nixos/services/jenkins: Introduce declarative credentials management #121958
base: master
Commit message (fragment): jenkins-cli command
Signed-off-by: Pamplemousse <xav.maso@gmail.com>
Force-pushed the branch from 978e1b5 to 46180e3
I marked this as stale due to inactivity.
Related: I came across https://www.jenkins.io/projects/jcasc/ (Jenkins Configuration as Code) today. It creates a bit of a bootstrap issue, as you need to first install the plugin (jenkinsPlugins2Nix is not broken now btw), but seems to help making Jenkins setups more declarative.
Of course, it turns out to not be truly declarative -- it supports adding and changing settings, but not removing 😢
config = mkIf (jenkinsCfg.enable && cfg.enable) {
assertions = [
{ assertion = jenkinsCfg.withCLI;
Instead of having this assertion that withCLI must be true, you can use an absolute path to the jenkins-cli program: ${pkgs.jenkins}/bin/jenkins-cli.
script =
let
_jenkinsCLI = {
auth = "-auth admin:\"$(cat ${jenkinsCfg.home}/secrets/initialAdminPassword)\"";
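Review bot: the auth value puts the admin password directly into the jenkins-cli argument list (-auth admin:"$(cat ${jenkinsCfg.home}/secrets/initialAdminPassword)"), so while the CLI runs it is readable by any local user through the process table (/proc/<pid>/cmdline); prefer jenkins-cli's file form, -auth @<path-to-credentials-file> (placeholder path), so the secret never appears in argv. The value also assumes secrets/initialAdminPassword exists, which is not the case when the setup wizard is disabled, so the script should fail with a clear message when the file is missing instead of sending an empty password.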
TODO: Check that initialAdminPassword gets created if -Djenkins.install.runSetupWizard=false is used.
> TODO: Check that initialAdminPassword gets created if -Djenkins.install.runSetupWizard=false is used.

It does not.
So this change depends on users having that plugin already installed? And currently that means imperatively installing the credentials plugin? Maybe we should get declarative plugin support in jenkins first?
@bjornfor, indeed, as the description of the PR says:
Thanks for taking interest in this PR by the way @bjornfor :)
Sorry I missed that. Should we mark this PR as a draft?
Signed-off-by: Pamplemousse xav.maso@gmail.com
Motivation for this change
Allow declarative management of credentials for Jenkins!
Depends on #121841 (I included its commits in this PR for the .credentials option to be reviewable - work).
There is a plugin to manage credentials: https://plugins.jenkins.io/credentials/. Useful to get stuff from SCMs, sign releases, and so on.
This is my first "real" contribution to the nixos/modules side of things. In particular, I took a very naive approach regarding the management of "secrets", which might be insecure:
- /var/lib/jenkins/credentials/<ID>/credentials.xml (However, the jenkins user already has means to read/write the content of credentials through the API anyway - i.e. I don't think this is effectively widening the attack surface.);
- /nix/store either.
Also, as is, here are known limitations:
- jenkins by default);
I had to start somewhere, and because it's somewhat my first time in this area of the repo, I was not shooting for a "perfect" solution.
Feedback appreciated! 🙏
Things done
- sandbox in nix.conf on non-NixOS linux)
- nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- ./result/bin/ )
- nix path-info -S before and after)