Apt repo key handling #1003

Closed
gregharvey opened this issue Mar 24, 2023 · 4 comments
Labels: 2.x, enhancement (New feature or request)

@gregharvey
Member

The recent expiry of the Yarn repo key was a bit of a pain; each affected server needed someone to log in and run `apt-key adv --refresh-keys`. While we could add this to a role, it's deprecated in favour of keyring files managed via GPG. We could do with a role to manage this and potentially keep keys fresh. Here's a possibly useful Stack Exchange post on the matter:

@gregharvey added the enhancement (New feature or request) label Mar 24, 2023
@gregharvey added the 2.x label Nov 7, 2023
@gregharvey
Member Author

Expanding on this, we have realised that all apt key handling needs to happen at the start, either just after the `_init` role or as part of it. The issue is that if keys have expired, then all builds will fail at the first `apt-get update` run!

So we need a new `debian/apt_repositories` role that needs to take over handling all apt repos and associated GPG keys, so any repo and key handling needs removing from other roles and handling by the new role. It should accept a list of repos and ensure they are all properly installed before ce-provision continues. It should also force remove and re-install each key so we can be sure it's up to date before it tries to refresh any repo contents.

@gregharvey self-assigned this Apr 18, 2024
@gregharvey
Member Author

That's merged, now working through the roles one by one.

@gregharvey
Member Author

This was done; it should now be reasonably safe to assume systemd timers will handle expiring keys.
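
A check of the kind a timer could run to flag apt signing keys before they expire, as an added example that is not part of this thread or of ce-provision's code. It assumes keyring files under `/etc/apt/keyrings` and a GnuPG build that supports `--show-keys`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report apt signing keys that have expired or expire soon.
# Assumption: keyring files live in /etc/apt/keyrings (adjust to your layout).

# Read `gpg --with-colons` output on stdin and print "KEYID STATUS DAYS" for
# each pub/sub record that is expired or expires within WINDOW days of NOW.
# Field 5 is the key ID, field 7 the expiry (epoch seconds, empty = never).
expiring_keys() {
    now=$1 window=$2
    awk -F: -v now="$now" -v window="$window" '
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            days = int(($7 - now) / 86400)
            if ($7 <= now)           print $5, "EXPIRED", days
            else if (days <= window) print $5, "EXPIRING", days
        }'
}

# Scan one keyring file; returns 1 if any key in it needs attention.
check_keyring() {
    file=$1 window=${2:-30}
    report=$(gpg --show-keys --with-colons "$file" 2>/dev/null |
             expiring_keys "$(date +%s)" "$window")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" | while read -r line; do
        printf '%s: %s\n' "$file" "$line"
    done
    return 1
}

# Constructed sample listing (not real keys), evaluated at now=1700000000:
# A expired one day ago, B has a subkey C expiring in 10 days, D never expires.
SAMPLE='pub:e:4096:1:AAAAAAAAAAAAAAAA:1600000000:1699913600::-:::sc::::::23::0:
uid:e::::1600000000::0000::Constructed Repo A::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1600000000:1800000000::-:::sc::::::23::0:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000:1700864000::::::e::::::23:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1600000000:::-:::sc::::::23::0:'

# Typical use from a timer or cron job (hypothetical invocation):
#   for f in /etc/apt/keyrings/*; do check_keyring "$f" 30; done
```

A non-zero return from `check_keyring` is the signal to re-fetch and re-install that repo's key before the next `apt-get update`.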
