r/vmhost: Add autostart script

*libvirt*'s native autostart functionality does not work well for
machines that migrate between hosts.  Machines lose their auto-start
flag when they are migrated, and the flag is not restored if they are
migrated back.  This makes the feature pretty useless for us.

To work around this limitation, I've added a script that is run during
boot that will start the machines listed in `/etc/vm-autostart`, if they
exist.  That file can also insert a delay between starting two machines,
which may be useful to allow services to fully start on one machine
before starting another that may depend on them.

roles/vmhost/files/vm-autostart.service

@@ -0,0 +1,45 @@
+[Unit]
+Description=Start virtual machines
+After=libvirt.service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=LIBVIRT_DEFAULT_URI=qemu:///system
+ExecStart=/usr/local/libexec/vm-autostart.sh
+Restart=on-failure
+
+DynamicUser=yes
+SupplementaryGroups=libvirt
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target