
Add freeipa (not containerised) #241

Merged
merged 74 commits into from
Nov 8, 2023

Conversation

sjpb
Copy link
Collaborator

@sjpb sjpb commented Dec 2, 2022

Adds FreeIPA integration. See ansible/roles/freeipa/README.md for full documentation. In summary:

  • FreeIPA clients can be defined by adding hosts to the freeipa_client group.
  • For production use, an external FreeIPA server should be utilised. For development/testing, the appliance can deploy a FreeIPA server by adding a host to the freeipa_server group. However, the FreeIPA state on this server is not persisted and will be lost by a reimage or redeploy.
  • FreeIPA clients have keytabs copied to persistent storage after enrolment so they can be re-enrolled after reimaging or redeploying. However, re-enrolment is not automatic if compute nodes are rebuilt via Slurm.

The default Terraform (which is copied when creating an environment with cookiecutter) has been changed to provide fully-qualified domain names for all nodes to allow them to enrol with FreeIPA. These changes also provide the new Ansible host/group variables cluster_domain_suffix and node_fqdn used by the freeipa role defaults. Note that retrofitting these changes to an existing deployment will result in Terraform requesting to destroy and recreate instances due to userdata changes.

CI status

FreeIPA is not tested in CI as the server takes ages to install and I don't think it is a "default" configuration. However, the .stackhpc environment does contain a tested configuration - see commented-out config in environments/.stackhpc/inventory/extra_groups.

Orderings

Changes have been made to the ordering in {site,iam,extras}.yml to satisfy the following restraints:

  • freeipa server setup is required before nfs mounts, as hosts which are nfs+freeipa clients will use the freeipa server for name resolution of the nfs server
  • basic_users must be performed after nfs mount of $HOME (otherwise the ssh key creation etc is done on a local disk)
  • kerberised nfs mount (which becomes possible with freeipa) requires freeipa client enrolment before nfs mounts.
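As an added example, not code from this PR or from the appliance repository, the POSIX sh helper below models the keytab backup and re-enrolment decision the description outlines: after enrolment the host keytab is copied to persistent storage with restrictive permissions, and after a reimage the backup is checked before it is handed to `ipa-client-install --keytab` (a real option of that installer) for re-enrolment. The function names, the persistent directory layout and the sample keytab bytes are assumptions constructed for illustration; the real role's variables and paths are in ansible/roles/freeipa.

```shell
#!/bin/sh
# Added example (not the appliance's own code). Models the keytab lifecycle
# from the PR description: back up after enrolment, validate before reuse.
# Paths and function names are assumptions chosen for this illustration.

# A Kerberos keytab file starts with bytes 0x05 0x02 (keytab format version 2).
# Refuse to treat an empty or arbitrary file as a credential.
keytab_looks_valid() {
  f=$1
  [ -s "$f" ] || return 1
  magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
  [ "$magic" = "0502" ]
}

# A keytab is a long-lived host credential: require mode exactly 0600.
# find -prune on a regular file evaluates just that file; -perm 0600 is exact.
has_mode_0600() {
  [ -n "$(find "$1" -prune -perm 0600 2>/dev/null)" ]
}

# Copy the host keytab into persistent storage so it survives a reimage.
# The copy is made under umask 077 so it is never world-readable, even briefly.
backup_keytab() {
  src=$1
  dest_dir=$2
  keytab_looks_valid "$src" || { echo "refusing: $src is not a keytab" >&2; return 1; }
  mkdir -p "$dest_dir" && chmod 0700 "$dest_dir"
  ( umask 077 && cp "$src" "$dest_dir/krb5.keytab" ) && chmod 0600 "$dest_dir/krb5.keytab"
}

# Decide how a rebuilt node should (re)enrol, given the persisted backup path:
#   reenrol - backup is a keytab with mode 0600: ipa-client-install --keytab <backup>
#   fresh   - no backup: normal first-time enrolment with new credentials
#   invalid - backup exists but is not a keytab or is too permissive: stop and
#             investigate rather than reusing a possibly exposed credential
enrol_mode() {
  backup=$1
  if [ ! -e "$backup" ]; then
    echo fresh
    return 0
  fi
  if keytab_looks_valid "$backup" && has_mode_0600 "$backup"; then
    echo reenrol
  else
    echo invalid
  fi
}
```

The `invalid` outcome is the one worth wiring into automation: a keytab that has become world-readable on shared persistent storage should not be silently re-used, since anyone who could read it holds the host's Kerberos identity; the PR's note that re-enrolment is not automatic after a Slurm rebuild means this decision is still taken by an operator.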

sjpb added 30 commits November 30, 2022 16:30
@sjpb sjpb changed the base branch from main to alaska October 12, 2023 11:49
@sjpb sjpb changed the base branch from alaska to main October 12, 2023 11:49
@sjpb sjpb marked this pull request as ready for review October 12, 2023 14:58
@sjpb sjpb requested a review from a team as a code owner October 12, 2023 14:58
@sjpb sjpb removed the no-ci Don't run CI on this PR label Oct 12, 2023
@sjpb sjpb marked this pull request as draft October 12, 2023 14:59
@sjpb sjpb marked this pull request as ready for review October 25, 2023 16:24
@sjpb sjpb requested a review from m-bull October 25, 2023 16:24
@sjpb sjpb merged commit 6f31af4 into main Nov 8, 2023
1 check passed
@sjpb sjpb deleted the feat/freeipa-nocontainer branch November 8, 2023 09:44