Add a mkosi based setup, that allows building a custom image-based OS
with:
- Secure Boot support with auto-enrollment of provided certificate
- read-only rootfs (verity enabled)
- LUKS encrypted (using TPM2-backed keys) /var partition
- A/B boot support
- Auto-updating with the help of systemd-sysupdate
- A simple show-case setup for dummy users with an enforced command
  over SSH

The required changes to mkosi have also led to the writing of dedicated
documentation for this type of setup:
https://github.com/systemd/mkosi/blob/main/docs/root-verity.md



Big thanks to Daan De Meyer for helping to get this working!

Signed-off-by: David Runge <dvzrv@archlinux.org>