

jenkins-controller: Initial Jenkins configuration
- Configure Jenkins: install the pipeline and github plugins,
  allow anonymous read access, disable the setup wizard, and install the
  packages required by the Jenkins pipeline.
- Configure build pipeline job based on the pipeline script now
  maintained at: https://github.com/tiiuae/ghaf-jenkins-pipeline

Signed-off-by: Henri Rosten <[email protected]>
henrirosten committed Feb 26, 2024
1 parent 7789ce1 commit 88d0be2
Showing 1 changed file with 95 additions and 4 deletions.
99 changes: 95 additions & 4 deletions hosts/azure/jenkins-controller/configuration.nix
Expand Up @@ -21,6 +21,28 @@
exec nix --extra-experimental-features nix-command copy --to 'http://localhost:8080?secret-key=/etc/secrets/nix-signing-key&compression=zstd' $OUT_PATHS
'';

# TODO: sort out jenkins authentication e.g.:
# https://plugins.jenkins.io/github-oauth/
# Below config requires admin to trigger builds or manage jenkins
# allowing read access for anonymous users:
jenkins-groovy = pkgs.writeText "groovy" ''
#!groovy
import jenkins.model.*
import jenkins.install.*
import hudson.security.*
def instance = Jenkins.getInstance()
// Disable Setup Wizard
instance.setInstallState(InstallState.INITIAL_SETUP_COMPLETED)
// Allow anonymous read access
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(true)
instance.setAuthorizationStrategy(strategy)
instance.save()
'';

get-secret =
pkgs.writers.writePython3 "get-secret" {
libraries = with pkgs.python3.pkgs; [azure-keyvault-secrets azure-identity];
Expand Down Expand Up @@ -73,19 +95,88 @@ in {
listenAddress = "localhost";
port = 8081;
withCLI = true;
packages = with pkgs; [
bashInteractive # 'sh' step in jenkins pipeline requires this
coreutils
nix
git
zstd
];
extraJavaOptions = [
# Useful when the 'sh' step fails:
"-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.LAUNCH_DIAGNOSTICS=true"
];
# Configure jenkins job(s):
# https://jenkins-job-builder.readthedocs.io/en/latest/project_pipeline.html
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
jobBuilder = {
enable = true;
nixJobs = [
{
job = {
name = "ghaf-pipeline";
project-type = "pipeline";
pipeline-scm = {
scm = [
{
git = {
# TODO: eventually the Jenkins pipeline script should probably
# be part of Ghaf repo at: https://github.com/tiiuae/ghaf,
# but we are not ready for that yet. For now, we read the
# Jenkinsfile from the following repo:
url = "https://github.com/tiiuae/ghaf-jenkins-pipeline.git";
clean = true;
branches = ["*/main"];
};
}
];
script-path = "ghaf-build-pipeline.groovy";
lightweight-checkout = true;
};
};
}
];
};
};
systemd.services.jenkins.after = ["multi-user.target"];
systemd.services.jenkins.requires = ["multi-user.target"];
systemd.services.jenkins.serviceConfig = {
systemd.services.jenkins.serviceConfig = {Restart = "on-failure";};
systemd.services.jenkins-job-builder.serviceConfig = {
Restart = "on-failure";
RestartSec = 1;
RestartSec = 5;
};

# set StateDirectory=jenkins, so state volume has the right permissions
# and we wait on the mountpoint to appear.
# https://github.com/NixOS/nixpkgs/pull/272679
systemd.services.jenkins.serviceConfig.StateDirectory = "jenkins";

# Install jenkins plugins, apply initial jenkins config
systemd.services.jenkins-config = {
after = ["jenkins-job-builder.service"];
wantedBy = ["multi-user.target"];
# Make `jenkins-cli` available
path = with pkgs; [jenkins];
# Implicit URL parameter for `jenkins-cli`
environment = {
JENKINS_URL = "http://localhost:8081";
};
serviceConfig = {
Restart = "on-failure";
RestartSec = 5;
};
script = let
jenkins-auth = "-auth admin:\"$(cat /var/lib/jenkins/secrets/initialAdminPassword)\"";
in ''
# Install plugins
jenkins-cli ${jenkins-auth} install-plugin "workflow-aggregator" "github" -deploy
# Jenkins groovy config
jenkins-cli ${jenkins-auth} groovy = < ${jenkins-groovy}
# Restart jenkins
jenkins-cli ${jenkins-auth} safe-restart
'';
};

# Define a fetch-remote-build-ssh-key unit populating
# /etc/secrets/remote-build-ssh-key from Azure Key Vault.
# Make it before and requiredBy nix-daemon.service.
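Review bot: The `jenkins-auth` binding under `script = let` in the second hunk places the admin password on each `jenkins-cli` command line, where it is readable by any local process through `/proc/*/cmdline` (and in `ps` output) for as long as the three commands run. `jenkins-cli` also accepts credentials from a file via `-auth @FILE`, so writing `admin:$(cat /var/lib/jenkins/secrets/initialAdminPassword)` to a mode-0600 file under `$RUNTIME_DIRECTORY` (with `RuntimeDirectory = "jenkins-config";` added to `serviceConfig`) and passing `-auth @"$RUNTIME_DIRECTORY/auth"` keeps the secret out of the argument vector. Separately, the groovy snippet in the first hunk installs `FullControlOnceLoggedInAuthorizationStrategy`, which grants every authenticated account full administrative control; the TODO above it notes that authentication is unfinished, but a comment such as `// NOTE: every logged-in user is admin — restrict before wiring up an external identity provider` would make that consequence explicit for whoever adds github-oauth later. The enclosing `services.jenkins` attribute set begins outside the second hunk.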
