1 files changed, 184 insertions, 0 deletions
diff --git a/roles/services/jenkins/tasks/main.yml b/roles/services/jenkins/tasks/main.yml
new file mode 100644
index 0000000..29dbb28
--- /dev/null
+++ b/roles/services/jenkins/tasks/main.yml
@@ -0,0 +1,184 @@
+- name: install extrepo
+  package:
+    name: extrepo
+    state: latest
+- name: add jenkins repo
+  register: result
+  changed_when: result.stdout | regex_search("skipped") | bool
+  notify: update repos
+  command:
+    cmd: extrepo enable jenkins
+    creates: /etc/apt/sources.list.d/extrepo_jenkins.sources
+- meta: flush_handlers
+- name: update jenkins repo data
+  changed_when: false
+  command:
+    cmd: extrepo update jenkins
+- name: install packages
+  package:
+    name: "{{ jenkins_packages }}"
+- name: generate ssh key for jenkins user
+  user:
+    name: jenkins
+    generate_ssh_key: yes
+- name: get jenkins user ssh key
+  changed_when: false
+  command: cat /var/lib/jenkins/.ssh/id_rsa.pub
+  register: pubkey
+- name: create jenkins user in freeipa
+  freeipa.ansible_freeipa.ipauser:
+    ipaadmin_principal:
+    ipaadmin_password: "{{ ipafulladmin_password }}"
+    name: jenkins
+    passwordexpiration: "2050-01-01"
+    first: jenkins
+    last: ci
+    sshpubkey: "{{ pubkey.stdout }}"
+- name: create jenkins_admin group in freeipa
+  freeipa.ansible_freeipa.ipagroup:
+    ipaadmin_password: "{{ ipafulladmin_password }}"
+    name: jenkins_admin
+- name: add user jenkins to jenkins_admin group in freeipa
+  freeipa.ansible_freeipa.ipagroup:
+    ipaadmin_password: "{{ ipafulladmin_password }}"
+    name: jenkins_admin
+    action: member
+    user:
+      - jenkins
+- name: create sudo rule to allow jenkins to execute on all without password
+  freeipa.ansible_freeipa.ipasudorule:
+    ipaadmin_password: "{{ ipafulladmin_password }}"
+    name: jenkins_rule
+    sudooption: "!authenticate"
+    group: jenkins_admin
+    hostcategory: all
+    cmdcategory: all
+    runasusercategory: all
+    runasgroupcategory: all
+- name: deploy nginx configuration
+  copy:
+    src: "{{ jenkins_nginx_config }}"
+    dest: /etc/nginx/sites-available/jenkins.conf
+    owner: root
+    group: root
+    mode: '0644'
+  register: nginx_config
+  notify: restart nginx
+- name: create cert/key dir
+  file:
+    state: directory
+    path: "/etc/letsencrypt/live/{{ services_domain }}"
+    owner: root
+    group: root
+    mode: "0755"
+- name: remove existing private key file
+  file:
+    path: "/etc/letsencrypt/live/{{ services_domain }}/privkey.pem"
+    state: absent
+- name: write private key to file
+  lineinfile:
+    path: "/etc/letsencrypt/live/{{ services_domain }}/privkey.pem"
+    line: "{{ nginx_key }}"
+    insertbefore: EOF
+    create: yes
+- name: deploy cert
+  copy:
+    src: "{{ nginx_cert }}"
+    dest: "/etc/letsencrypt/live/{{ services_domain }}/fullchain.pem"
+    owner: root
+    group: root
+    mode: '0644'
+- name: symlink site
+  file:
+    src: /etc/nginx/sites-available/jenkins.conf
+    dest: /etc/nginx/sites-enabled/jenkins.conf
+    owner: root
+    group: root
+    state: link
+- name: allow http (80/tcp) traffic
+  ufw:
+    rule: allow
+    port: '80'
+    proto: tcp
+- name: allow https (443/tcp) traffic
+  ufw:
+    rule: allow
+    port: '443'
+    proto: tcp
+- name: install ansible plugin
+  jenkins_plugin:
+    url_username: "{{ jenkins_username }}"
+    url_password: "{{ jenkins_apikey }}"
+    url: "{{ jenkins_url }}"
+    name: ansible
+- name: install gitea plugin
+  jenkins_plugin:
+    url_username: "{{ jenkins_username }}"
+    url_password: "{{ jenkins_apikey }}"
+    url: "{{ jenkins_url }}"
+    name: gitea
+- name: install openid login plugin
+  jenkins_plugin:
+    url_username: "{{ jenkins_username }}"
+    url_password: "{{ jenkins_apikey }}"
+    url: "{{ jenkins_url }}"
+    name: oic-auth
+- name: install prometheus plugin
+  jenkins_plugin:
+    url_username: "{{ jenkins_username }}"
+    url_password: "{{ jenkins_apikey }}"
+    url: "{{ jenkins_url }}"
+    name: prometheus
+- name: install casc plugin
+  jenkins_plugin:
+    url_username: "{{ jenkins_username }}"
+    url_password: "{{ jenkins_apikey }}"
+    url: "{{ jenkins_url }}"
+    name: configuration-as-code
+- name: install warnings-ng plugin
+  jenkins_plugin:
+    url_username: "{{ jenkins_username }}"
+    url_password: "{{ jenkins_apikey }}"
+    url: "{{ jenkins_url }}"
+    name: warnings-ng
+- name: deploy configuration as code file
+  register: casc_file
+  notify: restart jenkins
+  template:
+    src: "{{ jenkins_config }}"
+    dest: "/var/lib/jenkins/jenkins.yaml"
+    owner: jenkins
+    group: jenkins
+    mode: "0644"
+- name: enable jenkins
+  systemd:
+    daemon_reload: yes
+    enabled: yes
+    masked: no
+    name: jenkins

diff --git a/roles/services/jenkins/tasks/main.yml b/roles/services/jenkins/tasks/main.yml new file mode 100644 index 0000000..29dbb28 --- /dev/null +++ b/roles/services/jenkins/tasks/main.yml
@@ -0,0 +1,184 @@
	1	- name: install extrepo
	2	package:
	3	name: extrepo
	4	state: latest
	5
	6	- name: add jenkins repo
	7	register: result
	8	changed_when: result.stdout \| regex_search("skipped") \| bool
	9	notify: update repos
	10	command:
	11	cmd: extrepo enable jenkins
	12	creates: /etc/apt/sources.list.d/extrepo_jenkins.sources
	13
	14	- meta: flush_handlers
	15
	16	- name: update jenkins repo data
	17	changed_when: false
	18	command:
	19	cmd: extrepo update jenkins
	20
	21	- name: install packages
	22	package:
	23	name: "{{ jenkins_packages }}"
	24
	25	- name: generate ssh key for jenkins user
	26	user:
	27	name: jenkins
	28	generate_ssh_key: yes
	29
	30	- name: get jenkins user ssh key
	31	changed_when: false
	32	command: cat /var/lib/jenkins/.ssh/id_rsa.pub
	33	register: pubkey
	34
	35	- name: create jenkins user in freeipa
	36	freeipa.ansible_freeipa.ipauser:
	37	ipaadmin_principal:
	38	ipaadmin_password: "{{ ipafulladmin_password }}"
	39	name: jenkins
	40	passwordexpiration: "2050-01-01"
	41	first: jenkins
	42	last: ci
	43	sshpubkey: "{{ pubkey.stdout }}"
	44
	45	- name: create jenkins_admin group in freeipa
	46	freeipa.ansible_freeipa.ipagroup:
	47	ipaadmin_password: "{{ ipafulladmin_password }}"
	48	name: jenkins_admin
	49
	50	- name: add user jenkins to jenkins_admin group in freeipa
	51	freeipa.ansible_freeipa.ipagroup:
	52	ipaadmin_password: "{{ ipafulladmin_password }}"
	53	name: jenkins_admin
	54	action: member
	55	user:
	56	- jenkins
	57
	58	- name: create sudo rule to allow jenkins to execute on all without password
	59	freeipa.ansible_freeipa.ipasudorule:
	60	ipaadmin_password: "{{ ipafulladmin_password }}"
	61	name: jenkins_rule
	62	sudooption: "!authenticate"
	63	group: jenkins_admin
	64	hostcategory: all
	65	cmdcategory: all
	66	runasusercategory: all
	67	runasgroupcategory: all
	68
	69	- name: deploy nginx configuration
	70	copy:
	71	src: "{{ jenkins_nginx_config }}"
	72	dest: /etc/nginx/sites-available/jenkins.conf
	73	owner: root
	74	group: root
	75	mode: '0644'
	76	register: nginx_config
	77	notify: restart nginx
	78
	79	- name: create cert/key dir
	80	file:
	81	state: directory
	82	path: "/etc/letsencrypt/live/{{ services_domain }}"
	83	owner: root
	84	group: root
	85	mode: "0755"
	86
	87	- name: remove existing private key file
	88	file:
	89	path: "/etc/letsencrypt/live/{{ services_domain }}/privkey.pem"
	90	state: absent
	91
	92	- name: write private key to file
	93	lineinfile:
	94	path: "/etc/letsencrypt/live/{{ services_domain }}/privkey.pem"
	95	line: "{{ nginx_key }}"
	96	insertbefore: EOF
	97	create: yes
	98
	99	- name: deploy cert
	100	copy:
	101	src: "{{ nginx_cert }}"
	102	dest: "/etc/letsencrypt/live/{{ services_domain }}/fullchain.pem"
	103	owner: root
	104	group: root
	105	mode: '0644'
	106
	107	- name: symlink site
	108	file:
	109	src: /etc/nginx/sites-available/jenkins.conf
	110	dest: /etc/nginx/sites-enabled/jenkins.conf
	111	owner: root
	112	group: root
	113	state: link
	114
	115	- name: allow http (80/tcp) traffic
	116	ufw:
	117	rule: allow
	118	port: '80'
	119	proto: tcp
	120
	121	- name: allow https (443/tcp) traffic
	122	ufw:
	123	rule: allow
	124	port: '443'
	125	proto: tcp
	126
	127	- name: install ansible plugin
	128	jenkins_plugin:
	129	url_username: "{{ jenkins_username }}"
	130	url_password: "{{ jenkins_apikey }}"
	131	url: "{{ jenkins_url }}"
	132	name: ansible
	133
	134	- name: install gitea plugin
	135	jenkins_plugin:
	136	url_username: "{{ jenkins_username }}"
	137	url_password: "{{ jenkins_apikey }}"
	138	url: "{{ jenkins_url }}"
	139	name: gitea
	140
	141	- name: install openid login plugin
	142	jenkins_plugin:
	143	url_username: "{{ jenkins_username }}"
	144	url_password: "{{ jenkins_apikey }}"
	145	url: "{{ jenkins_url }}"
	146	name: oic-auth
	147
	148	- name: install prometheus plugin
	149	jenkins_plugin:
	150	url_username: "{{ jenkins_username }}"
	151	url_password: "{{ jenkins_apikey }}"
	152	url: "{{ jenkins_url }}"
	153	name: prometheus
	154
	155	- name: install casc plugin
	156	jenkins_plugin:
	157	url_username: "{{ jenkins_username }}"
	158	url_password: "{{ jenkins_apikey }}"
	159	url: "{{ jenkins_url }}"
	160	name: configuration-as-code
	161
	162	- name: install warnings-ng plugin
	163	jenkins_plugin:
	164	url_username: "{{ jenkins_username }}"
	165	url_password: "{{ jenkins_apikey }}"
	166	url: "{{ jenkins_url }}"
	167	name: warnings-ng
	168
	169	- name: deploy configuration as code file
	170	register: casc_file
	171	notify: restart jenkins
	172	template:
	173	src: "{{ jenkins_config }}"
	174	dest: "/var/lib/jenkins/jenkins.yaml"
	175	owner: jenkins
	176	group: jenkins
	177	mode: "0644"
	178
	179	- name: enable jenkins
	180	systemd:
	181	daemon_reload: yes
	182	enabled: yes
	183	masked: no
	184	name: jenkins