feat: vault mlock (#266)

- enable mlock by default
- disable mlock on lxd/incus nodes (lxc doesnt support it)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/266

hieradata/common.yaml

@@ -180,7 +180,7 @@ vault::manage_repo: false
 vault::bin_dir: /usr/bin
 vault::manage_service_file: true
 vault::manage_config_dir: true
-vault::disable_mlock: true
+vault::disable_mlock: false
 
 profiles::dns::master::basedir: '/var/named/sources'
 profiles::dns::base::ns_role: 'roles::infra::dns::resolver'

hieradata/virtual/lxc.yaml

@@ -2,3 +2,6 @@
 profiles::packages::include:
   chrony:
     ensure: absent
+
+# disable mlock for vault nodes on lxd/incus
+vault::disable_mlock: true