Port 8008 is forwarded in our case, so unless we adjust
`x_forwaded` for it, Docker's local network IPs are
logged/displayed for devices.
The TLS port (8448) is not proxied in our setup,
so its `x_forwarded` setting remains `false`.
Otherwise certains values in the config file,
such as `macaroon_secret_key`, would be regenerated,
which is not something that we want.
If `macaroon_secret_key` is regenerated, all users'
auth tokens will become invalid (effectively logging out
all users).
It was trying to omit the `-a` flag, but that wasn't enough,
because the underlying `register_new_matrix_user` command
prompts interactively if it doesn't see the `-a` flag
(it doesn't default to non-admin).
We need to answer such interactive prompts.
Some CentOS 7 hosts may not have firewalld installed.
We shouldn't expect it to be, but should ensure by ourselves that it is.
Docker likes to mess around with iptables forwarding rules,
so it ought to start after firewalld.
matrix-nginx-proxy will be occupying port 80 soon,
so that we can be more user-friendly and have
http->https forwarding for the Riot hostname.
During the playbook run, acmetool also expects to use
port 80 for domain verification.
During an initial playbook run, this wouldn't cause trouble
because matrix-nginx-proxy is not installed yet.
However, on subsequent playbook runs, it would cause trouble.
This ensures that if matrix-nginx-proxy is available
and running, it would be stopped before running acmetool
and started right after.
