Put jenkins behind https and add dns entry for ci
Sam Kottler committed Jun 25, 2014
1 parent b59cabf commit b0d70f5
Showing 6 changed files with 100 additions and 3 deletions.
3 changes: 2 additions & 1 deletion Berksfile.lock
@@ -202,8 +202,9 @@ GRAPH
rubygems-chef (0.0.8)
chef-client (>= 0.0.0)
omnibus_updater (>= 0.0.0)
rubygems-ci (0.0.5)
rubygems-ci (0.0.6)
jenkins (>= 0.0.0)
nginx (>= 0.0.0)
rubygems (>= 0.0.0)
rubygems-database (0.0.22)
chef-vault (>= 0.0.0)
3 changes: 2 additions & 1 deletion cookbooks/rubygems-ci/metadata.rb
@@ -1,7 +1,8 @@
name 'rubygems-ci'
maintainer 'RubyGems.org ops team'

version '0.0.5'
version '0.0.6'

depends 'jenkins'
depends 'nginx'
depends 'rubygems'
5 changes: 4 additions & 1 deletion cookbooks/rubygems-ci/recipes/default.rb
@@ -9,10 +9,13 @@
include_recipe 'jenkins::java'
include_recipe 'jenkins::master'

include_recipe 'rubygems-ci::dns'
include_recipe 'rubygems-ci::nginx'

plugins = data_bag_item('jenkins', 'plugins')['plugins']

plugins.each do |plugin|
jenkins_plugin plugin do
action [ :install, :enable ]
action :install
end
end
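Review bot: Nothing in this hunk restricts Jenkins' own HTTP listener on port 8080, so after `include_recipe 'rubygems-ci::nginx'` the plain-HTTP endpoint may still be reachable from outside and bypass the new TLS proxy. If the jenkins cookbook version in use provides it, set `node.default['jenkins']['master']['listen_address'] = '127.0.0.1'` before `include_recipe 'jenkins::master'`, or otherwise limit 8080 to loopback with a firewall rule. The recipe's first eight lines are outside the hunk, so this may already be handled there.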
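--- a/cookbooks/rubygems-ci/recipes/dns.rb
+++ b/cookbooks/rubygems-ci/recipes/dns.rb
@@ -0,0 +1,15 @@
+include_recipe 'chef-vault'
+
+dnsimple_credentials = chef_vault_item('dnsimple', 'credentials')
+
+include_recipe 'dwradcliffe-dnsimple'
+
+dwradcliffe_dnsimple_record "create CNAME point ci.rubygems.org to #{node.name}" do
+name 'ci.rubygems.org'
+content node['cloud_v2']['public_hostname']
+type 'CNAME'
+domain 'rubygems.org'
+username dnsimple_credentials['username']
+password dnsimple_credentials['password']
+action :create
+end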
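Review bot: `chef_vault_item('dnsimple', 'credentials')` makes the Jenkins node a reader of the DNSimple username and password, which presumably can edit every record in `rubygems.org`, and this is the same host that runs CI builds. I would create the record from a management node instead, or document the trade-off with a comment such as `# NOTE: gives the CI node read access to account-wide DNS credentials`. Separately, `node['cloud_v2']['public_hostname']` raises on a node where ohai reports no `cloud_v2` data. A guard before the resource, such as `raise 'cloud_v2 public_hostname missing' unless node['cloud_v2'] && node['cloud_v2']['public_hostname']`, fails with a clear message instead.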
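--- a/cookbooks/rubygems-ci/recipes/nginx.rb
+++ b/cookbooks/rubygems-ci/recipes/nginx.rb
@@ -0,0 +1,49 @@
+#
+# Cookbook Name:: rubygems-sensu
+# Recipe:: nginx
+#
+
+node.default['nginx']['server_tokens'] = 'off'
+node.default['nginx']['default_site_enabled'] = false
+
+include_recipe 'chef-vault'
+
+include_recipe 'nginx'
+
+directory "#{node['nginx']['dir']}/certs" do
+owner 'root'
+group 'root'
+mode '0644'
+end
+
+item = chef_vault_item('certs', 'production')
+
+file "#{node['nginx']['dir']}/certs/rubygems.org.key" do
+content item['key']
+owner 'root'
+group 'root'
+mode '0644'
+notifies :reload, 'service[nginx]'
+end
+
+file "#{node['nginx']['dir']}/certs/rubygems.org.crt" do
+content item['crt']
+owner 'root'
+group 'root'
+mode '0644'
+notifies :reload, 'service[nginx]'
+end
+
+template "#{node['nginx']['dir']}/sites-available/jenkins" do
+source 'nginx.conf.erb'
+owner 'root'
+group 'root'
+mode '0644'
+variables(
+ssl_key: File.join(node['nginx']['dir'], 'certs', 'rubygems.org.key'),
+ssl_cert: File.join(node['nginx']['dir'], 'certs', 'rubygems.org.crt')
+)
+notifies :reload, 'service[nginx]'
+end
+
+nginx_site 'jenkins'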
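Review bot: The private key file `certs/rubygems.org.key` is created with `mode '0644'`, which marks the production TLS key as world-readable; that resource should use `mode '0600'` and, where the Chef version supports it, `sensitive true` so the key material is not printed in diffs or logs. The `certs` directory is also `0644`, which carries no search bit for anyone; `mode '0700'` states the intended restriction explicitly instead of relying on that side effect. The header comment names `rubygems-sensu` although the recipe lives in `rubygems-ci`, which looks like a copy-paste leftover and should read `# Cookbook Name:: rubygems-ci`.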
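--- a/cookbooks/rubygems-ci/templates/default/nginx.conf.erb
+++ b/cookbooks/rubygems-ci/templates/default/nginx.conf.erb
@@ -0,0 +1,28 @@
+server {
+
+listen 443 default ssl;
+
+server_name ci.rubygems.org;
+
+ssl on;
+ssl_certificate <%= @ssl_cert %>;
+ssl_certificate_key <%= @ssl_key %>;
+ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+
+add_header Strict-Transport-Security max-age=31536000;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header Content-Length $content_length;
+proxy_set_header Host $host;
+proxy_redirect off;
+
+location / {
+proxy_pass http://localhost:8080;
+}
+
+}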
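Review bot: `ssl_protocols` still enables SSLv3 and the `ssl_ciphers` string admits RC4 (`EECDH+aRSA+RC4` and the bare `RC4`), so a client can negotiate a protocol or cipher that is considered broken in front of Jenkins. I would change the line to `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the nginx and OpenSSL build supports it), drop the two RC4 entries and append `!RC4` to the cipher list. The template defines only the 443 server, so plain-HTTP requests to ci.rubygems.org get no redirect. A second `server` block listening on 80 with `return 301 https://$host$request_uri;` would cover that.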
