Merge pull request #999 from mira-miracoli/jenkins-changes-2

bump roles jenkins, chrony
usegalaxy-eu · Nov 20, 2023 · f9ab4aa · f9ab4aa
2 parents 2bfa95b + 96587c7
commit f9ab4aa
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 8 deletions.
diff --git a/build.yml b/build.yml
@@ -10,8 +10,17 @@
   pre_tasks:
     - name: Install Dependencies
       package:
-        name: ['policycoreutils-python']
+        enablerepo: crb
+        name: ["policycoreutils-python-utils", "python3-wheel-wheel"]
       become: true
+    - name: permit traffic in default zone for http and https service
+      ansible.posix.firewalld:
+        service: "{{ item }}"
+        permanent: true
+        state: enabled
+      loop:
+        - http
+        - https
   collections:
     - devsec.hardening
   roles:
@@ -21,7 +30,7 @@
     - hxr.admin-tools
     - influxdata.chrony
     - hxr.monitor-email
-    - linuxhq.yum_cron
+    - usegalaxy-eu.autoupdates
     - galaxyproject.nginx
     - ssh-host-sign
     # - hxr.autofs-format-n-mount
@@ -31,6 +40,6 @@
     - usegalaxy-eu.jenkins-ssh-key
     ## END CUSTOM
     - dj-wasabi.telegraf
-    # - os_hardening
+    - os_hardening
     # - nginx_hardening
-    # - ssh_hardening
+    - ssh_hardening
diff --git a/group_vars/build.yml b/group_vars/build.yml
@@ -1,4 +1,29 @@
 ---
+# Admin Tools
+admin_packages:
+  - nano
+  - vim
+  - htop
+  - strace
+  - jq
+  - iftop
+  - wget
+  - curl
+  - tmux
+  - git
+  - nmap
+  - tcpdump
+  - net-tools
+  - unzip
+  - tmpwatch
+  - rclone
+  - "{{ 'byobu' if ansible_distribution_major_version < '9' else omit }}"
+  # centos specific
+  - setools-console
+  - yum-utils
+  - bind-utils
+  - nfs-utils
+
 # Jenkins
 jenkins_home: /opt/jenkins/jenkins
 jenkins_prefer_lts: true
@@ -8,7 +33,7 @@ jenkins_admin_token: "{{ jenkins_admin_token_secret }}"
 
 # runSetupWizard=false is default
 # Add the CSP so we can embed galaxy on WF testing pages / display HTML
-jenkins_java_options: "--enable-future-java -Dhudson.model.ParametersAction.keepUndefinedParameters=true -Djenkins.install.runSetupWizard=false -Dhudson.model.DirectoryBrowserSupport.CSP=\\\"default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline'; frame-src *;\\\""
+jenkins_java_options: "-Dhudson.model.ParametersAction.keepUndefinedParameters=true -Djenkins.install.runSetupWizard=false -Dhudson.model.DirectoryBrowserSupport.CSP=\\\"default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline'; frame-src *;\\\""
 
 # Certbot
 certbot_auth_method: --webroot
@@ -17,10 +42,12 @@ certbot_share_key_users:
   - nginx
 
 certbot_post_renewal: |
-    systemctl restart nginx || true
+  systemctl restart nginx || true
 
 # NGINX
 nginx_enable_default_server: false
+nginx_servers:
+  - redirect-ssl
 nginx_ssl_servers:
   - build
 nginx_conf_http:

diff --git a/requirements.yaml b/requirements.yaml
@@ -61,12 +61,12 @@ roles:
   - name: geerlingguy.java
     version: 2.3.2
   - name: geerlingguy.jenkins
-    version: 4.3.0
+    version: 5.1.0
   - name: geerlingguy.repo-epel
     version: 3.1.0
   - name: influxdata.chrony
     src: https://github.com/usegalaxy-eu/ansible-chrony
-    version: 0.1.0
+    version: 0.1.1
   - name: linuxhq.yum_cron
     version: master
   - name: galaxyproject.gxadmin