diff --git a/roles/jenkins-php-v1/defaults/main.yml b/roles/jenkins-php-v1/defaults/main.yml
index 310b17c..b6de62e 100644
--- a/roles/jenkins-php-v1/defaults/main.yml
+++ b/roles/jenkins-php-v1/defaults/main.yml
@@ -1,12 +1,21 @@
---
jenkins_home: /var/lib/jenkins
-jenkins_cli_jar_location: /var/cache/jenkins/war/WEB-INF/jenkins-cli.jar
#jenkins_updates_url:
#jenkins_plugins_install_dependencies:
+# Where to find the 'admin' password
jenkins_admin_password_file: "{{ jenkins_home }}/secrets/initialAdminPassword"
+# Where to find/generate the 'gitea' password which will be used
+# by Gitea to push the webhook on the notifyCommit URL
jenkins_gitea_password_file: "{{ jenkins_home }}/secrets/giteaAnsiblePassword"
+# Jenkin's username dedicated to launch the jobs via the webhook
+giteaUsername: gitea
+
+jenkins_cli_jar_location: /var/cache/jenkins/war/WEB-INF/jenkins-cli.jar
jenkins_cli_command: java -jar "{{ jenkins_cli_jar_location }}" -s http://localhost:8080/ -auth admin:$( cat "{{ jenkins_admin_password_file | quote }}" )
+
+# Id of the SSH key used to clone/pull from the repository
+# and eventually to connect to the deploy host
jenkins_credential_keyid: deploykey1
jenkins_credential_keydesc: Deploy key n.1
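Review bot: The new `giteaUsername` key breaks the `jenkins_*` snake_case naming every other key in this defaults file follows, and it is exactly the key a user is likely to override, so renaming it now (e.g. `jenkins_gitea_username`, with the users task, the job include and config.xml.j2 updated to match) is cheaper than doing it after it spreads. The comment above it has a typo, `Jenkin's` → `Jenkins'`. Not added by this commit but visible in the hunk: `jenkins_cli_command` expands the admin password into the `java` argument list, where any local user can read it from the process list for the duration of each CLI call; if I recall correctly the Jenkins CLI also accepts `-auth @/path/to/file` with `user:password` stored in the file, which keeps it out of argv.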
@@ -23,6 +32,7 @@ nginx_vhost_ssl:
jenkins_plugins:
- credentials
+ - git
- git-client
- ssh
- ant
diff --git a/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml b/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml
index b773613..f5526c5 100644
--- a/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml
+++ b/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml
@@ -1,6 +1,11 @@
---
# Add Jenkins repository for Debian
+- name: Install GPG - needed to add the repository key
+ apt:
+ name:
+ - gpg
+ state: present
- name: Add Jenkins-stable.io repository key
apt_key:
id: "150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6"
diff --git a/roles/jenkins-php-v1/tasks/20_install-plugins.yml b/roles/jenkins-php-v1/tasks/20_install-plugins.yml
index d179293..1575586 100644
--- a/roles/jenkins-php-v1/tasks/20_install-plugins.yml
+++ b/roles/jenkins-php-v1/tasks/20_install-plugins.yml
@@ -44,7 +44,7 @@
when: item not in current_plugin_list.stdout_lines
notify: safe-restart jenkins and wait
-- name: Install system package needed by Jenkins plugins
+- name: Install system packages needed by Jenkins plugins
apt:
name: "{{ jenkins_plugins_system_dependency }}"
state: present
diff --git a/roles/jenkins-php-v1/tasks/30_users.yml b/roles/jenkins-php-v1/tasks/30_users.yml
index 60aa9b7..73470c7 100644
--- a/roles/jenkins-php-v1/tasks/30_users.yml
+++ b/roles/jenkins-php-v1/tasks/30_users.yml
@@ -11,12 +11,26 @@
- name: Generate a password for the Gitea user
set_fact:
- giteaPassword: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
+ giteaPassword: "{{ lookup('password', '/dev/null chars=ascii_letters') }}" # preferably no colons in password, for HTTP's URL simplicity
when: createGiteaUser
+ no_log: yes
-- name: Create Gitea user
- shell: echo 'jenkins.model.Jenkins.instance.securityRealm.createAccount("gitea", "{{ giteaPassword | quote }}")' | "{{ jenkins_cli_command }}" groovy =
+- name: Retrieve the password for the post_install message
+ slurp:
+ src: "{{ jenkins_gitea_password_file }}"
+ register: tmp
+ when: not createGiteaUser
+ no_log: yes
+- name: Set the password as a fact
+ set_fact:
+ giteaPassword: "{{ tmp.content | b64decode | trim }}"
+ when: not createGiteaUser
+ no_log: yes
+
+- name: Create webhook dedicated user
+ shell: echo 'jenkins.model.Jenkins.instance.securityRealm.createAccount("{{ giteaUsername | quote }}", "{{ giteaPassword | quote }}")' | {{ jenkins_cli_command }} groovy =
when: createGiteaUser
+ no_log: yes
- name: Upload the new password
copy:
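Review bot: In the `Create webhook dedicated user` task the `quote` filter produces POSIX shell quoting, but both values land inside a Groovy double-quoted string that itself sits inside the single-quoted argument to `echo`, so any value `quote` decided to wrap in `'…'` would close that outer string instead of protecting the value. The generated password is limited to `ascii_letters` and cannot trigger this, but the new `slurp` branch feeds whatever `jenkins_gitea_password_file` currently contains, and `giteaUsername` is user-overridable. A cleaner shape is to hand the script to the CLI through the module's `stdin` parameter, `shell: "{{ jenkins_cli_command }} groovy ="` plus `stdin: 'jenkins.model.Jenkins.instance.securityRealm.createAccount("{{ giteaUsername }}", "{{ giteaPassword }}")'`, which removes the shell layer entirely; the values then still sit inside a Groovy string, so `$`, `\` and `"` must stay excluded from them, and an `assert` task on the allowed character set would make that contract explicit. The `no_log: yes` added to the generating `set_fact` is the right call; note it does not stop the value from reaching a fact cache if `cacheable` were ever enabled on that task.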
@@ -26,4 +40,6 @@
group: jenkins
mode: 0600
when: createGiteaUser
- #no_log: yes # FIXME: actually, we want to know it to tell the user to set a URL with it in Gitea. Add a debug msg maybe ?
+ # Note : We still need a way to tell the user how to be authenticated for the webhook.
+ # For the time being, we store it here and display it at the end of the playbook.
+ no_log: yes
diff --git a/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml b/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml
index e6eddb8..6cd4ff6 100644
--- a/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml
+++ b/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml
@@ -59,15 +59,10 @@
#become_user: jenkins # permission denied
#become: yes
register: result
-- name: Retrieve the SSH private key
+- name: Retrieve the SSH public key
slurp:
src: "{{ jenkins_home }}/.ssh/id_rsa.pub"
- register: tmp
- when: result.changed
-- name: Ouput public key
- debug:
- msg: "Don't forget to set the public key on the Git repository and the deploy target : {{ tmp.content | b64decode | trim }}"
- when: result.changed
+ register: jenkins_ssh_public_key
# Upload this new key to the Jenkins credentials plugin system
# (the create/update/import-credential-as-xml is kinda cumbersome for our
diff --git a/roles/jenkins-php-v1/tasks/90_conclusion.yml b/roles/jenkins-php-v1/tasks/90_conclusion.yml
new file mode 100644
index 0000000..802f0d6
--- /dev/null
+++ b/roles/jenkins-php-v1/tasks/90_conclusion.yml
@@ -0,0 +1,10 @@
+---
+
+# Display the tasks that still need to be done manually
+- name: Add intro to conclusion
+ set_fact:
+ jenkins_post_install: "{{ [ 'For host ' + ansible_fqdn + ', please check :', '- SSH public key : ' + jenkins_ssh_public_key.content|b64decode|trim ] + jenkins_post_install|default([]) }}"
+
+- name: Please check the following
+ debug:
+ var: jenkins_post_install
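Review bot: `debug: var: jenkins_post_install` prints the list built in include_jobinstall.yml, which embeds `giteaUsername:giteaPassword` in each webhook URL, so the webhook password is written in clear text to the controller's stdout and to any configured `log_path` or callback plugin output, where it usually outlives the run. Since `no_log` would hide the whole list, consider printing the URL with the password replaced by a placeholder and pointing the operator at `jenkins_gitea_password_file` on the host, or gating the unredacted form behind an opt-in variable (a constructed example: a boolean `jenkins_post_install_show_secrets`, name to be chosen). `ansible_fqdn` also assumes facts were gathered for the host; if the role can run with `gather_facts: false` this task fails on an undefined variable, and `ansible_fqdn | default(inventory_hostname)` is a cheap guard.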
diff --git a/roles/jenkins-php-v1/tasks/include_jobinstall.yml b/roles/jenkins-php-v1/tasks/include_jobinstall.yml
index 629384c..79a8b75 100644
--- a/roles/jenkins-php-v1/tasks/include_jobinstall.yml
+++ b/roles/jenkins-php-v1/tasks/include_jobinstall.yml
@@ -26,3 +26,9 @@
- name: Reload the job
shell: "{{ jenkins_cli_command }} reload-job {{ job.key | quote }}"
when: jobconfig.changed
+
+- name : Add info for the manual todo list at the end
+ set_fact:
+ jenkins_post_install: |-
+ {{ jenkins_post_install|default([]) + [ "- in project '" + job.key + "', add webhook '" + nginx_vhost_ssl|ternary('https', 'http') + '://' + giteaUsername + ':' + giteaPassword + '@' + nginx_vhost_main_hostname + '/git/notifyCommit?url=' + job.value.repository_url ] }}
+ when: job.value.repository_url is defined
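Review bot: `job.value.repository_url` is concatenated into the `?url=` query string as-is; a repository URL containing `&`, `#` or a space would break or truncate the webhook URL, so pass it through `| urlencode` before appending it. Style: `- name : Add info` has a space before the colon, which parses but differs from every other task in this file (`- name:`). The `|-` block scalar wrapping a single Jinja list expression relies on Ansible converting the rendered string back into a list; the quoted `"{{ … }}"` form used for the same variable in 90_conclusion.yml is the conventional way to write it and avoids that dependency. When `nginx_vhost_ssl` is false the generated URL is plain `http://` with the credentials embedded, so the webhook password crosses the network in clear text on every push; a comment here, `# without nginx_vhost_ssl the webhook sends the gitea password over plain HTTP`, would tell operators that the flag affects more than the vhost.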
diff --git a/roles/jenkins-php-v1/tasks/main.yml b/roles/jenkins-php-v1/tasks/main.yml
index cc1249f..8502202 100644
--- a/roles/jenkins-php-v1/tasks/main.yml
+++ b/roles/jenkins-php-v1/tasks/main.yml
@@ -24,3 +24,6 @@
- include_tasks: roles/jenkins-php-v1/tasks/50_create-jobs.yml
- include_tasks: roles/jenkins-php-v1/tasks/60_install-nginx-proxy.yml
+
+# Display the list of things to manually check (wekhooks, ssh keys, etc.)
+- include_tasks: roles/jenkins-php-v1/tasks/90_conclusion.yml
diff --git a/roles/jenkins-php-v1/templates/config.xml.j2 b/roles/jenkins-php-v1/templates/config.xml.j2
index 3ea6083..cff5f91 100644
--- a/roles/jenkins-php-v1/templates/config.xml.j2
+++ b/roles/jenkins-php-v1/templates/config.xml.j2
@@ -20,18 +20,18 @@
hudson.model.Computer.Disconnect:admin
hudson.model.Hudson.Administer:admin
hudson.model.Hudson.Read:admin
- hudson.model.Hudson.Read:gitea
+ hudson.model.Hudson.Read:{{ giteaUsername }}
hudson.model.Item.Build:admin
- hudson.model.Item.Build:gitea
+ hudson.model.Item.Build:{{ giteaUsername }}
hudson.model.Item.Cancel:admin
hudson.model.Item.Configure:admin
hudson.model.Item.Create:admin
hudson.model.Item.Delete:admin
hudson.model.Item.Discover:admin
hudson.model.Item.Read:admin
- hudson.model.Item.Read:gitea
+ hudson.model.Item.Read:{{ giteaUsername }}
hudson.model.Item.Workspace:admin
- hudson.model.Item.Workspace:gitea
+ hudson.model.Item.Workspace:{{ giteaUsername }}
hudson.model.Run.Delete:admin
hudson.model.Run.Update:admin
hudson.model.View.Configure:admin
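Review bot: `{{ giteaUsername }}` is interpolated into config.xml without escaping; the default `gitea` is harmless, but an override containing `<`, `&` or whitespace could corrupt the XML or the `Permission:sid` entry, so `{{ giteaUsername | e }}` plus a comment in defaults stating the allowed characters is a cheap guard. Separately, the four entries granted to this account include `hudson.model.Item.Workspace`, which lets the webhook user browse job workspaces, i.e. checked-out sources and whatever builds leave behind there; if the account's only purpose is to hit notifyCommit, `Hudson.Read`/`Item.Read`/`Item.Build` may already be more than it needs. I am not certain which permissions the git plugin's notifyCommit path requires for the plugin version this role installs, so that is worth confirming before trimming the list.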