add jenkins sudoer - https://gitlab.confdroid.com/internal/confdroid_management/-/issues/283

2025-10-21 17:14:08 +02:00
parent 94b6c68d9c
commit 7e35fcaa2b
25 changed files with 42 additions and 3243 deletions
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -8,5 +8,23 @@ class jenkins_cd::main::files (
 ) inherits jenkins_cd::params {
  if $fqdn == $js_host_fqdn {
    require jenkins_cd::main::dirs
+    if $js_use_sudo == true {
+      file { $js_sudoers_file:
+        ensure   => file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0440',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => etc_t,
+        seluser  => system_u,
+        content  => template($js_sudoers_erb),
+      }
+    }
+    if $js_use_sudo != true {
+      file { $js_sudoers_file:
+        ensure   => absent,
+      }
+    }
  }
 }
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -2,13 +2,14 @@
 # Module name: jenkins_cd
 # Author: Arne Teuke (arne_teuke@confdroid.com)
 # @summary Class holds all parameters for the jenkins_cd module.
-# @param [array] reqpackages which packages to install
-# @param [string] pkg_ensure which packages to install
-# @param [string] js_host_fqdn fqdn of the host where Jenkins should run
-# @param [boolean] js_enable_fw whether to enable firewall control
-# @param [string] js_fw_rule the prefix for the firewall rule order
-# @param [string] js_jenkins_port the port to open for Jenkins
-# @param [string] js_source_net the source range to open
+# @param [Array] reqpackages which packages to install
+# @param [String] pkg_ensure which packages to install
+# @param [String] js_host_fqdn fqdn of the host where Jenkins should run
+# @param [Boolean] js_enable_fw whether to enable firewall control
+# @param [String] js_fw_rule the prefix for the firewall rule order
+# @param [String] js_jenkins_port the port to open for Jenkins
+# @param [String] js_source_net the source range to open
+# @param [Boolean] js_use_sudo whether to add Jenkins to sudoers list
 ##############################################################################
 class jenkins_cd::params (

@@ -24,6 +25,9 @@ class jenkins_cd::params (
  String $js_jenkins_port = '8080',
  String $js_source_net   = '0.0.0.0/0',

+  # user
+  Boolean $js_use_sudo    = false,
+
 ) {
  # facts
  $fqdn                   = $facts['networking']['fqdn']
@@ -36,6 +40,9 @@ class jenkins_cd::params (
  $js_key_url             = "${js_base_url}/jenkins.io-2023.key"
  $js_key_code            = 'gpg-pubkey-ef5975ca-6421ce2b'

+  $js_sudoers_file        = '/etc/sudoers.d/jenkins_sudo'
+  $js_sudoers_erb         = 'jenkins_cd/sudoers.erb'
+
  # Service
  $js_service             = 'jenkins'