r/pxe: Set up a PXE server

The *pxe* role configures the TFTP and NBD stages of PXE network
booting.  The TFTP server provides the files used for the boot stage,
which may either be a kernel and initramfs, or another bootloader like
SYSLINUX/PXELINUX or GRUB.  The NBD server provides the root filesystem,
typically mounted by code in early userspace/initramfs.

The *pxe* role also creates a user group called *pxeadmins*.  Users in
this group can publish content via TFTP; they have write-access to the
`/var/lib/tftpboot` directory.

hosts

@@ -113,6 +113,8 @@ pyrocufflink-dns
 [public-web]
 web0.pyrocufflink.blue
 
+[pxe]
+
 [pyrocufflink]
 build0-amd64.pyrocufflink.blue
 burp1.pyrocufflink.blue

pxe.yml

@@ -0,0 +1,6 @@
+- hosts: pxe
+  roles:
+  - role: pxe
+    tags: pxe
+  - role: netboot/jenkins-agent
+    tags: netboot/jenkins-agent

roles/pxe/meta/main.yml

@@ -0,0 +1,5 @@
+dependencies:
+- role: tftp
+  tags: tftp
+- role: nbd-server
+  tags: nbd

roles/pxe/tasks/main.yml

@@ -0,0 +1,36 @@
+- name: ensure pxeadmins group exists
+  group:
+    name: pxeadmins
+    state: present
+  tags:
+  - group
+
+- name: ensure pxeadmins can write to tftpboot directory
+  acl:
+    path: /var/lib/tftpboot
+    entity: pxeadmins
+    etype: group
+    permissions: rwX
+    recursive: True
+    default: '{{ item == "default" }}'
+    state: present
+  loop:
+  - default
+  - current
+  tags:
+  - permissions
+
+- name: ensure pxeadmins can write to nbd directory
+  acl:
+    path: /var/lib/nbd
+    entity: pxeadmins
+    etype: group
+    permissions: rwX
+    recursive: True
+    default: '{{ item == "default" }}'
+    state: present
+  loop:
+  - default
+  - current
+  tags:
+  - permissions