Setting up a Private Jenkins and Git Server

I found myself in a bit of a conundrum the other day. I’ve been using Jenkins on my laptop for a while, and it’s worked great, but I thought it’d be neat to turn one of my Raspberry Pis into a slave and get cross builds working. The problem though, is that I take my laptop with me to work and when I travel, and that means I’d have an offline build slave more than I’d like. I’d have the problem in reverse if I turned the Pi into the Jenkins master, but there was another problem: I’m addicted to Gentoo, and they don’t have Jenkins available for arm machines via portage.

The solution was obvious: set up another system that I could use as a Jenkins master that’d reliably be able to send jobs to the Pis. And, so long as I’m going to do that, I might as well get Gitea running on the new box.

The point of this post is more to keep notes for myself, since I haven’t done this level of server stuff before.

Install the Operating System

I’m a Gentoo fan, so that’s what I went with. The system was a stock install with nothing special, and other than a few changes to use flags I didn’t deviate from the handbook very much (a notable exception was installing the latest Intel microcode).

Install and Configure Nginx

Going off past experience, I knew it’d take a while to get Jenkins running since I’d have to install icedtea, and that package likes to take its time. Figuring I could kill two birds with one stone, I installed nginx first.

Gentoo’s default configuration for nginx worked out of the box, but I wanted https enabled. I don’t use openssl often enough to know how to generate a certificate from memory, but that’s what Google is for. I started by following a helpful guide, but the command I ended up using looks like this:

openssl req -x509 -nodes -days 180 -newkey rsa:4096 -keyout openssl.key -out nachobox.crt -config sslkey.conf

I had a certificate, but I’m lazy and don’t want to have to keep making new ones manually, so I knocked out a quick script.

#!/bin/sh

HOME_DIR=/var/lib/nginx

/usr/bin/openssl req -x509 -nodes -days 180 -key "${HOME_DIR}/openssl.key" -out "${HOME_DIR}/nachobot.cert" -config "${HOME_DIR}/sslkey.conf"

Next, I added a cron entry to run the script every other month.

0 0 1 2,4,6,8,10,12 * /var/lib/nginx/regenerate_key.sh

If all goes well, this should generate a new certificate every other month, each good for six months.
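An added example, not part of the original script: the same renewal with the steps an unattended cron job needs. It stages the new certificate, checks that it matches openssl.key and is not about to expire, installs it with an atomic rename, and reloads nginx, which otherwise keeps serving the old certificate from memory. The renew_cert function name and the "install" argument are assumptions; the paths are the ones used above.

```shell
#!/bin/sh
# Added example: stage, verify, install, then reload. Paths are the post's.
HOME_DIR=${HOME_DIR:-/var/lib/nginx}

# renew_cert KEY OUT DAYS CONFIG   (hypothetical helper name)
# Returns 0 only if a verified certificate was installed at OUT.
renew_cert() {
    key=$1 out=$2 days=$3 conf=$4
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    # Generate into a staging file so a failed run never truncates the live cert.
    if ! openssl req -new -x509 -days "$days" -key "$key" \
            -config "$conf" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi

    # The certificate must carry the public half of the key nginx will load,
    # and it must still be valid one day (86400 s) from now.
    cert_pub=$(openssl x509 -in "$tmp" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ] || \
       ! openssl x509 -in "$tmp" -noout -checkend 86400 >/dev/null; then
        rm -f "$tmp"; return 1
    fi

    chmod 644 "$tmp"      # the certificate is public
    chmod 600 "$key"      # the key is stored unencrypted (-nodes): owner only
    mv -f "$tmp" "$out"   # a rename within one directory is atomic
}

# Do the real work only when called with "install" (the cron case), so the
# file can also be sourced to reuse renew_cert.
if [ "${1:-}" = "install" ]; then
    renew_cert "$HOME_DIR/openssl.key" "$HOME_DIR/nachobot.cert" 180 \
               "$HOME_DIR/sslkey.conf" \
        && nginx -s reload   # nginx keeps the old cert in memory until reloaded
fi
```

From cron this would be called as regenerate_key.sh install; without the argument the file only defines the function.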

The next step was to get ssl working on nginx, which was a simple matter of editing nginx.conf.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name nachobox;
 
    ssl_certificate /var/lib/nginx/nachobot.cert;
    ssl_certificate_key /var/lib/nginx/openssl.key;
 
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
}
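The ssl_protocols line above still offers TLS 1.0 and 1.1, which RFC 8996 has since formally deprecated. As an added example (not from the original post), this check lists deprecated protocol versions found in an nginx configuration read from stdin, such as the output of nginx -T; the function names and the commented-out SSLv3 line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# deprecated_tls: read nginx configuration on stdin and print every
# ssl_protocols token that names a deprecated protocol version.
deprecated_tls() {
    awk '
        { sub(/#.*/, "") }                 # ignore comments
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i
                sub(/;$/, "", p)           # the last token carries the semicolon
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    printf "line %d: %s\n", NR, p
            }
        }'
}

# Sample input: the server block from this post, trimmed, plus one
# constructed comment line to show that comments are skipped.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name nachobox;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
}
EOF
}

sample_conf | deprecated_tls
```

A configuration that lists only TLSv1.2 and TLSv1.3 produces no output.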

At this point, I could accept nachobox with firefox over https. I wanted to get http requests redirecting to https. Luckily, this is pretty simple.

server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

After reloading the configuration, all requests to http://nachobox were redirected to https://nachobox.

Since I was still waiting for Jenkins to install (more specifically, icedtea), I decided to try getting the reverse proxy configuration working. Luckily, the Jenkins project actually documents this process, so I tweaked their configuration for my (expected) setup:

location ^~ /jenkins/ {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect http:// https://;

    proxy_set_header Host            $host:$server_port;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_max_temp_file_size 0;

    client_max_body_size 10m;
    client_body_buffer_size 128k;

    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;

    proxy_temp_file_write_size 64k;

    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off;
}

When I started getting 502 errors after reloading nginx, this seemed like a good sign.

Starting Jenkins

By now, Jenkins had finished installing and it was time to actually test my configuration. I did a quick sanity check on the Jenkins configuration, and set the following option:

JENKINS_ARGS="--httpListenAddress=127.0.0.1 --prefix=/jenkins"

That should have Jenkins automatically update each URL to include /jenkins, and only permit connections from localhost (i.e., the only way to get to Jenkins is to go through nginx). After starting Jenkins, I verified these assumptions by trying to connect directly to port 8080 via my laptop; mission accomplished.

I was greeted by the initial Jenkins admin screen:

[Screenshot: It’s working!]

This was enough for now, since I had to get Gitea working before any of my Jenkins jobs would work. 

Starting Gitea

Gitea proved much more difficult to get started than Jenkins. The app.ini file installed by default was a bare minimum, and wasn’t close to complete. The Gitea package also provided its own sample app.ini though, so I started from there.

cat /usr/share/doc/gitea-1.8.0/app.ini.sample.bz2 | bzip2 -d >/etc/gitea/app.ini

Under the [server] section, I changed the ROOT_URL to the path I’m exposing via nginx (https://nachobox/gitea/) and changed HTTP_ADDR to stop listening for all inbound connections (i.e., I changed 0.0.0.0 to 127.0.0.1).
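Both Jenkins (--httpListenAddress=127.0.0.1) and Gitea (HTTP_ADDR) are meant to be reachable only through nginx, and that can be checked on the server itself instead of by probing from another machine. This is an added example, not from the original post: it reads ss -ltn output and prints any listener on the given ports that is not bound to loopback. Port 3000 for Gitea is an assumption (Gitea's default HTTP_PORT; the post does not state it), and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# exposed_listeners PORT...: read `ss -ltn` output on stdin and print the
# local address of every listener on one of PORTs that is not loopback-only.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                          # Local Address:Port column
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[0-9]+$/, "", host)
            # Loopback forms: 127.x.x.x, [::1], and the IPv4-mapped form a
            # JVM on a dual-stack socket may show, [::ffff:127.x.x.x].
            loop = (host ~ /^(127\.[0-9.]+|\[::1\]|\[::ffff:127\.[0-9.]+\])$/)
            if ((port in want) && !loop)
                print addr
        }'
}

# Constructed sample: Jenkins bound as configured in the post, and a service
# on 3000 (assumed Gitea port) still listening on every interface.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       50      127.0.0.1:8080      0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     0.0.0.0:3000        0.0.0.0:*
LISTEN  0       128     [::]:443            [::]:*
EOF
}

sample_ss | exposed_listeners 8080 3000
```

On the live system the input would come from ss -ltn; empty output means every listed port is bound to loopback only.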

Trying to install (via the web interface) still failed, and the logs showed a weird error:

2019/05/31 21:56:40 [...itea/routers/init.go:95 GlobalInit()] [E] Failed to initialize issue indexer: mkdir indexers: permission denied

Google came to the rescue again, this time in the form of a comment on a GitHub issue. The trick ended up being to use full paths everywhere under the [indexer] section.

grep INDEXER_PATH /etc/gitea/app.ini                            
ISSUE_INDEXER_PATH               = /var/lib/gitea/indexers/issues.bleve          
REPO_INDEXER_PATH                = /var/lib/gitea/indexers/repos.bleve

At this point, I was able to register an account (the first account is the admin).

[Screenshot: Logged in to Gitea]

This is enough for now, since I’ve got clang installing and don’t want to bother with anything else for the evening. Future posts will go through the process of adding repos to Gitea, configuring Jenkins to build everything, and making both tools customized to my needs.
