When feasible, allows better tag/task filtering.

Add role prefix to role specifig variable to avoid conflicts when
using multiples role on the same machine on the same play.

(IcingaWeb2) Move configuration (user preferences) backend from INI
files to a dedicated pgSQL db.

- (Icinga2) Preseed correctly all the debconf variables to have IDO db created
  and populated by `icinga2-ido-pgsql` deb installation script.

- (IcingaWeb2) Use a different user, `www-data`, with lower
  privileges, to access the IDO db in read-only mode.

- Use everywhere socket (local ident) authentication to PostgreSQL to
  avoid local service password.

(IcingaWeb2) Configuration issues fixed:

- Missing `php-fpm` requirement.

- Migrating php7.0 -> php 7.3 in nginx config location config file.

- Fixed `rewrite` rule in nginx configuration:
    When usign `/icingaweb2` as rewrite target nginx automatically
    expand the redirect 302 response as
    `$scheme://$remote_host:$remote_port/icingaweb2`, causing
    connection to fail when behind a *reverse proxy*, because
    remote_post and remote_host are incorrect.

- Remove hardcoded `status.lilik.it` in `meta/main.yaml`,
  `server_fqdn` is already defined in `defaults/main.yaml` as
  `{{ ansible_hostname }}.{{ domain }}`.

(IcingaWeb2) LDAP:

- procedure to automatically issue service credetinals to authenticate
  with the ldap server.

- starttls secured ldap connection with service account.

- use of the variable `base_dn` instead of hard-coded values in config
  files.

(IcingaWeb2) CONFIGURATION:

- fixed rsync parameters.

- resource renaming.

- Update to 18.0.4
- Version defined as variable in defaults/mail.yaml

Now it's possible to configure LDAP with servers that only support
plain-text authentication over insercure channels.

Do not enforce the use of TLS for plain text authentication ONLY if
tls is not enabled for this LDAP instance.

- `hide_log` was used instead of `no_log`.

- password was set to literal `new_passwd.passwd` instead of the
  variable value.

Needed to have multiple certbot calls for differents domain in the
same host in the same playbook.

When using multiples server names in `server_name`, the NGINX variable
`$server_name` will always point only to the first entry. `$host`
variable, instead, point to the selected host from the user (HTTP
request or Host: header).

Otherwise certbot challenge may fail when reverse_proxy is included at
the same time.

Do not apply tag `packages` to role `service`. Tags are already
applied inside the role. If we apply the tag `package` at the role
level handlers defined inside the role (restart, reload) are not
available in the play!

server_fqdn: {{ ansible_hostname }}.{{ domain }} specification in
defaults/main.yaml

Waiting for merge in `ca_manager`.

Fix an error when `ssh_server` last task, the one that checks if the
server has actually started to listen on port 22.

This error occurred while using the `ssh_server` role on a physical
host, not while running on lxc_guests.

Use openwrt-init module instead of command when possible. Keep fix for
`ssh` service that in OpenWRT is still called `sshd` while in Debian
is `ssh`.

Configure a TURN/STUN server, where user can be authenticated using a
REST-API with a shared secret (for example Matrix-Synapse users).

Role to configure port forwarding in a OpenWRT firewall.
Import this role in any host playbook to open a redirect to the
current host from the host labelled as firewall.

Example:

    - set_fact:
        firewall: 'inventory_name_of_firewall'
    - import_role: name=port_forwarding
      vars:
	name: 'stun'
	proto: 'tcp'
	port: 3478

This is beacause nginx will do canonization of URIs before
proxy-passing if you add anything after the port host:port.

For example, with:

     location /anything {
          proxy_pass http://127.0.0.1:8008/anything;
     }

NGINX will perform canonization, but with:

     location /anything {
          proxy_pass http://127.0.0.1:8008
	  # With NO Trailing slash
     }

NGINX will pass the unaltered original request, included /anything, to
the upstream server.

Canonization leads to problem when federating to other matrix-synapse
instances. The observed bug was:

- User A on our server (@A:our.server) invites User B on external
server (@B:matrix.org).

- User B correctly receive the invite.

- User B try to join the room but the request timeout.

- On our.sever logs we see "signature tampered" errors related to
  incoming connection from the external server (matrix.org).

This commit fix the issue.

- Don't advertise NGINX version.

- Comply with last Mozilla TLS Guidelines, for modern configuration.

- More comments for better readability.

If proxy-protocol is enabled use alternative port 10443 for PROXY
Protocol traffic on both gitlab and mattermost and keep port 443 for
standard HTTPS Traffic.

If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol
HTTPS connections and keedp using port 443 for standard HTTPS connection.

New variables:

- proxy_protocol | default(true)

- User last official deb package from matrix.org

- Revised LDAP integration:
  * ldap_server, ldap_domain [ ldap_basedn ] config vraiables.
  * Bind a protected service account with a service password and
    start-tls

- Hardcoded matrix.lilik.it --> {{ ansible_hostname }}.{{ domain }}

- Sqlite -> Postgres

New variables:

- matrix_domain | default($domain)

- TLSv1.3 mandatory

- Pushed routes not hardcoded but defined by `routes` list

- TLS Private Key ED25519 instead of RSA

- Signing request refactored

- Topology switched from `net30` to `subnet`

- Ready for separated user and server CA

- Server certificate validity is assessed

- `tls_int` and `packages` tags added.

Role to configure nextcloud with LDAP User backend.

First test passed.

New modules:

- occ:
  set coniguration values using `php occ` nextcloud command-line tool.