ansible_pull(role): introduce ansible_pull role

Introduce ansible_pull role for setting up automatic ansible_pull runs.
Also add accompanying host group and playbook play.

roles/ansible_pull/templates/ansible-pull.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
+ExecStart=/usr/local/lib/ansible_pull_venv/bin/ansible-pull \
+          --directory /home/chaos/ansible_pull_checkout \
+          --clean \
+          --url "{{ ansible_pull__repo_url }}" \
+          --checkout "{{ ansible_pull__checkout }}" \
+          --inventory "{{ ansible_pull__inventory }}" \
+          "{{ ansible_pull__playbook }}"
+User={{ ansible_pull__user }}