base: Factor out SSH host, user cert roles

Moving the SSH host and user certificate configuration roles out of
`base.yml` into their own playbooks.  This will make it easier to deploy
them separately, and target different sets of hosts.  The main driver
for this change is the OVH VPS; being external, it cannot communicate
with SSHCA and thus cannot have a signed host certificate.  As such, we
do not want to try to configure the SSHCA client on it at all.

ssh-host-certs.yml

@@ -0,0 +1,4 @@
+- hosts: '!vps'
+  roles:
+  - role: ssh-host-certs
+    tags: ssh-host-certs