Add litewitness role

• Deploy rgdd.se/poc-witness with this role -- which then also means bastion host have been tested (molecule only does localhost listening). Also test reboot (services come up again as expected).
• Test manually that added witness -> reconfigure script is triggered
• Test manually that changed start script -> restart is triggered
• Test manually that changed systemd file -> reload and restart triggered
• Test manually that the constraints check is working (bailout on omitted addr, bailout on bastion and listen addr)

It would probably be nice to have molecule tests for the above manual things, but leaving that out of scope for now. We would benefit from similar tests in all our roles.

(What the litewitness test does: check that the witness is up and running, and we can increment its state from 0->4 with an add-checkpoint request. And we can rollback with an initial database backup. The latter ensures one can run molecule verify -s litewitness >1.)

Open question: should there be any backup script or similar in this role. It's a one-liner to do it periodically with sqlite3. If we want this maybe we can do it in a separate MR. Related to this i filed:

• https://github.com/FiloSottile/litetlog/issues/18
• https://github.com/FiloSottile/litetlog/issues/19