This repository has been archived by the owner on Jan 9, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 10
/
master.yml
316 lines (274 loc) · 9.68 KB
/
master.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
---
- hosts: master
become: yes
become_method: sudo
vars:
jenkins_repo_url: https://pkg.jenkins.io/redhat/jenkins.repo
jenkins_repo_key_url: https://pkg.jenkins.io/redhat/jenkins.io.key
# this password file is currently not used
admin_password_filepath: /var/lib/jenkins/secrets/openscapPassword
important_jenkins_plugins:
- github
- github-oauth
- ghprb
- role-strategy
- cmakebuilder
- build-name-setter
- ssh-slaves
- leastload
- ansicolor
- nodelabelparameter
- managed-scripts
- greenballs # not important, but better than blue ones
- dynamic-axis
- embeddable-build-status # not stricly important, this is for build status in READMEs
- htmlpublisher
reset_jenkins_jobs: false # set this to true if you want all the jobs reset, you probably only need to do this when you lose the jenkins home dir data
jenkins_jobs:
- openscap-custom-repo
- openscap-daemon-pull-requests
- openscap-daemon
- openscap-maint
- openscap-master-disabled-probes
- openscap-master-pull-requests
- openscap-master
- openscap-parametrized
- openscap-pull-requests
- oscap-anaconda-addon-master
- oscap-anaconda-addon-pull-requests
- oscap-anaconda-addon-rhel7
- scap-security-guide-linkcheck
- scap-security-guide-nightly-multi-test
- scap-security-guide-nightly-oval510-zip
- scap-security-guide-nightly-zip
- scap-security-guide-nist-testsuite
- scap-security-guide-parameters
- scap-security-guide-pull-requests-multi
- scap-security-guide-pull-requests
- scap-security-guide-py2-py3-sanity
- scap-workbench-maint
- scap-workbench-pull-requests
- static_openscap_docs
domains:
- jenkins.complianceascode.io
tasks:
- name: Create mount point for Jenkins data directory
file:
path: /var/lib/jenkins
state: directory
- name: Install prerequisites for authorized keys addition
package:
name:
- libselinux-python
- python2-libsemanage
- name: Ensure Jenkins repo is enabled
get_url:
url: "{{ jenkins_repo_url }}"
dest: /etc/yum.repos.d/jenkins.repo
- name: Add Jenkins repo GPG key
rpm_key:
state: present
key: "{{ jenkins_repo_key_url }}"
- name: Ensure nginx (reverse proxy) repo is enabled
copy:
src: ./master_cfg/nginx.repo
dest: /etc/yum.repos.d/nginx.repo
- name: Ensure dependencies are installed
package:
name:
- curl
- libselinux-python
- initscripts
- java
- git # jenkins itself needs git as well
state: installed
- name: Ensure python dependencies are installed
pip:
name:
- python-jenkins # is in EPEL, but who cares if we have to pip lxml anyway
- lxml # libxml2 is RPM, but too old :(
- name: Install Jenkins
package:
name: jenkins
state: present
- name: Set up Jenkins user
user:
name: jenkins
comment: "Jenkins master user"
home: /var/lib/jenkins
generate_ssh_key: yes # we will use this key to connect to workers
- name: Fetch jenkins public key from master to local machine
fetch:
src: /var/lib/jenkins/.ssh/id_rsa.pub
dest: generated_bits/master_id_rsa.pub
flat: yes
fail_on_missing: yes
- name: Set up Jenkins service # this needs to be before set up Jenkins start-up options
service:
name: jenkins
enabled: yes
state: started
- name: Set up Jenkins start-up Java options
lineinfile:
dest: /etc/sysconfig/jenkins
regexp: '^JENKINS_JAVA_OPTIONS='
line: 'JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Djenkins.install.runSetupWizard=false"' # the setup wizard is a security risk
notify: restart jenkins
- name: Install nginx (reverse proxy)
package:
name: nginx
state: installed
- name: Set-up a directory for TLS certificates for nginx
file:
path: /etc/nginx/tls
state: directory
mode: 0755
owner: root
group: root
- name: Set-up a directory for letsencrypt .well-known files
file:
path: /letsencrypt_public_html/.well-known/
state: directory
mode: 0755
owner: root
group: root
setype: httpd_sys_content_t
- name: Check whether a TLS key for nginx is present
stat:
path: /etc/nginx/tls/server.key
register: nginx_tls_key
# no clue if I am doing this right...
- name: Generate self signed temporary TLS certificate for nginx
command: openssl req -new -nodes -x509 -subj "/C=US/ST=Massachusetts/L=Boston/O=IT/CN=jenkins.open-scap.org" -days 365 -keyout /etc/nginx/tls/server.key -out /etc/nginx/tls/server.crt -extensions v3_ca creates=/etc/nginx/tls/server.crt
when: nginx_tls_key.stat.exists == False # only if letsencrypt's cert is missing
- name: Config nginx (reverse proxy) with jenkins.conf
template:
src: ./master_cfg/nginx_jenkins.conf
dest: /etc/nginx/conf.d/jenkins.conf
notify: restart nginx
- name: Enable gzip compression in nginx (reverse proxy)
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: "^[\\s]*#?gzip"
line: " gzip on; gzip_disable \"msie6\"; gzip_comp_level 6; gzip_min_length 1100; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; gzip_vary on;"
notify: restart nginx
- name: Tell SELinux to let nginx (reverse proxy) connect to network
seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
- name: Set up nginx (reverse proxy) service
service:
name: nginx
enabled: yes
state: started
- name: Check admin password file
stat:
path: "{{ admin_password_filepath }}"
register: admin_password_file
- name: Slurp admin password from initialAdminPassword
slurp:
src: /var/lib/jenkins/secrets/initialAdminPassword
register: admin_passfile_init
when: admin_password_file.stat.exists == False
- name: Slurp admin password from openscapPassword
slurp:
src: "{{ admin_password_filepath }}"
register: admin_passfile_scap
when: admin_password_file.stat.exists == True
- name: Get admin password
set_fact:
admin_password: "{{ admin_passfile_scap if admin_password_file.stat.exists == True else admin_passfile_init }}"
- name: Decode admin password
set_fact:
admin_password: "{{ admin_password['content'] | b64decode | trim }}" # it contained newline character
- name: Set Jenkins master nr of executors to 0 # we don't want to ever build anything on master, only on workers
lineinfile:
dest: /var/lib/jenkins/config.xml
regexp: "^[\\s]*<numExecutors>"
line: " <numExecutors>0</numExecutors>"
notify: restart jenkins
- name: Install Jenkins plugins
jenkins_plugin:
name: "{{ item }}"
state: present
with_dependencies: yes
url_username: admin
url_password: "{{ admin_password }}"
register: jenkins_plugins
with_items: "{{ important_jenkins_plugins }}"
ignore_errors: True # We do ignore errors because with oauth set up,
# logging in with local admin account is no longer
# possible.
# TODO: make a check before and react accordingly
- name: Restart Jenkins if new plugins got installed
service:
name: jenkins
state: restarted
when: jenkins_plugins.changed
- name: Wait for Jenkins to start up
uri:
url: http://localhost:8080
method: GET
status_code: 200
timeout: 5
user: admin
password: "{{ admin_password }}"
force_basic_auth: yes
register: jenkins_service_status
# Empty jenkins starts in 4 seconds, 30 seconds should suffice
retries: 15
delay: 2
until: >
'status' in jenkins_service_status and
jenkins_service_status['status'] == 200
when: jenkins_plugins.changed
- name: Jenkins plugin enabling
jenkins_plugin:
name: "{{ item }}"
state: enabled
url_username: admin
url_password: "{{ admin_password }}"
with_items: "{{ important_jenkins_plugins }}"
notify: restart jenkins
ignore_errors: True # We do ignore errors because with oauth set up,
# logging in with local admin account is no longer
# possible.
# TODO: make a check before and react accordingly
- name: Create / Reset Jenkins jobs
jenkins_job:
config: "{{ lookup('file', 'jobs/' + item + '.xml') }}"
name: "{{ item }}"
user: admin
password: "{{ admin_password }}"
with_items: "{{ jenkins_jobs }}"
when: reset_jenkins_jobs
- name: Letsencrypt repository is available
git:
repo: https://github.com/letsencrypt/letsencrypt
dest: /root/letsencrypt
update: yes
- name: Copy the letsencrypt script over
template:
src: ./master_cfg/letsencrypt.sh
dest: /root/
mode: 0700
- name: Set-up automated letsencrypt TLS renewal via cron
cron:
name: "Renew TLS certificates via letsencrypt"
user: "root"
special_time: monthly
job: "/root/letsencrypt.sh"
- name: Restart Jenkins every other day
cron:
name: "Periodic Jenkins restart"
user: "root"
minute: 8
hour: 4 # Jenkins master operates within the UTC timezone, so 4 AM UTC should be OK
day: "*/2"
job: "/usr/bin/systemctl restart jenkins"
handlers:
- name: restart nginx
service: name=nginx state=restarted
- name: restart jenkins
service: name=jenkins state=restarted