Add Jenkins, and requisites for building The Booke Of Dottes.

This commit is contained in:
Jim Hague 2023-02-26 00:37:35 +00:00
parent 6f23b71595
commit d33ae10f29
9 changed files with 283 additions and 0 deletions


@ -10,6 +10,18 @@ apache_cgid_module:
apache_module.enabled:
- name: cgid
apache_headers_module:
apache_module.enabled:
- name: headers
apache_proxy_module:
apache_module.enabled:
- name: proxy
apache_proxy_http_module:
apache_module.enabled:
- name: proxy_http
apache_remoteip_module:
apache_module.enabled:
- name: remoteip



@ -0,0 +1,92 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)*>
<!ATTLIST policymap xmlns CDATA #FIXED ''>
<!ELEMENT policy EMPTY>
<!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
]>
<!--
Configure ImageMagick policies.
Domains include system, delegate, coder, filter, path, or resource.
Rights include none, read, write, execute and all. Use | to combine them,
for example: "read | write" to permit read from, or write to, a path.
Use a glob expression as a pattern.
Suppose we do not want users to process MPEG video images:
<policy domain="delegate" rights="none" pattern="mpeg:decode" />
Here we do not want users reading images from HTTP:
<policy domain="coder" rights="none" pattern="HTTP" />
The /repository file system is restricted to read only. We use a glob
expression to match all paths that start with /repository:
<policy domain="path" rights="read" pattern="/repository/*" />
Lets prevent users from executing any image filters:
<policy domain="filter" rights="none" pattern="*" />
Any large image is cached to disk rather than memory:
<policy domain="resource" name="area" value="1GP"/>
Use the default system font unless overwridden by the application:
<policy domain="system" name="font" value="/usr/share/fonts/favorite.ttf"/>
Define arguments for the memory, map, area, width, height and disk resources
with SI prefixes (.e.g 100MB). In addition, resource policies are maximums
for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
exceeds policy maximum so memory limit is 1GB).
Rules are processed in order. Here we want to restrict ImageMagick to only
read or write a small subset of proven web-safe image types:
<policy domain="delegate" rights="none" pattern="*" />
<policy domain="filter" rights="none" pattern="*" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
-->
<policymap>
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="map" value="512MiB"/>
<policy domain="resource" name="width" value="16KP"/>
<policy domain="resource" name="height" value="16KP"/>
<!-- <policy domain="resource" name="list-length" value="128"/> -->
<policy domain="resource" name="area" value="128MP"/>
<policy domain="resource" name="disk" value="1GiB"/>
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="4"/> -->
<!-- <policy domain="resource" name="throttle" value="0"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
<!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
<!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
<!-- <policy domain="path" rights="none" pattern="@*" /> -->
<!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
<!-- <policy domain="cache" name="synchronize" value="True"/> -->
<!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
<!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
<!-- <policy domain="system" name="shred" value="2"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<!-- <policy domain="system" name="font" value="/path/to/font.ttf"/> -->
<!-- <policy domain="system" name="pixel-cache-memory" value="anonymous"/> -->
<!-- <policy domain="system" name="shred" value="2"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<!-- not needed due to the need to use explicitly by mvg: -->
<!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->
<!-- use curl -->
<policy domain="delegate" rights="none" pattern="URL" />
<policy domain="delegate" rights="none" pattern="HTTPS" />
<policy domain="delegate" rights="none" pattern="HTTP" />
<!-- in order to avoid to get image with password text -->
<policy domain="path" rights="none" pattern="@*"/>
</policymap>
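Review bot: No active `coder` policy in this file restricts the Ghostscript-backed formats — the only line mentioning `{PS,PDF,XPS}` is the commented-out `module` rule — so ImageMagick on this worker will hand PS, EPS, PDF and XPS input to Ghostscript, which the distribution-shipped policy normally blocks because of past Ghostscript sandbox escapes. If the Dottes build needs ImageMagick to read PDF, add a comment above `<policymap>` stating that and why this file differs from the packaged default; otherwise add `<policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />` next to the delegate rules. The comment opened on the `shared-secret` line is never closed with `-->`; ImageMagick's own parser appears to tolerate the resulting nested `<!--`, but a strict XML parser will reject the `--` inside a comment, so close it on that line. Since this file is shipped from the Salt tree, a one-line header comment naming what was changed from the packaged policy would save the next reader a diff.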


@ -0,0 +1,31 @@
#!/bin/sh
#
# hg-tag-project <version> <change>
#
# Called with the current directory at a Mercurial project, this
# adds a tag at the given change with the value 'build-<branch>-<version>'.
# It then pushes the tag to the parent repo.
#
# This is to be used as the final Jenkins build step where a
# build-on-success tag is wanted.
#
usage()
{
echo "Usage: hg-tag-project <version> <change ID>"
exit 1
}
if [ $# -ne 2 ]; then
usage
fi
branch=`hg branch`
echo "hg pull -u"
hg pull -u
echo "hg tag -u 'Jenkins Build Manager <jenkins@lunch.org.uk>' -f -r $2 build-$branch-$1"
hg tag -u "Jenkins Build Manager <jenkins@lunch.org.uk>" -f -r $2 build-$branch-$1
echo "hg push -f"
hg push -f
exit 0
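Review bot: The script always reports success — there is no `set -e`, so when `hg pull -u` or `hg tag` fails the following `hg push -f` still runs and the unconditional `exit 0` hides the failure from Jenkins, which defeats its purpose as a build-on-success step. Add `set -e` after the shebang (or test each command's status) and drop the final `exit 0`. The positional parameters are unquoted in the `hg tag` call; `hg tag -u "Jenkins Build Manager <jenkins@lunch.org.uk>" -f -r "$2" "build-$branch-$1"` keeps a version or change ID containing unexpected characters from being word-split into extra arguments. `branch=$(hg branch)` is the modern form of the backtick assignment and is easier to nest.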

states/jenkins/init.sls Normal file

@ -0,0 +1,71 @@
base:
pkgrepo.managed:
- name: deb https://pkg.jenkins.io/debian binary/
- key_url: https://pkg.jenkins.io/debian/jenkins.io.key
- file: /etc/apt/sources.list.d/jenkins.list
java:
pkg.installed:
- name: openjdk-17-jre
jenkins_user:
user.present:
- name: jenkins
- usergroup: true
- home: /srv/jenkins
- system: true
- fullname: Jenkins CI
jenkins_group:
group.present:
- name: mercurial
- system: true
- addusers:
- jenkins
- require:
- sls: mercurial
jenkins:
pkg.installed:
- name: jenkins
- require:
- java
jenkins_defaults_directory:
file.directory:
- name: /etc/systemd/system/jenkins.service.d
- makedirs: true
jenkins_tag_project:
file.managed:
- name: /usr/local/bin/hg-tag-project
- source: salt://jenkins/hg-tag-project
- mode: 0755
jenkins_defaults:
file.managed:
- name: /etc/systemd/system/jenkins.service.d/override.conf
- source: salt://jenkins/jenkins-systemd-override.conf
service.running:
- name: jenkins
- restart: true
- watch:
- file: /etc/systemd/system/jenkins.service.d/override.conf
jenkins_web:
file.managed:
- require:
- sls: apache
- sls: certificates
- names:
- /etc/apache2/sites-available/jenkins.lunch.org.uk.conf:
- source: salt://jenkins/jenkins.lunch.org.uk.conf
apache_site.enabled:
- require:
- file: /etc/apache2/sites-available/jenkins.lunch.org.uk.conf
- name: jenkins.lunch.org.uk
service.running:
- name: apache2
- reload: true
- watch:
- file: /etc/apache2/sites-available/jenkins.lunch.org.uk.conf
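Review bot: `- mode: 0755` under `jenkins_tag_project` is an unquoted leading-zero integer, which YAML 1.1 reads as the octal integer 493; whether Salt recovers the intended permission from an integer is loader-dependent, so write it as a string, `- mode: "0755"`, as the Salt docs recommend for file modes. The `jenkins` pkg state requires only `java`, yet `jenkins_user` pre-creates the service account with home `/srv/jenkins` (which the systemd drop-in also uses as `JENKINS_HOME`); adding `- user: jenkins_user` to that `require` makes the ordering explicit instead of relying on file-order auto ordering, since the package would otherwise create its own `jenkins` user. `restart: true` on the `jenkins` `service.running` is not among the arguments I know that state to document (a `watch` already restarts the service unless `reload: true` is set, as the apache stanza below does), so it is presumably ignored and could be dropped.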


@ -0,0 +1,7 @@
[Service]
Environment="JENKINS_HOME=/srv/jenkins"
WorkingDirectory=/srv/jenkins
Environment="JENKINS_PREFIX=/"
Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.net.preferIPv4Addresses=false -Djava.net.preferIPv6Addresses=true -Dhudson.plugins.mercurial.MercurialSCM.ALLOW_LOCAL_CHECKOUT=true"
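Review bot: `-Dhudson.plugins.mercurial.MercurialSCM.ALLOW_LOCAL_CHECKOUT=true` in `JAVA_OPTS` re-enables a checkout mode the Mercurial plugin disables by default for security reasons: with it on, anyone who can configure a job can point the SCM at a filesystem path on the controller and have its contents checked out into a workspace. If the Dottes jobs genuinely clone from repositories local to this host, record that in the drop-in with a comment such as `# ALLOW_LOCAL_CHECKOUT: jobs clone <local repo path>; job configuration must stay limited to trusted users` and make sure the Jenkins authorization matrix matches; if they can use the `ssh://`/`https://` URL instead, drop the flag. A short comment on why IPv6 is preferred over IPv4 in the same line would also help the next reader.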


@ -0,0 +1,47 @@
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName jenkins.lunch.org.uk
ErrorLog /var/log/apache2/jenkins-error.log
CustomLog /var/log/apache2/jenkins-access.log combined
RemoteIPProxyProtocol On
# Jenkins
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080
ProxyRequests Off
AllowEncodedSlashes NoDecode
# Local reverse proxy authorization override
# Most unix distribution deny proxy by default
<Proxy http://localhost:8080/*>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/jenkins.lunch.org.uk/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/jenkins.lunch.org.uk/privkey.pem
</VirtualHost>
</IfModule>
<VirtualHost *:80>
ServerName jenkins.lunch.org.uk
ErrorLog /var/log/apache2/jenkins-error.log
CustomLog /var/log/apache2/jenkins-access.log combined
RemoteIPProxyProtocol On
<IfModule rewrite_module>
#
# This redirects all accesses to the HTTPS version of the site.
#
RewriteEngine On
RewriteRule ^/?(.*) https://jenkins.lunch.org.uk/$1 [R=301,L]
</IfModule>
</VirtualHost>
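Review bot: `ProxyPassReverse / http://localhost:8080` lacks the trailing slash that the matching `ProxyPass / http://localhost:8080/ nocanon` has, so a Location header from Jenkins can be rewritten to a scheme-relative `//path` rather than `/path`; Jenkins' own Apache reverse-proxy guidance also adds `RequestHeader set X-Forwarded-Proto "https"` and `RequestHeader set X-Forwarded-Port "443"` (mod_headers is enabled elsewhere in this commit) so that Jenkins builds correct HTTPS URLs behind the proxy. The `<Proxy>` block uses the 2.2-era `Order deny,allow` / `Allow from all`, which on Apache 2.4 only works through mod_access_compat; `Require all granted` is the current form. `RemoteIPProxyProtocol On` makes Apache accept a PROXY header from whatever connects, so it is only safe if both listeners are reachable solely through the PROXY-speaking front end — otherwise a direct client can choose the address that is logged and used for access control; if direct access is possible, scope it with `RemoteIPProxyProtocolExceptions` or move it to the front-end-facing listener only. The rewritten proxy stanza for the TLS vhost follows.
```apache
        # Jenkins
        ProxyPass / http://localhost:8080/ nocanon
        ProxyPassReverse / http://localhost:8080/
        # … unchanged: ProxyRequests Off, AllowEncodedSlashes NoDecode …
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
        # … unchanged: local reverse proxy authorization comments …
        <Proxy http://localhost:8080/*>
            Require all granted
        </Proxy>
```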

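--- /dev/null
+++ b/states/jenkins/worker.sls
@@ -0,0 +1,21 @@
+dottes:
+pkg.installed:
+- pkgs:
+- abcm2ps
+- abcmidi
+- imagemagick
+- lame
+- pandoc
+- texlive
+- texlive-extra-utils
+- texlive-font-utils
+- texlive-xetex
+- timidity
+- ttf-mscorefonts-installer
+- vorbis-tools
+file.managed:
+- names:
+- /etc/ImageMagick-6/policy.xml:
+- source: salt://jenkins/ImageMagick-6-policy.xml
+- /usr/local/share/fonts/EnglishTowne.ttf:
+- source: salt://jenkins/EnglishTowne.ttf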
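Review bot: `ttf-mscorefonts-installer` asks a debconf question to accept the Microsoft EULA and downloads the fonts from the network in its postinst, so on a headless minion this `pkg.installed` is likely to stall or fail unless the answer is preseeded; a `debconf.set` state for the package's EULA question, required by `dottes`, is the usual fix (confirm the template name with `debconf-show ttf-mscorefonts-installer` on a host that has it). The `file.managed` part of `dottes` has no `require` on its own `pkg.installed` part, so `/etc/ImageMagick-6/policy.xml` depends on Salt's file-order auto ordering to be written after the package's conffile exists; `- require: - pkg: dottes` makes that explicit. A one-line comment above `file.managed` saying that the policy file deliberately replaces the packaged one would also help, since the package will otherwise look unmodified to anyone reading only this state.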


@ -9,4 +9,6 @@ base:
- debian
- certificates
- apache
- jenkins
- jenkins/worker
- mercurial