From 95b73daa36b23565a8566f71f9b202d3459b685f Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 25 Jun 2023 09:52:36 -0400
Subject: Initial Commit
---
roles/services/jenkins/handlers/main.yml | 13 +++
roles/services/jenkins/tasks/main.yml | 184 +++++++++++++++++++++++++++++++
2 files changed, 197 insertions(+)
create mode 100644 roles/services/jenkins/handlers/main.yml
create mode 100644 roles/services/jenkins/tasks/main.yml
(limited to 'roles/services/jenkins')
diff --git a/roles/services/jenkins/handlers/main.yml b/roles/services/jenkins/handlers/main.yml
new file mode 100644
index 0000000..92f0084
--- /dev/null
+++ b/roles/services/jenkins/handlers/main.yml
@@ -0,0 +1,13 @@
+- name: update repos
+ apt:
+ update_cache: yes
+
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
+
+- name: restart jenkins
+ service:
+ name: jenkins
+ state: restarted
diff --git a/roles/services/jenkins/tasks/main.yml b/roles/services/jenkins/tasks/main.yml
new file mode 100644
index 0000000..29dbb28
--- /dev/null
+++ b/roles/services/jenkins/tasks/main.yml
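Review bot: `update_cache: yes` in the `update repos` handler relies on YAML 1.1 truthy parsing; write the boolean as `update_cache: true` so it reads the same under any loader and passes ansible-lint's truthy rule. The same spelling recurs in the tasks hunk (`generate_ssh_key: yes`, `create: yes`, `daemon_reload: yes`, `enabled: yes`, `masked: no`) and should be changed there in the same way.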
@@ -0,0 +1,184 @@
+- name: install extrepo
+ package:
+ name: extrepo
+ state: latest
+
+- name: add jenkins repo
+ register: result
+ changed_when: result.stdout | regex_search("skipped") | bool
+ notify: update repos
+ command:
+ cmd: extrepo enable jenkins
+ creates: /etc/apt/sources.list.d/extrepo_jenkins.sources
+
+- meta: flush_handlers
+
+- name: update jenkins repo data
+ changed_when: false
+ command:
+ cmd: extrepo update jenkins
+
+- name: install packages
+ package:
+ name: "{{ jenkins_packages }}"
+
+- name: generate ssh key for jenkins user
+ user:
+ name: jenkins
+ generate_ssh_key: yes
+
+- name: get jenkins user ssh key
+ changed_when: false
+ command: cat /var/lib/jenkins/.ssh/id_rsa.pub
+ register: pubkey
+
+- name: create jenkins user in freeipa
+ freeipa.ansible_freeipa.ipauser:
+ ipaadmin_principal:
+ ipaadmin_password: "{{ ipafulladmin_password }}"
+ name: jenkins
+ passwordexpiration: "2050-01-01"
+ first: jenkins
+ last: ci
+ sshpubkey: "{{ pubkey.stdout }}"
+
+- name: create jenkins_admin group in freeipa
+ freeipa.ansible_freeipa.ipagroup:
+ ipaadmin_password: "{{ ipafulladmin_password }}"
+ name: jenkins_admin
+
+- name: add user jenkins to jenkins_admin group in freeipa
+ freeipa.ansible_freeipa.ipagroup:
+ ipaadmin_password: "{{ ipafulladmin_password }}"
+ name: jenkins_admin
+ action: member
+ user:
+ - jenkins
+
+- name: create sudo rule to allow jenkins to execute on all without password
+ freeipa.ansible_freeipa.ipasudorule:
+ ipaadmin_password: "{{ ipafulladmin_password }}"
+ name: jenkins_rule
+ sudooption: "!authenticate"
+ group: jenkins_admin
+ hostcategory: all
+ cmdcategory: all
+ runasusercategory: all
+ runasgroupcategory: all
+
+- name: deploy nginx configuration
+ copy:
+ src: "{{ jenkins_nginx_config }}"
+ dest: /etc/nginx/sites-available/jenkins.conf
+ owner: root
+ group: root
+ mode: '0644'
+ register: nginx_config
+ notify: restart nginx
+
+- name: create cert/key dir
+ file:
+ state: directory
+ path: 
"/etc/letsencrypt/live/{{ services_domain }}"
+ owner: root
+ group: root
+ mode: "0755"
+
+- name: remove existing private key file
+ file:
+ path: "/etc/letsencrypt/live/{{ services_domain }}/privkey.pem"
+ state: absent
+
+- name: write private key to file
+ lineinfile:
+ path: "/etc/letsencrypt/live/{{ services_domain }}/privkey.pem"
+ line: "{{ nginx_key }}"
+ insertbefore: EOF
+ create: yes
+
+- name: deploy cert
+ copy:
+ src: "{{ nginx_cert }}"
+ dest: "/etc/letsencrypt/live/{{ services_domain }}/fullchain.pem"
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: symlink site
+ file:
+ src: /etc/nginx/sites-available/jenkins.conf
+ dest: /etc/nginx/sites-enabled/jenkins.conf
+ owner: root
+ group: root
+ state: link
+
+- name: allow http (80/tcp) traffic
+ ufw:
+ rule: allow
+ port: '80'
+ proto: tcp
+
+- name: allow https (443/tcp) traffic
+ ufw:
+ rule: allow
+ port: '443'
+ proto: tcp
+
+- name: install ansible plugin
+ jenkins_plugin:
+ url_username: "{{ jenkins_username }}"
+ url_password: "{{ jenkins_apikey }}"
+ url: "{{ jenkins_url }}"
+ name: ansible
+
+- name: install gitea plugin
+ jenkins_plugin:
+ url_username: "{{ jenkins_username }}"
+ url_password: "{{ jenkins_apikey }}"
+ url: "{{ jenkins_url }}"
+ name: gitea
+
+- name: install openid login plugin
+ jenkins_plugin:
+ url_username: "{{ jenkins_username }}"
+ url_password: "{{ jenkins_apikey }}"
+ url: "{{ jenkins_url }}"
+ name: oic-auth
+
+- name: install prometheus plugin
+ jenkins_plugin:
+ url_username: "{{ jenkins_username }}"
+ url_password: "{{ jenkins_apikey }}"
+ url: "{{ jenkins_url }}"
+ name: prometheus
+
+- name: install casc plugin
+ jenkins_plugin:
+ url_username: "{{ jenkins_username }}"
+ url_password: "{{ jenkins_apikey }}"
+ url: "{{ jenkins_url }}"
+ name: configuration-as-code
+
+- name: install warnings-ng plugin
+ jenkins_plugin:
+ url_username: "{{ jenkins_username }}"
+ url_password: "{{ jenkins_apikey }}"
+ url: "{{ jenkins_url }}"
+ name: warnings-ng
+
+- name: 
deploy configuration as code file
+ register: casc_file
+ notify: restart jenkins
+ template:
+ src: "{{ jenkins_config }}"
+ dest: "/var/lib/jenkins/jenkins.yaml"
+ owner: jenkins
+ group: jenkins
+ mode: "0644"
+
+- name: enable jenkins
+ systemd:
+ daemon_reload: yes
+ enabled: yes
+ masked: no
+ name: jenkins
--
cgit v1.2.3
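Review bot: The `write private key to file` task creates `privkey.pem` through `lineinfile` with `create: yes` but sets no `owner`, `group` or `mode`, so the TLS private key is created with the process's default umask (typically 0644, i.e. world-readable), whereas the `deploy cert` task right after it does pin `mode: '0644'` for the public chain. Writing the key with `copy` and `content` lets the mode be fixed at `'0600'`, makes the preceding `remove existing private key file` task unnecessary because `copy` is idempotent, and `no_log: true` keeps `nginx_key` out of the task output. Separately, the `ipasudorule` task grants the `jenkins_admin` group `!authenticate` with `hostcategory`, `cmdcategory`, `runasusercategory` and `runasgroupcategory` all set to `all`; since the jenkins user's SSH key is generated in the `generate ssh key for jenkins user` task with no `ssh_key_passphrase` and is readable by whatever runs as that user on the CI host, scoping the rule to the hosts and commands the pipelines actually need would limit what a compromised build job can reach. Also, `ipaadmin_principal:` in the `create jenkins user in freeipa` task is a bare key and parses as null; either give it a value or drop the key and rely on the module default.
```yaml
- name: write private key to file
  copy:
    content: "{{ nginx_key }}"
    dest: "/etc/letsencrypt/live/{{ services_domain }}/privkey.pem"
    owner: root
    group: root
    mode: '0600'
  no_log: true
# … unchanged: deploy cert, symlink site, ufw, plugin and casc tasks …
```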