pikvm: Add role/playbook for PiKVM

PiKVM comes with its own custom Arch Linux-based operating systems.  We
want to be able to manage it with our configuration policy, especially
for setting up authentication, etc.  It won't really work with the
host-provisioner without some pretty significant changes to the base
playbooks, but we can control some bits directly.

roles/pikvm/defaults/main.yml

@@ -0,0 +1,6 @@
+pikvm_users:  []
+
+pikvm_meta:
+  server:
+    host: '{{ ansible_fqdn }}'
+  kvm: {}

roles/pikvm/files/sshd_config

@@ -0,0 +1,2 @@
+PermitRootLogin prohibit-password
+PasswordAuthentication no

roles/pikvm/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded

roles/pikvm/tasks/main.yml

@@ -0,0 +1,48 @@
+- name: ensure sshd is configured for pikvm
+  copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config.d/pikvm.conf
+    owner: root
+    group: root
+    mode: u=rw,go=
+  notify:
+  - reload sshd
+
+- name: ensure kvmd-webterm is disabled
+  service:
+    name: kvmd-webterm
+    state: stopped
+    enabled: false
+  tags:
+  - service
+
+- name: ensure pikvm users are configured
+  htpasswd:
+    name: '{{ item.username }}'
+    password: '{{ item.password }}'
+    path: /etc/kvmd/htpasswd
+    hash_scheme: ldap_salted_sha512
+    state: present
+  loop: '{{ pikvm_users }}'
+  loop_control:
+    label: '{{ item.username }}'
+  tags:
+  - htpasswd
+
+- name: ensure pikvm admin user is removed
+  htpasswd:
+    name: admin
+    path: /etc/kvmd/htpasswd
+    state: absent
+  tags:
+  - htpasswd
+
+- name: ensure pikvm meta info is set
+  copy:
+    content: '{{ pikvm_meta | to_nice_yaml(indent=2) }}'
+    dest: /etc/kvmd/meta.yaml
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config