From 9ccd3bc1202498c6c940409aa65124b68ecda735 Mon Sep 17 00:00:00 2001
From: Mattia Rizzolo
Date: Thu, 9 Apr 2015 01:34:42 +0200
Subject: new jenkins-adm user+group and new permissions for its members

* new user jenkins-adm and new group jenkins-adm
* create users and groupp in update_jdn.sh
* files under /srv/jenkins/bin are now jenkins-adm:jenkins-adm, instead of root
* jenkins-specific apache config is now jenkins-adm:jenkins-adm, instead of root
* users in the jenkins-adm group can sudo to the jenkins-adm and jenkins users, so its members can actually admin jenkins without passing/being root
---
 etc/sudoers.d/jenkins-adm | 4 ++++
 update_jdn.sh | 24 +++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 etc/sudoers.d/jenkins-adm

diff --git a/etc/sudoers.d/jenkins-adm b/etc/sudoers.d/jenkins-adm
new file mode 100644
index 00000000..5cee89f0
--- /dev/null
+++ b/etc/sudoers.d/jenkins-adm
@@ -0,0 +1,4 @@
+# allow member of the jenkins-adm group to sudo-to the jenkins-adm user (owner
+# of jenkins script) and the jenkins user itself
+%jenkins-adm ALL=(jenkins:jenkins) NOPASSWD: ALL
+%jenkins-adm ALL=(jenkins-amd:jenkins-adm) NOPASSWD: ALL
diff --git a/update_jdn.sh b/update_jdn.sh
index 21b7bb05..19d3ad17 100755
--- a/update_jdn.sh
+++ b/update_jdn.sh
@@ -13,6 +13,23 @@ explain() {
 echo
 }
+#
+# set up users and groups
+#
+if ! getent group jenkins-adm ; then
+ sudo addgroup --system jenkins-adm
+fi
+if ! getent passwd jenkins-adm ; then
+ sudo adduser --system --no-create-home --ingroup jenkins-adm --disable-login --no-create-home jenkins-adm
+ sudo usermod -G jenkins
+fi
+for user in helmut holger mattia ; do
+ if ! getent passwd $user ; then
+ sudo adduser --gecos "" $user
+ sudo usermod -G jenkins,jenkins-adm
+ fi
+done
+
 mkdir -p /srv/workspace
 if ! grep -q '^tmpfs\s\+/srv/workspace\s' /etc/fstab; then
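Review bot: The second rule in etc/sudoers.d/jenkins-adm names the run-as user `jenkins-amd`, which does not match the `jenkins-adm` account this commit creates, so `sudo -u jenkins-adm` is not granted by the file; the line should read `%jenkins-adm ALL=(jenkins-adm:jenkins-adm) NOPASSWD: ALL`. The misspelled name is still syntactically valid, so a syntax check will not catch it; checking the `sudo -l` output of a group member after deployment would. The header comment could also record that `NOPASSWD: ALL` gives every member of `jenkins-adm` full control of the `jenkins` account, so that group membership is reviewed as a privileged grant.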
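Review bot: Both `usermod` calls in the user-setup hunk of update_jdn.sh omit the login name, so they end in a usage error and nobody is added to `jenkins` or `jenkins-adm`; they should read `sudo usermod -a -G jenkins jenkins-adm` and `sudo usermod -a -G jenkins,jenkins-adm "$user"`. The `-a` matters because plain `-G` replaces the account's existing supplementary groups. On the `adduser --system` line, `--no-create-home` is given twice and Debian's adduser spells the other option `--disabled-login`, so the line as written is likely to be rejected. Because the group assignment sits inside the `getent passwd` guard, accounts that already exist never gain the new groups; moving each `usermod` below its `fi` would cover them.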
@@ -183,7 +200,9 @@ if [ ! -e /etc/apache2/mods-enabled/proxy.load ] ; then
 sudo a2enmod macro
 fi
 sudo chown root.root /etc/sudoers.d/jenkins ; sudo chmod 700 /etc/sudoers.d/jenkins
+sudo chown root.root /etc/sudoers.d/jenkins-adm ; sudo chmod 700 /etc/sudoers.d/jenkins-adm
 sudo ln -sf /etc/apache2/sites-available/jenkins.debian.net /etc/apache2/sites-enabled/000-default
+sudo chown jenkins-adm.jenkins-adm /etc/apache2/sites-enabled/000-default
 # for reproducible.d.n url rewriting:
 sudo ln -sf /var/lib/jenkins/userContent /var/www/userContent
 sudo service apache2 reload
@@ -196,7 +215,10 @@ sudo service munin-node force-reload
 # install the heart of jenkins.debian.net
 #
 cd $BASEDIR
-cp --preserve=mode,timestamps -r bin logparse job-cfg features live /srv/jenkins/
+for dir in bin logparse job-cfg features live ; do
+ cp --preserve=mode,timestamps -r $dir /srv/jenkins/
+ chmod -R jenkins-adm.jenkins-adm /srv/jenkins/$dir
+done
 cp procmailrc /var/lib/jenkins/.procmailrc
 explain "Jenkins updated."
 cp -pr README INSTALL TODO CONTRIBUTING d-i-preseed-cfgs /var/lib/jenkins/userContent/
-- 
cgit v1.2.3-54-g00ecf
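Review bot: `chown` without `-h` follows the `000-default` symlink, so the added line in the Apache hunk gives `/etc/apache2/sites-available/jenkins.debian.net` to `jenkins-adm`, and that file is read by an Apache that is normally started as root. Members of the group can then change what the root-started server loads on the next `service apache2 reload`, which puts the group closer to root than the commit message suggests; a comment such as `# jenkins-adm may edit the vhost; treat group membership as privileged` would record that this is intended. Separately, the new sudoers line copies `chmod 700`, whereas sudoers drop-ins are conventionally mode 0440, so `sudo chown root:root /etc/sudoers.d/jenkins-adm ; sudo chmod 0440 /etc/sudoers.d/jenkins-adm` would be the safer form.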
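Review bot: The added `chmod -R jenkins-adm.jenkins-adm /srv/jenkins/$dir` in the install hunk passes an owner spec to `chmod`, which rejects it as an invalid mode, so the copied trees keep their previous owner and the ownership change described in the commit message never takes effect. The line should be `sudo chown -R jenkins-adm:jenkins-adm "/srv/jenkins/$dir"`; whether `sudo` is needed depends on who runs this part of the script, which the hunk does not show. Quoting `"$dir"` in the `cp` line as well keeps the loop safe if the directory list ever gains a name containing spaces.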