*: add Ignition LUKS support

[arithx]

Adds LUKS related packages

[arithx]

Ignition LUKS Overview:

PR Links:
Ignition
Ignition-Dracut
fedora-coreos-config

Ignition now supports configuring LUKS devices that can be unlocked via either key-files, TPM2, or tang. TPM2 & tang based devices are handled internally via clevis while key-file based devices are entirely handled via cryptsetup.

First boot workflow:

1. Ignition Disks creates LUKS devices
   • Every device has a key-file, if one was not provided to Ignition then one will be created (NOTE: this can only happen for clevis based devices). If the key-file was created via Ignition it will be removed, provided key-files will be persisted to the real root at /etc/luks/<device_name>
   • Devices are closed when the Disks stage ends
2. A new script ignition-copy-keyfiles runs copying the key-files to the real root
3. Ignition Mount unlocks all LUKS devices before attempting mounts
4. Ignition Files runs, appends content based on LUKS devices into /etc/crypttab (for key-file based devices) & /etc/clevistab (for clevis based devices).
   • /etc/crypttab format: <name> UUID=<device_uuid> <key_file_path> luks
   • /etc/clevistab format: <name> UUID=<device_uuid> <is_net>, if <is_net> is _netdev then the resulting unlock unit will be generated targeting running before remote-cryptsetup.target instead of the default cryptsetup.target (NOTE: the mount unit for the filesystem will also need to contain Before=remote-fs.target, After=network-online.target and DefaultDependencies=no)
5. Ignition Umount runs and closes LUKS devices after unmounting filesystems

This set of changes will require updates to the Ignition specfile. In the ignition-dracut change set the ignition-firstboot-complete unit has it's directory moved (from systemd/ to systemd/system/) and a new generator unit ignition-clevis-generator (in systemd/system-generators/). Example change from my local setup:

%files
%license LICENSE LICENSE.dracut
%doc README.md doc/
%{dracutlibdir}/modules.d/*
%{_prefix}/lib/systemd/system/*.service
%{_prefix}/lib/systemd/system-generators/*

&

%install
# ignition-dracut
install -d -p %{buildroot}/%{dracutlibdir}/modules.d
install -d -p %{buildroot}/%{_prefix}/lib/systemd/system
install -d -p %{buildroot}/%{_prefix}/lib/systemd/system-generators
pushd %{dracutrepo}-%{dracutcommit} >/dev/null
cp -r dracut/* %{buildroot}/%{dracutlibdir}/modules.d/
install -m 0644 -t %{buildroot}/%{_prefix}/lib/systemd/system/ systemd/system/*
install -m 0755 -t %{buildroot}/%{_prefix}/lib/systemd/system-generators/ systemd/system-generators/*
popd >/dev/null

[jlebon]

This is folded into #503.