install custom OCI OS image on bare metal (first manually, then automatically/unattended for scalability)

This issue is to track the work on EU OS provisioning to end user computers. The conclusions and results should be incorporated in the documentation at:

  • specification/requirements: https://eu-os.eu/spec (source: spec.md)
  • proof-of-concept: https://eu-os.eu/poc/ (source: index.md)
    • specific page on https://eu-os.eu/poc/provisioning/ (source: index.md)

Goals

Proof of Concept (emphasis on flexibility and automation)

For the proof of concept, it is better to assume that no changes to the network (DNS, DHCP) are made.

  • prepare a USB pendrive with hard-coded user credentials and full-disk-encryption (FDE) passphrase for hands-off provisioning without enrolment to Foreman
  • automate enrolment to Foreman (pre-provisioning?)
  • define per-device FDE passphrases centrally and set them up during (or just after) provisioning without leaking secrets
  • consider pros and cons of provisioning with Foreman discovery image
  • secure-boot with possible custom signing key (specific issue: #48)

Production (emphasis on scalability and automation)

For a production setup, relying on modifications to the network (DNS, DHCP) can be considered.

  • more automation for more scalability (e.g. with PXE provisioning)

References:

  • Foreman provisioning (with kickstart)
  • Anaconda with kickstart for OCI images
  • kickstart config loaded from OCI repo
  • use Foreman discovery image booted from USB to provision PXE-less: https://theforeman.org/plugins/foreman_discovery/18.0/index.html#5.3PXE-lessdiscovery

For Full-Disk-Encryption (FDE), (computer-specific) keys should be generated on the server side, and set up during provisioning – most likely through kickstart files with variables.

Edited Aug 14, 2025 by Robert Riemann
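
The server-side, per-device FDE passphrase generation and kickstart variable substitution described above, as an added example that is not part of the issue or the EU OS project's code. The kickstart layout, the image URL, the hostnames and all function names are assumptions chosen for illustration.

```python
import os
import re
import secrets
import string

# Hypothetical kickstart template; partitioning and image URL are assumptions.
KS_TEMPLATE = string.Template("""\
# kickstart for $hostname (generated, contains a secret)
text
zerombr
clearpart --all --initlabel
autopart --type=lvm --encrypted --luks-version=luks2 --passphrase=$fde_passphrase
ostreecontainer --url=$image_url --transport=registry
reboot
""")

ALPHABET = string.ascii_letters + string.digits  # needs no quoting in kickstart


def new_passphrase(length=32):
    """Per-device passphrase from the OS CSPRNG (about 190 bits at length 32)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_kickstart(hostname, image_url, passphrase):
    """Fill the template; reject values that could inject kickstart lines."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", hostname):
        raise ValueError("hostname must be letters, digits or hyphens")
    if not passphrase or set(passphrase) - set(ALPHABET):
        raise ValueError("passphrase must be non-empty and alphanumeric")
    # substitute() raises KeyError if the template names an unset variable.
    return KS_TEMPLATE.substitute(
        hostname=hostname, image_url=image_url, fde_passphrase=passphrase)


def write_private(path, text):
    """Create the file with mode 0600 and refuse to overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def provision(hostnames, image_url, outdir):
    """Write one kickstart per device; return {hostname: passphrase} for escrow."""
    escrow = {}
    for host in hostnames:
        escrow[host] = new_passphrase()
        write_private(os.path.join(outdir, host + ".ks"),
                      render_kickstart(host, image_url, escrow[host]))
    return escrow
```

Each rendered file carries the passphrase in clear text, so it should be served only to the device it was generated for and deleted once provisioning has finished.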