roles/nginx: Rework Let's Encrypt stuff

Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.

roles/nginx/files/renew-letsencrypt.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Daily renewal of Let's Encrypt's certificates
+
+[Timer]
+# twice a day, at midnight and noon
+OnCalendar=*-*-* 00,12:00:00
+# Add a random delay of 0–3600 seconds
+RandomizedDelaySec=3600
+Persistent=true
+
+[Install]
+WantedBy=timers.target