migrate from letsencrypt-domains to Puppet for TLS certificates (TPA-RFC-64)

@weasel has a nice Puppet module to manage TLS certificates, let's use that instead of a git repository with a custom hook.

• phase I: add dehydrated parameter to ssl::service, test cert issuance
• phase II: use cert issued on phase I
• phase III: set dehydrated for more and more services
• phase IV: profit
• phase XCIX: retire letsencrypt-domains.git and switch to dehydrated::certificate directly (or keep ssl::service wrapper since we need TLSA?)
• Get /opt/dehydrated/status.json or monitoring.status into monitoring