server_fqdn: {{ ansible_hostname }}.{{ domain }} specification in
defaults/main.yaml

Waiting for merge in `ca_manager`.

Fix an error when `ssh_server` last task, the one that checks if the
server has actually started to listen on port 22.

This error occurred while using the `ssh_server` role on a physical
host, not while running on lxc_guests.

Use openwrt-init module instead of command when possible. Keep fix for
`ssh` service that in OpenWRT is still called `sshd` while in Debian
is `ssh`.

Configure a TURN/STUN server, where user can be authenticated using a
REST-API with a shared secret (for example Matrix-Synapse users).

Role to configure port forwarding in a OpenWRT firewall.
Import this role in any host playbook to open a redirect to the
current host from the host labelled as firewall.

Example:

    - set_fact:
        firewall: 'inventory_name_of_firewall'
    - import_role: name=port_forwarding
      vars:
	name: 'stun'
	proto: 'tcp'
	port: 3478

This is beacause nginx will do canonization of URIs before
proxy-passing if you add anything after the port host:port.

For example, with:

     location /anything {
          proxy_pass http://127.0.0.1:8008/anything;
     }

NGINX will perform canonization, but with:

     location /anything {
          proxy_pass http://127.0.0.1:8008
	  # With NO Trailing slash
     }

NGINX will pass the unaltered original request, included /anything, to
the upstream server.

Canonization leads to problem when federating to other matrix-synapse
instances. The observed bug was:

- User A on our server (@A:our.server) invites User B on external
server (@B:matrix.org).

- User B correctly receive the invite.

- User B try to join the room but the request timeout.

- On our.sever logs we see "signature tampered" errors related to
  incoming connection from the external server (matrix.org).

This commit fix the issue.

- Don't advertise NGINX version.

- Comply with last Mozilla TLS Guidelines, for modern configuration.

- More comments for better readability.

If proxy-protocol is enabled use alternative port 10443 for PROXY
Protocol traffic on both gitlab and mattermost and keep port 443 for
standard HTTPS Traffic.

If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol
HTTPS connections and keedp using port 443 for standard HTTPS connection.

New variables:

- proxy_protocol | default(true)

- User last official deb package from matrix.org

- Revised LDAP integration:
  * ldap_server, ldap_domain [ ldap_basedn ] config vraiables.
  * Bind a protected service account with a service password and
    start-tls

- Hardcoded matrix.lilik.it --> {{ ansible_hostname }}.{{ domain }}

- Sqlite -> Postgres

New variables:

- matrix_domain | default($domain)

- TLSv1.3 mandatory

- Pushed routes not hardcoded but defined by `routes` list

- TLS Private Key ED25519 instead of RSA

- Signing request refactored

- Topology switched from `net30` to `subnet`

- Ready for separated user and server CA

- Server certificate validity is assessed

- `tls_int` and `packages` tags added.

Role to configure nextcloud with LDAP User backend.

First test passed.

New modules:

- occ:
  set coniguration values using `php occ` nextcloud command-line tool.

Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).

Affected roles:

- reverse_proxy:
    Pass PROXY PROTOCOL by default to all upstream server. May cause
    problem with upstream server unable to understand PROXY
    PROTOCOL. We should put a nginx proxy in front in that case.
- nginx:
    Expect PROXY PROTOCOL for all incoming TLS connection on nginx
    clients.
    *Warning:* now you can access local server only passing by the
    firewall reverse proxy, not directly.
- gitlab:
    Built-in nginx instance configured to expect PROXY PROTOCOL for
    tls incoming connections.

Created a reusable tasks list for issung certificates (tls) at the
moment.

Added option for module cert_request to programmatically require
signing of client certificate.

Affected roles:

- gitlab
- nginx
- ldap

- Coherent quotation style
    Single quotes for text variable (even if implicit), no quotes for
    variable and conditional statements, if not required.

- Some useful tags added:
  * ssh_certs
	  renewal of server SSH certificates and configuration of authorized
      CA.
  * tls_pub
	  renewal of public TLS certificates (let's encrypt) and certbot
	  configuration.
  * tls_int
	  renewal of internal TLS certificates (service authorizations) and
	  configuration of authorized internal CA.
	  *(ToDo: deployment of Certificate Revokation Lists)*
  * lxc
      deployment of new containers (deployment of configuration file
	  excluded, for instance change in ip address are always applied and
	  trigger a container restart even if you skip this tag.
  * packages
	  installation and upgrade of software packages (apt, opkg or
	  tarballs)
  * service_password
     create new random password for services-only password, for routine
	 rotation. Not meant to be skipped (some roles need to know the
	 service password, so they do a rotation).

- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab

- x509_subject_prefix
- x509_ldap_suffix
	*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
	Used in roles/certbot and roles/gitlab
- root_ca_cert
	*Replaces:* ssl_ca_cert and files/lilik_x1.crt

New defaults:

- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
	*Replaces:* fqdn_domain

Removed:

- fqdn_dmain
- x509_suffix
	*Replaced by:* x509_ldap_suffix in common

New defaults:

- server_fqdn | default: `${hostname}.${domain}`
   *Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`

New defaults:

- server_fqdn | default: `${hostname}.${domain}`

And minor improvements/refactoring

Replace .lilik.it with {{ domain }}

- Move to omnibus release, with NGINX ang pgSQL managed by GitLab
configuration utilities.

- Move from anonymous to authenticated LDAP bind.

- Tasks splitted in subfiles.
- Static slapd configuration (slapd.conf) moved *properly* to dynamic
conf (slapd.d).
- TLS Enabled by default, with certificate acquired using
  `ca_manager`.
- New default tree
- New default ACL
- Kerberos schema added
- {SSHA512} hash properly configured.

using {{ domain }} instead of hardcoder lilik.it in resolv.conf.

Now xfs is working, `prepare_host.yaml` is modified to add `xfs` to
the list of modules loaded at each boot.

If module is added to that list, than is also loaded with a modprobe
handler.

If xfs is not working with `role/lxc_guest`, run the patched
`prepare_host.yaml` againg.

Debian version upgraded to buster.

New templates compatibile with stable versions of LXC provided with
debian.

Cleaner syntax using `ssh_lxc.py` connection plugin. Now we don't user
`lxc-attach -n ...` in the `shell` module on the host anymore, but we
delegate to `{{ vm_name }}` with `connection: ssh_lxc`, using suitable
Ansible module to do operation directly on the container before it is
online and SSH accessible.

We added an option to force an LVM VG name: if the default naming
convention is not used the vg name can be overriden with the `vg_name`
variable.

The `xfs` filesystem seems to be broken in this release, so we used
`ext4` as default for new container. This point needs further
investigation.

Add support for OpenSSH v8 (ouput of `ssh-keygen` changed slightly) in
module `ssh_cert` and use a better implementation for multiple user CA.

Now we are reading user_ca from `group_vars/all.yaml`.
`user_ca_keys` should be list of each allowed User CA on one host (in
this way is easier to rotate CAs without reissuing keys to each user at
the same time).
The production CA must be the first one in the list. Host certificate
will be checked only against the first CA and updated if their host key
was issued from another CA in the list.

For this reason now we are using a template to create
`/etc/ssh/user_ca.pub` on the target, to preserve the key order.

`group_vars/all.yaml.example` has been updated to reflect the new usage.

The role was still referencing older `ansible_docker_extra_args`
variable.

Replaced with `ansible_ssh_lxc_name`.

move debug messages from roles in task ca-dialog