Compare commits
5 Commits
ff1b182150
...
16bab4c98e
| Author | SHA1 | Date | |
|---|---|---|---|
|
16bab4c98e | ||
|
|
e7ac45b383 | ||
|
|
b507f60c7a | ||
| c97d093d84 | |||
|
|
f1b95f2852 |
129
Jenkinsfile
vendored
129
Jenkinsfile
vendored
@@ -1,129 +0,0 @@
|
||||
pipeline {
|
||||
agent {
|
||||
label 'puppet'
|
||||
}
|
||||
|
||||
post {
|
||||
always {
|
||||
deleteDir() /* clean up our workspace */
|
||||
}
|
||||
success {
|
||||
updateGitlabCommitStatus state: 'success'
|
||||
}
|
||||
failure {
|
||||
updateGitlabCommitStatus state: 'failed'
|
||||
step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
|
||||
}
|
||||
}
|
||||
|
||||
options {
|
||||
gitLabConnection('gitlab.confdroid.com')
|
||||
}
|
||||
|
||||
stages {
|
||||
|
||||
stage('pull master') {
|
||||
steps {
|
||||
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
|
||||
sh '''
|
||||
git config user.name "Jenkins Server"
|
||||
git config user.email jenkins@confdroid.com
|
||||
# Ensure we're on the development branch (triggered by push)
|
||||
git checkout development
|
||||
# Create jenkins branch from development
|
||||
git checkout -b jenkins-build-$BUILD_NUMBER
|
||||
# Optionally merge master into jenkins to ensure compatibility
|
||||
git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
|
||||
'''
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
stage('puppet parser') {
|
||||
steps {
|
||||
sh '''for file in $(find . -iname \'*.pp\'); do
|
||||
/opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
|
||||
done;'''
|
||||
}
|
||||
}
|
||||
|
||||
stage('check templates') {
|
||||
steps{
|
||||
sh '''for file in $(find . -iname \'*.erb\');
|
||||
do erb -P -x -T "-" $file | ruby -c || exit 1;
|
||||
done;'''
|
||||
}
|
||||
}
|
||||
|
||||
stage('puppet-lint') {
|
||||
steps {
|
||||
sh '''/usr/local/bin/puppet-lint . \\
|
||||
--no-variable_scope-check \\
|
||||
|| { echo "Puppet lint failed"; exit 1; }
|
||||
'''
|
||||
}
|
||||
}
|
||||
|
||||
stage('SonarScan') {
|
||||
steps {
|
||||
withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
|
||||
sh '''
|
||||
/opt/sonar-scanner/bin/sonar-scanner \
|
||||
-Dsonar.projectKey=confdroid_ssh \
|
||||
-Dsonar.sources=. \
|
||||
-Dsonar.host.url=https://sonarqube.confdroid.com \
|
||||
-Dsonar.token=$SONAR_TOKEN
|
||||
'''
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
stage('create Puppet documentation') {
|
||||
steps {
|
||||
sh '/opt/puppetlabs/bin/puppet strings'
|
||||
}
|
||||
}
|
||||
|
||||
stage('update repo') {
|
||||
steps {
|
||||
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
|
||||
sh '''
|
||||
git config user.name "Jenkins Server"
|
||||
git config user.email jenkins@confdroid.com
|
||||
git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
|
||||
git push -o merge_request.create \
|
||||
-o merge_request.target=master \
|
||||
-o merge_request.title="Auto-merge for build $BUILD_NUMBER" \
|
||||
-o merge_request.description="Automated changes from Jenkins build $BUILD_NUMBER" \
|
||||
-o merge_request.merge_when_pipeline_succeeds=true \
|
||||
origin jenkins-build-$BUILD_NUMBER
|
||||
'''
|
||||
}
|
||||
}
|
||||
}
|
||||
stage('Mirror to Gitea') {
|
||||
steps {
|
||||
withCredentials([usernamePassword(
|
||||
credentialsId: 'Jenkins-gitea',
|
||||
usernameVariable: 'GITEA_USER',
|
||||
passwordVariable: 'GITEA_TOKEN')]) {
|
||||
script {
|
||||
// Checkout from GitLab (already done implicitly)
|
||||
sh '''
|
||||
git checkout master
|
||||
git pull origin master
|
||||
git branch -D development
|
||||
git branch -D jenkins-build-$BUILD_NUMBER
|
||||
git rm -f Jenkinsfile
|
||||
git rm -r --cached .vscode || echo "No .vscode to remove from git"
|
||||
git commit --amend --no-edit --allow-empty
|
||||
git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
|
||||
git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
|
||||
push master --mirror
|
||||
'''
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -520,6 +520,60 @@
|
||||
—
|
||||
<div class='inline'>
|
||||
<p>LogLevel setting for sshd_config. Default is ‘INFO’.</p>
|
||||
</div>
|
||||
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<span class='name'>ssh_password_authentication</span>
|
||||
|
||||
|
||||
<span class='type'>(<tt>String</tt>)</span>
|
||||
|
||||
|
||||
<em class="default">(defaults to: <tt>'no'</tt>)</em>
|
||||
|
||||
|
||||
—
|
||||
<div class='inline'>
|
||||
<p>PasswordAuthentication setting for sshd_config. Default is ‘no’, which requires key-based authentication. This is a recommended security setting, so passwords do not show up in logs, but can be set to ‘yes’ if password authentication is desired.</p>
|
||||
</div>
|
||||
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<span class='name'>ssh_permit_empty_passwords</span>
|
||||
|
||||
|
||||
<span class='type'>(<tt>String</tt>)</span>
|
||||
|
||||
|
||||
<em class="default">(defaults to: <tt>'no'</tt>)</em>
|
||||
|
||||
|
||||
—
|
||||
<div class='inline'>
|
||||
<p>PermitEmptyPasswords setting for sshd_config. Default is ‘no’, which is a recommended security setting and works in connection with key-based authentication, but can be set to ‘yes’ if password authentication should be allowed and empty passwords should be allowed. Again, this should be used with caution if enabled.</p>
|
||||
</div>
|
||||
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<span class='name'>ssh_kbd_interactive_auth</span>
|
||||
|
||||
|
||||
<span class='type'>(<tt>String</tt>)</span>
|
||||
|
||||
|
||||
<em class="default">(defaults to: <tt>'no'</tt>)</em>
|
||||
|
||||
|
||||
—
|
||||
<div class='inline'>
|
||||
<p>setting for sshd_config. Default is ‘no’, which is a recommended security setting together with password authentication, but can be set to ‘yes’ if keyboard-interactive authentication should be allowed. (not recommended)</p>
|
||||
</div>
|
||||
|
||||
</li>
|
||||
@@ -535,19 +589,6 @@
|
||||
<pre class="lines">
|
||||
|
||||
|
||||
37
|
||||
38
|
||||
39
|
||||
40
|
||||
41
|
||||
42
|
||||
43
|
||||
44
|
||||
45
|
||||
46
|
||||
47
|
||||
48
|
||||
49
|
||||
50
|
||||
51
|
||||
52
|
||||
@@ -585,10 +626,26 @@
|
||||
84
|
||||
85
|
||||
86
|
||||
87</pre>
|
||||
87
|
||||
88
|
||||
89
|
||||
90
|
||||
91
|
||||
92
|
||||
93
|
||||
94
|
||||
95
|
||||
96
|
||||
97
|
||||
98
|
||||
99
|
||||
100
|
||||
101
|
||||
102
|
||||
103</pre>
|
||||
</td>
|
||||
<td>
|
||||
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 37</span>
|
||||
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 50</span>
|
||||
|
||||
class confdroid_ssh::params (
|
||||
|
||||
@@ -618,7 +675,10 @@ class confdroid_ssh::params (
|
||||
String $ssh_hostkey_type = 'rsa',
|
||||
String $ssh_rekeylimit = 'default none',
|
||||
String $ssh_syslog_facility = 'AUTH',
|
||||
String $ssh_log_level = 'INFO'
|
||||
String $ssh_log_level = 'INFO',
|
||||
String $ssh_password_authentication = 'no',
|
||||
String $ssh_permit_empty_passwords = 'no',
|
||||
String $ssh_kbd_interactive_auth = 'no'
|
||||
|
||||
) {
|
||||
# default facts
|
||||
|
||||
@@ -33,6 +33,19 @@
|
||||
# Default is 'AUTH'.
|
||||
# @param [String] ssh_log_level LogLevel setting for sshd_config.
|
||||
# Default is 'INFO'.
|
||||
# @param [String] ssh_password_authentication PasswordAuthentication setting
|
||||
# for sshd_config. Default is 'no', which requires key-based authentication.
|
||||
# This is a recommended security setting, so passwords do not show up in logs,
|
||||
# but can be set to 'yes' if password authentication is desired.
|
||||
# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting
|
||||
# for sshd_config. Default is 'no', which is a recommended security setting
|
||||
# and works in connection with key-based authentication, but can be set
|
||||
# to 'yes' if password authentication should be allowed and empty passwords
|
||||
# should be allowed. Again, this should be used with caution if enabled.
|
||||
# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
|
||||
# Default is 'no', which is a recommended security setting together
|
||||
# with password authentication, but can be set to 'yes' if
|
||||
# keyboard-interactive authentication should be allowed. (not recommended)
|
||||
##############################################################################
|
||||
class confdroid_ssh::params (
|
||||
|
||||
@@ -62,7 +75,10 @@ class confdroid_ssh::params (
|
||||
String $ssh_hostkey_type = 'rsa',
|
||||
String $ssh_rekeylimit = 'default none',
|
||||
String $ssh_syslog_facility = 'AUTH',
|
||||
String $ssh_log_level = 'INFO'
|
||||
String $ssh_log_level = 'INFO',
|
||||
String $ssh_password_authentication = 'no',
|
||||
String $ssh_permit_empty_passwords = 'no',
|
||||
String $ssh_kbd_interactive_auth = 'no'
|
||||
|
||||
) {
|
||||
# default facts
|
||||
|
||||
@@ -8,11 +8,9 @@
|
||||
Port <%= @ssh_fw_port %>
|
||||
AddressFamily <%= @ssh_address_family %>
|
||||
ListenAddress <%= @ssh_listen_address %>
|
||||
|
||||
<% if @ssh_use_specific_hostkey -%>
|
||||
HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
|
||||
<% end -%>
|
||||
|
||||
RekeyLimit <%= @ssh_rekeylimit %>
|
||||
|
||||
SyslogFacility <%= @ssh_syslog_facility %>
|
||||
@@ -30,4 +28,7 @@ AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
|
||||
AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
|
||||
AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
|
||||
|
||||
# test
|
||||
PasswordAuthentication <%= @ssh_password_authentication %>
|
||||
PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
|
||||
KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user