gustavomcarmo · July 25, 2018 07:59
diff --git a/config-maven.groovy b/config-maven.groovy
 #!groovy

 import jenkins.model.Jenkins
 import hudson.tasks.*
 import hudson.tools.*
 import hudson.util.DescribableList

 Jenkins jenkins = Jenkins.getInstance()
 def mavenDesc = jenkins.getExtensionList(Maven.DescriptorImpl.class)[0]

 def isp = new InstallSourceProperty()
 def autoInstaller = new Maven.MavenInstaller("3.5.3")
 isp.installers.add(autoInstaller)

 def proplist = new DescribableList<ToolProperty<?>, ToolPropertyDescriptor>()
 proplist.add(isp)

 def installation = new Maven.MavenInstallation("M3", "", proplist)
 mavenDesc.setInstallations(installation)
 mavenDesc.save()
diff --git a/default-user.groovy b/default-user.groovy
 #!groovy

 import jenkins.model.Jenkins
 import hudson.security.*

 def jenkins = Jenkins.getInstance()
 jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false))
 jenkins.setAuthorizationStrategy(new GlobalMatrixAuthorizationStrategy())

 def env = System.getenv()
 def user = jenkins.getSecurityRealm().createAccount(env.JENKINS_USER, env.JENKINS_PASS)
 user.save()

 jenkins.getAuthorizationStrategy().add(Jenkins.ADMINISTER, env.JENKINS_USER)
 jenkins.save()
diff --git a/Dockerfile b/Dockerfile
 FROM jenkins/jenkins:lts
 LABEL maintainer "Gustavo Muniz do Carmo <[email protected]>"

 ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"

 COPY config-maven.groovy /usr/share/jenkins/ref/init.groovy.d/
 COPY config-sonarqube.groovy /usr/share/jenkins/ref/init.groovy.d/
 COPY harden-jenkins.groovy /usr/share/jenkins/ref/init.groovy.d/

 COPY default-user.groovy /usr/share/jenkins/ref/init.groovy.d/
 ENV JENKINS_USER jenkins-admin
 ENV JENKINS_PASS jenkins-admin-password

 COPY plugins.txt /usr/share/jenkins/ref/
 RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt
diff --git a/harden-jenkins.groovy b/harden-jenkins.groovy
 #!groovy

 import jenkins.model.Jenkins
 import jenkins.security.s2m.*
 import hudson.security.csrf.DefaultCrumbIssuer

 Jenkins jenkins = Jenkins.getInstance()

 // CSRF protection
 jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))

 // Disable CLI remoting
 jenkins.getDescriptor("jenkins.CLI").get().setEnabled(false)

 // Enable Agent to master security subsystem
 jenkins.injector.getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false);

 // Disable old Non-Encrypted protocols
 HashSet<String> newProtocols = new HashSet<>(jenkins.getAgentProtocols());
 newProtocols.removeAll(Arrays.asList("JNLP2-connect", "JNLP-connect"));
 jenkins.setAgentProtocols(newProtocols);
 jenkins.save()
diff --git a/jenkins-docker-build-and-run.yml b/jenkins-docker-build-and-run.yml
 - hosts: jenkins
  gather_facts: no
  tasks:
  - name: Copy files for custom Jenkins Docker image building
    copy:
      src: '{{item}}'
      dest: './{{item}}'
    loop:
      - Dockerfile
      - config-maven.groovy
      - harden-jenkins.groovy
      - default-user.groovy
      - plugins.txt
  - name: Build the custom Jenkins Docker image
    docker_image:
      path: ./
      name: custom/jenkins
  - name: Run Jenkins Docker image
    docker_container:
      name: jenkins
      image: custom/jenkins
      published_ports: 8080:8080
diff --git a/plugins.txt b/plugins.txt
 ace-editor
 ant
 antisamy-markup-formatter
 apache-httpcomponents-client-4-api
 authentication-tokens
 blueocean
 blueocean-autofavorite
 blueocean-bitbucket-pipeline
 blueocean-commons
 blueocean-config
 blueocean-core-js
 blueocean-dashboard
 blueocean-display-url
 blueocean-events
 blueocean-git-pipeline
 blueocean-github-pipeline
 blueocean-i18n
 blueocean-jira
 blueocean-jwt
 blueocean-personalization
 blueocean-pipeline-api-impl
 blueocean-pipeline-editor
 blueocean-pipeline-scm-api
 blueocean-rest
 blueocean-rest-impl
 blueocean-web
 bouncycastle-api
 branch-api
 build-timeout
 cloudbees-bitbucket-branch-source
 cloudbees-folder
 command-launcher
 credentials
 credentials-binding
 display-url-api
 docker-commons
 docker-workflow
 durable-task
 email-ext
 favorite
 git
 git-client
 git-server
 github
 github-api
 github-branch-source
 gradle
 handlebars
 handy-uri-templates-2-api
 htmlpublisher
 jackson2-api
 jenkins-design-language
 jira
 jquery-detached
 jsch
 junit
 ldap
 mailer
 mapdb-api
 matrix-auth
 matrix-project
 mercurial
 momentjs
 pam-auth
 pipeline-build-step
 pipeline-github-lib
 pipeline-graph-analysis
 pipeline-input-step
 pipeline-milestone-step
 pipeline-model-api
 pipeline-model-declarative-agent
 pipeline-model-definition
 pipeline-model-extensions
 pipeline-rest-api
 pipeline-stage-step
 pipeline-stage-tags-metadata
 pipeline-stage-view
 plain-credentials
 pubsub-light
 resource-disposer
 scm-api
 script-security
 sonar
 sse-gateway
 ssh-credentials
 ssh-slaves
 structs
 subversion
 timestamper
 token-macro
 variant
 workflow-aggregator
 workflow-api
 workflow-basic-steps
 workflow-cps
 workflow-cps-global-lib
 workflow-durable-task-step
 workflow-job
 workflow-multibranch
 workflow-scm-step
 workflow-step-api
 workflow-support
 ws-cleanup
	#!groovy

	import jenkins.model.Jenkins
	import hudson.tasks.*
	import hudson.tools.*
	import hudson.util.DescribableList

	Jenkins jenkins = Jenkins.getInstance()
	def mavenDesc = jenkins.getExtensionList(Maven.DescriptorImpl.class)[0]

	def isp = new InstallSourceProperty()
	def autoInstaller = new Maven.MavenInstaller("3.5.3")
	isp.installers.add(autoInstaller)

	def proplist = new DescribableList<ToolProperty<?>, ToolPropertyDescriptor>()
	proplist.add(isp)

	def installation = new Maven.MavenInstallation("M3", "", proplist)
	mavenDesc.setInstallations(installation)
	mavenDesc.save()
	#!groovy

	import jenkins.model.Jenkins
	import hudson.security.*

	def jenkins = Jenkins.getInstance()
	jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false))
	jenkins.setAuthorizationStrategy(new GlobalMatrixAuthorizationStrategy())

	def env = System.getenv()
	def user = jenkins.getSecurityRealm().createAccount(env.JENKINS_USER, env.JENKINS_PASS)
	user.save()

	jenkins.getAuthorizationStrategy().add(Jenkins.ADMINISTER, env.JENKINS_USER)
	jenkins.save()
	FROM jenkins/jenkins:lts
	LABEL maintainer "Gustavo Muniz do Carmo <[email protected]>"

	ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"

	COPY config-maven.groovy /usr/share/jenkins/ref/init.groovy.d/
	COPY config-sonarqube.groovy /usr/share/jenkins/ref/init.groovy.d/
	COPY harden-jenkins.groovy /usr/share/jenkins/ref/init.groovy.d/

	COPY default-user.groovy /usr/share/jenkins/ref/init.groovy.d/
	ENV JENKINS_USER jenkins-admin
	ENV JENKINS_PASS jenkins-admin-password

	COPY plugins.txt /usr/share/jenkins/ref/
	RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt
	#!groovy

	import jenkins.model.Jenkins
	import jenkins.security.s2m.*
	import hudson.security.csrf.DefaultCrumbIssuer

	Jenkins jenkins = Jenkins.getInstance()

	// CSRF protection
	jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))

	// Disable CLI remoting
	jenkins.getDescriptor("jenkins.CLI").get().setEnabled(false)

	// Enable Agent to master security subsystem
	jenkins.injector.getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false);

	// Disable old Non-Encrypted protocols
	HashSet<String> newProtocols = new HashSet<>(jenkins.getAgentProtocols());
	newProtocols.removeAll(Arrays.asList("JNLP2-connect", "JNLP-connect"));
	jenkins.setAgentProtocols(newProtocols);
	jenkins.save()
	- hosts: jenkins
	gather_facts: no
	tasks:
	- name: Copy files for custom Jenkins Docker image building
	copy:
	src: '{{item}}'
	dest: './{{item}}'
	loop:
	- Dockerfile
	- config-maven.groovy
	- harden-jenkins.groovy
	- default-user.groovy
	- plugins.txt
	- name: Build the custom Jenkins Docker image
	docker_image:
	path: ./
	name: custom/jenkins
	- name: Run Jenkins Docker image
	docker_container:
	name: jenkins
	image: custom/jenkins
	published_ports: 8080:8080
	ace-editor
	ant
	antisamy-markup-formatter
	apache-httpcomponents-client-4-api
	authentication-tokens
	blueocean
	blueocean-autofavorite
	blueocean-bitbucket-pipeline
	blueocean-commons
	blueocean-config
	blueocean-core-js
	blueocean-dashboard
	blueocean-display-url
	blueocean-events
	blueocean-git-pipeline
	blueocean-github-pipeline
	blueocean-i18n
	blueocean-jira
	blueocean-jwt
	blueocean-personalization
	blueocean-pipeline-api-impl
	blueocean-pipeline-editor
	blueocean-pipeline-scm-api
	blueocean-rest
	blueocean-rest-impl
	blueocean-web
	bouncycastle-api
	branch-api
	build-timeout
	cloudbees-bitbucket-branch-source
	cloudbees-folder
	command-launcher
	credentials
	credentials-binding
	display-url-api
	docker-commons
	docker-workflow
	durable-task
	email-ext
	favorite
	git
	git-client
	git-server
	github
	github-api
	github-branch-source
	gradle
	handlebars
	handy-uri-templates-2-api
	htmlpublisher
	jackson2-api
	jenkins-design-language
	jira
	jquery-detached
	jsch
	junit
	ldap
	mailer
	mapdb-api
	matrix-auth
	matrix-project
	mercurial
	momentjs
	pam-auth
	pipeline-build-step
	pipeline-github-lib
	pipeline-graph-analysis
	pipeline-input-step
	pipeline-milestone-step
	pipeline-model-api
	pipeline-model-declarative-agent
	pipeline-model-definition
	pipeline-model-extensions
	pipeline-rest-api
	pipeline-stage-step
	pipeline-stage-tags-metadata
	pipeline-stage-view
	plain-credentials
	pubsub-light
	resource-disposer
	scm-api
	script-security
	sonar
	sse-gateway
	ssh-credentials
	ssh-slaves
	structs
	subversion
	timestamper
	token-macro
	variant
	workflow-aggregator
	workflow-api
	workflow-basic-steps
	workflow-cps
	workflow-cps-global-lib
	workflow-durable-task-step
	workflow-job
	workflow-multibranch
	workflow-scm-step
	workflow-step-api
	workflow-support
	ws-cleanup