Improve firewall config for connections from Jenkins agents to the orchestrator and other services
This is how Jenkins agents currently access the orchestrator:
| Connection | URL | URL Source |
| ---------- | --- | ---------- |
| First connection | `http://jenkins.${::domain}:8080` | configured in the Systemd service unit file |
| Subsequent connections | `https://jenkins.tails.boum.org` | uses URL provided by Jenkins |
Currently, our Jenkins Agent VMs resolve:
- `jenkins.tails.boum.org` → `192.168.122.1` (using `/etc/hosts`)
In order for that to work, we have the following extra configs in place:
- Jenkins agents firewall (DNAT rules):
  - `192.168.122.1:80` → `192.168.122.6:1180`
  - `192.168.122.1:443` → `192.168.122.6:11443`
  - `192.168.122.1:8080` → `192.168.122.11:8080`
  - `192.168.122.1:42585` → `192.168.122.11:42585`
  - `192.168.122.1:3004` → `192.168.122.2:22` (`puppet-git.lizard`)
  - `192.168.122.1:3006` → `192.168.122.14:22` (`misc.lizard`)
- `www.lizard` Nginx config:
  - Unauthenticated access to Jenkins on ports `1180` and `11443`.
Let's try to come up with an improved way of resolving names and routing VMs to services, so that we have fewer manually configured exceptions and the setup becomes more maintainable.