Add Jenkins, and requisites for building The Booke Of Dottes.
This commit is contained in:
parent
6f23b71595
commit
d33ae10f29
|
@ -10,6 +10,18 @@ apache_cgid_module:
|
|||
apache_module.enabled:
|
||||
- name: cgid
|
||||
|
||||
apache_headers_module:
|
||||
apache_module.enabled:
|
||||
- name: headers
|
||||
|
||||
apache_proxy_module:
|
||||
apache_module.enabled:
|
||||
- name: proxy
|
||||
|
||||
apache_proxy_http_module:
|
||||
apache_module.enabled:
|
||||
- name: proxy_http
|
||||
|
||||
apache_remoteip_module:
|
||||
apache_module.enabled:
|
||||
- name: remoteip
|
||||
|
|
Binary file not shown.
|
@ -0,0 +1,92 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE policymap [
|
||||
<!ELEMENT policymap (policy)*>
|
||||
<!ATTLIST policymap xmlns CDATA #FIXED ''>
|
||||
<!ELEMENT policy EMPTY>
|
||||
<!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
|
||||
name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
|
||||
stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
|
||||
]>
|
||||
<!--
|
||||
Configure ImageMagick policies.
|
||||
|
||||
Domains include system, delegate, coder, filter, path, or resource.
|
||||
|
||||
Rights include none, read, write, execute and all. Use | to combine them,
|
||||
for example: "read | write" to permit read from, or write to, a path.
|
||||
|
||||
Use a glob expression as a pattern.
|
||||
|
||||
Suppose we do not want users to process MPEG video images:
|
||||
|
||||
<policy domain="delegate" rights="none" pattern="mpeg:decode" />
|
||||
|
||||
Here we do not want users reading images from HTTP:
|
||||
|
||||
<policy domain="coder" rights="none" pattern="HTTP" />
|
||||
|
||||
The /repository file system is restricted to read only. We use a glob
|
||||
expression to match all paths that start with /repository:
|
||||
|
||||
<policy domain="path" rights="read" pattern="/repository/*" />
|
||||
|
||||
Lets prevent users from executing any image filters:
|
||||
|
||||
<policy domain="filter" rights="none" pattern="*" />
|
||||
|
||||
Any large image is cached to disk rather than memory:
|
||||
|
||||
<policy domain="resource" name="area" value="1GP"/>
|
||||
|
||||
Use the default system font unless overwridden by the application:
|
||||
|
||||
<policy domain="system" name="font" value="/usr/share/fonts/favorite.ttf"/>
|
||||
|
||||
Define arguments for the memory, map, area, width, height and disk resources
|
||||
with SI prefixes (.e.g 100MB). In addition, resource policies are maximums
|
||||
for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
|
||||
exceeds policy maximum so memory limit is 1GB).
|
||||
|
||||
Rules are processed in order. Here we want to restrict ImageMagick to only
|
||||
read or write a small subset of proven web-safe image types:
|
||||
|
||||
<policy domain="delegate" rights="none" pattern="*" />
|
||||
<policy domain="filter" rights="none" pattern="*" />
|
||||
<policy domain="coder" rights="none" pattern="*" />
|
||||
<policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
|
||||
-->
|
||||
<policymap>
|
||||
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
|
||||
<policy domain="resource" name="memory" value="256MiB"/>
|
||||
<policy domain="resource" name="map" value="512MiB"/>
|
||||
<policy domain="resource" name="width" value="16KP"/>
|
||||
<policy domain="resource" name="height" value="16KP"/>
|
||||
<!-- <policy domain="resource" name="list-length" value="128"/> -->
|
||||
<policy domain="resource" name="area" value="128MP"/>
|
||||
<policy domain="resource" name="disk" value="1GiB"/>
|
||||
<!-- <policy domain="resource" name="file" value="768"/> -->
|
||||
<!-- <policy domain="resource" name="thread" value="4"/> -->
|
||||
<!-- <policy domain="resource" name="throttle" value="0"/> -->
|
||||
<!-- <policy domain="resource" name="time" value="3600"/> -->
|
||||
<!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
|
||||
<!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
|
||||
<!-- <policy domain="path" rights="none" pattern="@*" /> -->
|
||||
<!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
|
||||
<!-- <policy domain="cache" name="synchronize" value="True"/> -->
|
||||
<!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
|
||||
<!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
|
||||
<!-- <policy domain="system" name="shred" value="2"/> -->
|
||||
<!-- <policy domain="system" name="precision" value="6"/> -->
|
||||
<!-- <policy domain="system" name="font" value="/path/to/font.ttf"/> -->
|
||||
<!-- <policy domain="system" name="pixel-cache-memory" value="anonymous"/> -->
|
||||
<!-- <policy domain="system" name="shred" value="2"/> -->
|
||||
<!-- <policy domain="system" name="precision" value="6"/> -->
|
||||
<!-- not needed due to the need to use explicitly by mvg: -->
|
||||
<!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->
|
||||
<!-- use curl -->
|
||||
<policy domain="delegate" rights="none" pattern="URL" />
|
||||
<policy domain="delegate" rights="none" pattern="HTTPS" />
|
||||
<policy domain="delegate" rights="none" pattern="HTTP" />
|
||||
<!-- in order to avoid to get image with password text -->
|
||||
<policy domain="path" rights="none" pattern="@*"/>
|
||||
</policymap>
|
|
@ -0,0 +1,31 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# hg-tag-project <version> <change>
|
||||
#
|
||||
# Called with the current directory at a Mercurial project, this
|
||||
# adds a tag at the given change with the value 'build-<branch>-<version>'.
|
||||
# It then pushes the tag to the parent repo.
|
||||
#
|
||||
# This is to be used as the final Jenkins build step where a
|
||||
# build-on-success tag is wanted.
|
||||
#
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "Usage: hg-tag-project <version> <change ID>"
|
||||
exit 1
|
||||
}
|
||||
|
||||
if [ $# -ne 2 ]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
branch=`hg branch`
|
||||
|
||||
echo "hg pull -u"
|
||||
hg pull -u
|
||||
echo "hg tag -u 'Jenkins Build Manager <jenkins@lunch.org.uk>' -f -r $2 build-$branch-$1"
|
||||
hg tag -u "Jenkins Build Manager <jenkins@lunch.org.uk>" -f -r $2 build-$branch-$1
|
||||
echo "hg push -f"
|
||||
hg push -f
|
||||
exit 0
|
|
@ -0,0 +1,71 @@
|
|||
base:
|
||||
pkgrepo.managed:
|
||||
- name: deb https://pkg.jenkins.io/debian binary/
|
||||
- key_url: https://pkg.jenkins.io/debian/jenkins.io.key
|
||||
- file: /etc/apt/sources.list.d/jenkins.list
|
||||
|
||||
java:
|
||||
pkg.installed:
|
||||
- name: openjdk-17-jre
|
||||
|
||||
jenkins_user:
|
||||
user.present:
|
||||
- name: jenkins
|
||||
- usergroup: true
|
||||
- home: /srv/jenkins
|
||||
- system: true
|
||||
- fullname: Jenkins CI
|
||||
|
||||
jenkins_group:
|
||||
group.present:
|
||||
- name: mercurial
|
||||
- system: true
|
||||
- addusers:
|
||||
- jenkins
|
||||
- require:
|
||||
- sls: mercurial
|
||||
|
||||
jenkins:
|
||||
pkg.installed:
|
||||
- name: jenkins
|
||||
- require:
|
||||
- java
|
||||
|
||||
jenkins_defaults_directory:
|
||||
file.directory:
|
||||
- name: /etc/systemd/system/jenkins.service.d
|
||||
- makedirs: true
|
||||
|
||||
jenkins_tag_project:
|
||||
file.managed:
|
||||
- name: /usr/local/bin/hg-tag-project
|
||||
- source: salt://jenkins/hg-tag-project
|
||||
- mode: 0755
|
||||
|
||||
jenkins_defaults:
|
||||
file.managed:
|
||||
- name: /etc/systemd/system/jenkins.service.d/override.conf
|
||||
- source: salt://jenkins/jenkins-systemd-override.conf
|
||||
service.running:
|
||||
- name: jenkins
|
||||
- restart: true
|
||||
- watch:
|
||||
- file: /etc/systemd/system/jenkins.service.d/override.conf
|
||||
|
||||
jenkins_web:
|
||||
file.managed:
|
||||
- require:
|
||||
- sls: apache
|
||||
- sls: certificates
|
||||
- names:
|
||||
- /etc/apache2/sites-available/jenkins.lunch.org.uk.conf:
|
||||
- source: salt://jenkins/jenkins.lunch.org.uk.conf
|
||||
apache_site.enabled:
|
||||
- require:
|
||||
- file: /etc/apache2/sites-available/jenkins.lunch.org.uk.conf
|
||||
- name: jenkins.lunch.org.uk
|
||||
service.running:
|
||||
- name: apache2
|
||||
- reload: true
|
||||
- watch:
|
||||
- file: /etc/apache2/sites-available/jenkins.lunch.org.uk.conf
|
|
@ -0,0 +1,7 @@
|
|||
[Service]
|
||||
Environment="JENKINS_HOME=/srv/jenkins"
|
||||
WorkingDirectory=/srv/jenkins
|
||||
|
||||
Environment="JENKINS_PREFIX=/"
|
||||
|
||||
Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.net.preferIPv4Addresses=false -Djava.net.preferIPv6Addresses=true -Dhudson.plugins.mercurial.MercurialSCM.ALLOW_LOCAL_CHECKOUT=true"
|
|
@ -0,0 +1,47 @@
|
|||
<IfModule mod_ssl.c>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName jenkins.lunch.org.uk
|
||||
|
||||
ErrorLog /var/log/apache2/jenkins-error.log
|
||||
CustomLog /var/log/apache2/jenkins-access.log combined
|
||||
|
||||
RemoteIPProxyProtocol On
|
||||
|
||||
# Jenkins
|
||||
ProxyPass / http://localhost:8080/ nocanon
|
||||
ProxyPassReverse / http://localhost:8080
|
||||
ProxyRequests Off
|
||||
AllowEncodedSlashes NoDecode
|
||||
|
||||
# Local reverse proxy authorization override
|
||||
# Most unix distribution deny proxy by default
|
||||
<Proxy http://localhost:8080/*>
|
||||
Order deny,allow
|
||||
Allow from all
|
||||
</Proxy>
|
||||
|
||||
SSLEngine on
|
||||
SSLCertificateFile /var/lib/dehydrated/certs/jenkins.lunch.org.uk/fullchain.pem
|
||||
SSLCertificateKeyFile /var/lib/dehydrated/certs/jenkins.lunch.org.uk/privkey.pem
|
||||
</VirtualHost>
|
||||
|
||||
</IfModule>
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName jenkins.lunch.org.uk
|
||||
|
||||
ErrorLog /var/log/apache2/jenkins-error.log
|
||||
CustomLog /var/log/apache2/jenkins-access.log combined
|
||||
|
||||
RemoteIPProxyProtocol On
|
||||
|
||||
<IfModule rewrite_module>
|
||||
#
|
||||
# This redirects all accesses to the HTTPS version of the site.
|
||||
#
|
||||
RewriteEngine On
|
||||
|
||||
RewriteRule ^/?(.*) https://jenkins.lunch.org.uk/$1 [R=301,L]
|
||||
</IfModule>
|
||||
</VirtualHost>
|
|
@ -0,0 +1,21 @@
|
|||
dottes:
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
- abcm2ps
|
||||
- abcmidi
|
||||
- imagemagick
|
||||
- lame
|
||||
- pandoc
|
||||
- texlive
|
||||
- texlive-extra-utils
|
||||
- texlive-font-utils
|
||||
- texlive-xetex
|
||||
- timidity
|
||||
- ttf-mscorefonts-installer
|
||||
- vorbis-tools
|
||||
file.managed:
|
||||
- names:
|
||||
- /etc/ImageMagick-6/policy.xml:
|
||||
- source: salt://jenkins/ImageMagick-6-policy.xml
|
||||
- /usr/local/share/fonts/EnglishTowne.ttf:
|
||||
- source: salt://jenkins/EnglishTowne.ttf
|
|
@ -9,4 +9,6 @@ base:
|
|||
- debian
|
||||
- certificates
|
||||
- apache
|
||||
- jenkins
|
||||
- jenkins/worker
|
||||
- mercurial
|
||||
|
|
Loading…
Reference in New Issue