WIP: feat(jenkins): add role to deploy jenkins

roles/jenkins/defaults/main/container.yml

@@ -36,15 +36,24 @@ jenkins_container_image_tag: ~
 jenkins_container_image_flavour: "jdk17"
 
 jenkins_container_env: ~
+jenkins_container_user: >-2
+  {{ jenkins_user_uid }}:{{ jenkins_user_gid }}
 jenkins_container_ports: ~
 jenkins_container_state: >-2
   {{ (jenkins_state == 'present') | ternary('started', 'absent') }}
+jenkins_container_labels:
+  version: "{{ jenkins_container_image_tag | default(jenkins_version, true) }}"
 jenkins_container_networks: ~
 jenkins_container_etc_hosts: ~
 jenkins_container_base_volumes:
-  - "{{ jenkins_home_path }}:/var/jenkins_home"
+  - "{{ jenkins_home_path }}:{{ jenkins_container_home_path }}:rw"
+  - "{{ jenkins_etc_passwd_shim_path }}:/etc/passwd:ro"
 jenkins_container_volumes: ~
 jenkins_container_all_volumes: >-2
   {{ jenkins_container_base_volumes | default([], true)
      + jenkins_container_volumes | default([], true) }}
 jenkins_container_restart_policy: "on-failure"
+
+# Determined by upstream image
+jenkins_container_home_path: "/var/jenkins_home"
+jenkins_container_tcp_listen_port: "8080"

roles/jenkins/defaults/main/main.yml

@@ -1,5 +1,7 @@
 ---
 jenkins_user: "jenkins"
+jenkins_user_is_system: true
+jenkins_user_create_home: false
 jenkins_versions:
   lts: "2.479.3"
   weekly: "2.496"
@@ -10,3 +12,6 @@ jenkins_state: present
 jenkins_deployment_method: docker
 
 jenkins_home_path: "/var/lib/jenkins"
+jenkins_etc_passwd_shim_path: "/etc/jenkins/docker-passwd"
+jenkins_user_uid: "{{ jenkins_user_info.uid }}"
+jenkins_user_gid: "{{ jenkins_user_info.group }}"

roles/jenkins/handlers/default.yml

@@ -0,0 +1,13 @@
+---
+- name: Restart jenkins container '{{ jenkins_container_name }}'
+  community.docker.docker_container:
+    name: "{{ jenkins_container_name }}"
+    state: "started"
+    restart: true
+    comparisons:
+      '*': "ignore"
+  when:
+    - jenkins_state == 'present'
+    - jenkins_deployment_method == 'docker'
+  listen: jenkins_restart
+  ignore_errors: "{{ ansible_check_mode }}"

roles/jenkins/tasks/deploy-docker.yml

@@ -6,12 +6,34 @@
     source: "{{ jenkins_container_image_source }}"
     force_source: "{{ jenkins_container_image_force_source }}"
 
+- name: Ensure jenkins configuration folder is created
+  ansible.builtin.file:
+    path: "{{ jenkins_etc_passwd_shim_path | dirname }}"
+    state: directory
+    mode: "0755"
+    owner: "root"
+    group: "root"
+  when: jenkins_state == 'present'
+
+- name: Ensure jenkins fake '/etc/passwd' is created
+  ansible.builtin.template:
+    src: "docker-passwd.j2"
+    dest: "{{ jenkins_etc_passwd_shim_path }}"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  when: jenkins_state == 'present'
+  notify:
+    - jenkins_restart
+
 - name: Ensure jenkins container '{{ jenkins_container_name }}' is {{ jenkins_container_state }}
   community.docker.docker_container:
     name: "{{ jenkins_container_name }}"
     image: "{{ jenkins_container_image }}"
     env: "{{ jenkins_container_env | default(omit, true) }}"
+    user: "{{ jenkins_container_user | default(omit, true) }}"
     ports: "{{ jenkins_container_ports | default(omit, true) }}"
+    labels: "{{ jenkins_container_labels | default(omit, true) }}"
     networks: "{{ jenkins_container_networks | default(omit, true) }}"
     volumes: "{{ jenkins_container_all_volumes }}"
     restart_policy: "{{ jenkins_container_restart_policy }}"

roles/jenkins/tasks/main.yml

@@ -7,7 +7,8 @@
   ansible.builtin.user:
     name: "{{ jenkins_user }}"
     state: "{{ jenkins_state }}"
-    system: true
+    system: "{{ jenkins_user_is_system }}"
+    create_home: "{{ jenkins_user_create_home }}"
   register: jenkins_user_info
 
 - name: Ensure jenkins home '{{ jenkins_home_path }}' is {{ jenkins_state }}
@@ -15,6 +16,10 @@
     path: "{{ jenkins_home_path }}"
     state: "{{ (jenkins_state == 'present') | ternary('directory', 'absent') }}"
     mode: "{{ jenkins_home_path_mode | default('0750', true) }}"
+    owner: "{{ jenkins_user_uid | default(jenkins_user, true) }}"
+    group: "{{ jenkins_user_gid | default(jenkins_user, true) }}"
+  notify:
+    - jenkins_restart
 
 - name: Ensure jenkins is deployed using {{ jenkins_deployment_method }}
   ansible.builtin.include_tasks:

roles/jenkins/templates/docker-passwd.j2

@@ -0,0 +1,19 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+jenkins:x:{{ jenkins_user_uid }}:{{ jenkins_user_gid }}::/var/jenkins_home:/bin/bash