Improvements for APT keys management

[bkabrda]

• By default, get keys from keys.datadoghq.com, not Ubuntu keyserver
• Always add the DATADOG_APT_KEY_CURRENT.public key (contains key used to sign current repodata)
• Add 'signed-by' option to all sources list lines
• On Debian >= 9 and Ubuntu >= 16, only add keys to /usr/share/keyrings/datadog-archive-keyring.gpg
• On older systems, also add the same keyring to /etc/apt/trusted.gpg.d

[apigirl]

just one small content suggestion

[KSerrania]

The main thing that's worrying me is that the role cannot be idempotent (since we always perform at least one action, importing the current key, each run). While that does reflect the truth, it may not sit well with customers (we've already had issues open because our role would show as doing a change every run).

However, making the role idempotent seems to be a non-trivial effort: one way to do it could be to import the key, and check if something was really imported or changed in the GPG command output (and if not, mark the task as not changed), but I don't know how feasible / easy that is in practice.

[bkabrda]

@KSerrania that's a good point about idempotency. I think perhaps this might be doable, I'll try to take a look.

[bkabrda]

@KSerrania I think I managed to implement a reasonable solution. Here's the comment that I included in the code:

# NOTE: in order to display Ansible's `changed: [hostname]` properly throughout
# tasks in this file, we added `changed_when: false` to a lot of them, even if
# they actually run every time (e.g. importing the CURRENT key). The reason is
# that they operate inside a temporary directory and they don't have a
# permanent effect on the host (nothing will actually change on the host
# whether these tasks run or not) except the last one - the actual import of
# the key to `datadog_apt_usr_share_keyring`.