mirrored "gitolite" repositories are not properly synced to gitlab

in #41574 (closed), i "mirrored" to gitlab a bunch of repositories migrated from gitolite to servers other than gitlab (#41215 (closed)).

but while examining #41916 (closed), i noticed at least the domains.git repo was out of date. looking at nevii, i don't actually see anything that might trigger a mirror automatically.

so it seems this wasn't done properly.

also note that in #41971 (closed), i introduced some ideas about how such mirror repositories might be configured to avoid mistakenly trusting gitlab. just in domains.git, a situation i worried about happened with @hiro mistakenly pushing commits to gitlab instead of the original repo, creating a divergence which would have broken the mirror. i had to merge the branches to be able to push an update, and had to manually check the diff on the divergent branch to make sure it didn't introduce anything (which is not quite trivial to do, and certainly not done by default on merge).

so let's review all the repos in #41574 (closed) and make sure they're migrated properly, and enforce properties similar to those introduced in TPA-RFC-76:

• dns/auto-dns (migrated to nevii, mirrored in auto-dns)
• dns/dns-helpers (migrated to nevii, mirrored in dns-helpers)
• dns/domains (migrated to nevii, mirrored in domains)
• dns/mini-nag (migrated to nevii, archived in mini-nag, disabled pushes on nevii, no auto-mirror setup)
• letsencrypt-domains (migrated to nevii, mirrored to letsencrypt-domains)
• tor-nagios (migrated to tor-nagios, archived in tor-nagios, no mirror required anymore)

i'll also note those repositories that are currently not mirrored anywhere else:

• account-keyring (good candidate? people could submit PRs!)
• tor-passwords (migrated to pauli, probably best to keep that way)
• tor-puppet and tor-puppet-hiera-enc (also on pauli, planned to mirror to gitlab, see #41574 (closed))