Init

5 years ago · 93cdeafb47
11 changed files with 339 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,12 @@
+## Deployment
+
+To deploy the Jenkins server use the commands:
+```bash
+make build
+make run
+```
+
+To get the administrator password created use the command:
+```bash
+docker exec jenkins_master_1 cat /var/jenkins_home/secrets/initialAdminPassword
+```
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,78 @@
+version: '3.7'
+services:
+  jenkins:
+    build: ./jenkins
+    container_name: jenkins
+    user: root
+    volumes:
+      - jenkins-log:/var/log/jenkins
+      - jenkins-data:/var/jenkins_home
+      - ./jenkins/downloads:/var/jenkins_home/downloads
+      - /var/run/docker.sock:/var/run/docker.sock
+    secrets:
+      - jenkins_admin_username
+      - jenkins_admin_password
+    environment:
+      - VIRTUAL_HOST=jenkins.mthmmy.tk
+      - VIRTUAL_PORT=8080
+      - LETSENCRYPT_HOST=jenkins.mthmmy.tk
+      - LETSENCRYPT_EMAIL=apotwohd@gmail.com
+      - SONARQUBE_HOST=127.0.0.1:9000
+    networks:
+      - janus-net
+  nginx-proxy:
+    image: jwilder/nginx-proxy
+    container_name: nginx-proxy
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - janus-net
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+    environment:
+      - DEFAULT_HOST=mthmmy.tk
+      - conf:/etc/nginx/conf.d
+      - vhost:/etc/nginx/vhost.d
+      - html:/usr/share/nginx/html
+      - dhparam:/etc/nginx/dhparam
+      - certs:/etc/nginx/certs:ro
+  letsencrypt:
+    image: jrcs/letsencrypt-nginx-proxy-companion
+    container_name: nginx-proxy-le
+    volumes:
+      - conf:/etc/nginx/conf.d
+      - vhost:/etc/nginx/vhost.d
+      - html:/usr/share/nginx/html
+      - dhparam:/etc/nginx/dhparam
+      - certs:/etc/nginx/certs:rw
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - NGINX_PROXY_CONTAINER=nginx-proxy
+    networks:
+      - janus-net
+  sonarqube:
+    image: sonarqube
+    container_name: sonarqube
+    ports:
+      - "9000:9000"
+    networks:
+      - janus-net
+    expose:
+      - "9000"
+secrets:
+  jenkins_admin_username:
+    file: ./jenkins/user
+  jenkins_admin_password:
+    file: ./jenkins/pass
+volumes:
+  jenkins-data:
+  jenkins-log:
+  conf:
+  vhost:
+  html:
+  dhparam:
+  certs:
+networks:
+  janus-net:
+    driver: bridge
--- a/jenkins/Dockerfile
+++ b/jenkins/Dockerfile
@ -0,0 +1,33 @@
+FROM jenkinsci/blueocean
+LABEL maintainer="apotwohd@gmail.com"
+
+# Preps Jenkins directories
+USER root
+RUN mkdir /var/log/jenkins
+RUN mkdir /var/cache/jenkins
+RUN chown -R jenkins:jenkins /var/log/jenkins
+RUN chown -R jenkins:jenkins /var/cache/jenkins
+
+# Normally we should install docker inside container, but it seems to be working
+# without it.
+# ATENTION: version MUST be the same as host's docker installation!
+ARG VERSION=18.09
+RUN curl -fsSL https://get.docker.com -o get-docker.sh | sh
+
+USER jenkins
+
+# Security configuration script
+COPY security.groovy /var/jenkins_home/init.groovy.d/security.groovy
+
+# Automatically installs plugins
+COPY plugins.txt /usr/share/jenkins/ref/plugins.txt
+RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt
+
+# Adds scripts for tool installation
+COPY groovy/* /usr/share/jenkins/ref/init.groovy.d/
+
+# Sets defaults
+# Gets rid of admin password setup
+ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false -Xmx8192m"
+
+ENV JENKINS_OPTS="--handlerCountMax=300 --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war"
--- a/jenkins/downloads/jdk-7u76-linux-x64.tar.gz
+++ b/jenkins/downloads/jdk-7u76-linux-x64.tar.gz
@ -0,0 +1,9 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>404 Not Found</title>
+</head><body>
+<h1>Not Found</h1>
+<p>The requested URL /pub/funtoo/distfiles/oracle-java/jdk-7u76-linux-x64.tar.gz was not found on this server.</p>
+<hr>
+<address>Apache Server at ftp.osuosl.org Port 80</address>
+</body></html>
--- a/jenkins/downloads/jdk-8u131-linux-x64.tar.gz
+++ b/jenkins/downloads/jdk-8u131-linux-x64.tar.gz
@ -0,0 +1,9 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>404 Not Found</title>
+</head><body>
+<h1>Not Found</h1>
+<p>The requested URL /pub/funtoo/distfiles/oracle-java/jdk-8u131-linux-x64.tar.gz was not found on this server.</p>
+<hr>
+<address>Apache Server at ftp.osuosl.org Port 80</address>
+</body></html>
--- a/jenkins/groovy/java.groovy
+++ b/jenkins/groovy/java.groovy
@ -0,0 +1,29 @@
+import hudson.model.JDK
+
+import hudson.tools.InstallSourceProperty
+
+import hudson.tools.ZipExtractionInstaller
+
+def descriptor = new JDK.DescriptorImpl();
+
+def List<JDK> installations = []
+
+javaTools=[['name':'jdk8', 'url':'file:/var/jenkins_home/downloads/jdk-8u131-linux-x64.tar.gz', 'subdir':'jdk1.8.0_131'],
+
+      ['name':'jdk7', 'url':'file:/var/jenkins_home/downloads/jdk-7u76-linux-x64.tar.gz', 'subdir':'jdk1.7.0_76']]
+
+javaTools.each { javaTool ->
+
+    println("Setting up tool: ${javaTool.name}")
+
+    def installer = new ZipExtractionInstaller(javaTool.label as String, javaTool.url as String, javaTool.subdir as String);
+
+    def jdk = new JDK(javaTool.name as String, null, [new InstallSourceProperty([installer])])
+
+    installations.add(jdk)
+
+}
+
+descriptor.setInstallations(installations.toArray(new JDK[installations.size()]))
+
+descriptor.save()
--- a/jenkins/pass
+++ b/jenkins/pass
@ -0,0 +1 @@
+passasdf
--- a/jenkins/plugins.txt
+++ b/jenkins/plugins.txt
@ -0,0 +1,105 @@
+mailer
+blueocean-pipeline-editor
+blueocean-i18n
+pipeline-model-declarative-agent
+github-branch-source
+workflow-support
+durable-task
+cloudbees-folder
+workflow-cps-global-lib
+token-macro
+scm-api
+jquery-detached
+cloudbees-bitbucket-branch-source
+pipeline-stage-tags-metadata
+git-server
+blueocean-dashboard
+git
+jdk-tool
+pipeline-model-extensions
+docker-commons
+authentication-tokens
+matrix-project
+pipeline-github-lib
+git-client
+email-ext
+blueocean
+display-url-api
+workflow-cps
+blueocean-jwt
+workflow-durable-task-step
+ace-editor
+lockable-resources
+credentials-binding
+blueocean-web
+timestamper
+plain-credentials
+blueocean-commons
+blueocean-autofavorite
+blueocean-events
+gradle
+workflow-scm-step
+credentials
+handy-uri-templates-2-api
+blueocean-pipeline-api-impl
+discord-notifier
+antisamy-markup-formatter
+pipeline-rest-api
+junit
+workflow-basic-steps
+pipeline-model-api
+github-api
+jira
+pam-auth
+apache-httpcomponents-client-4-api
+blueocean-github-pipeline
+pipeline-stage-step
+ssh-slaves
+branch-api
+workflow-aggregator
+blueocean-config
+workflow-step-api
+pubsub-light
+blueocean-rest
+script-security
+blueocean-bitbucket-pipeline
+blueocean-pipeline-scm-api
+blueocean-git-pipeline
+bouncycastle-api
+momentjs
+pipeline-input-step
+workflow-multibranch
+variant
+structs
+blueocean-rest-impl
+subversion
+mapdb-api
+pipeline-stage-view
+matrix-auth
+workflow-job
+mercurial
+ssh-credentials
+sse-gateway
+pipeline-graph-analysis
+ws-cleanup
+jenkins-design-language
+pipeline-model-definition
+ant
+handlebars
+command-launcher
+ldap
+blueocean-personalization
+resource-disposer
+build-timeout
+blueocean-display-url
+pipeline-build-step
+pipeline-milestone-step
+workflow-api
+favorite
+jackson2-api
+blueocean-core-js
+docker-workflow
+blueocean-jira
+htmlpublisher
+jsch
+github
--- a/jenkins/security.groovy
+++ b/jenkins/security.groovy
@ -0,0 +1,52 @@
+#!groovy
+
+/*
+ * This script is based on the one found here:
+ * https://gist.github.com/eddie-knight/8f0dcb7422cb98d112b5244ea7600372
+*/
+
+import jenkins.model.*
+import hudson.security.*
+import jenkins.security.s2m.AdminWhitelistRule
+import hudson.security.csrf.DefaultCrumbIssuer
+import jenkins.security.s2m.AdminWhitelistRule
+
+def instance = Jenkins.getInstance()
+
+// Automate Admin Setup & Plugin Installs
+def user = new File("/run/secrets/jenkins_admin_username").text.trim()
+def pass = new File("/run/secrets/jenkins_admin_password").text.trim()
+
+// Create Admin User
+def hudsonRealm = new HudsonPrivateSecurityRealm(false)
+hudsonRealm.createAccount(user, pass)
+instance.setSecurityRealm(hudsonRealm)
+
+// Set Auth to Full Control Once Logged In
+def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
+instance.setAuthorizationStrategy(strategy)
+
+// Lock Down Jenkins Security
+instance.getInjector().getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false)
+
+// Disable remoting
+// We are not currently using Jenkins CLI
+//instance.getDescriptor("jenkins.CLI").get().setEnabled(false)
+
+// Enable Agent to master security subsystem
+instance.injector.getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false);
+
+// Disable jnlp
+instance.setSlaveAgentPort(-1);
+
+//  CSRF Protection
+instance.setCrumbIssuer(new DefaultCrumbIssuer(true))
+
+// Disable old Non-Encrypted protocols
+HashSet<String> newProtocols = new HashSet<>(instance.getAgentProtocols());
+newProtocols.removeAll(Arrays.asList(
+        "JNLP3-connect", "JNLP2-connect", "JNLP-connect", "CLI-connect"
+));
+instance.setAgentProtocols(newProtocols);
+
+instance.save()
--- a/jenkins/user
+++ b/jenkins/user
@ -0,0 +1 @@
+asdfasdf
--- a/10
+++ b/10
@ -0,0 +1,10 @@
+build:
+	@docker-compose -p janus build;
+run:
+	@docker-compose -p janus up -d
+stop:
+	@docker-compose -p janus down
+clean-data: 
+	@docker-compose -p janus down -v
+clean-images:
+	@docker rmi `docker images -q -f "dangling=true"`