Fix Apache's configuration for version 2.4.8 and above.  See
https://community.letsencrypt.org/t/untrusted-on-mobile-newbe/7903

Don't copy the LE certificates.  Instead use the ssl-cert group to
manage access to the LE certificates directly.  See
https://github.com/letsencrypt/letsencrypt/issues/1425 for a request to
have the LE client do this itself.

Let's Encrypt uses DNS to verify domain ownership, so DNS records must
be set up before the paybook is run the first time.

This method uses Subjective Alternative Names (SANs) to get one
certificate for all the subdomains that Sovereign employs, whether or
not the user configured their site with the roles.

Remove references to Trusty and Wheezy (jessie)

Fix systemd configuration of OpenVPN server

The server was not starting.  As a result, the dnsmasq service failed to
start, and the playbook thus failed to run when using the vpn role.
This patch corrects the configuration per instructions from
https://help.ubuntu.com/community/OpenVPN.

OpenVPN PAM configuration moved up to reduce server bouncing as the
playbook runs.  The dependency on service (re)starts between openvpn and
dnsmasq works but feels brittle.

Roundcube is not available on Jessie except in backports.  This role is
also out of date and needs reviewed and updated for the release included
in backports.  Roundcube could alternatively be installed from source as
recommended by the maintainers.

Make a clean distinction between Debian 7 and Debian 8.  Anticipate the
next Ubuntu LTS release (Xenial) that is planned for support.

Update rspamd repository to the official one.

Fix znc configuration

Correct typo

Upgrade to cgit 0.12 and gitolite 3.6.4

Clean up Apache SSL configuration

Fix version of tomcat

The znc package installs the client but does not set it up as a
service.  This patch restores the service configuration that
was done on wheezy/trusty.

Take changes to the tomcat6 default configuration and apply to tomcat7
configuration.  This was done by review of the diff between sovereign's
tomcat6 configuration and the default tomcat7 configuration.

The package solr installs and uses tomcat7.  Installing tomcat8 appears
to be a mistake for Debian Jessie.

Avoid using the Include directive.  Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.

Include commits to master which were missing in jessie

Fix links to Ansible website in readme

Correct special-casing of z-push Apache configuration

Writing clarifies thinking and leaves behind guidance for future
maintainers.  Design descriptions shouldn't be required, though,
especially for trivial modules.

Users expect role authors to make decisions.  The role author is
supposed to be the expert who knows what choices to make on behalf of
the user.

I probably got this wrong, but I'm putting a stake in the ground based
on work I've done on the Roundcube module and adding Let's Encrypt
support to the common module.

Conflicts:
	CONTRIBUTING.md

see: http://undeadly.org/cgi?action=article&sid=2016011414