
Restrict the Tails APT key to the Tails repo

Zen Fu requested to merge sysadmin-17898-use-drop-in-for-APT-key into master

Until now, we've been using apt-key (via the puppetlabs-apt module) to add the deb.tails.boum.org key to /etc/apt/trusted.gpg, which makes it able to sign packages for all configured repositories. Let's instead use a file in /etc/apt/keyrings (as per sources.list(5)) and instruct APT to use that file to verify packages.

Note: The current Tails APT key is configured via Hiera and will need further cleanup.

refs sysadmin#17898 (closed)
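
An added example, not part of the merge request or the Tails Puppet code: a small audit that parses one-line-style sources.list(5) entries and reports those without a signed-by option, which APT verifies against every globally trusted key. The keyring file name tails.gpg, the suites and the sample entries are constructed for illustration.

```python
import re

# One-line-style entry from sources.list(5): type [options] uri suite [components...]
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")


def parse_entry(line):
    """Return (uri, suite, signed_by list) for an entry, or None for other lines."""
    line = line.split("#", 1)[0].strip()  # drop comments and surrounding blanks
    m = ENTRY.match(line)
    if not m:
        return None
    _type, options, uri, suite = m.groups()
    signed_by = []
    for opt in (options or "").split():
        key, _, value = opt.partition("=")
        # Options may also be written key+=value or key-=value.
        if key.rstrip("+-").lower() == "signed-by":
            signed_by = [v for v in value.split(",") if v]
    return uri, suite, signed_by


def audit(text):
    """List (line number, uri, suite) for entries not pinned to a keyring."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and not entry[2]:
            findings.append((lineno, entry[0], entry[1]))
    return findings


# Constructed sample; the keyring path under /etc/apt/keyrings is hypothetical.
SAMPLE = """\
# No signed-by: verified against all keys APT trusts globally
deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 signed-by=/etc/apt/keyrings/tails.gpg] https://deb.tails.boum.org/ stable main
deb-src [ signed-by=/etc/apt/keyrings/tails.gpg ] https://deb.tails.boum.org/ stable main
"""

if __name__ == "__main__":
    for lineno, uri, suite in audit(SAMPLE):
        print(f"line {lineno}: {uri} {suite} has no signed-by")
```

Pinning a repository with signed-by limits which keys that repository accepts; the key itself stops being valid for other repositories only once it is also absent from /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d.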
