Postgres is used by several roles, but the setup is currently part of the 'mailserver' role. By moving it to 'common', it's possible to disable the mailserver without breaking the others.

Clean up some artifacts from the merge to match the `jessie` branch.
Keep the changes on master made with commits bfe6fe84 and e229c551.

The `private_key` variable used to check for changes was never
registered.

While adding the Let's Encrypt offline testing block in 1746afcc we
accidentially duplicated a the 'when' statement. Ansible only looks at
the last when statement for a given block meaning the earlier one has no
use. This commit merges both lines in one.

See https://docs.ansible.com/ansible/playbooks_lookups.html

This is done to suppress warnings from ansible-lint.

Depending on when the client is run, there are no certificates to
update.  By default, the client runs in interactive mode and wants to
notify the user of this.  This causes Ansible to hang waiting for an
acknowledgement that will never come.  Adding the non-interactive flag
fixes this.

as per discussion in https://github.com/sovereign/sovereign/pull/504

The ``sudo`` and ``sudo_user`` directives are replaced with ``become``
and ``become_user`` in Ansible 1.9.

The installer automatically updates itself, which registers as a change
in the git repo.  To maintain idempotency of the task list, the repo
download must be forced.

Fix Apache's configuration for version 2.4.8 and above.  See
https://community.letsencrypt.org/t/untrusted-on-mobile-newbe/7903

Don't copy the LE certificates.  Instead use the ssl-cert group to
manage access to the LE certificates directly.  See
https://github.com/letsencrypt/letsencrypt/issues/1425 for a request to
have the LE client do this itself.

This method uses Subjective Alternative Names (SANs) to get one
certificate for all the subdomains that Sovereign employs, whether or
not the user configured their site with the roles.

Make a clean distinction between Debian 7 and Debian 8.  Anticipate the
next Ubuntu LTS release (Xenial) that is planned for support.

Avoid using the Include directive.  Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.

see: http://undeadly.org/cgi?action=article&sid=2016011414

resolves #453

Conflicts:
	roles/common/tasks/ufw.yml

Fixes #406