
Core Infrastructure System (CIS)

Set up a new host

Preconditions

To deploy the system, you have to clone this repository to the host as the root user. Therefore you have to register the SSH public key of that root user as a deploy key to allow read-only access to this repository. We use modern ed25519 keys, so the public key of root is stored at /root/.ssh/id_ed25519.pub. Prepare the host as follows:

  1. First become root:

    sudo -i
    
  2. Set the long hostname:

    hostnamectl set-hostname "the-new-unique-long-hostname (fqdn, eg.: host1.example.net)"
    
  3. Update Ubuntu:

    # DO NOT SKIP THIS STEP
    apt update && apt upgrade -y
    
  4. Install git if needed:

    git --version > /dev/null || apt install git
    
  5. If it does not exist yet, generate the SSH key pair of the user root, then print the public key:

    # -t    type of the key pair
    # -f    defines the filenames (we use the standard for the selected type here)
    # -q    quiet, no output or interaction
    # -N "" means the private key will not be secured by a passphrase
    # -C    defines a comment
    cat "/root/.ssh/id_ed25519.pub" \
        || (ssh-keygen \
            -t ed25519 \
            -f "/root/.ssh/id_ed25519" -q -N "" \
            -C "$(date +%Y%m%d):root@$(hostname -b)" \
        && cat "/root/.ssh/id_ed25519.pub")
    

    This key has to be registered via the Gitea web UI as a deploy key in the repositories, as documented in chapter "Register public host key".

Register public host key

This is an example for example.net as domain of the host owner.

  1. Repository cis, allow readonly access only.
  2. Repository cis-definition-example.net, allow readonly access only.
  3. Repository cis-state-example.net, allow writable access.

Clone the Infrastructure System (cis) repository

After you have registered the printed public key of this host's root user, you can clone the repository and execute the setup script:

# Note the trailing '/cis', because we want to clone the repository to that folder
git clone ssh://git@git.example.dev:22448/cis.git /cis

# Execute the setup script
/cis/setupCoreOntoThisHost.sh



How it works

We add a webhook to each gitea repository that belongs to CIS:

Then we configure a jenkins job with no SCM, but 'Generic Webhook Trigger' as build-trigger.
Here the same token must be used as for the 'Target URL' in gitea.

Finally we add 'shell execution' as build step there with this content:

cat <<EOD
Following public-key has to be authorized for user jenkins on the corresponding host:
=====================================================================================
EOD

# Print the public key of the Jenkins user; generate the key pair first if it does not exist
cat "${JENKINS_HOME}/.ssh/id_ed25519.pub" \
    || (ssh-keygen \
        -t ed25519 \
        -f "${JENKINS_HOME}/.ssh/id_ed25519" -q -N "" \
        -C "$(date +%Y%m%d):$(whoami)@$(echo "${JENKINS_URL}" | cut -d/ -f3)" \
    && cat "${JENKINS_HOME}/.ssh/id_ed25519.pub")

# Add your host here; note the trailing '&' to run it in parallel.
# Pass exactly one of: --scripts | --definitions | --states
# StrictHostKeyChecking=no accepts unknown and changed host keys without
# verification; pin the host's key in known_hosts to be able to drop the option.
ssh -o StrictHostKeyChecking=no jenkins@192.168.X.Y /cis/update_repositories.sh --scripts &

# Wait for all background processes to complete
wait
echo "All complete"
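
One way to limit what the authorized jenkins key can do on each host is an OpenSSH forced command that only lets the three update_repositories.sh modes through. This is an added example, not part of the CIS repository; the wrapper path /usr/local/bin/cis-ssh-gate.sh, the function names and the authorized_keys line shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not part of CIS): forced-command gate for the jenkins key.
# Assumed install path: /usr/local/bin/cis-ssh-gate.sh (hypothetical).
# Assumed entry in ~jenkins/.ssh/authorized_keys on the target host:
#   restrict,command="/usr/local/bin/cis-ssh-gate.sh" ssh-ed25519 <key> <comment>
# sshd then ignores the command requested by the client, runs this script
# instead, and exposes the client's request in SSH_ORIGINAL_COMMAND.

CIS_UPDATE="/cis/update_repositories.sh"

# Print the permitted flag and return 0 if the requested command line is
# exactly "<CIS_UPDATE> <flag>" with one known flag; return 1 otherwise.
cis_allowed_flag() {
    case "$1" in
        "$CIS_UPDATE --scripts")     echo "--scripts" ;;
        "$CIS_UPDATE --definitions") echo "--definitions" ;;
        "$CIS_UPDATE --states")      echo "--states" ;;
        *) return 1 ;;
    esac
}

# Entry point used by sshd: run the update script only with the vetted flag.
cis_gate() {
    flag=$(cis_allowed_flag "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "cis-ssh-gate: rejected: ${SSH_ORIGINAL_COMMAND:-<interactive>}" >&2
        return 1
    }
    # The string sent by the client is never evaluated; only the fixed
    # path and the matched literal flag are executed.
    exec "$CIS_UPDATE" "$flag"
}

# Run the gate only when executed as the forced command, not when sourced.
case "${0##*/}" in
    cis-ssh-gate.sh) cis_gate ;;
esac
```

The ssh call in the Jenkins build step stays unchanged; any other command, or an interactive login with that key, is rejected.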