When using multiples server names in `server_name`, the NGINX variable
`$server_name` will always point only to the first entry. `$host`
variable, instead, point to the selected host from the user (HTTP
request or Host: header).

Otherwise certbot challenge may fail when reverse_proxy is included at
the same time.

Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).

Affected roles:

- reverse_proxy:
    Pass PROXY PROTOCOL by default to all upstream server. May cause
    problem with upstream server unable to understand PROXY
    PROTOCOL. We should put a nginx proxy in front in that case.
- nginx:
    Expect PROXY PROTOCOL for all incoming TLS connection on nginx
    clients.
    *Warning:* now you can access local server only passing by the
    firewall reverse proxy, not directly.
- gitlab:
    Built-in nginx instance configured to expect PROXY PROTOCOL for
    tls incoming connections.

- Coherent quotation style
    Single quotes for text variable (even if implicit), no quotes for
    variable and conditional statements, if not required.

- Some useful tags added:
  * ssh_certs
	  renewal of server SSH certificates and configuration of authorized
      CA.
  * tls_pub
	  renewal of public TLS certificates (let's encrypt) and certbot
	  configuration.
  * tls_int
	  renewal of internal TLS certificates (service authorizations) and
	  configuration of authorized internal CA.
	  *(ToDo: deployment of Certificate Revokation Lists)*
  * lxc
      deployment of new containers (deployment of configuration file
	  excluded, for instance change in ip address are always applied and
	  trigger a container restart even if you skip this tag.
  * packages
	  installation and upgrade of software packages (apt, opkg or
	  tarballs)
  * service_password
     create new random password for services-only password, for routine
	 rotation. Not meant to be skipped (some roles need to know the
	 service password, so they do a rotation).

- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab

- x509_subject_prefix
- x509_ldap_suffix
	*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
	Used in roles/certbot and roles/gitlab
- root_ca_cert
	*Replaces:* ssl_ca_cert and files/lilik_x1.crt

New defaults:

- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
	*Replaces:* fqdn_domain

Removed:

- fqdn_dmain
- x509_suffix
	*Replaced by:* x509_ldap_suffix in common

New defaults:

- server_fqdn | default: `${hostname}.${domain}`
   *Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`

New defaults:

- server_fqdn | default: `${hostname}.${domain}`

Because we are using openwrt and we would like to mantain LUCI running
on it's interface we can't bind on 0.0.0.0. or 127.0.0.1 hence we must
listen on a specific ip. This will set the public ip from the group
vars to be the one where we listen

This role split the reverse proxy configuration in three files per
host. Every file belong to a different directory that is created on
the reverse proxy we use (nginx).

The server, map and upstream directives can be splitted into
different files to be included into the nginx.conf configuration.

We decided to split the reverse proxy configuration from one file to
three different files. One is the http configuration and the remaining
are the https configuration.