Setting `reverse_proxy_proxy_protocol: true` and
`nginx_proxy_protocol: true` in nginx roles enable the forwarding of
the original connection address from the reverse_proxy to the target
nginx instance, using the established TCP PROXY PROTOCOL (adding a TCP
header, so working also for TLS connections that are not terminated at
the reverse proxy).

**Warning**

The `reverse_proxy_proxy_protocol` settings acts globally on the
reverse proxy nodes, so every virtual server on the reverse proxy must
accept and correctly handle proxy protocol headers.

This settings must be the same for every host sharing the same reverse
proxy, otherwise the setting will be changed globally at every run.

commont task to create lxc vm in separete file `prepare_lxc_host`,
avoid redundancy of statements in each vm-specific playbook file.

Playbooks updated to import `prepare_lxc_host`:
- ldap
- matrix
- nextcloud
- projects
- status

Role to configure nextcloud with LDAP User backend.

First test passed.

New modules:

- occ:
  set coniguration values using `php occ` nextcloud command-line tool.

- Coherent quotation style
    Single quotes for text variable (even if implicit), no quotes for
    variable and conditional statements, if not required.

- Some useful tags added:
  * ssh_certs
	  renewal of server SSH certificates and configuration of authorized
      CA.
  * tls_pub
	  renewal of public TLS certificates (let's encrypt) and certbot
	  configuration.
  * tls_int
	  renewal of internal TLS certificates (service authorizations) and
	  configuration of authorized internal CA.
	  *(ToDo: deployment of Certificate Revokation Lists)*
  * lxc
      deployment of new containers (deployment of configuration file
	  excluded, for instance change in ip address are always applied and
	  trigger a container restart even if you skip this tag.
  * packages
	  installation and upgrade of software packages (apt, opkg or
	  tarballs)
  * service_password
     create new random password for services-only password, for routine
	 rotation. Not meant to be skipped (some roles need to know the
	 service password, so they do a rotation).

- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab

- x509_subject_prefix
- x509_ldap_suffix
	*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
	Used in roles/certbot and roles/gitlab
- root_ca_cert
	*Replaces:* ssl_ca_cert and files/lilik_x1.crt

New defaults:

- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
	*Replaces:* fqdn_domain

Removed:

- fqdn_dmain
- x509_suffix
	*Replaced by:* x509_ldap_suffix in common

New defaults:

- server_fqdn | default: `${hostname}.${domain}`
   *Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`

New defaults:

- server_fqdn | default: `${hostname}.${domain}`

Now which *host* is hosting a specific container is not defined in the
playbook yaml file but centrally in the invetory under the
`ansible_lxc_host` variable.

The `lxc_guest` role is runned directly against the guest, even if it
doesn't exist yet, and lxc tasks are delegated to the lxc-running
physical host.

In this way it should be easier to scale-up and configure multiple
istance of a service on different containers without changing the
playbook.

Look at `/ldap.yaml` for a commented example.

`lxc-ssh.py` removed.

All Playbbooks now user `ssh_lxc` connection.

`ansible_ssh_lxc_name` variable used to specify container name.

Tested and worked correctly with `python==3.8.2` and `ansible==2.9.6` on the
controller and `python==2.7` on the target.