From fe87db7acd1eb80b1c2132cb9acc79b239a45a1f Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 1 May 2019 16:35:13 +0200
Subject: [PATCH] Jenkins role: automate the initialization, create an admin user.

---
 jenkins/common/defaults/main.yml | 7 +++-
 jenkins/common/tasks/main.yml | 22 +++++++++++
 jenkins/master/defaults/main.yml | 45 +++++++++++++++++++---
 jenkins/master/tasks/jenkins_deb_pkgs.yml | 10 ++---
 jenkins/master/tasks/jenkins_init.yml | 18 +++++++++
 jenkins/master/tasks/jenkins_plugins.yml | 15 +++++++-
 jenkins/master/tasks/jenkins_rh_pkgs.yml | 3 ++
 jenkins/master/tasks/main.yml | 2 +
 jenkins/master/templates/admin_user.groovy | 24 ++++++++++++
 9 files changed, 131 insertions(+), 15 deletions(-)
 create mode 100644 jenkins/master/tasks/jenkins_init.yml
 create mode 100644 jenkins/master/templates/admin_user.groovy

diff --git a/jenkins/common/defaults/main.yml b/jenkins/common/defaults/main.yml
index dc125c3..b63b514 100644
--- a/jenkins/common/defaults/main.yml
+++ b/jenkins/common/defaults/main.yml
@@ -3,9 +3,12 @@ jenkins_dest: "/var/lib/jenkins"
 jenkins_username: jenkins
 jenkins_group: jenkins
-jenkins_shell: /bin/bash
+jenkins_shell: /usr/bin/nologin
+jenkins_slaves_via_ssh: True
-jenkins_maven_config: True
+
+# These should go away
+jenkins_maven_config: False
 jenkins_maven_settings_dirs:
 - .m2
diff --git a/jenkins/common/tasks/main.yml b/jenkins/common/tasks/main.yml
index b57d2d2..33d8446 100644
--- a/jenkins/common/tasks/main.yml
+++ b/jenkins/common/tasks/main.yml
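Review bot: The new `jenkins_shell: /usr/bin/nologin` is not where Debian or RHEL ship the nologin binary (`/usr/sbin/nologin` and `/sbin/nologin` respectively), and this patch targets both families through jenkins_deb_pkgs.yml and jenkins_rh_pkgs.yml; the account still ends up login-disabled, but it will be created with a shell path that does not exist on those systems, which user tooling warns about and which makes the intent harder to audit. The master role's own defaults still carry `jenkins_shell: /bin/bash` (visible as a context line in the `@@ -31,7 +62,8 @@` hunk of jenkins/master/defaults/main.yml), so which shell the service account actually gets depends on variable precedence between the two roles. I would pick the platform-correct nologin path here and either drop the master default or set it to the same value, with a one-line comment on why the service account has no interactive shell.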
@@ -1,4 +1,26 @@
 ---
+- block:
+ - name: Create the ssh key on the master node
+ user: name={{ jenkins_username }} generate_ssh_key=True
+ delegate_to: '{{ item }}'
+ with_items: '{{ groups.jenkins_master }}'
+
+ - name: Get the master ssh keys
+ become: True
+ become_user: '{{ jenkins_username }}'
+ shell: cat ~/.ssh/id_rsa.pub
+ register: jenkins_pubkeys
+
+ - name: Deploy the public ssh key on the slaves
+ authorized_key: user={{ jenkins_username }} key={{ item[0] }}
+ delegate_to: '{{ item[1] }}'
+ with_nested:
+ - '{{ jenkins_pubkeys.stdout }}'
+ - "{{ groups['jenkins_slaves'] }}"
+
+ when: jenkins_slaves_via_ssh
+ tags: [ 'jenkins', 'jenkins_common', 'jenkins_master', 'jenkins_slave', 'jenkins_slaves' ]
+
 - block:
 - name: Create the maven setting directory
 file: dest={{ jenkins_dest }}/{{ item }} state=directory
diff --git a/jenkins/master/defaults/main.yml b/jenkins/master/defaults/main.yml
index b6141ff..8345927 100644
--- a/jenkins/master/defaults/main.yml
+++ b/jenkins/master/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-jenkins_install: False
+jenkins_install: True
 jenkins_use_latest: False
 jenkins_pkg_state: latest
 jenkins_repo_key: 'https://pkg.jenkins.io/debian/jenkins-ci.org.key'
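Review bot: In the new ssh-key block only the middle task escalates (`become: True` / `become_user`), while the `user: ... generate_ssh_key=True` task and the `authorized_key:` task run as the connecting user; creating a key in the jenkins user's home and appending to authorized_keys on the slaves normally needs root, so unless the play is already privileged those two tasks will fail on the first run. The `shell: cat ~/.ssh/id_rsa.pub` step is also avoidable: the `user` module returns the generated key as `ssh_public_key` on its registered result, so registering the first task and reading `item.ssh_public_key` from its `results` removes the shell call and the `with_nested` over `jenkins_pubkeys.stdout`, which is a single string rather than a list. Note as well that the second and third tasks are not delegated, so every host in the play, slaves included, runs the `cat` and pushes whatever it finds into the slaves' authorized_keys; restricting the block to the master hosts (or delegating those tasks like the first one) keeps the trust relationship one-directional, master to slave only. The key type and size come from the `user` module defaults; if the project has a key policy, pass `ssh_key_type`/`ssh_key_bits` explicitly and say so in a comment.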
@@ -14,10 +14,41 @@ jenkins_rh_latest_repo_key: https://pkg.jenkins.io/redhat/jenkins.io.key
 jenkins_packages:
 - jenkins
-jenkins_package_requirements:
- - curl
+jenkins_deb_package_requirements:
 - python-svn
+ - dblatex
+ - imagemagick
+ - graphviz
+ - fonts-dejavu
+ - dos2unix
+ - build-essential
+ - curl
+ - fabric
+ - git
+ - git-svn
+ - maven
+ - python-dev
+ - sloccount
+ - subversion
+ - subversion-tools
+ - unzip
+jenkins_rh_package_requirements:
+ - curl
+ - dblatex
+ - docbook-utils-pdf
+ - texlive-cmap
+ - ImageMagick
+ - graphviz
+ - graphviz-java
+ - graphviz-graphs
+ - dejavu-sans-fonts
+ - dejavu-sans-mono-fonts
+ - dejavu-serif-fonts
+ - dejavu-fonts-common
+ - dos2unix
+
+jenkins_stb_support: False
 jenkins_sbt_launch_jars:
 - sbt-launch-0.11.0.jar
 - sbt-launch-0.12.jar
@@ -31,7 +62,8 @@ jenkins_webroot: /var/cache/jenkins/war
 jenkins_username: jenkins
 jenkins_group: jenkins
 jenkins_shell: /bin/bash
-jenkins_restart_delay: 60
+jenkins_restart_delay: 20
+jenkins_restart_wait_timeout: 600
 jenkins_admin_user: admin
 jenkins_jdk_xmx: 4096M
 jenkins_jdk_gc_opts: "-XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled"
@@ -41,7 +73,7 @@ jenkins_java_path: /usr/bin/java
 jenkins_cli_dest: "{{ jenkins_dest }}/jenkins-cli.jar" # Jenkins CLI destination
 jenkins_updates_dest: "{{ jenkins_dest }}/updates_jenkins.json" # Jenkins updates file
-jenkins_admin_user_pwd_file: "{{ jenkins_dest }}/.jenkins_admin_pwd"
+jenkins_admin_user_pwd_file: "{{ jenkins_dest }}/secrets/.jenkins_admin_pwd"
 jenkins_access_params:
 url_username: '{{ jenkins_admin_user }}'
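Review bot: The new flag is spelled `jenkins_stb_support` while the list it gates is `jenkins_sbt_launch_jars`, and the `when: jenkins_stb_support` added in jenkins/master/tasks/jenkins_deb_pkgs.yml carries the same typo, so the pair works today but anyone who sets `jenkins_sbt_support` in inventory by analogy with the jars list is silently ignored. I would rename it to `jenkins_sbt_support: False` here and in the deb task in the same commit. The Debian requirement list also grows to include `build-essential`, `python-dev` and `fabric` on the master host; if those exist for jobs rather than for Jenkins itself, a one-line comment above the list saying so will save the next person from trimming them.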
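Review bot: `jenkins_admin_user_pwd_file` now points under `{{ jenkins_dest }}/secrets`, but no default or placeholder for `jenkins_admin_pwd` accompanies it even though the new admin_user.groovy template and the password-file `copy` task in jenkins_plugins.yml both expand that variable; if it is meant to come from inventory or vault, a commented line in these defaults (`# jenkins_admin_pwd: set in inventory (vault), no default on purpose`) documents the contract instead of leaving an undefined-variable failure as the only hint. Whichever tasks render or write the value should also set `no_log: True` so it does not surface in task output or `--diff` mode. The move into `secrets/` is sensible, as that directory is created and owned by Jenkins at first start, but it means the `copy` task must run only after Jenkins has started once, which the `wait_for` ordering in jenkins_plugins.yml appears to satisfy.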
@@ -56,6 +88,7 @@ jenkins_plugins:
 - { name: 'github-api', state: 'latest', dependencies: 'True' }
 - { name: 'global-build-stats', state: 'latest', dependencies: 'True' }
 - { name: 'mailer', state: 'latest', dependencies: 'True' }
+ - { name: 'matrix-project', state: 'latest', dependencies: 'True' }
 - { name: 'maven-plugin', state: 'latest', dependencies: 'True' }
 - { name: 'monitoring', state: 'latest', dependencies: 'True' }
 - { name: 'extended-read-permission', state: 'latest', dependencies: 'True' }
@@ -71,4 +104,4 @@ jenkins_plugins:
 - { name: 'jquery-ui', state: 'latest', dependencies: 'True' }
 - { name: 'parameterized-trigger', state: 'latest', dependencies: 'True' }
 - { name: 'javadoc', state: 'latest', dependencies: 'True' }
- - { name: 'job-dsl-plugin', state: 'latest', dependencies: 'True' }
+ - { name: 'job-dsl', state: 'latest', dependencies: 'True' }
diff --git a/jenkins/master/tasks/jenkins_deb_pkgs.yml b/jenkins/master/tasks/jenkins_deb_pkgs.yml
index 111be20..05f5993 100644
--- a/jenkins/master/tasks/jenkins_deb_pkgs.yml
+++ b/jenkins/master/tasks/jenkins_deb_pkgs.yml
@@ -12,17 +12,16 @@
 when: jenkins_use_latest
 - name: Install jenkins
- apt: pkg={{ item }} state={{ jenkins_pkg_state }} update_cache=yes cache_valid_time=3600
+ apt: pkg={{ jenkins_packages }} state={{ jenkins_pkg_state }} update_cache=yes cache_valid_time=3600
 register: jenkins_install
- with_items: '{{ jenkins_packages }}'
 - name: Install some jenkins requirements
- apt: pkg={{ item }} state={{ jenkins_pkg_state }} update_cache=yes cache_valid_time=3600
- with_items: '{{ jenkins_package_requirements }}'
+ apt: pkg={{ jenkins_deb_package_requirements }} state={{ jenkins_pkg_state }} update_cache=yes cache_valid_time=3600
 - name: install sbt launcher
 copy: src={{ item }} dest=/usr/local/lib/{{ item }}
 with_items: '{{ jenkins_sbt_launch_jars }}'
+ when: jenkins_stb_support
 - name: Set the startup jenkins options
 template: src=jenkins.default.j2 dest=/etc/default/jenkins owner=root group=root mode=0444
@@ -45,8 +44,7 @@
 service: name=jenkins state=stopped enabled=no
 - name: Remove jenkins
- apt: pkg={{ item }} state=absent
- with_items: '{{ jenkins_packages }}'
+ apt: pkg={{ jenkins_packages }} state=absent
 - name: Remove the jenkins stable repository
 apt_repository: repo='{{ jenkins_stable_repo }}' state=absent update_cache=yes
diff --git a/jenkins/master/tasks/jenkins_init.yml b/jenkins/master/tasks/jenkins_init.yml
new file mode 100644
index 0000000..a3845e9
--- /dev/null
+++ b/jenkins/master/tasks/jenkins_init.yml
@@ -0,0 +1,18 @@
+---
+- block:
+ - name: Create the groovy directory
+ file: dest={{ jenkins_dest }}/init.groovy.d state=directory
+
+ - name: Install a groovy script to initialize the Jenkins system
+ template: src=admin_user.groovy dest={{ jenkins_dest }}/init.groovy.d/admin_user.groovy mode=0600
+ register: jenkins_must_be_restarted
+
+ - name: Restart jenkins if needed
+ become_user: root
+ service: name=jenkins state=restarted
+ when: jenkins_must_be_restarted is changed
+
+ become: True
+ become_user: '{{ jenkins_username }}'
+ when: jenkins_install
+ tags: [ 'jenkins', 'jenkins_master' ]
diff --git a/jenkins/master/tasks/jenkins_plugins.yml b/jenkins/master/tasks/jenkins_plugins.yml
index f52cfe4..79dd3e3 100644
--- a/jenkins/master/tasks/jenkins_plugins.yml
+++ b/jenkins/master/tasks/jenkins_plugins.yml
@@ -3,7 +3,7 @@
 # Handle plugins
 # If Jenkins is installed or updated, wait for pulling the Jenkins CLI, assuming 10s should be sufficiant
 - name: Wait for jenkins
- wait_for: port={{ jenkins_http_port }} delay={{ jenkins_restart_delay }}
+ wait_for: port={{ jenkins_http_port }} delay={{ jenkins_restart_delay }} state=started timeout={{ jenkins_restart_wait_timeout }}
 when: jenkins_has_been_restarted is changed or jenkins_has_been_started is changed
 # Create Jenkins CLI destination directory
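Review bot: The rendered `init.groovy.d/admin_user.groovy` contains the admin password in clear text and is left in place after the restart; Jenkins executes every script in that directory on each start, and the file is readable by anything running as the jenkins user (jobs, plugins), so the credential stays on disk for the life of the install. I would add a task after the restart that removes it (`file: path={{ jenkins_dest }}/init.groovy.d/admin_user.groovy state=absent`), or have the script delete itself once the realm is saved, and put `no_log: True` on the `template` task so the rendered content is not echoed in diff or verbose runs. Two naming points in the same block: `register: jenkins_must_be_restarted` reuses the name the package tasks already register (see the context line `register: jenkins_must_be_restarted` in jenkins_rh_pkgs.yml), and `when: jenkins_install` tests a variable the package tasks overwrite with a registered result dict, so both evaluate truthy for reasons other than the ones the names suggest; a distinct register name such as `jenkins_init_script` and a condition on the original boolean would make the intent readable. Finally, this restart sets nothing that the `Wait for jenkins` condition in jenkins_plugins.yml (`jenkins_has_been_restarted is changed or jenkins_has_been_started is changed`) looks at, so unless those names are set elsewhere the plugin steps may proceed before Jenkins is back up.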
@@ -13,6 +13,19 @@
 - name: Get Jenkins CLI
 get_url: url={{ jenkins_local_url}}/jnlpJars/jenkins-cli.jar dest={{ jenkins_cli_dest }} mode=0440
+ # - name: Check if Jenkins has been initialized already
+ # stat: path={{ jenkins_admin_user_pwd_file }}
+ # register: jenkins_pwd_path
+
+ # - name: Get the initial admin password, if we have to initialize the service
+ # shell: cat '{{ jenkins_dest }}/secrets/initialAdminPassword'
+ # register: jenkins_admin_pwd
+ # when: not jenkins_pwd_path.stat.exists
+
+ # # Create the Jenkins administrative user password file
+ # - name: Create the Jenkins administrative user password file
+ # copy: content={{ jenkins_admin_pwd.stdout }} dest={{ jenkins_admin_user_pwd_file }} mode=600
+
 # Create the Jenkins administrative user password file
 - name: Create the Jenkins administrative user password file
 copy: content={{ jenkins_admin_pwd }} dest={{ jenkins_admin_user_pwd_file }} mode=600
diff --git a/jenkins/master/tasks/jenkins_rh_pkgs.yml b/jenkins/master/tasks/jenkins_rh_pkgs.yml
index d5e3e34..d329cf7 100644
--- a/jenkins/master/tasks/jenkins_rh_pkgs.yml
+++ b/jenkins/master/tasks/jenkins_rh_pkgs.yml
@@ -28,6 +28,9 @@
 yum: pkg={{ jenkins_packages }} state={{ jenkins_pkg_state }}
 register: jenkins_install
+ - name: Install jenkins additional packages
+ yum: pkg={{ jenkins_rh_package_requirements }} state={{ jenkins_pkg_state }}
+
 - name: Set the startup jenkins options
 template: src=jenkins.default.j2 dest=/etc/sysconfig/jenkins owner=root group=root mode=0444
 register: jenkins_must_be_restarted
diff --git a/jenkins/master/tasks/main.yml b/jenkins/master/tasks/main.yml
index 8a696f5..d938919 100644
--- a/jenkins/master/tasks/main.yml
+++ b/jenkins/master/tasks/main.yml
@@ -5,6 +5,8 @@
 - import_tasks: jenkins_rh_pkgs.yml
 when: ansible_distribution_file_variety != "Debian"
+- import_tasks: jenkins_init.yml
+
 - import_tasks: jenkins_plugins.yml
 when: jenkins_install
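Review bot: The thirteen added lines in jenkins_plugins.yml are a commented-out variant of the password-file logic that reads `secrets/initialAdminPassword` with `shell: cat`, sitting directly above the live task that writes `jenkins_admin_pwd` to the same file; dead YAML like this tends to get un-commented later without its `register:`/`when:` names being re-checked, and a step that copies Jenkins's generated bootstrap secret into a playbook variable is one that should not linger half-enabled. I would drop the block and, if the intent is to support bootstrapping from the generated password in future, record that in a single comment on the live task. While here, the live `copy: content={{ jenkins_admin_pwd }} ...` task (unchanged context) would benefit from `no_log: True` so the password is not printed in task output; the enclosing task list continues outside the hunk.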
diff --git a/jenkins/master/templates/admin_user.groovy b/jenkins/master/templates/admin_user.groovy
new file mode 100644
index 0000000..ce29d54
--- /dev/null
+++ b/jenkins/master/templates/admin_user.groovy
@@ -0,0 +1,24 @@
+#!groovy
+import java.util.logging.Level
+import java.util.logging.Logger
+import hudson.security.*
+import jenkins.model.*
+
+def instance = Jenkins.getInstance()
+def logger = Logger.getLogger(Jenkins.class.getName())
+
+logger.log(Level.INFO, "Ensuring that local user '{{ jenkins_admin_user }}' is created.")
+
+if (!instance.isUseSecurity()) {
+ logger.log(Level.INFO, "Creating local admin user '{{ jenkins_admin_user }}'.")
+
+ def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
+ strategy.setAllowAnonymousRead(false)
+
+ def hudsonRealm = new HudsonPrivateSecurityRealm(false)
+ hudsonRealm.createAccount("{{ jenkins_admin_user }}", "{{ jenkins_admin_pwd }}")
+
+ instance.setSecurityRealm(hudsonRealm)
+ instance.setAuthorizationStrategy(strategy)
+ instance.save()
+}
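Review bot: `createAccount("{{ jenkins_admin_user }}", "{{ jenkins_admin_pwd }}")` renders the two values into Groovy double-quoted strings, which are GStrings: a password containing `$` is interpolated at runtime, and one containing `"` or `\` breaks the script, so the account can silently end up with a password different from the one in inventory. Use single-quoted literals, `hudsonRealm.createAccount('{{ jenkins_admin_user }}', '{{ jenkins_admin_pwd }}')`, and either document in the role that the values must not contain `'` or `\` or escape those two characters with a Jinja `replace` filter before rendering. The `!instance.isUseSecurity()` guard is the right protection against clobbering an already-configured realm on later restarts; a short header comment stating that, and noting that `FullControlOnceLoggedInAuthorizationStrategy` with `setAllowAnonymousRead(false)` grants every authenticated user full control, would help whoever extends this once more accounts exist, since that strategy is broader than most installations want long term.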