|
#!/usr/bin/env bash |
|
|
|
# Strict mode: stop on command failure, on unset variables, and on a failure
# in any stage of a pipeline.
set -o errexit -o nounset -o pipefail

# Pinned Jenkins release and the SHA-256 its jenkins.war must have.
# run() uses both as defaults. When bumping the version, update the digest in
# the same change so the integrity check keeps matching the pinned artifact.
DEFAULT_JENKINS_VERSION='2.263.4'
DEFAULT_JENKINS_WAR_SHA256='1d4a7409784236a84478b76f3f2139939c0d7a3b4b2e53b1fcef400c14903ab6'

# Groovy hook script that run() writes to "$JENKINS_HOME/init.groovy".
# The heredoc delimiter is quoted, so the shell expands nothing in the body;
# the Groovy code reads its settings from the process environment instead.
#
# What the script does, in order:
#   - sets the instance URL from JENKINS_URL;
#   - only when the security realm is still NO_AUTHENTICATION: installs
#     HudsonPrivateSecurityRealm(false), creates JENKINS_ADMIN_USER_NAME with
#     the password read from JENKINS_INITIAL_ADMIN_PASSWORD_FILE, and requires
#     login for everything (anonymous read disabled);
#   - installs DefaultCrumbIssuer(true) when no CSRF crumb issuer is set
#     (the `true` excludes the client IP from the crumb);
#   - calls setMasterKillSwitch(false), which leaves agent-to-controller
#     access control switched on.
#
# NOTE(review): the security block is skipped when a realm is already
# configured, so an existing JENKINS_HOME is not re-hardened by this script.
# NOTE(review): the password file is read here but never removed; treat it as
# a secret and rotate the admin password after first login.
JENKINS_INIT_SCRIPT="$(
  cat <<'EOF'
// https://wiki.jenkins.io/display/JENKINS/Groovy+Hook+Script
import hudson.security.*
import hudson.security.csrf.*
import jenkins.model.*
import jenkins.security.s2m.*

def env = System.getenv()
def jenkins = Jenkins.getInstance()

// set url
urlConfig = JenkinsLocationConfiguration.get()
urlConfig.setUrl(env.JENKINS_URL)
urlConfig.save()

// configure security
if (jenkins.getSecurityRealm().equals(HudsonPrivateSecurityRealm.NO_AUTHENTICATION)) {

jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false))

// create admin user
def password = new File(env.JENKINS_INITIAL_ADMIN_PASSWORD_FILE).getText().trim()
def user = jenkins.getSecurityRealm().createAccount(env.JENKINS_ADMIN_USER_NAME, password)
user.save()

def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
jenkins.setAuthorizationStrategy(strategy)
}

// enable csrf protection
if (jenkins.getCrumbIssuer() == null) {
jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))
}

// https://wiki.jenkins.io/display/JENKINS/Slave+To+Master+Access+Control
jenkins.getInjector().getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false)

jenkins.save()
EOF
)"
|
|
|
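#######################################
# Verify (downloading if necessary) the pinned jenkins.war, seed JENKINS_HOME
# with the init script and an admin password file, then replace this process
# with the Jenkins JVM.
# Globals (all overridable from the environment; defaults are set below):
#   JVM_OPTS, JENKINS_HOME, JENKINS_WAR, JENKINS_VERSION, JENKINS_WAR_SHA256,
#   JENKINS_PORT, JENKINS_LISTEN_ADDRESS, JENKINS_URL_PREFIX, JENKINS_URL,
#   JENKINS_ADMIN_USER_NAME, JENKINS_INITIAL_ADMIN_PASSWORD_FILE,
#   JENKINS_ACCESS_LOG, JENKINS_CSP, JENKINS_OPTS
#   DEFAULT_JENKINS_VERSION, DEFAULT_JENKINS_WAR_SHA256, JENKINS_INIT_SCRIPT (read)
# Returns:
#   1 when jenkins.war does not match JENKINS_WAR_SHA256; otherwise does not
#   return, because the shell is replaced by java.
#######################################
run() {
  : "${JVM_OPTS:=""}"
  : "${JENKINS_HOME:="$(pwd)/jenkins_home"}"
  : "${JENKINS_WAR:="$(pwd)/jenkins.war"}"
  : "${JENKINS_VERSION:="$DEFAULT_JENKINS_VERSION"}"
  : "${JENKINS_WAR_SHA256:="$DEFAULT_JENKINS_WAR_SHA256"}"
  : "${JENKINS_PORT:=8080}"
  # Loopback by default: the listener is plain HTTP, so exposing it on another
  # address should go through a TLS-terminating reverse proxy.
  : "${JENKINS_LISTEN_ADDRESS:=127.0.0.1}"
  : "${JENKINS_URL_PREFIX:=/jenkins}"
  : "${JENKINS_URL:="http://$JENKINS_LISTEN_ADDRESS:$JENKINS_PORT$JENKINS_URL_PREFIX"}"
  : "${JENKINS_ADMIN_USER_NAME:=admin}"
  : "${JENKINS_INITIAL_ADMIN_PASSWORD_FILE:="$JENKINS_HOME/.initial_admin_password"}"
  : "${JENKINS_ACCESS_LOG:=$(pwd)/access.log}"
  # https://www.jenkins.io/doc/book/system-administration/security/configuring-content-security-policy/
  # Restrictive default; overriding it relaxes how user-generated files served
  # by Jenkins are rendered in the browser.
  : "${JENKINS_CSP:="sandbox; default-src 'none'; img-src 'self'; style-src 'self';"}"
  : "${JENKINS_OPTS:=""}"

  # Digest of the WAR currently on disk; stays empty when there is no file or
  # it cannot be hashed, which is then treated as a mismatch.
  local actual_sha256=""
  if [[ -f "$JENKINS_WAR" ]]; then
    actual_sha256=$(sha256sum "$JENKINS_WAR" | awk '{ print $1 }') || actual_sha256=""
  fi

  if [[ "$actual_sha256" != "$JENKINS_WAR_SHA256" ]]; then
    # Fetched over HTTPS; the pinned SHA-256 below remains the authoritative
    # integrity check for the artifact.
    wget -O "$JENKINS_WAR" "https://mirrors.jenkins.io/war-stable/$JENKINS_VERSION/jenkins.war"
    actual_sha256=$(sha256sum "$JENKINS_WAR" | awk '{ print $1 }') || actual_sha256=""
  fi

  # Fail closed: never seed JENKINS_HOME for, or execute, a WAR whose digest
  # differs from the pinned value.
  if [[ "$actual_sha256" != "$JENKINS_WAR_SHA256" ]]; then
    echo "error: jenkins.war does not match checksum." >&2
    return 1
  fi

  mkdir -p "$JENKINS_HOME"
  printf '%s\n' "$JENKINS_INIT_SCRIPT" >"$JENKINS_HOME/init.groovy"

  # -s rather than -f: an empty file left by an interrupted earlier run must
  # not become an empty admin password.
  if [[ ! -s "$JENKINS_INITIAL_ADMIN_PASSWORD_FILE" ]]; then
    # umask in a subshell so the secret is owner-only from the moment the file
    # is created, without changing the umask Jenkins itself runs with.
    (umask 077 && openssl rand -base64 32 >"$JENKINS_INITIAL_ADMIN_PASSWORD_FILE")
    echo "Admin password file created. -> $JENKINS_INITIAL_ADMIN_PASSWORD_FILE"
  fi

  # The admin password reaches Jenkins as a file path, not as a value, so it
  # does not show up in the process environment or argument list.
  # JVM_OPTS and JENKINS_OPTS are intentionally unquoted: each holds a
  # whitespace-separated list of options.
  # shellcheck disable=SC2086
  exec env \
    JENKINS_HOME="$JENKINS_HOME" \
    JENKINS_URL="$JENKINS_URL" \
    JENKINS_ADMIN_USER_NAME="$JENKINS_ADMIN_USER_NAME" \
    JENKINS_INITIAL_ADMIN_PASSWORD_FILE="$JENKINS_INITIAL_ADMIN_PASSWORD_FILE" \
    java \
    $JVM_OPTS \
    -Djenkins.install.runSetupWizard=false \
    -Dhudson.model.DirectoryBrowserSupport.CSP="$JENKINS_CSP" \
    -jar "$JENKINS_WAR" \
    --httpPort="$JENKINS_PORT" \
    --httpListenAddress="$JENKINS_LISTEN_ADDRESS" \
    --prefix="$JENKINS_URL_PREFIX" \
    --accessLoggerClassName=winstone.accesslog.SimpleAccessLogger \
    --simpleAccessLogger.format=rproxycombined \
    --simpleAccessLogger.file="$JENKINS_ACCESS_LOG" \
    $JENKINS_OPTS
}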
|
|
|
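#######################################
# Run the Jenkins CLI against JENKINS_URL, downloading jenkins-cli.jar from
# that controller on first use.
# Globals:
#   JENKINS_URL        controller base URL (defaulted below)
#   JENKINS_CLI_JAR    where the CLI jar is cached (defaulted below)
#   JENKINS_USER_ID    required; the call aborts when unset
#   JENKINS_API_TOKEN  required; the call aborts when unset
# Arguments:
#   "$@" is passed through to jenkins-cli unchanged.
# Returns:
#   1 when the jar cannot be downloaded; otherwise does not return, because
#   the shell is replaced by java.
#######################################
cli() {
  : "${JENKINS_URL:="http://127.0.0.1:8080/jenkins"}"
  : "${JENKINS_CLI_JAR:="$(pwd)/jenkins-cli.jar"}"
  # The credentials are only checked for presence here and are not put on the
  # java command line; the CLI jar is expected to pick them up from the
  # environment, which keeps the token out of the process argument list.
  : "${JENKINS_USER_ID?}"
  : "${JENKINS_API_TOKEN?}"

  # NOTE(review): the jar is fetched from JENKINS_URL without an integrity
  # check and then executed with the API token in its environment. With a
  # non-loopback JENKINS_URL, use https:// so neither the jar nor the token
  # crosses the network in clear text.
  #
  # -s rather than -f: an empty jar left by a failed earlier download is
  # fetched again instead of being cached forever.
  if [[ ! -s "$JENKINS_CLI_JAR" ]]; then
    local partial_jar
    partial_jar=$(mktemp "${JENKINS_CLI_JAR}.XXXXXX") || return 1
    # Download next to the target and rename only on success, so a failed or
    # interrupted transfer never leaves a truncated jar at JENKINS_CLI_JAR.
    if ! wget -q -O "$partial_jar" "$JENKINS_URL/jnlpJars/jenkins-cli.jar"; then
      rm -f -- "$partial_jar"
      echo "error: could not download jenkins-cli.jar from $JENKINS_URL" >&2
      return 1
    fi
    mv -f -- "$partial_jar" "$JENKINS_CLI_JAR"
  fi

  exec java -jar "$JENKINS_CLI_JAR" -s "$JENKINS_URL" "$@"
}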
|
|
|
|
|
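# Dispatch only when the file is executed directly; when it is sourced,
# nothing runs and run()/cli() are simply made available.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  set -eu -o pipefail
  # Only the two documented subcommands are dispatched. Executing "$@"
  # unconditionally would make the script run any command named by its first
  # argument, which matters if the script is ever granted elevated rights
  # (sudo rule, CI wrapper). A missing or unknown subcommand prints usage.
  case "${1:-}" in
    run | cli)
      "$@"
      ;;
    *)
      echo "usage: ${0##*/} {run|cli} [args...]" >&2
      exit 2
      ;;
  esac
fi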