init

.gitignore

@@ -0,0 +1,10 @@
+.DS_Store
+scratch/*
+*.box
+.vagrant
+puppet/modules
+puppet/**/hieradata/sensitive.yaml
+puppet/.tmp
+puppet/.librarian
+nolibrarian
+puppet/hiera.yaml.rpmsave

README.md

@@ -0,0 +1,10 @@
+
+Only the master Jenkins server is provisioned at this time. Provisioning
+a separate worker node has not been implemented. Of course the master
+server can also serve as a worker so this single node will be sufficient
+for most use cases.
+
+Manual Puppet Run
+=======
+
+    sudo /opt/puppetlabs/bin/puppet apply --environment=production /etc/puppetlabs/code/environments/production/manifests/site.pp

Vagrantfile

@@ -0,0 +1,80 @@
+BOX = 'ebrc/centos-7-64-puppet'
+BOX_URL = ''
+TLD = 'jenkins.vm'
+
+JENKINS_HOSTS = {
+  :master => {
+    :vagrant_box     => BOX,
+    :vagrant_box_url => BOX_URL,
+    :wf_hostname     => 'ci.' + TLD,
+    :puppet_manifest => 'site.pp'
+  },
+#   :node => {
+#     :vagrant_box     => BOX,
+#     :vagrant_box_url => BOX_URL,
+#     :wf_hostname     => 'node1.' + TLD,
+#     :puppet_manifest => 'site.pp'
+#   },
+}
+
+[
+  { :name => 'vagrant-librarian-puppet', :version => '>= 0.9.2' },
+].each do |plugin|
+  if not Vagrant.has_plugin?(plugin[:name], plugin[:version])
+    raise "#{plugin[:name]} #{plugin[:version]} is required. Please run `vagrant plugin install #{plugin[:name]}`"
+  end
+end
+
+Vagrant.configure(2) do |config|
+
+  JENKINS_HOSTS.each do |name,cfg|
+    config.vm.define name do |vm_config|
+
+      vm_config.vm.provider 'virtualbox' do |v|
+        v.gui = false
+      end
+
+      if Vagrant.has_plugin?('landrush')
+        vm_config.landrush.enabled = true
+        vm_config.landrush.tld = TLD
+      end
+
+      vm_config.vm.box      = cfg[:vagrant_box]     if cfg[:vagrant_box]
+      vm_config.vm.box_url  = cfg[:vagrant_box_url] if cfg[:vagrant_box_url]
+      vm_config.vm.hostname = cfg[:wf_hostname]     if cfg[:wf_hostname]
+
+      vm_config.vm.synced_folder 'puppet/',
+        '/etc/puppetlabs/code/',
+        owner: 'root', group: 'root'
+
+      vm_config.ssh.forward_agent = true
+      vm_config.ssh.pty = true
+
+      if ! File.exist?(File.dirname(__FILE__) + '/nolibrarian')
+        vm_config.librarian_puppet.puppetfile_dir = 'puppet'
+        vm_config.librarian_puppet.destructive = false
+      end
+
+      if ( Vagrant.has_plugin?('landrush') and vm_config.landrush.enabled)
+        # The Puppet manifests includes a firewalld reload that clobbers
+        # the iptables dns nat rule added by Landrush. So save iptables
+        # for restoration after Puppet provisioning.
+        vm_config.vm.provision :shell, inline: '/sbin/iptables-save -t nat > /root/landrush.iptables'
+      end
+      vm_config.vm.provision :puppet do |puppet|
+        puppet.environment = 'production'
+        puppet.environment_path = 'puppet/environments'
+        puppet.manifests_path = 'puppet/environments/production/manifests'
+        puppet.manifest_file = cfg[:puppet_manifest]
+        puppet.hiera_config_path = 'puppet/hiera.yaml'
+        #puppet.options = ['--debug --trace --verbose']
+      end
+      if ( Vagrant.has_plugin?('landrush') and vm_config.landrush.enabled)
+        vm_config.vm.provision :shell, inline: '/sbin/iptables-restore < /root/landrush.iptables'
+      end
+
+    end
+  end
+
+
+end

puppet/Puppetfile

@@ -0,0 +1,21 @@
+forge 'https://forgeapi.puppetlabs.com'
+
+mod 'crayfishx/firewalld'
+mod 'jlambert121/trusted_ca'
+mod 'puppet/archive'
+mod 'puppetlabs/java_ks'
+mod 'puppetlabs/stdlib'
+mod 'stahnma/epel'
+
+mod 'ebrc/ebrc_yum_repo',
+  :git => 'git@github.com:EuPathDB/puppet-ebrc_yum_repo.git'
+
+mod 'ebrc/ebrc_java',
+  :git => 'git@github.com:EuPathDB/puppet-ebrc_java.git'
+
+mod 'ebrc/ebrc_jenkins',
+  :git => 'git@github.com:EuPathDB/puppet-ebrc_jenkins.git'
+
+mod 'local/profiles',
+  :path => './src/profiles'
+  :latest

puppet/Puppetfile.lock

@@ -0,0 +1,55 @@
+FORGE
+  remote: https://forgeapi.puppetlabs.com
+  specs:
+    crayfishx-firewalld (3.1.4)
+      puppetlabs-stdlib (< 5.0.0, >= 4.2.0)
+    jlambert121-trusted_ca (1.1.0)
+      puppetlabs-stdlib (< 5.0.0, >= 3.2.0)
+    puppet-archive (1.1.2)
+      puppetlabs-stdlib (< 5.0.0, >= 4.2.0)
+    puppetlabs-java_ks (1.4.1)
+    puppetlabs-stdlib (4.12.0)
+    stahnma-epel (1.2.2)
+      puppetlabs-stdlib (>= 3.0.0)
+
+GIT
+  remote: git@github.com:EuPathDB/puppet-ebrc_java.git
+  ref: master
+  sha: 5434fa8c13d2dc4987530b5d9e713f05b9d93841
+  specs:
+    ebrc-ebrc_java (0.1.0)
+
+GIT
+  remote: git@github.com:EuPathDB/puppet-ebrc_jenkins.git
+  ref: master
+  sha: 133ce0f678faa7af1a3a2a743c67baba09adee20
+  specs:
+    ebrc-ebrc_jenkins (0.0.1)
+
+GIT
+  remote: git@github.com:EuPathDB/puppet-ebrc_yum_repo.git
+  ref: master
+  sha: 2e75a0de6b7e4da022a1a4de7ee5306b5fcc0a4d
+  specs:
+    ebrc-ebrc_yum_repo (0.1.0)
+      puppetlabs-stdlib (>= 1.0.0)
+
+PATH
+  remote: ./src/profiles
+  specs:
+    local-profiles (0.0.0)
+      crayfishx-firewalld (>= 0)
+      ebrc-ebrc_jenkins (>= 0)
+
+DEPENDENCIES
+  crayfishx-firewalld (>= 0)
+  ebrc-ebrc_java (>= 0)
+  ebrc-ebrc_jenkins (>= 0)
+  ebrc-ebrc_yum_repo (>= 0)
+  jlambert121-trusted_ca (>= 0)
+  local-profiles (>= 0)
+  puppet-archive (>= 0)
+  puppetlabs-java_ks (>= 0)
+  puppetlabs-stdlib (>= 0)
+  stahnma-epel (>= 0)
+

puppet/environments/production/hieradata/common.yaml

@@ -0,0 +1,19 @@
+---
+ebrc_jenkins::user_home: /usr/local/home/jenkins
+ebrc_jenkins::instances:
+  CI:
+    version: 1.638
+    http_port: 9181
+    jmx_port:  9120
+
+ebrc_ca::cacert: apidb-ca-rsa.crt
+ebrc_java::java_home: /usr/java/jdk1.8.0_92
+ebrc_java::packages:
+  - jdk1.8.0_92
+ebrc_java::java_home: /usr/java/jdk1.8.0_92
+ebrc_java::default_ver: /usr/java/jdk1.8.0_92
+
+java_keystore_target: /etc/pki/tls/certs/cacerts
+java_keystore_passwd: graeo5locza
+
+local_home: /usr/local/home

puppet/environments/production/hieradata/nodes/ci.jenkins.vm.yaml

@@ -0,0 +1,3 @@
+---
+roles:
+  - profiles::ebrc_jenkins

puppet/environments/production/hieradata/nodes/node1.jenkins.vm.yaml

@@ -0,0 +1,2 @@
+---
+roles:

puppet/environments/production/manifests/site.pp

@@ -0,0 +1,4 @@
+node default {
+  hiera_include('roles')
+}
+

puppet/hiera.yaml

@@ -0,0 +1,12 @@
+---
+:backends:
+    - yaml
+    
+:yaml:
+    :datadir: "%{settings::codedir}/environments/%{::environment}/hieradata"
+
+:hierarchy:
+    - "nodes/%{::fqdn}"
+    - "%{::domain}"
+    - sensitive
+    - common

puppet/src/README.md

@@ -0,0 +1,4 @@
+This `src` directory contains Puppet modules only available in this
+Vagrant project. Because Puppet librarian can clean out the `modules`
+directory, we put local modules here, out of librarian's scope, and
+reference them for in the Puppetfile for installation to `modules`.

puppet/src/profiles/files/ssl/apidb-ca-rsa.crt

@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGujCCBKKgAwIBAgIJAJ88X2Ge/QNVMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD
+VQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxQaGlsYWRl
+bHBoaWExLTArBgNVBAoTJEFwaURCIEJpb2luZm9ybWF0aWNzIFJlc291cmNlIENl
+bnRlcjEOMAwGA1UEAxMFQXBpREIxHTAbBgkqhkiG9w0BCQEWDmhlbHBAYXBpZGIu
+b3JnMB4XDTEyMDgzMTE5MTMyNFoXDTIyMDgyOTE5MTMyNFowgZkxCzAJBgNVBAYT
+AlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTATBgNVBAcTDFBoaWxhZGVscGhp
+YTEtMCsGA1UEChMkQXBpREIgQmlvaW5mb3JtYXRpY3MgUmVzb3VyY2UgQ2VudGVy
+MQ4wDAYDVQQDEwVBcGlEQjEdMBsGCSqGSIb3DQEJARYOaGVscEBhcGlkYi5vcmcw
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDWjz2aYcFph78mYHXI92QG
+RetOwW8Sp8bSaI3j3/MsG/+0zAesAub3qAldizZSnPGT62Ok9CwloKno8xl5k08D
+tdK1PBy1KTcOhpVGDpGpQIWC5cZ3WmLkT9VciE25MSsmBsShqP7jmDy9tBAOQ5mJ
+YeFxnnkiZfNMkeW+fMv/SUIutebUVMi+ZnRqj5DDlgLbcNUzH533SauYXTkehbyY
+Awwx2BtPhjINWn4PFv11NGM8P5mri6+M0l8twCIUKFi9SoCjYAM0uOd3AS3EJxxK
+M3QBYJVrykbqxHF/MaD3z/hbXCrhmIQm96ApnVnmxpc1DtkPKkkfhbnkDbOJqVfe
+6IOHxxzRN1a1Igb12dR+nRAf6vZNCMZ1YFzC01rw1bkKlYrcaX+ZM1El1n1mgHtP
+OrQZLeNzCCl0LACBAC1Ky4/2OdyAP7A3Hrlo4dT8rTC+5ZWn+vuhwZV6KMk7rElf
+n1HpBvKwypSJqc5jHq7f9hTQyktWdg1rfvn+TPPfZHehKsYQrR1oEGJVynouvQMG
+YrDnGTbg12xpMv+zWDpRsuTx6zpSwbS/S3/PnEndhQBx8eRrHbHkV/9zP1qPt7Xl
+mX5XLQz+zJV801rx00Jadfta8SZBohV6uhhwFdBuc1z7+VOhKjKVG5EzfhINY4a/
+3CaoTF51sAHuLl6q67T9FQIDAQABo4IBATCB/jAdBgNVHQ4EFgQUasR0PhZJaGRx
+tVXJleUI6PJXEvUwgc4GA1UdIwSBxjCBw4AUasR0PhZJaGRxtVXJleUI6PJXEvWh
+gZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTAT
+BgNVBAcTDFBoaWxhZGVscGhpYTEtMCsGA1UEChMkQXBpREIgQmlvaW5mb3JtYXRp
+Y3MgUmVzb3VyY2UgQ2VudGVyMQ4wDAYDVQQDEwVBcGlEQjEdMBsGCSqGSIb3DQEJ
+ARYOaGVscEBhcGlkYi5vcmeCCQCfPF9hnv0DVTAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBBQUAA4ICAQAgiSwGDZvC9GVErm8m7DNdLU17lP8V1aUXMLbwAm2hwp6C
+snUR3TzJ0MOPSPy67NIMYMWwkRKDILKUXOvfsnE295ZmqmTaUZk+Uv3DoU3xcaIw
+LbAOhlIrgPvGQyWXUwAdGacBTrJM4dzQ+pAPnt9ZVu5X9+BYD7ic0H0WNimurjtk
+4l+X+wxibJB8Mj3zMnkBRm3wNS1teeU3HRjByEX3HoHuxMYWhWX6tOosBIXiV/9c
+12jVPseogPROziiMxqpkyDqUXWiZhzvL/MK0NGYGPlevAodvTWh4CG8Ld1ErFy07
+Sk6YVxBQhz5+HAyHQNLjySh8UeX4EdF9Y1Fpmmy7M2afV+YEjB0ahIGmYfUqt4rj
+KbeRdmqobpzjQ7iH53xBS8JMUw1EOP4Evjsi7/62XqB4MgRQ9EM85T0W3zhiwFF2
+6h7BJ11ElhPjmTzzz12p/MBnnYmrMNwYKzDobfdlDoC4dAz1U5RDI1D7w8RyZbOk
+5FOxGCS2/8Hk8vBL6/ZF5sTD3iqb7YDdEgvkrnAnPk3UAQ6FHPzp7tfC3IBQr7Jf
+BmkZhG9oGg8WIkGPKxUqMJuoQAb5UB6GwE6nz2dCnAM62qUVLljs0XNWK1lgRpYy
+JM0ZtsohoVcerth4vUVwrxATaSJ5N+9e9uitABWEOdkiT6l0Fv8aLrjv/ZkLCA==
+-----END CERTIFICATE-----

puppet/src/profiles/manifests/ebrc_ca_bundle.pp

@@ -0,0 +1,26 @@
+# install EuPathDB BRC's Certificate Authority to filesystem and add to
+# system CA bundle using ca-certificates utilities.
+# Hiera
+#
+#  The following hiera data should be set for use by the underlying
+#  modules. Defaults are set in common.yaml
+#  - ebrc_ca::cacert - filename of certificate
+class profiles::ebrc_ca_bundle {
+
+  include ::trusted_ca
+
+  $ca_name = hiera('ebrc_ca::cacert')
+
+  trusted_ca::ca { $ca_name:
+    source => "puppet:///modules/profiles/ssl/${ca_name}",
+  }
+
+  file { "/etc/pki/tls/certs/${ca_name}":
+    ensure => file,
+    source => "puppet:///modules/profiles/ssl/${ca_name}",
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+  }
+
+}

puppet/src/profiles/manifests/ebrc_ca_keystore.pp

@@ -0,0 +1,40 @@
+# install EuPathDB BRC's Certificate Authority to java keystore.
+# Leverages puppetlabs/java_ks
+#
+# Requirements
+#   - EuPathDB's CA must already be on the file system 
+#     (see profile::ebrc_ca_bundle).
+#   - keytool command must be available (provided by modern Java packages)
+# Hiera
+#
+#  The following hiera data should be set for use by the underlying
+#  modules. Defaults are set in common.yaml
+#  - ebrc_ca::cacert - filename for certificate
+#  - ebrc_java::java_home - java base directory
+#  - java_keystore_target - path for keystore
+#  - java_keystore_passwd - password for keystore
+class profiles::ebrc_ca_keystore {
+
+  $alias = 'eupathdbinternalca'
+  $cacert = hiera('ebrc_ca::cacert')
+  $java_home = hiera('ebrc_java::java_home')
+  $java_ks_target = hiera('java_keystore_target')
+  $java_ks_passwd = hiera('java_keystore_passwd')
+
+  if $::osfamily == 'redhat' {
+    $certdir = '/etc/pki/tls/certs'
+  } else {
+    fail("profiles::ebrc_ca_keystore: Unsupported osfamily: ${::osfamily}")
+  }
+
+  java_ks { $alias:
+    ensure       => latest,
+    path         => ["${java_home}/bin", '/usr/bin'],
+    certificate  => "${certdir}/${cacert}",
+    target       => $java_ks_target,
+    password     => $java_ks_passwd,
+    trustcacerts => true,
+  }
+
+
+}

puppet/src/profiles/manifests/ebrc_java_stack.pp

@@ -0,0 +1,48 @@
+# Full java deployment for EuPathDB BRC servers
+# Includes
+#  - installing one or more Java packages from EuPathDB YUM repo
+#  - adds EuPathDB's certificate authority to cacerts keystore.
+#
+# Hiera
+#
+#  The following hiera data should be set for use by the underlying
+#  modules.
+#
+#  Used by ebrc_java
+#    ebrc_java::packages - an array of Java packages to install, e.g
+#        ebrc_java::packages:
+#          - jdk-1.7.0_80
+#          - jdk-1.8.0_01
+#    ebrc_java::java_home - the full path to $JAVA_HOME, e.g.
+#         ebrc_java::java_home: /usr/java/jdk1.7.0_80
+#
+#  Used by ::profiles::ebrc_ca_keystore
+#   java_keystore_target - the full path to the Java keystore file, e.g.
+#         java_keystore_target: /etc/pki/tls/certs/cacerts
+#   java_keystore_passwd - the keystore password
+#         java_keystore_passwd: graeo5locza
+#
+#  Used by ::profiles::ebrc_ca_bundle
+#    ebrc_ca::cacert - the file name of EBRC's CA
+#       ebrc_ca::cacert: apidb-ca-rsa.crt
+#
+class profiles::ebrc_java_stack {
+
+  include ::ebrc_yum_repo
+  include ::profiles::ebrc_ca_bundle
+  include ::profiles::ebrc_ca_keystore
+
+  $java_home     = hiera('ebrc_java::java_home')
+  $java_packages = hiera('ebrc_java::packages')
+
+  class { '::ebrc_java':
+    packages  => $java_packages,
+    java_home => $java_home,
+  }
+
+  Class['::ebrc_yum_repo'] ->
+  Class['::ebrc_java'] ->
+  Class['::profiles::ebrc_ca_bundle'] ->
+  Class['::profiles::ebrc_ca_keystore']
+
+}

puppet/src/profiles/manifests/ebrc_jenkins.pp

@@ -0,0 +1,44 @@
+# manage requirements for Jenkins server instances
+# for EuPathDB
+class profiles::ebrc_jenkins {
+
+    include ::profiles::ebrc_java_stack
+    include ::profiles::local_home
+    include ::ebrc_jenkins
+
+    Class['::profiles::ebrc_java_stack'] ->
+    Class['::profiles::local_home'] ->
+    Class['::ebrc_jenkins']
+    
+    firewalld::custom_service{ 'Allow jenkins in public zone':
+      short  => 'jenkins',
+      port   => [
+        {
+          'port'     => 9191,
+          'protocol' => 'tcp'
+        },
+        {
+          'port'     => 9181,
+          'protocol' => 'tcp'
+        },
+        {
+          'port'     => 9130,
+          'protocol' => 'tcp'
+        },
+        {
+          'port'     => 9120,
+          'protocol' => 'tcp'
+        },
+      ],
+      before => Firewalld_service['Allow jenkins in public zone'],
+    }
+
+    firewalld_service {'Allow jenkins in public zone':
+        ensure  => 'present',
+        zone    => 'public',
+        service => 'jenkins',
+    }
+
+
+
+}

puppet/src/profiles/manifests/local_home.pp

@@ -0,0 +1,10 @@
+# manage a home that is on a local filesystem
+# as opposed to NFS
+class profiles::local_home {
+
+    $local_home = hiera('local_home')
+
+    file{ [$local_home]:
+      ensure => directory,
+    }
+}

puppet/src/profiles/metadata.json

@@ -0,0 +1,15 @@
+{
+  "name": "local/profiles",
+  "version": "0.0.0",
+  "author": "ebrc",
+  "summary": "Local profiles to install Jenkins master",
+  "license": "Apache-2.0",
+  "source": "",
+  "project_page": null,
+  "issues_url": null,
+  "dependencies": [
+    {"name":"ebrc/ebrc_jenkins"},
+    {"name":"crayfishx/firewalld"}
+  ]
+}
+

scratch/.gitignore

@@ -0,0 +1,5 @@
+.DS_Store
+.vagrant
+
+!.gitignore
+