From 95b73daa36b23565a8566f71f9b202d3459b685f Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 25 Jun 2023 09:52:36 -0400
Subject: Initial Commit
---
data/jenkins/configuration.yml.j2 | 163 ++++++++++++++++++++++++++++++++++++++
data/jenkins/jenkins.conf | 85 ++++++++++++++++++++
2 files changed, 248 insertions(+)
create mode 100644 data/jenkins/configuration.yml.j2
create mode 100644 data/jenkins/jenkins.conf
(limited to 'data/jenkins')
diff --git a/data/jenkins/configuration.yml.j2 b/data/jenkins/configuration.yml.j2
new file mode 100644
index 0000000..c5f652d
--- /dev/null
+++ b/data/jenkins/configuration.yml.j2
@@ -0,0 +1,163 @@
+credentials:
+ system:
+ domainCredentials:
+ - credentials:
+ - basicSSHUserPrivateKey:
+ description: "SSH Key for Jenkins User in FreeIPA"
+ id: "jenkins_freeipa_ssh"
+ privateKeySource:
+ directEntry:
+ privateKey: "{{ jenkins_privkey }}"
+ scope: GLOBAL
+ username: "jenkins"
+ - string:
+ description: "Ansible Vault Credentials"
+ id: "ansible_vault"
+ scope: GLOBAL
+ secret: "{{ jenkins_vault }}"
+jenkins:
+ agentProtocols:
+ - "JNLP4-connect"
+ - "Ping"
+ authorizationStrategy:
+ loggedInUsersCanDoAnything:
+ allowAnonymousRead: true
+ crumbIssuer:
+ standard:
+ excludeClientIPFromCrumb: false
+ disableRememberMe: false
+ disabledAdministrativeMonitors:
+ - "jenkins.diagnostics.ControllerExecutorsNoAgents"
+ labelAtoms:
+ - name: "built-in"
+ markupFormatter: "plainText"
+ mode: NORMAL
+ myViewsTabBar: "standard"
+ noUsageStatistics: true
+ numExecutors: 1
+ primaryView:
+ all:
+ name: "all"
+ projectNamingStrategy: "standard"
+ quietPeriod: 5
+ remotingSecurity:
+ enabled: true
+ scmCheckoutRetryCount: 0
+ securityRealm:
+ oic:
+ authorizationServerUrl: "https://auth.chudnick.com/api/oidc/authorization"
+ automanualconfigure: "auto"
+ clientId: "jenkins"
+ clientSecret: "{{ jenkins_oic_secret }}"
+ disableSslVerification: false
+ escapeHatchEnabled: false
+ escapeHatchSecret: "{{ jenkins_oic_escapehatch }}"
+ logoutFromOpenidProvider: false
+ scopes: "openid offline_access profile groups email"
+ tokenAuthMethod: "client_secret_post"
+ tokenServerUrl: "https://auth.chudnick.com/api/oidc/token"
+ userInfoServerUrl: "https://auth.chudnick.com/api/oidc/userinfo"
+ userNameField: "sub"
+ wellKnownOpenIDConfigurationUrl: "https://auth.chudnick.com/.well-known/openid-configuration"
+ slaveAgentPort: -1
+ updateCenter:
+ sites:
+ - id: "default"
+ url: "https://updates.jenkins.io/update-center.json"
+ views:
+ - all:
+ name: "all"
+ viewsTabBar: "standard"
+globalCredentialsConfiguration:
+ configuration:
+ providerFilter: "none"
+ typeFilter: "none"
+security:
+ apiToken:
+ creationOfLegacyTokenEnabled: false
+ tokenGenerationOnCreationEnabled: false
+ usageStatisticsEnabled: true
+ gitHooks:
+ allowedOnAgents: false
+ allowedOnController: false
+ gitHostKeyVerificationConfiguration:
+ sshHostKeyVerificationStrategy: "knownHostsFileVerificationStrategy"
+ sSHD:
+ port: -1
+unclassified:
+ buildDiscarders:
+ configuredBuildDiscarders:
+ - "jobBuildDiscarder"
+ buildStepOperation:
+ enabled: false
+ fingerprints:
+ fingerprintCleanupDisabled: false
+ storage: "file"
+ scmGit:
+ addGitTagAction: false
+ allowSecondFetch: false
+ createAccountBasedOnEmail: false
+ disableGitToolChooser: false
+ hideCredentials: false
+ showEntireCommitSummaryInChanges: false
+ useExistingAccountWithSameEmail: false
+ giteaServers:
+ servers:
+ - displayName: "Local"
+ manageHooks: false
+ serverUrl: "https://gitea.chudnick.com"
+ globalTimeOutConfiguration:
+ operations:
+ - "abortOperation"
+ overwriteable: false
+ junitTestResultStorage:
+ storage: "file"
+ location:
+ adminAddress: "sam@chudnick.com"
+ url: "https://jenkins.chudnick.com/"
+ mailer:
+ charset: "UTF-8"
+ useSsl: false
+ useTls: false
+ metricsAccessKey:
+ accessKeys:
+ - canHealthCheck: true
+ canMetrics: true
+ canPing: true
+ canThreadDump: false
+ key: "{{ jenkins_metrics_key }}"
+ origins: "*"
+ pollSCM:
+ pollingThreadCount: 10
+ prometheusConfiguration:
+ appendParamLabel: false
+ appendStatusLabel: true
+ collectDiskUsage: true
+ collectingMetricsPeriodInSeconds: 120
+ countAbortedBuilds: true
+ countFailedBuilds: true
+ countNotBuiltBuilds: true
+ countSuccessfulBuilds: true
+ countUnstableBuilds: true
+ defaultNamespace: "default"
+ fetchTestResults: true
+ jobAttributeName: "jenkins_job"
+ path: "prometheus"
+ processingDisabledBuilds: false
+ useAuthenticatedEndpoint: false
+ themeManager:
+ disableUserThemes: false
+ theme: "dark"
+tool:
+ ansible:
+ installations:
+ - home: "/usr/bin/"
+ name: "Default"
+ git:
+ installations:
+ - home: "git"
+ name: "Default"
+ mavenGlobalConfig:
+ globalSettingsProvider: "standard"
+ settingsProvider: "standard"
+
diff --git a/data/jenkins/jenkins.conf b/data/jenkins/jenkins.conf
new file mode 100644
index 0000000..0c477a5
--- /dev/null
+++ b/data/jenkins/jenkins.conf
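Review bot: `allowAnonymousRead: true` under `authorizationStrategy` lets unauthenticated visitors of jenkins.chudnick.com read job listings, console output and artifacts, while `loggedInUsersCanDoAnything` hands every account the OIDC provider issues full administrative rights; since the `groups` scope is already requested, a group-aware matrix or role-based strategy with `allowAnonymousRead: false` would scope that access. The metrics surface is likewise open: `useAuthenticatedEndpoint: false` serves `/prometheus` without credentials and the access key under `metricsAccessKey` allows `origins: "*"`, so either enable the authenticated endpoint or restrict those paths to the scraper at the reverse proxy. Secrets are interpolated into double-quoted scalars such as `"{{ jenkins_vault }}"`, so a value containing `"` or `\` — or the newlines of the PEM key in `privateKey` — yields invalid YAML; if this template is rendered by Ansible, `{{ jenkins_vault | to_json }}` (and a block scalar with `indent` for the key) keeps the scalars well-formed. A short comment next to `escapeHatchEnabled: false` recording that the break-glass login is deliberately disabled would help the next maintainer, since the secret for it is still templated.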
@@ -0,0 +1,85 @@
+upstream jenkins {
+ keepalive 32; # keepalive connections
+ server 127.0.0.1:8080; # jenkins ip and port
+}
+
+# Required for Jenkins websocket agents
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 443 ssl;
+ server_name jenkins.chudnick.com;
+
+ ssl_certificate /etc/letsencrypt/live/chudnick.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/chudnick.com/privkey.pem;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # Security / XSS Mitigation Headers
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+
+ root /var/run/jenkins/war/;
+ access_log /var/log/nginx/jenkins.access.log;
+ error_log /var/log/nginx/jenkins.error.log;
+ ignore_invalid_headers off;
+
+ location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
+ # rewrite all static files into requests to the root
+ # E.g /static/12345678/css/something.css will become /css/something.css
+ rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
+ }
+
+ location /userContent {
+ # have nginx handle all the static requests to userContent folder
+ # note : This is the $JENKINS_HOME dir
+ root /var/lib/jenkins/;
+ if (!-f $request_filename){
+ # this file does not exist, might be a directory or a /**view** url
+ rewrite (.*) /$1 last;
+ break;
+ }
+ sendfile on;
+ }
+
+ location / {
+ sendfile off;
+ proxy_pass http://jenkins;
+ proxy_redirect default;
+ proxy_http_version 1.1;
+
+ # Required for Jenkins websocket agents
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_max_temp_file_size 0;
+
+ #this is the maximum upload size
+ client_max_body_size 10m;
+ client_body_buffer_size 128k;
+
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffering off;
+ proxy_request_buffering off; # Required for HTTP CLI commands
+ proxy_set_header Connection ""; # Clear for keepalive
+ }
+
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name jenkins.chudnick.com;
+ return 301 https://$host$request_uri;
+}
--
cgit v1.2.3
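Review bot: `location /` sets the `Connection` request header twice — `proxy_set_header Connection $connection_upgrade;` near the top and `proxy_set_header Connection "";` at the bottom — and nginx does not de-duplicate `proxy_set_header` fields within one block, so on ordinary (non-upgrade) requests the map's `close` value is presumably still sent and the `keepalive 32` pool in `upstream jenkins` never gets reused; verify against the upstream's connection count or a capture. If that holds, mapping the no-upgrade case to an empty value with `'' "";` in the `map` and dropping the trailing `proxy_set_header Connection "";` line preserves websocket upgrades while allowing persistent backend connections. The three `add_header` lines under `# Security / XSS Mitigation Headers` lack `always`, so unlike the HSTS line they are omitted on 4xx/5xx responses; append `always` to each. `X-XSS-Protection "1; mode=block"` is a deprecated header that current guidance recommends sending as `0` or omitting, and Jenkins already emits `X-Frame-Options` and `X-Content-Type-Options` itself, so the proxy copies will likely appear as duplicate fields — confirm that duplication is intended.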