- Don't advertise NGINX version.

- Comply with last Mozilla TLS Guidelines, for modern configuration.

- More comments for better readability.

If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol
HTTPS connections and keedp using port 443 for standard HTTPS connection.

New variables:

- proxy_protocol | default(true)

Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).

Affected roles:

- reverse_proxy:
    Pass PROXY PROTOCOL by default to all upstream server. May cause
    problem with upstream server unable to understand PROXY
    PROTOCOL. We should put a nginx proxy in front in that case.
- nginx:
    Expect PROXY PROTOCOL for all incoming TLS connection on nginx
    clients.
    *Warning:* now you can access local server only passing by the
    firewall reverse proxy, not directly.
- gitlab:
    Built-in nginx instance configured to expect PROXY PROTOCOL for
    tls incoming connections.

Affected roles:

- gitlab
- nginx
- ldap

- remove the handling of which template to use
- do not access parent role
- update riot-web nginx configuration
- update icinga role to use new nginx templating
- update synapse nginx configuration
- update matrix role to use new nginx templates
- update dokuwiki to use new nginx template
- extend nginx template in dokuwiki
- update login role to new nginx templates
- add protocol for default option
- add extra block to nginx template
- update riote-web version
- fix template extension for riot web nginx definition
- update login template for nginx endpoint