ci: Use lockable resource to enforce serial runs

It is important that only one configuration management job run at a
time. Currently, this is enforced by having only one agent with the
*ansible* label, and that agent has only one executor. This is not an
ideal solution, because it requires maintaining a separate machine for
this purpose.

The *Lockable Resources Plugin* provides an alternate solution to this
problem. Using this plugin, jobs can acquire an exclusive lock on a
"resource" that prevents other jobs that require the same resource from
running. Any job that starts while the lock is held will wait until it
is released before executing. This will enforce the same serial
execution policy, but does not require a separate, dedicated machine.
Jobs will be able to run on any executor with the appropriate label.

Using this option, it is now possible to run configuration management
jobs on the normal agents, defining the execution environment in a
Docker image, so the *cm0.pyrocufflink.blue* agent can be
decommissioned.

ci/Dockerfile

@@ -0,0 +1,15 @@
+FROM fedora:29
+
+RUN useradd -l -u 3000018 jenkins
+
+RUN dnf install -y \
+	ansible \
+	krb5-workstation \
+	openssh-clients \
+	python3-dns \
+	python3-netaddr \
+	--
+
+COPY default-realm.krb5.conf /etc/krb5.conf.d/default-realm.conf
+
+ENV LANG=en_US.UTF-8

ci/default-realm.krb5.conf

@@ -0,0 +1,2 @@
+[libdefaults]
+default_realm = PYROCUFFLINK.BLUE

ci/radius.jenkinsfile

@@ -2,13 +2,29 @@
 
 pipeline {
     agent {
-        label 'ansible'
+        dockerfile {
+            dir 'ci'
+            args '''\
+            -v /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+            '''
+        }
     }
 
+    options {
+        lock 'cfgpol'
+        timeout(time: 1, unit: 'HOURS')
+    }
+
+
     triggers {
         cron 'H H * * *'
     }
 
+
+    environment {
+        KRB5CCNAME = "${WORKSPACE}/.krb5cc"
+    }
+
     stages {
         stage('kinit') {
             steps {