From 02e4df023c06a8658b0c6fbef7f7165c1e8b034a Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 17 Mar 2022 15:15:04 -0500
Subject: [PATCH] r/pxe: Set up a PXE server

The *pxe* role configures the TFTP and NBD stages of PXE network booting. The TFTP server provides the files used for the boot stage, which may either be a kernel and initramfs, or another bootloader like SYSLINUX/PXELINUX or GRUB. The NBD server provides the root filesystem, typically mounted by code in early userspace/initramfs. The *pxe* role also creates a user group called *pxeadmins*. Users in this group can publish content via TFTP; they have write-access to the `/var/lib/tftpboot` directory.
---
 hosts                    |  2 ++
 pxe.yml                  |  6 ++++++
 roles/pxe/meta/main.yml  |  5 +++++
 roles/pxe/tasks/main.yml | 36 ++++++++++++++++++++++++++++++++++++
 4 files changed, 49 insertions(+)
 create mode 100644 pxe.yml
 create mode 100644 roles/pxe/meta/main.yml
 create mode 100644 roles/pxe/tasks/main.yml

diff --git a/hosts b/hosts
index 09db448..4508e11 100644
--- a/hosts
+++ b/hosts
@@ -113,6 +113,8 @@ pyrocufflink-dns
 [public-web]
 web0.pyrocufflink.blue
+[pxe]
+
 [pyrocufflink]
 build0-amd64.pyrocufflink.blue
 burp1.pyrocufflink.blue
diff --git a/pxe.yml b/pxe.yml
new file mode 100644
index 0000000..ff55bec
--- /dev/null
+++ b/pxe.yml
@@ -0,0 +1,6 @@
+- hosts: pxe
+  roles:
+  - role: pxe
+    tags: pxe
+  - role: netboot/jenkins-agent
+    tags: netboot/jenkins-agent
diff --git a/roles/pxe/meta/main.yml b/roles/pxe/meta/main.yml
new file mode 100644
index 0000000..e6e8658
--- /dev/null
+++ b/roles/pxe/meta/main.yml
@@ -0,0 +1,5 @@
+dependencies:
+- role: tftp
+  tags: tftp
+- role: nbd-server
+  tags: nbd
diff --git a/roles/pxe/tasks/main.yml b/roles/pxe/tasks/main.yml
new file mode 100644
index 0000000..5772f0f
--- /dev/null
+++ b/roles/pxe/tasks/main.yml
@@ -0,0 +1,36 @@
+- name: ensure pxeadmins group exists
+  group:
+    name: pxeadmins
+    state: present
+  tags:
+  - group
+
+- name: ensure pxeadmins can write to tftpboot directory
+  acl:
+    path: /var/lib/tftpboot
+    entity: pxeadmins
+    etype: group
+    permissions: rwX
+    recursive: True
+    default: '{{ item == "default" }}'
+    state: present
+  loop:
+  - default
+  - current
+  tags:
+  - permissions
+
+- name: ensure pxeadmins can write to nbd directory
+  acl:
+    path: /var/lib/nbd
+    entity: pxeadmins
+    etype: group
+    permissions: rwX
+    recursive: True
+    default: '{{ item == "default" }}'
+    state: present
+  loop:
+  - default
+  - current
+  tags:
+  - permissions
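Review bot: The third task grants the pxeadmins group recursive write access to /var/lib/nbd in addition to /var/lib/tftpboot, while the commit message only describes the TFTP grant; since the commit message says the NBD server provides the root filesystem that netbooted hosts mount, a member of pxeadmins can change what every netbooted host runs, and the task should state that, e.g. `# pxeadmins can replace the root images served to every netbooted host; treat membership as equivalent to root on those clients`. `recursive: True` in both acl tasks should be the canonical lowercase `recursive: true`. The `default: '{{ item == "default" }}'` expression is templated to a boolean by Ansible, so splitting the default-ACL and access-ACL passes via the loop is fine as written. I cannot tell from this hunk whether /var/lib/tftpboot and /var/lib/nbd already exist when these tasks run (the acl module requires the path to exist), presumably created by the tftp and nbd-server role dependencies declared in meta/main.yml.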