ansible: Fix sync-secrets playbook to not clobber s3-keys alias symlinks

The psi/image-cache playbook installs the s3-keys/ symlink for the local
S3 mirror on rhos-01-1. But sync-secrets clobbers that (as it always
removes the entire existing secrets dir before re-syncing it).

Fix this by factoring out the symlink creation into a nwe
"local-s3-alias" role and calling it from both places.

ansible/maintenance/sync-secrets.yml

@@ -12,3 +12,4 @@
   gather_facts: false
   roles:
     - install-secrets-dir
+    - local-s3-alias

ansible/psi/image-cache.yml

@@ -7,6 +7,7 @@
       vars:
         # we have no stable IP and no DNS, and subjectAltNames don't support IP patterns
         disable_tls: 1
+    - role: local-s3-alias
 
 - name: Configure image cache on all task runners
   hosts: openstack_tasks
@@ -19,13 +20,5 @@
         content: |
           http://{{ hostvars[groups["psi_s3"][0]].ansible_host }}/images/
 
-    - name: Create s3-keys alias
-      file:
-        src: self-hosted
-        dest: "/var/lib/cockpit-secrets/tasks/s3-keys/{{ hostvars[groups['psi_s3'][0]].ansible_host }}"
-        state: link
-        owner: cockpituous
-        group: cockpituous
-
     - name: Tell tasks containers to drain and restart
       command: pkill -ex cockpit-tasks

ansible/roles/local-s3-alias/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: Create s3-keys alias
+  file:
+    src: self-hosted
+    dest: "/var/lib/cockpit-secrets/tasks/s3-keys/{{ hostvars[groups['psi_s3'][0]].ansible_host }}"
+    state: link
+    owner: cockpituous
+    group: cockpituous