
create a hardened bastion host for the cymru management network

in #40097 (closed), we set up a network for management, but currently all nodes have access to it. we should restrict this to only a subset, and create a hardened host (or a Ganeti instance?) that has access to this network but is itself only reachable through IPsec.

Next steps are:

  • renumber iDRACs to point to a floating IP (say 172.30.140.100/24) as a gateway, instead of the current one, which is the iDRAC of chi-node-01 (172.30.140.10), so that routing works correctly
  • configure two chi-node-X machines (or an instance spread over those two?) with that IP, in Puppet
  • investigate alternatives to packet forwarding or, failing that, configure routing on that node (net.ipv4.ip_forward=1)
  • allow access to the VLAN to only those two chi-node-X machines
  • restrict usage of those boxes?
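As an added illustration of the forwarding step (not part of the ticket, not TPA's Puppet code), the POSIX shell script below renders the two fragments the bastion would need if packet forwarding is the chosen approach: a sysctl drop-in that turns on `net.ipv4.ip_forward` and an nftables ruleset whose forward chain drops everything except new flows coming in from the IPsec side and going out to the management VLAN, plus their replies. Interface names (`ipsec0`, `vlan140`), the assumption of a route-based IPsec XFRM interface, the nft table name and the drop-in path are all assumptions; the 172.30.140.0/24 network is the one from the ticket. `policy_allows` is a small model of that forward chain so the intended policy can be sanity-checked before it is deployed.

```shell
#!/bin/sh
# Added example (not from the ticket): render forwarding config for the
# management bastion so that net.ipv4.ip_forward=1 only forwards traffic
# arriving over IPsec towards the management VLAN, and nothing else.
# Interface names, table name and drop-in path are assumptions.

MGMT_NET="172.30.140.0/24"   # management VLAN, from the ticket
IPSEC_IF="ipsec0"            # assumed: route-based IPsec (XFRM) interface
MGMT_IF="vlan140"            # assumed: bastion interface on the management VLAN

# Sysctl drop-in: enable forwarding, but do not behave like a general router
# (no ICMP redirects in either direction).
render_sysctl() {
    cat <<EOF
# assumed path: /etc/sysctl.d/50-mgmt-bastion.conf (managed by puppet)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# nftables ruleset: default-drop forward chain; only tunnel -> mgmt VLAN
# for new flows, and established/related traffic for the replies.
render_nft() {
    cat <<EOF
table inet mgmt_bastion {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$IPSEC_IF" oifname "$MGMT_IF" ip daddr $MGMT_NET accept
    }
}
EOF
}

# Model of the forward chain above for a (ingress if, egress if, dst) triple:
# returns 0 if a *new* flow would be accepted, 1 if it would be dropped.
policy_allows() {
    in_if="$1"; out_if="$2"; dst="$3"
    [ "$in_if" = "$IPSEC_IF" ] || return 1
    [ "$out_if" = "$MGMT_IF" ] || return 1
    case "$dst" in
        172.30.140.*) return 0 ;;   # inside MGMT_NET (/24)
        *) return 1 ;;
    esac
}

# Number of accept rules in the rendered ruleset; anything beyond the two
# expected ones means the policy has grown wider than intended.
accept_rule_count() {
    render_nft | grep -c ' accept$'
}

# Stand-alone usage: `sh mgmt-bastion.sh show` prints both fragments.
if [ "${1:-}" = "show" ]; then
    render_sysctl
    render_nft
fi
```

The point of pairing the two fragments is that `ip_forward=1` on its own turns the bastion into a router for every interface it has; the forward chain is what keeps it a one-way door from the tunnel into 172.30.140.0/24. If the floating gateway is later moved to a Ganeti instance, the same two fragments apply to that instance instead.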
Edited by anarcat