hostsharing/hs.hsadmin.ng
1
0
Fork 0
Code Activity
Files
3aab0ba3c22d054107593f22dcf201d25eb4e866
hs.hsadmin.ng/Jenkins/Makefile
Michael Hoennig fee080dbf4 feature/jenkins-proxy (#182) 
Co-authored-by: Michael Hoennig <michael@hoennig.de>
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/182
Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
2025-07-01 11:58:20 +02:00

170 lines
5.7 KiB
Makefile
Raw Blame History

include .env
export
SOCKET := /var/run/docker.sock
VOLUME := jenkins_home
CERTBOT_CONF := $(PWD)/.generated/certbot/lib/conf
CERTBOT_WWW := $(PWD)/.generated/certbot/lib/www
CERTBOT_LOG := $(PWD)/.generated/certbot/log
NGINX_LOG := $(PWD)/.generated/certbot/nginx/log
.PHONY: provision \
build run bash init-pw unprotected protected start stop rm purge \
nginx-prepare nginx-proxy nginx-start nginx-letsencrypt-init nginx-letsencrypt-timer nginx-restart nginx-stop
## lists all documented targets
help:
@awk '/^##/ {sub(/^## /, "", $$0); desc=$$0; next} /^[a-zA-Z0-9][^:]*:/ { \
print "\033[1m" $$1 "\033[0m"; \
print " " desc "\n" \
}' $(MAKEFILE_LIST)
## initially, run this once to provision te nginx
provision: nginx-prepare nginx-letsencrypt-init nginx-letsencrypt-timer nginx-start build start
## removes all generated files
clean: nginx-stop stop
rm -rf .generated/
## builds the Jenkins image
build:
docker build -t jenkins-docker .
## manually running the Jenkins container
run:
docker run --detach \
--dns 8.8.8.8 \
--network bridge \
--publish 8090:8080 --publish 50000:50000 \
--volume $(SOCKET):/var/run/docker.sock \
--volume $(VOLUME):/var/jenkins_home \
--restart unless-stopped \
--name jenkins jenkins-docker
## manually starts the Jenkins container (again)
start:
docker start jenkins
## opens a bash within the Jenkins container
bash:
docker exec -it jenkins bash
## prints the initial password of a newly setup Jenkins
init-pw:
docker exec -it jenkins sh -c '\
while [ ! -f /var/jenkins_home/secrets/initialAdminPassword ]; do \
sleep 1; \
done; \
cat /var/jenkins_home/secrets/initialAdminPassword \
'
## disables security for the Jenkins => allows login to Jenkins without credentials
unprotected:
docker exec -it jenkins sed -i 's|<useSecurity>true</useSecurity>|<useSecurity>false</useSecurity>|' /var/jenkins_home/config.xml
docker exec -it jenkins grep useSecurity /var/jenkins_home/config.xml
## enables security for the Jenkins => Jenkins requires login with credentials
protected:
docker exec -it jenkins sed -i 's|<useSecurity>true</useSecurity>|<useSecurity>true</useSecurity>|' /var/jenkins_home/config.xml
docker exec -it jenkins grep useSecurity /var/jenkins_home/config.xml
## stops the Jenkins container
stop:
docker stop jenkins
## removes the Jenkins container
rm: stop
docker rm jenkins
## purges the Jenkins volume (finally deletes the configuration)
purge: rm
docker volume rm $(VOLUME)
# (internal) generates the files for nginx-proxy and certbot
nginx-prepare:
mkdir -p $(CERTBOT_WWW) $(CERTBOT_LOG) $(CERTBOT_CONF)/live/$(SERVER_NAME) $(NGINX_LOG)
chmod 755 $(CERTBOT_WWW) $(CERTBOT_LOG) $(CERTBOT_CONF)/live/$(SERVER_NAME) $(NGINX_LOG)
sed -e 's/%SERVER_NAME/$(SERVER_NAME)/g' <nginx-proxy/nginx.conf >.generated/nginx.conf
cp nginx-proxy/options-ssl-nginx.conf $(CERTBOT_CONF)/options-ssl-nginx.conf
chmod 644 $(CERTBOT_CONF)/options-ssl-nginx.conf
test -f $(CERTBOT_CONF)/ssl-dhparams.pem || curl -o $(CERTBOT_CONF)/ssl-dhparams.pem \
https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem
chmod 644 $(CERTBOT_CONF)/ssl-dhparams.pem
openssl req -x509 -nodes -newkey rsa:2048 \
-keyout $(CERTBOT_CONF)/live/$(SERVER_NAME)/privkey.pem \
-out /$(CERTBOT_CONF)/live/$(SERVER_NAME)/fullchain.pem \
-subj "/CN=dummy"
## opens a bash within the Nginx-proxy container
nginx-bash:
docker exec -it nginx bash
# (internal) fetches an initial certificate from letsencrypt
nginx-letsencrypt-init: nginx-start
# wait for nginx actually running (could be improved)
@sleep 5
# delete the previous (dummy) config to avoid file creation with suffix -0001 etc.
rm -rf $(CERTBOT_CONF)/etc/letsencrypt/live/$(SERVER_NAME) \
$(CERTBOT_CONF)/etc/letsencrypt/archive/$(SERVER_NAME) \
$(CERTBOT_CONF)/etc/letsencrypt/renewal/$(SERVER_NAME).conf
# request the certificate via letsencrypt
docker run --rm \
-v $(CERTBOT_CONF):/etc/letsencrypt \
-v $(CERTBOT_WWW):/var/www/certbot \
-v $(CERTBOT_LOG):/var/log/letsencrypt \
certbot/certbot \
certonly --webroot --webroot-path /var/www/certbot \
--email $(EMAIL) --cert-name $(SERVER_NAME) \
-d $(SERVER_NAME) --rsa-key-size 4096 \
--agree-tos --force-renewal
# restart nginx
docker stop nginx || true
docker start nginx
## opens a shell in the letsencrypt certbot
nginx-letsencrypt-sh:
docker run -it --rm \
-v $(CERTBOT_CONF):/etc/letsencrypt \
-v $(CERTBOT_WWW):/var/www/certbot \
-v $(CERTBOT_LOG):/var/log/letsencrypt \
--entrypoint /bin/sh \
certbot/certbot
# (internal) installs the letsencrypt certbot timer for automatic renewal
nginx-letsencrypt-timer:
@mkdir -p $(HOME)/.config/systemd/user
@cp nginx-proxy/nginx-letsencrypt-renew.timer $(HOME)/.config/systemd/user/nginx-letsencrypt-renew.timer
@cp nginx-proxy/nginx-letsencrypt-renew.service $(HOME)/.config/systemd/user/nginx-letsencrypt-renew.service
systemctl --user daemon-reload
systemctl --user enable --now nginx-letsencrypt-renew.timer
## renews the cert, if already renewable - this is also called from the timer
nginx-letsencrypt-renew:
docker run --rm \
-v $(CERTBOT_CONF):/etc/letsencrypt \
-v $(CERTBOT_WWW):/var/www/certbot \
-v $(CERTBOT_LOG):/var/log/letsencrypt \
certbot/certbot renew -q
## starts the nginx proxy server
nginx-start: nginx-stop
docker run -d --name nginx \
--publish 8080:80 \
--publish 8443:443 \
--network bridge \
-v $(CERTBOT_CONF):/etc/letsencrypt \
-v $(CERTBOT_WWW):/var/www/certbot \
-v $(NGINX_LOG):/var/log/nginx \
-v $(PWD)/.generated/nginx.conf:/etc/nginx/nginx.conf \
nginx
## restarts the nginx proxy server
nginx-restart: nginx-stop nginx-start
## stops the nginx proxy server
nginx-stop:
docker stop nginx || true
docker rm nginx || true
View Git Blame Copy Permalink