Refactor role naming for TLS and proxy stack

- Renamed role `srv-tls-core` → `sys-svc-certs`
- Renamed role `srv-https-stack` → `sys-stk-front-pure`
- Renamed role `sys-stk-front` → `sys-stk-front-proxy`
- Updated all includes, READMEs, meta, and dependent roles accordingly

This improves clarity and consistency of naming conventions for certificate management and proxy orchestration.

See: https://chatgpt.com/share/68b19f2c-22b0-800f-ba9b-3f2c8fd427b0

roles/sys-svc-certs/tasks/flavors/_san.yml

@@ -0,0 +1,38 @@
+# Necessary to have this seperat file to pass performance tests
+- name: Install certbundle
+  include_role:
+    name: pkgmgr-install
+  vars:
+    package_name: certbundle
+
+- name: Generate SAN certificate with certbundle
+  command: >-
+    certbundle
+    --domains "{{ current_play_domains_all | join(',') }}"
+    --certbot-email "{{ users.administrator.email }}"
+    --certbot-acme-challenge-method "{{ CERTBOT_ACME_CHALLENGE_METHOD }}"
+    --chunk-size 100
+    {% if CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' %}
+    --certbot-credentials-file "{{ CERTBOT_CREDENTIALS_FILE }}"
+    --certbot-dns-propagation-seconds "{{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}"
+    {% else %}
+    --letsencrypt-webroot-path "{{ LETSENCRYPT_WEBROOT_PATH }}"
+    {% endif %}
+    {{ '--mode-test' if MODE_TEST | bool else '' }}
+  register: certbundle_result
+  changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout"
+  failed_when: >
+    certbundle_result.rc != 0
+    and 'too many certificates' not in (certbundle_result.stderr | lower | default(''))
+    and 'the service is down for maintenance or had an internal error' not in (certbundle_result.stderr | lower | default(''))
+
+- name: Warn if LetsEncrypt was down
+  when: "'the service is down for maintenance or had an internal error' in (certbundle_result.stderr | lower | default(''))"
+  debug:
+    msg: >
+      WARNING: Let's Encrypt responded with "service down for maintenance / internal error".
+      Certificate request skipped; please retry later.
+
+- name: run the san tasks once
+  set_fact:
+    run_once_san_certs: true

roles/sys-svc-certs/tasks/flavors/dedicated.yml

@@ -0,0 +1,30 @@
+- name: "Check if certificate already exists for '{{ domain }}'"
+  cert_check_exists:
+    domain: "{{ domain }}"
+    cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}"
+  register: cert_check
+
+- name: "receive certificate for '{{ domain }}'"
+  command: >-
+    certbot certonly 
+    --agree-tos 
+    --email {{ users.administrator.email }}
+    --non-interactive 
+    {% if CERTBOT_ACME_CHALLENGE_METHOD != "webroot" %}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-credentials {{ CERTBOT_CREDENTIALS_FILE }}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-propagation-seconds {{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}
+    {% else %}
+    --webroot 
+    -w {{ LETSENCRYPT_WEBROOT_PATH }}
+    {% endif %}
+    {% if wildcard_domain is defined and ( wildcard_domain | bool ) %}
+    -d {{ PRIMARY_DOMAIN }} 
+    -d *.{{ PRIMARY_DOMAIN }}
+    {% else %}
+    -d {{ domain }}
+    {% endif %}
+    {{ '--test-cert' if MODE_TEST | bool else '' }}
+  register: certbot_result
+  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
+  when: not cert_check.exists

roles/sys-svc-certs/tasks/flavors/san.yml

@@ -0,0 +1,3 @@
+# Neccessary encapsulation to pass performance tests
+- include_tasks: "_san.yml"
+  when: run_once_san_certs is not defined

roles/sys-svc-certs/tasks/flavors/wildcard.yml

@@ -0,0 +1,19 @@
+- name: "Load wildcard certificate for domain"
+  include_tasks: "dedicated.yml"
+  vars:
+    wildcard_domain: true
+  when: 
+    - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
+    - run_once_receive_certificate is not defined  
+
+- name: "Load dedicated certificate for domain"
+  include_tasks: "dedicated.yml"
+  vars:
+    wildcard_domain: false
+  when: 
+    - not (domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN))
+
+- name: run the receive_certificate tasks once
+  set_fact:
+    run_once_receive_certificate: true
+  when: run_once_receive_certificate is not defined