jenkins-deploy's Introduction

Jenkins Bootstrap

This repository is reusable deployment code/configuration of Jenkins, which gets you up and running with a production-grade Jenkins quickly.

Integration

See the documentation.

Reusable pieces

Terraform modules

See the documentation.

Ansible role

Requirements

None.

Role variables

For any variables marked sensitive, you are strongly encouraged to store the values in an Ansible Vault.

Required

jenkins_admin_password - store in a Vault
jenkins_external_hostname
SSH key - information about how to generate in Usage section below.
- jenkins_ssh_key_passphrase (sensitive)
- jenkins_ssh_private_key_data (sensitive)
- jenkins_ssh_public_key_data
SSL configuration (sensitive)
- The key data approach is recommended.

Optional

See defaults/main.yml.

Dependencies

Usage

Generate an SSH key.

ssh-keygen -t rsa -b 4096 -f temp.key -C "[email protected]"
# enter a passphrase - store in Vault as vault_jenkins_ssh_key_passphrase

cat temp.key
# store in Vault as vault_jenkins_ssh_private_key_data

cat temp.key.pub
# store as jenkins_ssh_public_key_data

rm temp.key*

Include the role and required variables. Example:

# requirements.yml
- src: https://github.com/GSA/jenkins-deploy
  name: gsa.jenkins

# group_vars/all/vars.yml
jenkins_ssh_user: jenkins
jenkins_ssh_public_key_data: |
  ssh-rsa ... [email protected]

# group_vars/jenkins/vars.yml
jenkins_external_hostname: ...
jenkins_ssh_key_passphrase: "{{ vault_jenkins_ssh_key_passphrase }}"
jenkins_ssh_private_key_data: "{{ vault_jenkins_ssh_private_key_data }}"
ssl_certs_local_cert_data: "{{ vault_ssl_certs_local_cert_data }}"
ssl_certs_local_privkey_data: "{{ vault_ssl_certs_local_privkey_data }}"

# group_vars/jenkins/vault.yml (encrypted)
vault_jenkins_ssh_key_passphrase: ...
vault_jenkins_ssh_private_key_data: |
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
vault_ssl_certs_local_cert_data: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
vault_ssl_certs_local_privkey_data: |
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----

# playbooks/jenkins.yml
- hosts: jenkins
  become: true
  roles:
    - gsa.jenkins

# playbooks/other.yml
# hosts that Jenkins is going to run playbooks against
- hosts: other
  become: true
  tasks:
    - name: Create Jenkins user
      user:
        name: "{{ jenkins_ssh_user }}"
        group: wheel
    - name: Set up SSH key for Jenkins
      authorized_key:
        user: "{{ jenkins_ssh_user }}"
        key: "{{ jenkins_ssh_public_key_data }}"
    # ...other host setup tasks...

Run the Terraform (if applicable) and the playbook.
Ensure you can log into Jenkins (at jenkins_external_hostname).
Follow the manual configuration steps

License

CC0

jenkins-deploy's People

Contributors

Stargazers

Watchers

harden nginx

From @maverickquant:

Other General Nginx Security concerns and recommendations:

~~Disable Unwanted HTTP Methods in Nginx~~

if ($request_method !~ ^(GET|HEAD|POST)$) {
  return 444;
}

Disable weak cipher suites-Enable Strong TLS Ciphers

Set your cipher strength to something secure, yet compatible. Add following under server block in ssl.conf file:
```
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SH
```
Not sure if there is a GSA standard for this ciphers-.Will confirm and let you know.
Avoid self-signed certs especially in prod.
Remove Unnecessary Modules in Nginx -if any
Setup Monitor Logs for Nginx
~~proxy_ssl_verify: on :: ensure on:: Verifies the validity of certificates.~~
Restrict Access by IP from Nginx.
Limit Input Traffic via IPTables.
Disable server_tokens Directive in Nginx. The server_tokens directive tells Nginx to display its current version on error pages.