From 8e132c16333a619a98b682a0559d1f6ebf0245c9 Mon Sep 17 00:00:00 2001
From: Chl
Date: Sat, 18 Jan 2020 23:48:17 +0100
Subject: [PATCH] Add a conclusion/todo-list + more generic on the gitea username + several corrections
---
roles/jenkins-php-v1/defaults/main.yml | 12 +++++++++-
.../tasks/10_jenkins-repository.yml | 5 ++++
.../tasks/20_install-plugins.yml | 2 +-
roles/jenkins-php-v1/tasks/30_users.yml | 24 +++++++++++++++----
.../tasks/40_configure-jenkins.yml | 9 ++-----
roles/jenkins-php-v1/tasks/90_conclusion.yml | 10 ++++++++
.../tasks/include_jobinstall.yml | 6 +++++
roles/jenkins-php-v1/tasks/main.yml | 3 +++
roles/jenkins-php-v1/templates/config.xml.j2 | 8 +++----
9 files changed, 62 insertions(+), 17 deletions(-)
create mode 100644 roles/jenkins-php-v1/tasks/90_conclusion.yml
diff --git a/roles/jenkins-php-v1/defaults/main.yml b/roles/jenkins-php-v1/defaults/main.yml
index 310b17c..b6de62e 100644
--- a/roles/jenkins-php-v1/defaults/main.yml
+++ b/roles/jenkins-php-v1/defaults/main.yml
@@ -1,12 +1,21 @@
 ---
 jenkins_home: /var/lib/jenkins
-jenkins_cli_jar_location: /var/cache/jenkins/war/WEB-INF/jenkins-cli.jar
 #jenkins_updates_url:
 #jenkins_plugins_install_dependencies:
+# Where to find the 'admin' password
 jenkins_admin_password_file: "{{ jenkins_home }}/secrets/initialAdminPassword"
+# Where to find/generate the 'gitea' password which will be used
+# by Gitea to push the webhook on the notifyCommit URL
 jenkins_gitea_password_file: "{{ jenkins_home }}/secrets/giteaAnsiblePassword"
+# Jenkin's username dedicated to launch the jobs via the webhook
+giteaUsername: gitea
+
+jenkins_cli_jar_location: /var/cache/jenkins/war/WEB-INF/jenkins-cli.jar
 jenkins_cli_command: java -jar "{{ jenkins_cli_jar_location }}" -s http://localhost:8080/ -auth admin:$( cat "{{ jenkins_admin_password_file | quote }}" )
+
+# Id of the SSH key used to clone/pull from the repository
+# and eventually to connect to the deploy host
 jenkins_credential_keyid: deploykey1
 jenkins_credential_keydesc: Deploy key n.1
@@ -23,6 +32,7 @@ nginx_vhost_ssl:
 jenkins_plugins:
 - credentials
+ - git
 - git-client
 - ssh
 - ant
diff --git a/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml b/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml
index b773613..f5526c5 100644
--- a/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml
+++ b/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml
@@ -1,6 +1,11 @@
 ---
 # Add Jenkins repository for Debian
+- name: Install GPG - needed to add the repository key
+ apt:
+ name:
+ - gpg
+ state: present
 - name: Add Jenkins-stable.io repository key
 apt_key:
 id: "150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6"
diff --git a/roles/jenkins-php-v1/tasks/20_install-plugins.yml b/roles/jenkins-php-v1/tasks/20_install-plugins.yml
index d179293..1575586 100644
--- a/roles/jenkins-php-v1/tasks/20_install-plugins.yml
+++ b/roles/jenkins-php-v1/tasks/20_install-plugins.yml
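Review bot: `giteaUsername: gitea` breaks the naming convention of every other default in this file (snake_case with a `jenkins_` prefix, e.g. `jenkins_gitea_password_file`), and an unprefixed role default is easier to clobber from inventory or from another role. Renaming it `jenkins_gitea_username` keeps the namespace consistent, though the rename has to be carried through 30_users.yml, include_jobinstall.yml and config.xml.j2, which this patch also touches. The comment above it reads better as `# Jenkins username dedicated to launching the jobs via the webhook`.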
@@ -44,7 +44,7 @@
 when: item not in current_plugin_list.stdout_lines
 notify: safe-restart jenkins and wait
-- name: Install system package needed by Jenkins plugins
+- name: Install system packages needed by Jenkins plugins
 apt:
 name: "{{ jenkins_plugins_system_dependency }}"
 state: present
diff --git a/roles/jenkins-php-v1/tasks/30_users.yml b/roles/jenkins-php-v1/tasks/30_users.yml
index 60aa9b7..73470c7 100644
--- a/roles/jenkins-php-v1/tasks/30_users.yml
+++ b/roles/jenkins-php-v1/tasks/30_users.yml
@@ -11,12 +11,26 @@
 - name: Generate a password for the Gitea user
 set_fact:
- giteaPassword: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
+ giteaPassword: "{{ lookup('password', '/dev/null chars=ascii_letters') }}" # preferably no colons in password, for HTTP's URL simplicity
 when: createGiteaUser
+ no_log: yes
-- name: Create Gitea user
- shell: echo 'jenkins.model.Jenkins.instance.securityRealm.createAccount("gitea", "{{ giteaPassword | quote }}")' | "{{ jenkins_cli_command }}" groovy =
+- name: Retrieve the password for the post_install message
+ slurp:
+ src: "{{ jenkins_gitea_password_file }}"
+ register: tmp
+ when: not createGiteaUser
+ no_log: yes
+- name: Set the password as a fact
+ set_fact:
+ giteaPassword: "{{ tmp.content | b64decode | trim }}"
+ when: not createGiteaUser
+ no_log: yes
+
+- name: Create webhook dedicated user
+ shell: echo 'jenkins.model.Jenkins.instance.securityRealm.createAccount("{{ giteaUsername | quote }}", "{{ giteaPassword | quote }}")' | {{ jenkins_cli_command }} groovy =
 when: createGiteaUser
+ no_log: yes
 - name: Upload the new password
 copy:
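Review bot: The `quote` filter applied to `giteaUsername` and `giteaPassword` in the `Create webhook dedicated user` task guards the wrong layer: it is shell quoting, but both values sit inside a Groovy double-quoted string that is itself inside the single-quoted `echo '...'` argument, so a value containing `"`, `$` or `'` ends the Groovy or shell string instead of being escaped, and that Groovy snippet runs through the CLI with the admin credentials. The password is built from `chars=ascii_letters` only, so it is safe (the `# preferably no colons` comment is already guaranteed by that charset and could say so); the username is the new unconstrained input here, and the same value is written unescaped into `templates/config.xml.j2` later in this patch. Validating it once with an `assert`, placed before the task as below, covers both places; the pattern mirrors the identifier rule of Jenkins' built-in user database as far as I recall, so adjust it if another realm is in use. `no_log: yes` hides the password from the Ansible output but not from the host's process table while the `echo` runs, which is worth a comment on the `shell` line.
```yaml
- name: Check that the webhook username is safe to embed in the shell/Groovy command and config.xml
  assert:
    that:
      - giteaUsername is match('^[A-Za-z0-9_-]+$')
    msg: "giteaUsername may only contain letters, digits, '_' and '-'"

- name: Create webhook dedicated user
# … unchanged: shell / when / no_log …
```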
@@ -26,4 +40,6 @@
 group: jenkins
 mode: 0600
 when: createGiteaUser
- #no_log: yes # FIXME: actually, we want to know it to tell the user to set a URL with it in Gitea. Add a debug msg maybe ?
+ # Note : We still need a way to tell the user how to be authenticated for the webhook.
+ # For the time being, we store it here and display it at the end of the playbook.
+ no_log: yes
diff --git a/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml b/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml
index e6eddb8..6cd4ff6 100644
--- a/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml
+++ b/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml
@@ -59,15 +59,10 @@
 #become_user: jenkins # permission denied
 #become: yes
 register: result
-- name: Retrieve the SSH private key
+- name: Retrieve the SSH public key
 slurp:
 src: "{{ jenkins_home }}/.ssh/id_rsa.pub"
- register: tmp
- when: result.changed
-- name: Ouput public key
- debug:
- msg: "Don't forget to set the public key on the Git repository and the deploy target : {{ tmp.content | b64decode | trim }}"
- when: result.changed
+ register: jenkins_ssh_public_key
 # Upload this new key to the Jenkins credentials plugin system
 # (the create/update/import-credential-as-xml is kinda cumbersome for our
diff --git a/roles/jenkins-php-v1/tasks/90_conclusion.yml b/roles/jenkins-php-v1/tasks/90_conclusion.yml
new file mode 100644
index 0000000..802f0d6
--- /dev/null
+++ b/roles/jenkins-php-v1/tasks/90_conclusion.yml
@@ -0,0 +1,10 @@
+---
+
+# Display the tasks that still need to be done manually
+- name: Add intro to conclusion
+ set_fact:
+ jenkins_post_install: "{{ [ 'For host ' + ansible_fqdn + ', please check :', '- SSH public key : ' + jenkins_ssh_public_key.content|b64decode|trim ] + jenkins_post_install|default([]) }}"
+
+- name: Please check the following
+ debug:
+ var: jenkins_post_install
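Review bot: With both `when: result.changed` lines removed, `register: result` just above the renamed task has no visible reader any more; if nothing outside the hunk uses `result`, drop it (the task it belongs to starts before the hunk). The slurp now runs on every play and `jenkins_ssh_public_key` is only consumed in the new 90_conclusion.yml, so the coupling deserves a comment such as `# Registered for 90_conclusion.yml, which tells the operator where to install this key`, since the old debug message that explained the key's purpose is gone.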
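Review bot: `debug: var: jenkins_post_install` prints the webhook URLs assembled in include_jobinstall.yml, which embed `giteaUsername:giteaPassword` as basic-auth credentials, so the secret that every task in 30_users.yml hides behind `no_log: yes` ends up in stdout, in any logging callback and in CI job output. That is the stated intent, but the file should say so, e.g. `# The webhook lines below contain the gitea user's password: keep this output out of shared logs`, and a `when:` on a role variable of your choosing would let operators skip the task where playbook logs are retained. The `jenkins_ssh_public_key.content` lookup also assumes 40_configure-jenkins.yml ran in the same play; if tags skip it, the `set_fact` fails on an undefined variable, so a `when: jenkins_ssh_public_key is defined` guard would make the file safe to run on its own.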
diff --git a/roles/jenkins-php-v1/tasks/include_jobinstall.yml b/roles/jenkins-php-v1/tasks/include_jobinstall.yml
index 629384c..79a8b75 100644
--- a/roles/jenkins-php-v1/tasks/include_jobinstall.yml
+++ b/roles/jenkins-php-v1/tasks/include_jobinstall.yml
@@ -26,3 +26,9 @@
 - name: Reload the job
 shell: "{{ jenkins_cli_command }} reload-job {{ job.key | quote }}"
 when: jobconfig.changed
+
+- name : Add info for the manual todo list at the end
+ set_fact:
+ jenkins_post_install: |-
+ {{ jenkins_post_install|default([]) + [ "- in project '" + job.key + "', add webhook '" + nginx_vhost_ssl|ternary('https', 'http') + '://' + giteaUsername + ':' + giteaPassword + '@' + nginx_vhost_main_hostname + '/git/notifyCommit?url=' + job.value.repository_url ] }}
+ when: job.value.repository_url is defined
diff --git a/roles/jenkins-php-v1/tasks/main.yml b/roles/jenkins-php-v1/tasks/main.yml
index cc1249f..8502202 100644
--- a/roles/jenkins-php-v1/tasks/main.yml
+++ b/roles/jenkins-php-v1/tasks/main.yml
@@ -24,3 +24,6 @@
 - include_tasks: roles/jenkins-php-v1/tasks/50_create-jobs.yml
 - include_tasks: roles/jenkins-php-v1/tasks/60_install-nginx-proxy.yml
+
+# Display the list of things to manually check (wekhooks, ssh keys, etc.)
+- include_tasks: roles/jenkins-php-v1/tasks/90_conclusion.yml
diff --git a/roles/jenkins-php-v1/templates/config.xml.j2 b/roles/jenkins-php-v1/templates/config.xml.j2
index 3ea6083..cff5f91 100644
--- a/roles/jenkins-php-v1/templates/config.xml.j2
+++ b/roles/jenkins-php-v1/templates/config.xml.j2
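Review bot: The webhook URL built in the new `set_fact` concatenates `giteaPassword`, `nginx_vhost_main_hostname` and `job.value.repository_url` without URL-encoding; `repository_url` ends up in a query string, so an `&`, `#` or `+` in it is truncated or altered by the receiving side, and a password read back from `jenkins_gitea_password_file` (the `not createGiteaUser` branch in 30_users.yml) is not guaranteed to be URL-safe the way the freshly generated one is. Appending `| urlencode` to those pieces fixes it, e.g. `'/git/notifyCommit?url=' + job.value.repository_url | urlencode` (the filter binds tighter than `+`, so no extra parentheses are needed). Also, since the list entry embeds `giteaUsername:giteaPassword` as basic-auth credentials, `jenkins_post_install` is a secret from this point on; a comment saying so, e.g. `# jenkins_post_install now carries the webhook password: only print it where the log is not retained`, would warn whoever reuses the fact. `- name : Add info …` has a space before the colon, which yamllint's colons rule rejects; the rest of the file writes `- name:`.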
@@ -20,18 +20,18 @@
 hudson.model.Computer.Disconnect:admin
 hudson.model.Hudson.Administer:admin
 hudson.model.Hudson.Read:admin
- hudson.model.Hudson.Read:gitea
+ hudson.model.Hudson.Read:{{ giteaUsername }}
 hudson.model.Item.Build:admin
- hudson.model.Item.Build:gitea
+ hudson.model.Item.Build:{{ giteaUsername }}
 hudson.model.Item.Cancel:admin
 hudson.model.Item.Configure:admin
 hudson.model.Item.Create:admin
 hudson.model.Item.Delete:admin
 hudson.model.Item.Discover:admin
 hudson.model.Item.Read:admin
- hudson.model.Item.Read:gitea
+ hudson.model.Item.Read:{{ giteaUsername }}
 hudson.model.Item.Workspace:admin
- hudson.model.Item.Workspace:gitea
+ hudson.model.Item.Workspace:{{ giteaUsername }}
 hudson.model.Run.Delete:admin
 hudson.model.Run.Update:admin
 hudson.model.View.Configure:admin
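Review bot: The four entries now granted to `{{ giteaUsername }}` still include `hudson.model.Item.Workspace`, which lets that account browse every job's workspace (checked-out sources, build outputs) from the UI; if the account exists only so Gitea can trigger builds through the notifyCommit URL, `Hudson.Read`, `Item.Read` and `Item.Build` look sufficient and the Workspace line can go, which matters more now that this account's password is printed by 90_conclusion.yml. Independently, the value is rendered into XML without escaping; unless the username is validated where it is created in 30_users.yml, `{{ giteaUsername | e }}` keeps a stray `&` or `<` from breaking the file. A short comment above the first of these lines, e.g. `{# least-privilege set for the webhook account; keep in sync with giteaUsername in defaults #}`, would record why exactly these four appear.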