v2: deploy. improve tls management in icaro role

Add icaro.tls config, with values:

* "self_signed": a self signed https certificate will be generate by
caddy
* "manual": the certifcate must provided by the admin:
  - certificate file: /opt/icaro/{$ICARO_HOSTNAME}_cert.pem
  - private key file: /opt/icaro/{$ICARO_HOSTNAME}_private_key.pem
* "auto" or any other values: the certifcate will be generate by caddy
via Let's encypt.