pikvm: Add role/playbook for PiKVM

PiKVM comes with its own custom Arch Linux-based operating systems.  We
want to be able to manage it with our configuration policy, especially
for setting up authentication, etc.  It won't really work with the
host-provisioner without some pretty significant changes to the base
playbooks, but we can control some bits directly.

group_vars/pikvm.yml

@@ -0,0 +1,9 @@
+root_authorized_keys: |
+  {{ dustin_ssh_keys_sk }}
+
+root_password_hash: ''
+
+pikvm_users:
+- username: dustin
+  password: >-
+    {{ lookup('pipe','rbw get --folder Pyrocufflink ' + ansible_hostname + ' dustin') }}

hosts

@@ -175,6 +175,8 @@ vm-hosts
 chromie.pyrocufflink.blue
 nvr2.pyrocufflink.blue
 
+[pikvm]
+
 [postgresql]
 db0.pyrocufflink.blue
 

pikvm.yml

@@ -0,0 +1,19 @@
+- hosts: pikvm
+  pre_tasks:
+  - name: remount rootfs read-write
+    command: rw
+    tags:
+    - remount-rw
+    - remount
+  roles:
+  - role: hostname
+  - role: base
+  - role: pikvm
+    tags:
+    - pikvm
+  tasks:
+  - name: remount rootfs read-only
+    command: ro
+    tags:
+    - remount-ro
+    - remount

roles/pikvm/defaults/main.yml

@@ -0,0 +1,6 @@
+pikvm_users:  []
+
+pikvm_meta:
+  server:
+    host: '{{ ansible_fqdn }}'
+  kvm: {}

roles/pikvm/files/sshd_config

@@ -0,0 +1,2 @@
+PermitRootLogin prohibit-password
+PasswordAuthentication no

roles/pikvm/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded

roles/pikvm/tasks/main.yml

@@ -0,0 +1,48 @@
+- name: ensure sshd is configured for pikvm
+  copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config.d/pikvm.conf
+    owner: root
+    group: root
+    mode: u=rw,go=
+  notify:
+  - reload sshd
+
+- name: ensure kvmd-webterm is disabled
+  service:
+    name: kvmd-webterm
+    state: stopped
+    enabled: false
+  tags:
+  - service
+
+- name: ensure pikvm users are configured
+  htpasswd:
+    name: '{{ item.username }}'
+    password: '{{ item.password }}'
+    path: /etc/kvmd/htpasswd
+    hash_scheme: ldap_salted_sha512
+    state: present
+  loop: '{{ pikvm_users }}'
+  loop_control:
+    label: '{{ item.username }}'
+  tags:
+  - htpasswd
+
+- name: ensure pikvm admin user is removed
+  htpasswd:
+    name: admin
+    path: /etc/kvmd/htpasswd
+    state: absent
+  tags:
+  - htpasswd
+
+- name: ensure pikvm meta info is set
+  copy:
+    content: '{{ pikvm_meta | to_nice_yaml(indent=2) }}'
+    dest: /etc/kvmd/meta.yaml
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config