Oh wow, TIL you need a special invocation in nginx to listen on IPv6 as
well as IPv4. This was both presumably breaking clients trying to
connect over IPv6 (I guess we never ran into that in a browser?), but
also breaking certbot's certificate renewal attempts, because Let's
Encrypt prefers IPv6 when possible. Okay!
I've learned some more about Ansible, and how to use `ansible.cfg` to
set up `ansible-playbook` to do the same thing as our `run.sh` was
doing! Same number of files, less overhead for the workflow's weirdness.
