", "\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl" } }' sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('\$databasecredsid')/\' Jenkinsfile rm cookies.txt git add . git commit -m \"set up for database\" """ } else{ sh """#!/bin/bash echo \"no db\" pushd ${servicename} sed -i '\${dbstartline},\${dbendline}d;' Jenkinsfile git add . git commit -m "stripped database lines" """ } sh """#!/bin/bash pushd ${servicename} usernameCredsId=\$(uuidgen) CRUMB=\$(curl -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') echo \$CRUMB curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \ --data-urlencode 'json={ "": "0", "credentials": { "scope": "GLOBAL", "id": "'"\$usernameCredsId"'", "username": "${servicename}", "password": "${env.pw_linuxserviceaccount}", "description": "service account login", "\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl" } }' certCredsId=\$(uuidgen) # you git cloned ${servicename}. that's why it "already exists". ssh-keygen -t ed25519 -f "${servicename}-ssh" -N "" #chmod 600 \"${servicename}-ssh\" #chmod 600 \"${servicename}-ssh.pub\" privatekeycontent=\$(cat ${servicename}-ssh) pubkeycontent=\$(cat ${servicename}-ssh.pub) CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') echo \$CRUMB curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \ --data-urlencode 'json={ "": "0", "credentials": { "scope": "GLOBAL", "id": "'"\$usernameCredsId"'", "username": "${servicename}", "password": "", "privateKeySource": { "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey\$DirectEntryPrivateKeySource", "privateKey": "\$privatekeycontent", }, "description": "${servicename}", "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey" }, "description": "service account ssh", "\$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey" } }' privatekeycontent= sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile rm cookies.txt git -c core.sshCommand="ssh -i '$PK'\" push """ } } } } stage("service account"){ steps{ script { withCredentials([sshUserPrivateKey(credentialsId: env.SUDOERSSHID, keyFileVariable: 'PK')]) { sh """#!/bin/bash ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts cat "${PK}" curl -u '${env.GITEA_USR}:${env.GITEATOKEN}' https://gitea.arg.rip/greyn/deployment/raw/branch/service/scripts/serviceaccount.sh --output serviceaccount.sh sed -i 's/USERNAMETOADD=/USERNAMETOADD="${servicename}"/' serviceaccount.sh sed -i 's/PASSWORDTOADD=/PASSWORDTOADD="${env.pw_linuxserviceaccount}"/' serviceaccount.sh sed -i 's/PUBKEYCONTENT=/PUBKEYCONTENT="${env.pubkeycontent}"/' serviceaccount.sh sed -i 's/SUDOER_PSW=/SUDOER_PSW="${SUDOER_PSW}"/' serviceaccount.sh echo "serviceaccount :)" pwd ls cat serviceaccount.sh ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} > ~/.ssh/known_hosts ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} servicename=${servicename} pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH' sudo -u postgres psql && bash -s << 'ENDPSQL' create database $servicename; create user $servicename with encrypted password '$pw_productiondatabase'; grant all privileges on database $servicename to $servicename; ENDPSQL service_dev="${servicename}_dev" sudo -u postgres psql && bash -s << 'ENDPSQL' create database \$service_dev; create user \$service_dev with encrypted password '\$pw_developmentdatabase'; grant all privileges on database \$service_dev to \$service_dev; ENDPSQL ENDSSH """ } } } } stage("initial service setup"){ steps{ sshagent([SUDOERSSH]) { sh 'scp ${servicename}.service ${servicename}@${targetHost}:~/.config/systemd/user/${servicename}.service' sh """ssh -tt $SUDOER_USR@${targetHost} servicename=${servicename} pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH' sudo -u ${servicename} && bash -s << 'ENDASSERVICE' systemctl --user daemon-reload systemctl --user enable ${servicename}.service ENDASSERVICE ENDSSH""" } } } } post { failure { matrixSendMessage https:true, hostname: 'greyn.club', port:8448, accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :(', formattedBody: "1-click service failed :(" } success { matrixSendMessage https:true, hostname: 'greyn.club', port:8448, accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!', formattedBody: '1-click service success! go pick up the credentials!' //TODO: archiveArtifacts the password data, then store them somewhere } } }