Draft: Add role for lego ACME client

Our current ACME client, acmebot, is not packaged in Debian and currently broken (see !48 (closed)). There are surprisingly few ACME clients in Debian, lego is one of them.

Unfortunately, it does not have a nice config file, but operates mostly using CLI arguments. These can be abstracted away in systemd units and a little templating magic.

lego/defaults/main.yml

+---
+
+lego_acme_server_base: acme-v02.api.letsencrypt.org
+
+# lego_account_mail: root@example.org
+
+# The following two variables are defaults for the respective entries in a
+# `lego_certificates` entry.
+lego_method:
+  type: http
+  subtype: webroot
+lego_hooks:
+  services: {}
+  extra: {}
+
+lego_global_args: []
+
+# lego_certificates:
+#   # Default case, only one domain
+#   foo.example.org: {}
+#   bar.example.org:
+#     domains:
+#       # bar.example.org is already included
+#       - baz.example.org
+#       - qux.example.org
+#     account_mail: other@example.org
+#     method:
+#       type: dns
+#       subtype: rfc2136
+#     extra_args:
+#       - --foo
+#       - --bar baz
+#     extra_env:
+#       RFC2136_NAMESERVER: 127.0.0.1
+#     hooks:
+#       services:
+#         nginx.service: try-restart
+#         httpd.service: try-reload-or-restart
+#       extra:
+#         10-install.sh: |
+#           #!/bin/sh
+#           set -e
+#           install -u foo -g foo -m 0644 "$LEGO_CERT_PATH" /etc/foo/cert.pem
+#           install -u foo -g foo -m 0600 "$LEGO_CERT_KEY_PATH" /etc/foo/key.pem