add bootstrap related files

* bootstrap is the main script to run
* bootstrap.yml is the playbook that does the actual job

(This is still work in progress, see bootstrap.yml for comments)

bootstrap

@@ -0,0 +1,18 @@
+#! /bin/sh
+#
+# This script invokes bootstrap.yml while settings special parameters
+#
+# Usage: ./bootstrap [-i <inventory>] -k <ansible-playbook-options>
+#
+# -i <inventory> is needed when you deploy on hosts other than listed in 'dev-hosts'
+# 
+# Note: `-k` option would require a sshpass program.  For some reason, this
+# approach hangs on Dustin and Mikhail.  As a workaround, the `ControlPersist`
+# parameter below is set to 10m, so ssh would keep the connection after the
+# first authentication.
+#
+
+export ANSIBLE_HOST_KEY_CHECKING=False
+export ANSIBLE_SSH_ARGS="-o PreferredAuthentications=password,keyboard-interactive -o ControlPersist=10m"
+
+exec ansible-playbook bootstrap.yml $*

bootstrap.yml

@@ -0,0 +1,63 @@
+# Playbook to bootstrap new service hosts
+#
+# Prerequisites:
+# * basic system is installed (FreeBSD 10.0+) on the target machines
+# * there's only root account that allows to connect to those machines
+# * root passwords are known for all target machines so we can connect as root
+# * ssh access for 'root' is enabled (`PermitRootLogin yes`)
+#
+# Outcome:
+# * machine has basic infrastructure so it can be managed by Ansible:
+#   * user "{{ service_account }}" is created
+#   * this user is granted passwordless sudo right (added to wheel group)
+#   * a crontab entry for running ansible-pull is added
+---
+- name: perform initial bootstrap of service hosts
+  hosts: servicehosts
+  gather_facts: no
+  # we do not have admin users on the target hosts yet, hence using root
+  # directly
+  remote_user: root
+
+  tasks:
+  # This is the only task that requires 'raw' module
+  - name: install ansible
+    raw: "env ASSUME_ALWAYS_YES=YES pkg install ansible"
+
+  - name: install mandatory packages
+    pkgng:
+      name: "{{item}}"
+      state: present
+    with_items: mandatory_packages
+
+  - name: add service account
+    user:
+      name: "{{ service_account }}"
+      comment: Buildbot Service Account
+      state: present
+      groups: wheel
+
+  - name: enable sudo modular configuration
+    lineinfile:
+      dest: "/usr/local/etc/sudoers"
+      line: "#includedir /usr/local/etc/sudoers.d"
+      state: present
+      validate: "visudo -cf %s"
+
+  - name: enable passwordless sudo for members of the wheel group
+    copy:
+      src: "files/sudoers-wheel"
+      dest: "/usr/local/etc/sudoers.d/sudoers-wheel"
+
+  # As Sean suggested, this could be an item for periodic(8)
+  # Things to decide/understand:
+  # * how to run the things under correct user
+  # * how to make sure the environment is correct (e.g. PATH)
+  # * whether to send a mail or keep things in a log or both
+  # * how often this needs to be run (Misha: daily sounds reasonable with an
+  #   option to force deployment when neccessary)
+  - name: add crontab entry to run ansible-pull
+    debug:
+      msg: "We will!"
+
+# vim:ft=yaml:nosi:noai:ts=2:sw=2

files/sudoers-wheel

@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD: ALL

group_vars/all

@@ -24,12 +24,20 @@ admin_users:
 - username: sean
   state: present
 
+service_account: bbinfra
+
+# Mandatory packages are the ones that must be installed on every host.
+# Ansible installation is taken care of depending on what kind of host is that
+# (service host, jail, vm)
+mandatory_packages:
+- sudo
+- git       # this is a mandatory package since we rely on ansible-pull
+
 # TODO: make use of these
 # Utility packages are the ones that must be installed on service host only (at
 # least, at the moment).
 # The original list is based on http://trac.buildbot.net/ticket/3036
 utility_packages:
 - bash
-- git
 - screen
 - vim-lite  # we probably do not want to bring all the stuff