Deploy /etc/puppet as a role account

On our puppet master (pauli.tpo), the post-receive git hook deploys the tor-puppet repo in /etc/puppet as the user pushing. As long as umask is correct and the stars are aligned, things are good. Sometimes files end up with 0644 when we need them to be 0664 in order for other accounts (in group 'adm') to be able to change existing files.

Start using a role account instead of individual admin accounts for deploying to /etc/puppet.

• determine if we need gitolite or some other access control system (no)
• create a new user (git? in ldap? in puppet?)
• populate user with admin keys (in puppet?)
• remove write permissions to other users, grant only to the new user
• add hooks to indicate the URL change pre-receive doesn't run soon enough
• update documentation in https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#problems-pushing-to-the-puppet-server or remove that section
• notify the team
• update the mrconfig