Make Weblate push to GitLab's tails.git in a safe way
A number of checks have to be performed in order to prevent Weblate from messing up the main Tails repository. These checks are effective against privilege escalation in the Weblate VM only if they are performed outside of that VM. Currently, this is done in a Gitolite tails.git update hook. We want Weblate to push to GitLab without passing through tails.git anymore, because it'll become a mirror of GitLab. So we have to find a new way to perform these checks.
The current proposal advocates for having a new Gatekeeper repository in puppet-git.lizard to act as an intermediate, and then pushing to GitLab using a sane merge strategy.
Edited by Zen Fu