Differences between tls and non-tls are minimal, so simplify the generation
as much as possible with simple tls switch.

It seems more readable than creating Jinja2 macros, which would be used only
twice.

notebook is implemented.

caddyserver/builds repository is obsoleted and this commit avoids fetching
it.

BTrees 4.4.1 is from early 2017. BTrees 4.5.0 contains fix for crash
when deallocating items:

https://github.com/zopefoundation/BTrees/issues/75  
https://github.com/zopefoundation/BTrees/commit/16e70dd337

It is similar crash and fix to this one in wendelin.core:

nexedi/wendelin.core@d97641d2

and in Python 2.7.15:

nexedi/slapos@8e098385 (comment 72575)

BTrees 4.5.1 is a small maintenance release over 4.5.0 and is currently
latest BTree release.

/cc @jm, @vpelletier, @kazuhiko, @jerome
/reviewed-on nexedi/slapos!550

A regression from nexedi/slapos!374 is that we made apache listening on one port for each zope backend instance.

/reviewed-on nexedi/slapos!548

For the test suite, all plugins are still loaded if no engine is specified.

Loading TokuDB whereas RocksDB is used is quite annoying because:
- TokuDB creates many threads
- RocksDB opens many files
We had systems where lsof takes a few minutes to output 10 million lines.

This will also make the datadir a bit cleaner.

QUIC implementation module is fixed.

Since Caddy v0.11.4 it is possible to disable log rotation, thus disable it
and rely purely on SlapOS defined log rotation.

See https://github.com/mholt/caddy/releases/tag/v0.11.4

A regression in the apache entries for testrunner used one apache port
for each zope - not one for each family as what was intended.
There was also a problem that these apache ports were used even when no
testrunner.

- Exercise how multiple families are supported
- Check the number of zope in each family respects `instance-count`
argument
- Check the number of listening sockets is what we expect for server
processes
- Check that when we don't request test runner, apache does not listen
for test runner proxy

About Zstd, commit a0d582ab was wrong.
WITH_<engine>_<comp>=ON compilation options are added to force a build
failure if dependencies are broken.

The host needs a name in order to have self_signed certificate generated.

/reviewed-on !546

When there are no shared instances, the file was empty, but caddy
refuses to start when using an import statement on an empty file, with
this error:

```
Error during parsing: Could not read tokens while importing .../etc/log-access.conf: EOF
```

/reviewed-on !545

This also means that caddy source is fetched directly from upstream, as all
required fixes has been incorporated into the upstream.

Since https://github.com/mholt/caddy/releases/tag/v0.11.4 TLS-SNI challenge
is replaced by ACME TLS-ALPN challenge, so switch has changed.

Drop direct usage of gowork for now, in order to have caddy built using go
module, support for gowork with go modules might come later.

/reviewed-on !544

Instance to check custom configuration protection was removed, so follow
this in master partition assertion.

This reverts commit 7993ff81.

Custom configuration checks are hard to be trusted, as they can impact too
many aspects of running frontend.

Frontend administrator knows the risks of custom configuration, and shall take
proper care.

/reviewed-on nexedi/slapos!543

ATS cache fillup is uncontrollable during test run.

Instead of complex architecture in the profiles, reuse kedifa-updater
capability to do backward compatibility certificate management thanks to its
fall-back mechanism.

kedifa-updater uses state file to know, if it ever succeed to download
certificate from KeDiFa, and so it really makes it that pushing at least once
certificate to KeDiFa, even if it is sometimes unresponsive, will switch to
it.

Fallback certificate is used, thus each slave listens immediately on HTTP and
HTTPS. Thanks to this, asynchronous updates do not need to communicate with
slapos node instance, and slapos node instance does not care about the
certificates anymore.

Instead of fetching certificates on each slapos node instance use new
kedifa-updater, which is a tool to asynchronously fetch certificates and
has a hook to reload the server in case if new certificate is available.

custom_ssl_directory is NOT BBB

This mostly useful during tests to have stable results, especially when
some slaves are rejected.

This change is expected to be no-op during normal run.

Note: The slave rejection system does not guarantee any ordering, as the sort
      order can change, because of parameters can reorder slaves. Thus, even
      if slave A was requested before slave B, and they conflict each other,
      slave A can be rejected instead of "expected" slave B.

This is consistent across usage in caddy-frontend and allow better reusage.

Section was not renamed in buildout.hash.cfg

perl was upgraded from version 5.26.1 to 5.28.1 in
8d4fa263

Helloweb is small app, which is very good place to use the most recent go
always.

Contains many bug fixes found since 1.12, see
https://golang.org/doc/devel/release.html#go1.12.minor

SLAPOS-SR-TEST-MASTER sometimes reveal errors:
```
Can't locate Getopt/Long.pm in @INC (you may need to install the Getopt::Long module)
...
makefile:588: recipe for target 'cpan/podlators/pm_to_blib' failed
make: *** [cpan/podlators/pm_to_blib] Error 25
```

Backport a fix for this problem discussed at https://rt.perl.org/Public/Bug/Display.html?id=132360

/reviewed-on nexedi/slapos!542

This folder contains binlogs, which are written on every transaction
commited in mariadb. As it is not an immutable file, it shouldn't be
part of the backup, even if its path is confusing...

/reviewed-on nexedi/slapos!540