Move highly sensitive secrets to new "super" vault

The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.

group_vars/all/root_access.yml

@@ -24,9 +24,10 @@ root_ssh_keys:
   - key: klausenbusk.pub
     additional_keys: [klausenbusk_2.pub]
 
-# run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
+# run 'playbooks/tasks/reencrypt-vault-super-key.yml' when this changes
 # before running it, make sure to gpg --lsign-key all of the below keys
-root_gpgkeys:
+# NOTE: adding a key to this list gives access to both default and super vaults
+vault_super_pgpkeys: &vault_super_pgpkeys
   - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
   - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
   - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB  # grazzolini
@@ -35,3 +36,8 @@ root_gpgkeys:
   - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
   - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx
   - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk
+
+# run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
+# before running it, make sure to gpg --lsign-key all of the below keys
+vault_default_pgpkeys:
+  - *vault_super_pgpkeys