bundles/jenkins-ci: add systemd unit file

2022-02-19 18:53:49 +01:00 · 2022-02-19 18:53:49 +01:00 · 945e349d61
commit 945e349d61
parent bd45def053
4 changed files with 59 additions and 0 deletions
--- a/bundles/jenkins-ci/files/jenkins.service
+++ b/bundles/jenkins-ci/files/jenkins.service
@ -0,0 +1,40 @@
+[Unit]
+Description=Jenkins Continuous Integration Server
+Requires=network.target
+After=network.target
+
+[Service]
+Type=simple
+NotifyAccess=main
+ExecStart=/usr/bin/java -Djava.awt.headless=true -Xmx512m -Djava.net.preferIPv4Stack=true -jar /usr/share/jenkins/jenkins.war --httpPort=22010 --httpListenAddress=127.0.0.1
+Restart=always
+RestartSec=10
+
+User=jenkins
+Group=jenkins
+
+Environment="JENKINS_HOME=/var/lib/jenkins"
+WorkingDirectory=/var/lib/jenkins
+
+LimitNOFILE=8192
+LimitNPROC=256
+
+UMask=0022
+
+NoNewPrivileges=true
+ProtectSystem=true
+ReadOnlyPaths=/
+ReadWritePaths=${' '.join(sorted(read_write_paths))}
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+
+[Install]
+WantedBy=multi-user.target
--- a/bundles/jenkins-ci/items.py
+++ b/bundles/jenkins-ci/items.py
@ -22,6 +22,16 @@ files = {
    '/var/lib/jenkins/.ssh/config': {
        'source': 'ssh-config',
    },
+    '/etc/systemd/system/jenkins.service': {
+        'content_type': 'mako',
+        'context': {
+            'read_write_paths': node.metadata.get('jenkins-ci/writeable_paths'),
+        },
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:jenkins:restart',
+        },
+    }
 }

 if node.metadata.get('jenkins-ci/install_ssh_key', False):
--- a/bundles/jenkins-ci/metadata.py
+++ b/bundles/jenkins-ci/metadata.py
@ -21,6 +21,11 @@ defaults = {
            '/var/lib/jenkins',
        },
    },
+    'jenkins-ci': {
+        'writeable_paths': {
+            '/var/lib/jenkins',
+        },
+    },
    'zfs': {
        'datasets': {
            'tank/jenkins': {
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@ -152,6 +152,10 @@ nodes['rx300'] = {
        'jenkins-ci': {
            'install_ssh_key': True,
            'domain': 'jenkins.franzi.business',
+            'writeable_paths': {
+                '/var/www/franzi.business', # for deployment task
+                '/var/www/unicornsden', # for deployment task
+            },
        },
        'letsencrypt': {
            'concat_and_deploy': {