feature/jenkins-proxy (#182)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/182 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
2025-07-01 11:58:20 +02:00
parent ad1537b856
commit fee080dbf4
9 changed files with 220 additions and 22 deletions
--- a/Jenkins/Makefile
+++ b/Jenkins/Makefile
@@ -1,54 +1,169 @@
-DOCKER := docker
+include .env
+export
+
 SOCKET := /var/run/docker.sock
 VOLUME := jenkins_home

-.PHONY: build run bash init-pw unprotected protected start stop rm purge
+CERTBOT_CONF := $(PWD)/.generated/certbot/lib/conf
+CERTBOT_WWW := $(PWD)/.generated/certbot/lib/www
+CERTBOT_LOG := $(PWD)/.generated/certbot/log
+NGINX_LOG := $(PWD)/.generated/certbot/nginx/log

-# building the Jenkins image
+.PHONY: provision \
+	build run bash init-pw unprotected protected start stop rm purge \
+	nginx-prepare nginx-proxy nginx-start nginx-letsencrypt-init nginx-letsencrypt-timer nginx-restart nginx-stop
+
+## lists all documented targets
+help:
+	@awk '/^##/ {sub(/^## /, "", $$0); desc=$$0; next} /^[a-zA-Z0-9][^:]*:/ { \
+		print "\033[1m" $$1 "\033[0m"; \
+		print "    " desc "\n" \
+	}' $(MAKEFILE_LIST)
+
+## initially, run this once to provision te nginx
+provision: nginx-prepare nginx-letsencrypt-init nginx-letsencrypt-timer nginx-start build start
+
+## removes all generated files
+clean: nginx-stop stop
+	rm -rf .generated/
+
+## builds the Jenkins image
 build:
-	$(DOCKER) build -t jenkins-docker .
+	docker build -t jenkins-docker .

-# initially running the Jenkins container
+## manually running the Jenkins container
 run:
-	$(DOCKER) run --detach \
+	docker run --detach \
 		--dns 8.8.8.8 \
 		--network bridge \
-		--publish 8080:8080 --publish 50000:50000 \
+		--publish 8090:8080 --publish 50000:50000 \
 		--volume $(SOCKET):/var/run/docker.sock \
 		--volume $(VOLUME):/var/jenkins_home \
 		--restart unless-stopped \
 		--name jenkins jenkins-docker

-# (re-) starts the Jenkins container
+## manually starts the Jenkins container (again)
 start:
-	$(DOCKER) start jenkins
+	docker start jenkins

-# opens a bash within the Jenkins container
+## opens a bash within the Jenkins container
 bash:
-	$(DOCKER) exec -it jenkins bash
+	docker exec -it jenkins bash

-# prints the inital password of a newly setup Jenkins
+## prints the initial password of a newly setup Jenkins
 init-pw:
-	$(DOCKER) exec -it jenkins cat /var/jenkins_home/secrets/initialAdminPassword
+	docker exec -it jenkins sh -c '\
+    		while [ ! -f /var/jenkins_home/secrets/initialAdminPassword ]; do \
+    			sleep 1; \
+    		done; \
+    		cat /var/jenkins_home/secrets/initialAdminPassword \
+    	'

-# disables security for the Jenkins, allows login without credentials
+## disables security for the Jenkins => allows login to Jenkins without credentials
 unprotected:
 	docker exec -it jenkins sed -i 's|<useSecurity>true</useSecurity>|<useSecurity>false</useSecurity>|' /var/jenkins_home/config.xml
 	docker exec -it jenkins grep useSecurity /var/jenkins_home/config.xml

-# enables security for the Jenkins, requires login with credentials
+## enables security for the Jenkins => Jenkins requires login with credentials
 protected:
 	docker exec -it jenkins sed -i 's|<useSecurity>true</useSecurity>|<useSecurity>true</useSecurity>|' /var/jenkins_home/config.xml
 	docker exec -it jenkins grep useSecurity /var/jenkins_home/config.xml

-# stops the Jenkins container
+## stops the Jenkins container
 stop:
-	$(DOCKER) stop jenkins
+	docker stop jenkins

-# removes the Jenkins container
+## removes the Jenkins container
 rm: stop
-	$(DOCKER) rm jenkins
+	docker rm jenkins

-# purges the Jenkins volume (finally deletes the configuration)
+## purges the Jenkins volume (finally deletes the configuration)
 purge: rm
-	$(DOCKER) volume rm $(VOLUME)
+	docker volume rm $(VOLUME)
+
+# (internal) generates the files for nginx-proxy and certbot
+nginx-prepare:
+	mkdir -p $(CERTBOT_WWW) $(CERTBOT_LOG) $(CERTBOT_CONF)/live/$(SERVER_NAME) $(NGINX_LOG)
+	chmod 755 $(CERTBOT_WWW) $(CERTBOT_LOG) $(CERTBOT_CONF)/live/$(SERVER_NAME) $(NGINX_LOG)
+	sed -e 's/%SERVER_NAME/$(SERVER_NAME)/g' <nginx-proxy/nginx.conf >.generated/nginx.conf
+	cp nginx-proxy/options-ssl-nginx.conf $(CERTBOT_CONF)/options-ssl-nginx.conf
+	chmod 644 $(CERTBOT_CONF)/options-ssl-nginx.conf
+	test -f $(CERTBOT_CONF)/ssl-dhparams.pem || curl -o $(CERTBOT_CONF)/ssl-dhparams.pem \
+		https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem
+	chmod 644 $(CERTBOT_CONF)/ssl-dhparams.pem
+	openssl req -x509 -nodes -newkey rsa:2048 \
+	  -keyout $(CERTBOT_CONF)/live/$(SERVER_NAME)/privkey.pem \
+	  -out /$(CERTBOT_CONF)/live/$(SERVER_NAME)/fullchain.pem \
+	  -subj "/CN=dummy"
+
+## opens a bash within the Nginx-proxy container
+nginx-bash:
+	docker exec -it nginx bash
+
+# (internal) fetches an initial certificate from letsencrypt
+nginx-letsencrypt-init: nginx-start
+	# wait for nginx actually running (could be improved)
+	@sleep 5
+	# delete the previous (dummy) config to avoid file creation with suffix -0001 etc.
+	rm -rf $(CERTBOT_CONF)/etc/letsencrypt/live/$(SERVER_NAME) \
+       $(CERTBOT_CONF)/etc/letsencrypt/archive/$(SERVER_NAME) \
+       $(CERTBOT_CONF)/etc/letsencrypt/renewal/$(SERVER_NAME).conf
+    # request the certificate via letsencrypt
+	docker run --rm \
+	  -v $(CERTBOT_CONF):/etc/letsencrypt \
+	  -v $(CERTBOT_WWW):/var/www/certbot \
+	  -v $(CERTBOT_LOG):/var/log/letsencrypt \
+	  certbot/certbot \
+	  certonly --webroot --webroot-path /var/www/certbot \
+	  --email $(EMAIL) --cert-name $(SERVER_NAME) \
+	  -d $(SERVER_NAME) --rsa-key-size 4096 \
+	  --agree-tos --force-renewal
+	# restart nginx
+	docker stop nginx || true
+	docker start nginx
+
+## opens a shell in the letsencrypt certbot
+nginx-letsencrypt-sh:
+	docker run -it --rm \
+	  -v $(CERTBOT_CONF):/etc/letsencrypt \
+	  -v $(CERTBOT_WWW):/var/www/certbot \
+	  -v $(CERTBOT_LOG):/var/log/letsencrypt \
+	  --entrypoint /bin/sh \
+	  certbot/certbot
+
+# (internal) installs the letsencrypt certbot timer for automatic renewal
+nginx-letsencrypt-timer:
+	@mkdir -p $(HOME)/.config/systemd/user
+	@cp nginx-proxy/nginx-letsencrypt-renew.timer $(HOME)/.config/systemd/user/nginx-letsencrypt-renew.timer
+	@cp nginx-proxy/nginx-letsencrypt-renew.service $(HOME)/.config/systemd/user/nginx-letsencrypt-renew.service
+	systemctl --user daemon-reload
+	systemctl --user enable --now nginx-letsencrypt-renew.timer
+
+## renews the cert, if already renewable - this is also called from the timer
+nginx-letsencrypt-renew:
+	docker run --rm \
+	  -v $(CERTBOT_CONF):/etc/letsencrypt \
+	  -v $(CERTBOT_WWW):/var/www/certbot \
+	  -v $(CERTBOT_LOG):/var/log/letsencrypt \
+	  certbot/certbot renew -q
+
+## starts the nginx proxy server
+nginx-start: nginx-stop
+	docker run -d --name nginx \
+	  --publish 8080:80 \
+	  --publish 8443:443 \
+	  --network bridge \
+	  -v $(CERTBOT_CONF):/etc/letsencrypt \
+	  -v $(CERTBOT_WWW):/var/www/certbot \
+	  -v $(NGINX_LOG):/var/log/nginx \
+	  -v $(PWD)/.generated/nginx.conf:/etc/nginx/nginx.conf \
+	  nginx
+
+## restarts the nginx proxy server
+nginx-restart: nginx-stop nginx-start
+
+## stops the nginx proxy server
+nginx-stop:
+	docker stop nginx || true
+	docker rm nginx || true
+