Add jenkins nomad job seriously god, kill me

docker/jenkins/Dockerfile

@@ -10,9 +10,11 @@ RUN apk add --no-cache \
   bash \
   coreutils \
   curl \
+  expect \
   git \
   git-lfs \
   openssh-client \
+  openssl \
   tini \
   ttf-dejavu \
   tzdata \

docker/jenkins/files/jenkins.sh

@@ -1,5 +1,22 @@
 #! /bin/bash -e
 
+# cert prep
+for i in /secrets/jenkins.crt /etc/ssl/certs/ca-cert-MaskedName_Root_CA.pem; do
+    cat $i >> /tmp/jenkins_bundle.crt
+    echo >> /tmp/jenkins_bundle.crt
+done
+
+expect <(cat <<EOH
+spawn openssl pkcs12 -inkey /secrets/jenkins.key -in /tmp/jenkins_bundle.crt -export -out /secrets/jenkins.jks
+expect "Enter Export Password:"
+send -- "password\r"
+expect "Verifying - Enter Export Password:"
+send -- "password\r"
+interact
+EOH
+)
+
+# defaultish jenkins stuff
 : "${JENKINS_WAR:="/usr/share/jenkins/jenkins.war"}"
 : "${JENKINS_HOME:="/var/jenkins_home"}"
 : "${COPY_REFERENCE_FILE_LOG:="${JENKINS_HOME}/copy_reference_file.log"}"

nomad/jenkins.nomad

@@ -13,6 +13,10 @@ job "jenkins" {
     value     = "true"
   }
 
+  vault {
+    policies    = ["default", "ansible"]
+    change_mode = "restart"
+  }
   group "jenkins" {
     count = 1
 
@@ -26,19 +30,41 @@ job "jenkins" {
         ]
       }
 
+      template {
+        data = <<EOH
+            {{- with secret "pki_int/issue/masked-dot-name" "common_name=jenkins.service.masked.name" "alt_names=jenkins.service.columbia.masked.name" -}}
+            {{- .Data.certificate -}}
+            {{- end -}}
+        EOH
+        destination   = "${NOMAD_SECRETS_DIR}/jenkins.crt"
+        change_mode   = "restart"
+      }
+
+      template {
+        data = <<EOH
+            {{- with secret "pki_int/issue/masked-dot-name" "common_name=jenkins.service.masked.name" "alt_names=jenkins.service.columbia.masked.name" -}}
+            {{- .Data.private_key -}}
+            {{- end -}}
+        EOH
+        destination   = "${NOMAD_SECRETS_DIR}/jenkins.key"
+        change_mode   = "restart"
+      }
+
       env {
-        ROOT_URL    = "${NOMAD_ADDR_https}"
+        ROOT_URL     = "${NOMAD_ADDR_https}"
+        JAVA_ARGS = "-Xmx2048m"
+        JENKINS_OPTS = "--httpsPort=8443 --httpsKeyStore=/secrets/jenkins.jks --httpsKeyStorePassword=password"
       }
 
       resources {
         cpu    = 2000
-        memory = 2048
+        memory = 2560
       }
     }
 
     network {
       port "https" {
-        to = 8080
+        to = 8443
        }
     }
 

vault/policies/nomad-server-policy.hcl

@@ -0,0 +1,30 @@
+# Allow creating tokens under "nomad-cluster" role.
+path "auth/token/create/nomad-cluster" {
+  capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" role.
+path "auth/token/roles/nomad-cluster" {
+  capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting.
+path "auth/token/lookup" {
+  capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist.
+path "auth/token/revoke-accessor" {
+  capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token.
+path "sys/capabilities-self" {
+  capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}

vault/roles/nomad-cluster-role.json

@@ -0,0 +1,8 @@
+{
+  "disallowed_policies": "nomad-server,root",
+  "token_explicit_max_ttl": 0,
+  "name": "nomad-cluster",
+  "orphan": true,
+  "token_period": 259200,
+  "renewable": true
+}