@iskandarsaleh
Forked from gustavomcarmo/Dockerfile
Created December 30, 2018 04:31
Example of an Ansible playbook for building a custom Jenkins Docker image and running it on a remote host.
#!groovy
import jenkins.model.Jenkins
import hudson.tasks.*
import hudson.tools.*
import hudson.util.DescribableList
// Registers a single Maven tool installation named "M3" in the Jenkins global
// tool configuration and persists it.
def controller = Jenkins.getInstance()
def mavenDescriptor = controller.getExtensionList(Maven.DescriptorImpl.class)[0]

// Install source carrying one automatic installer for Maven 3.5.3.
def installSource = new InstallSourceProperty()
installSource.installers.add(new Maven.MavenInstaller("3.5.3"))

// Tool properties attached to the installation; only the install source is set.
def toolProperties = new DescribableList<ToolProperty<?>, ToolPropertyDescriptor>()
toolProperties.add(installSource)

// The home argument is left empty, so the tool location is not fixed here.
mavenDescriptor.setInstallations(new Maven.MavenInstallation("M3", "", toolProperties))
mavenDescriptor.save()
#!groovy
import jenkins.model.Jenkins
import hudson.security.*
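// Switches Jenkins to its own user database with matrix-based authorization and
// creates one administrator account from the JENKINS_USER / JENKINS_PASS
// environment variables.
//
// NOTE(review): the Dockerfile on this page bakes default values for both
// variables into the image with ENV; supply real values when the container is
// started instead of relying on those defaults.
// NOTE(review): scripts in init.groovy.d are run at Jenkins start-up, so this
// presumably replaces the realm, the authorization strategy and the account on
// every restart, discarding permissions granted later through the UI - confirm.
def jenkins = Jenkins.getInstance()

// Apply the restrictive realm/strategy BEFORE validating the credentials: if the
// check below aborts the script, the instance is left with an empty permission
// matrix rather than with whatever it had before.
jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false)) // false: no self-service sign-up
jenkins.setAuthorizationStrategy(new GlobalMatrixAuthorizationStrategy())

String adminUser = System.getenv('JENKINS_USER')
String adminPass = System.getenv('JENKINS_PASS')

// Fail with a clear message instead of passing null/empty values to
// createAccount(). The password itself is deliberately kept out of the message.
if (!adminUser?.trim() || !adminPass) {
    throw new IllegalStateException('JENKINS_USER and JENKINS_PASS must both be set to non-empty values')
}

def user = jenkins.getSecurityRealm().createAccount(adminUser, adminPass)
user.save()

// Grant the new account full administrative rights in the otherwise empty matrix.
jenkins.getAuthorizationStrategy().add(Jenkins.ADMINISTER, adminUser)
jenkins.save()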
# Custom Jenkins image: setup wizard disabled, configuration applied by Groovy
# init scripts, plugins preinstalled from plugins.txt.
#
# NOTE(review): "lts" is a floating tag, so each build may pick up a different
# base image. Pin a specific version or digest for reproducible builds,
# e.g. jenkins/jenkins:<VERSION>@sha256:<DIGEST> (placeholders).
FROM jenkins/jenkins:lts
LABEL maintainer="Gustavo Muniz do Carmo <gustavo@esign.com.br>"

# Skipping the setup wizard also skips its initial admin/unlock step, so access
# control depends entirely on the init scripts copied below.
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"

# NOTE(review): config-sonarqube.groovy is not among the files the playbook on
# this page copies to the build host; the build fails unless it is present in
# the build context.
COPY config-maven.groovy config-sonarqube.groovy harden-jenkins.groovy default-user.groovy \
     /usr/share/jenkins/ref/init.groovy.d/

# NOTE(review): these defaults are stored in the image metadata and are readable
# by anyone who can pull or inspect the image. Treat them as placeholders and
# override both at container start (e.g. `docker run -e`, or `env:` on the
# Ansible docker_container task), preferably from a secret store.
ENV JENKINS_USER=jenkins-admin
ENV JENKINS_PASS=jenkins-admin-password

# NOTE(review): plugins.txt on this page lists plugin names without versions, so
# each build installs whatever versions are current at build time.
# NOTE(review): newer jenkins/jenkins images ship jenkins-plugin-cli and may no
# longer include install-plugins.sh - confirm against the base image in use.
COPY plugins.txt /usr/share/jenkins/ref/
RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt
#!groovy
import jenkins.model.Jenkins
import jenkins.security.s2m.*
import hudson.security.csrf.DefaultCrumbIssuer
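// Applies baseline hardening to the running Jenkins instance: CSRF crumbs,
// CLI remoting off, agent-to-master access control on, legacy agent protocols
// removed. The result is persisted with jenkins.save().
Jenkins jenkins = Jenkins.getInstance()

// CSRF protection. The constructor argument `true` excludes the client IP from
// the crumb (useful behind a proxy, at the cost of a slightly weaker binding).
jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))

// Disable CLI remoting. getDescriptor() returns null when no descriptor with
// that id exists; guard against it so that a missing descriptor does not abort
// the script and silently skip the remaining hardening steps.
def cliConfig = jenkins.getDescriptor("jenkins.CLI")
if (cliConfig != null) {
    cliConfig.get().setEnabled(false)
} else {
    println "harden-jenkins: no jenkins.CLI descriptor found; skipping the CLI remoting switch"
}

// Enable the agent-to-master security subsystem: the "kill switch" disables it,
// so setting the switch to false turns the protection on.
jenkins.injector.getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false)

// Drop the old, non-encrypted agent protocols. Work on a copy of the current
// set, then hand the reduced set back to Jenkins.
// NOTE(review): JNLP3-connect is presumably deprecated upstream as well -
// confirm and consider removing it here too.
Set<String> agentProtocols = new HashSet<>(jenkins.getAgentProtocols())
agentProtocols.removeAll(Arrays.asList("JNLP2-connect", "JNLP-connect"))
jenkins.setAgentProtocols(agentProtocols)

jenkins.save()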
# Copies the image sources to the hosts in the "jenkins" group, builds the
# custom/jenkins image there and starts a container from it.
- hosts: jenkins
  gather_facts: false
  tasks:
    # NOTE(review): the Dockerfile on this page also COPYs config-sonarqube.groovy,
    # which is not in this list; the image build fails unless that file reaches
    # the build directory some other way.
    - name: Copy files for custom Jenkins Docker image building
      copy:
        src: '{{ item }}'
        dest: './{{ item }}'
      loop:
        - Dockerfile
        - config-maven.groovy
        - harden-jenkins.groovy
        - default-user.groovy
        - plugins.txt

    - name: Build the custom Jenkins Docker image
      docker_image:
        path: ./
        name: custom/jenkins

    # NOTE(review): no `env:` is passed, so the container runs with the
    # JENKINS_USER / JENKINS_PASS defaults baked into the image. Supply real
    # credentials here (ideally from Ansible Vault) before exposing the service.
    # NOTE(review): 8080:8080 publishes the plain-HTTP port on every host
    # interface; binding to a specific address behind a TLS-terminating proxy
    # limits exposure.
    - name: Run Jenkins Docker image
      docker_container:
        name: jenkins
        image: custom/jenkins
        published_ports:
          - "8080:8080"
ace-editor
ant
antisamy-markup-formatter
apache-httpcomponents-client-4-api
authentication-tokens
blueocean
blueocean-autofavorite
blueocean-bitbucket-pipeline
blueocean-commons
blueocean-config
blueocean-core-js
blueocean-dashboard
blueocean-display-url
blueocean-events
blueocean-git-pipeline
blueocean-github-pipeline
blueocean-i18n
blueocean-jira
blueocean-jwt
blueocean-personalization
blueocean-pipeline-api-impl
blueocean-pipeline-editor
blueocean-pipeline-scm-api
blueocean-rest
blueocean-rest-impl
blueocean-web
bouncycastle-api
branch-api
build-timeout
cloudbees-bitbucket-branch-source
cloudbees-folder
command-launcher
credentials
credentials-binding
display-url-api
docker-commons
docker-workflow
durable-task
email-ext
favorite
git
git-client
git-server
github
github-api
github-branch-source
gradle
handlebars
handy-uri-templates-2-api
htmlpublisher
jackson2-api
jenkins-design-language
jira
jquery-detached
jsch
junit
ldap
mailer
mapdb-api
matrix-auth
matrix-project
mercurial
momentjs
pam-auth
pipeline-build-step
pipeline-github-lib
pipeline-graph-analysis
pipeline-input-step
pipeline-milestone-step
pipeline-model-api
pipeline-model-declarative-agent
pipeline-model-definition
pipeline-model-extensions
pipeline-rest-api
pipeline-stage-step
pipeline-stage-tags-metadata
pipeline-stage-view
plain-credentials
pubsub-light
resource-disposer
scm-api
script-security
sonar
sse-gateway
ssh-credentials
ssh-slaves
structs
subversion
timestamper
token-macro
variant
workflow-aggregator
workflow-api
workflow-basic-steps
workflow-cps
workflow-cps-global-lib
workflow-durable-task-step
workflow-job
workflow-multibranch
workflow-scm-step
workflow-step-api
workflow-support
ws-cleanup