
consider replacing mandos with tang/clevis

we're having significant issues with mandos: lots of false positives (servers that are disabled even though they've not been stolen), and it is missing automation (#40096) and monitoring (#40380)

let's switch to clevis and tang instead. those are well packaged in debian now and there are puppet forge modules for both (https://forge.puppet.com/modules/puppet/clevis/readme and https://forge.puppet.com/modules/puppet/tang/readme), although they'd need porting to debian.

@weasel has been working on this for DSA, and it seems to work well. it can do k out of N as well, so we could (and should) have a fleet of tang servers that clients (clevis) can check.

see also https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening

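To make the k-out-of-N idea concrete, here is an added example (not code from this issue, nor from the clevis or tang projects) that builds the clevis `sss` policy for a fleet of tang servers and computes the RFC 7638 JWK thumbprint that clevis accepts as `thp` to pin each server's signing key. Pinning matters: without `thp`, `clevis luks bind` trusts whatever key the tang server advertises at bind time (trust on first use), which is fine interactively but not for puppet-driven binding. The hostnames, device path and the sample JWK below are constructed for illustration; current clevis and tang releases use SHA-256 (`S256`) thumbprints, while older releases used SHA-1, so the hash is a parameter.

```python
"""Build a clevis 'sss' (Shamir secret sharing) policy that unlocks a LUKS
volume when any k of N tang servers answer, and compute the RFC 7638 JWK
thumbprint clevis uses as 'thp' to pin a tang server's signing key.

Added example; not code from the issue or from the clevis/tang projects.
Hostnames, device path and SAMPLE_KEY are constructed for illustration.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: only these members, sorted lexicographically, are
# hashed. Optional members such as 'kid', 'alg' or 'use' must be ignored.
_REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
    "oct": ("k", "kty"),
}

# Constructed sample: a P-256 public JWK as a tang advertisement would carry it.
SAMPLE_KEY = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES512",
    "key_ops": ["verify"],
}

# Constructed fleet: (tang URL, pinned thumbprint of its signing key).
SERVERS = [
    ("http://tang1.example.org", "THP-OF-TANG1-PLACEHOLDER"),
    ("http://tang2.example.org", "THP-OF-TANG2-PLACEHOLDER"),
    ("http://tang3.example.org", "THP-OF-TANG3-PLACEHOLDER"),
]


def jwk_thumbprint(jwk: dict, alg: str = "sha256") -> str:
    """RFC 7638 thumbprint: digest of the canonical JSON (required members
    only, sorted, no whitespace), base64url without padding. With
    alg='sha256' this matches 'jose jwk thp -a S256' / 'tang-show-keys'."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.new(alg, canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def tang_pin(url: str, thp: str) -> dict:
    """One tang pin with its signing key pinned, so binding never falls back
    to trust-on-first-use of whatever the server advertises."""
    return {"url": url, "thp": thp}


def sss_policy(servers: list, threshold: int) -> dict:
    """k-of-N policy: the volume unlocks when 'threshold' of the listed tang
    servers are reachable and present the pinned key."""
    if not 1 <= threshold <= len(servers):
        raise ValueError("threshold must be between 1 and the number of servers")
    return {"t": threshold,
            "pins": {"tang": [tang_pin(url, thp) for url, thp in servers]}}


def bind_command(device: str, policy: dict) -> str:
    """The clevis invocation that stores this policy in a LUKS keyslot."""
    cfg = json.dumps(policy, separators=(",", ":"))
    return f"clevis luks bind -d {device} sss '{cfg}'"


if __name__ == "__main__":
    print("thp of sample key:", jwk_thumbprint(SAMPLE_KEY))
    # Constructed device path; any 2 of the 3 servers suffice to unlock.
    print(bind_command("/dev/sda2", sss_policy(SERVERS, 2)))
```

In practice the `thp` values come from running `tang-show-keys` on each tang server (or from `jose jwk thp -a S256` over the advertised signing key), and a threshold of 2 with 3 servers means one server can be down or rotated without locking clients out, while a single compromised or spoofed tang server is not enough to unlock a volume.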