automate/puppetize (or replace) mandos installation
We use Mandos to unlock servers' LUKS-encrypted partitions on boot, but the setup is done manually. That is error-prone and slow; it's actually one of the slowest parts of our install procedure.
In #31239, we identified the following steps to get this ball rolling:
- export/import firewall rules (in roles::fde)
- generate and export new LUKS key in Puppet
- import new key on mandos server
- rebuild initramfs
We should also consider alternatives to Mandos, if this "Puppetization" is too complicated. Off the top of my head, there is also:
Edited by anarcat