Instead of crontab entry, place a script in /etc/cron.daily (more package like, more portable to a different CM) for backups.

Move TLS certificate handling and initial firewall handling each to a seperate file, preparing to have them shared between roles or a to be a depended role.

Limit rules in UFW implies allow, remove allow rules (caused every run to be marked as changed). The internal_tls_{key,cert} variable were ignoring the playbook variable, so switched to use set_fact (less elegant but works). Copy cert and key after running apt-get install otherwise the group won't be present.

Since OpenLDAP uses gnuTLS and Apache uses OpenSSL, it's silly to keep 2 cipher list variables so the current (gnuTLS) cipher list variable is removed. Apache now uses HTTPS with the same key as OpenLDAP. All open ports are now rate limited.