first cut of rundeck packaging

Techops/rundeck.knownelement.com/Rundeck-BuildNotes.md

@@ -0,0 +1,101 @@
+# Rundeck Cloudron Package Build Notes
+
+## Overview
+This package deploys Rundeck, an open-source automation and job scheduling tool, on Cloudron. It uses PostgreSQL for data storage and can be configured to use either Cloudron's LDAP or OIDC for authentication.
+
+## Package Contents
+- **CloudronManifest.json**: Defines the app for Cloudron
+- **Dockerfile**: Builds the container with Rundeck and dependencies
+- **start.sh**: Initializes the app and manages configuration
+- **nginx.conf**: Configures web server to proxy requests to Rundeck
+- **supervisord.conf**: Manages Rundeck and Nginx processes
+- **Configuration files**:
+  - framework.properties: Core Rundeck configuration
+  - rundeck-config.properties: Database and server settings
+  - jaas-ldap.conf: LDAP authentication configuration
+  - jaas-oidc.conf: OAuth/OIDC authentication configuration
+  - realm.properties: Default user credentials
+
+## Building the Package
+
+1. Create a new directory for your Cloudron package
+2. Place all the files in this package in that directory
+3. Download a Rundeck logo and save it as `logo.png` in the package directory
+4. Build the package with the Cloudron CLI:
+   ```
+   cloudron build
+   ```
+
+## Testing
+
+1. Install the package on a test Cloudron instance:
+   ```
+   cloudron install --image [your-image-name]
+   ```
+2. After installation, access the app at its Cloudron URL
+3. Log in with the credentials shown in the post-install message
+4. Test basic functionality:
+   - Create a project
+   - Define a simple job
+   - Run the job and verify it executes correctly
+   - Check that logs are saved correctly
+5. Test authentication:
+   - If LDAP is enabled, test login with a Cloudron user
+   - If OIDC is enabled, test single sign-on functionality
+   - Verify proper permissions mapping
+
+## Deploying to Production
+
+1. After successful testing, publish the package for your production Cloudron:
+   ```
+   cloudron install --app rundeck --image [your-image-name]
+   ```
+2. Configure backup schedules through the Cloudron UI
+3. Update the admin password immediately after installation
+4. Configure necessary projects and jobs
+
+## Authentication Configuration
+
+The package supports two authentication methods:
+
+### OIDC/OAuth (Preferred)
+- Automatically configured if Cloudron provides OAuth environment variables
+- Uses Cloudron's identity provider for single sign-on
+- User roles mapped from Cloudron groups
+- No additional configuration needed
+
+### LDAP
+- Automatically configured if Cloudron provides LDAP environment variables
+- Uses Cloudron's LDAP server for authentication
+- Groups are mapped to Rundeck roles
+- Works with all Cloudron user accounts
+
+## Troubleshooting
+
+- If the app fails to start, check the Cloudron logs:
+  ```
+  cloudron logs -f
+  ```
+- Common issues:
+  - Database connection problems: Check the PostgreSQL addon status
+  - Authentication issues: Verify LDAP/OIDC configuration
+  - File permissions: Ensure files in /app/data are owned by cloudron:cloudron
+  - Memory limits: If Rundeck is slow or crashing, consider increasing the memory limit
+
+## Updating the Package
+
+1. Update the app version in CloudronManifest.json
+2. Update the Rundeck version in the Dockerfile
+3. Make any necessary changes to configuration files
+4. Rebuild and reinstall the package
+
+## Backup and Restore
+
+Cloudron automatically backs up the /app/data directory and PostgreSQL database. No additional configuration is required for backup functionality.
+
+## Security Notes
+
+- Rundeck stores sensitive data (credentials, private keys) in its database and file system
+- All sensitive data is stored in the /app/data directory, which is backed up by Cloudron
+- API keys and other secrets are encrypted using Jasypt encryption
+- Always use HTTPS (provided by Cloudron) for secure access

Techops/rundeck.knownelement.com/docker-compose.yml

@@ -1 +0,0 @@
-#rundeck docker compose for tsys

Techops/rundeck.knownelement.com/framework.properties

@@ -0,0 +1,57 @@
+# framework.properties
+#
+# The base directory for the rundeck server
+#
+rdeck.base=/app/data
+
+# Indicates a file contains credentials for writing to the output log file.
+#
+# The contents of this file must contain a single line with 2 comma separated
+# strings:
+# <username>,<password>
+framework.output.password.file=/app/data/etc/output.password
+
+# Framework crypto options
+# framework.crypto.keystore.filename=
+# framework.crypto.keystore.password=
+# framework.crypto.secretkey.password=
+
+# SSH connection timeout after a specified number of milliseconds.
+# Default timeout is 30 seconds.
+framework.ssh.timeout=30000
+
+# Set the follow to true if you want ssh-agent forwarding to work.
+framework.ssh.user.enableagentforward=false
+
+# ssh key storage
+framework.ssh.keypath=/app/data/.ssh
+framework.ssh.keystore.path=/app/data/var/storage
+
+# SSH authentication type (password or privateKey)
+framework.ssh.authentication=privateKey
+
+# Set this to true to use the ssh-key storage for ssh plugin tests
+framework.ssh.fileCopier.use.storage=false
+
+#
+# Extra environment variables to pass to throttled/queued commands
+#
+# comma separated list of environment variables to pass from parent process to
+# to child process as is
+framework.env.retain=JVM_OPTS
+
+# API Tokens File
+framework.tokens.file=/app/data/etc/tokens.properties
+
+# For Server URL and Port
+framework.server.name=Rundeck
+framework.server.hostname=${CLOUDRON_APP_DOMAIN}
+framework.server.port=443
+framework.server.url=https://${CLOUDRON_APP_DOMAIN}
+
+# Define auth resources
+framework.authorization.resource.file.path=/app/data/etc/resources.xml
+
+# Logging
+framework.log.dispatch.console.format=[%d{ISO8601}] %-5p %c{2} - %m%n
+framework.log.dispatch.file=/app/data/var/logs/rundeck.log

Techops/rundeck.knownelement.com/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

Techops/rundeck.knownelement.com/jaas-oidc.conf

@@ -0,0 +1,12 @@
+oauth {
+    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
+    debug="true"
+    useFirstPass="true"
+    supplementalRoles="user"
+    file="/app/data/etc/realm.properties";
+
+    com.dtolabs.rundeck.jetty.jaas.JettyOIDCUserGroupsLoginModule required
+    debug="true"
+    useFirstPass="false"
+    storePass="true";
+};

Techops/rundeck.knownelement.com/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

Techops/rundeck.knownelement.com/realm.properties

@@ -0,0 +1,2 @@
+# Initial Admin User - will be set up by start.sh
+admin:admin,user,admin

Techops/rundeck.knownelement.com/rundeck-config.properties

@@ -0,0 +1,33 @@
+# rundeck-config.properties
+#
+
+# Database connection
+dataSource.driverClassName = org.postgresql.Driver
+dataSource.url = ${RUNDECK_SERVER_DATASTORE_URL}
+dataSource.username = ${CLOUDRON_POSTGRESQL_USERNAME}
+dataSource.password = ${CLOUDRON_POSTGRESQL_PASSWORD}
+dataSource.dbCreate = update
+
+# Plugin installation
+rundeck.plugin.dir = /app/data/libext
+
+# Server settings
+grails.serverURL = https://${CLOUDRON_APP_DOMAIN}
+rundeck.gui.startpage = jobs
+rundeck.enableSelfSignedCertDownload = false
+rundeck.jetty.connector.forwarded = true
+rundeck.security.useHMacRequestTokens = true
+rundeck.security.csrf.referer.filterMethod = NONE
+rundeck.api.tokens.duration.max = 30d
+
+# Logging
+rundeck.log4j.config.file = /app/data/server/config/log4j2.properties
+rundeck.logging.dir = /app/data/var/logs
+
+# File storage
+rundeck.projectsStorageType=filesystem
+rundeck.storage.provider.1.type=file
+rundeck.storage.provider.1.path=/app/data/var/storage
+rundeck.storage.converter.1.type=jasypt-encryption
+rundeck.storage.converter.1.key=keys
+rundeck.storage.converter.1.path=keys

Techops/rundeck.knownelement.com/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory