Give TPA access to Tails infra

Assuming that (1) we'll merge auth systems at some point and (2) we'll not hire more sysadmins in the near future, I think the simplest for this is to just go through the Tails onboarding doc.

Do the following for all TPA folks that comply with TPA-RFC-18:

  • Gather TPA's OpenPGP and SSH keys
  • Give access to Gitolite
  • Give TPA access to sysadmin-private
  • Make sure everyone in TPA has users in Tails' GitLab
  • Add users to the TPA group in Tails' GitLab
  • Give the TPA group access to gitlab-config and password-store
  • Give TPA access to the Puppet repository
  • Give TPA SSH access to machines
  • Ensure that access to the backup machine works (it's a masterless Puppet setup)
  • Set up OOB access to all machines
    • Coloclue (chameleon, stone)
    • Tachanka! (ecours, gecko)
    • Riseup (dragon, iguana, lizard)
    • PauLLA (skink)
  • Send relevant information to TPA:
    • Icingaweb2 access
    • XMPP channels → Skipped, see comment below
    • Mailing lists
    • Relevant GitLab projects and labels
    • Gitolite access
    • SSH info (including Dropbear)
  • Inform other Tails folks about all this
  • Decide about subscription to sysadmins@tails.net and tails-notifications@lists.puscii.nl
  • Subscribe everyone to the sysadmins@ schleuder list
    • anarcat
    • lavamind
    • lelutin
  • Subscribe those who are interested to the tails-notifications@ list.
    • anarcat
  • Update / cleanup the onboarding process documentation
  • Give TPA folks a tour of all of those accesses

Skipped items:

  • Configure SSH keys for SSH access from trusted machines (lizard, iguana) → Not really needed now that we turned on SSH TCP forwarding
  • Make them Schleuder "super admins" → Skipped, see comment below

Pending decision:

  • Add TPA members to mailing lists (sysadmins@tails.net, weblate@tails.net, others?)
Edited Nov 15, 2024 by zen