refactor!: replace sys-systemctl with sys-service, add sys-daemon, and rename systemctl_* → system_service_* across repo

- Swap role includes: sys-systemctl → sys-service in all roles
- Rename variables everywhere: systemctl_* → system_service_* (incl. systemctl_id → system_service_id)
- Templates: ExecStart now uses {{ system_service_script_exec }}; add optional RuntimeMaxSec via SYS_SERVICE_DEFAULT_RUNTIME
- Move SYS_SERVICE defaults into roles/sys-service/defaults (remove SYS_SERVICE_ALL_ENABLED & SYS_SERVICE_DEFAULT_STATE from group_vars/07_services.yml)
- Tidy group_vars/all/08_timer.yml formatting
- Introduce roles/sys-daemon:
  - default manager timeouts (timeouts.conf)
  - optional purge of /etc/systemd/system.conf.d
  - validation via systemd-analyze verify
  - handlers for daemon-reload & daemon-reexec
- Refactor sys-timer to system_service_* variables (docs and templates updated)
- Move filter_plugins/filetype.py under sys-service
- Update meta/README to point to official systemd docs
- Touch many roles (backup/cleanup/health/repair/certs/nginx/csp/wireguard/ssd-hdd/keyboard/update-docker/alarm compose/email/telegram/etc.) to new naming

BREAKING CHANGE:
- Role path/name change: use `sys-service` instead of `sys-systemctl`
- All `systemctl_*` vars are now `system_service_*` (e.g., on_calendar, state, timer_enabled, script_exec, id)
- If you have custom templates, adopt RuntimeMaxSec and new variable names

Chat context: https://chatgpt.com/share/68a47568-312c-800f-af3f-e98575446327

roles/sys-daemon/README.md

@@ -1,44 +1,26 @@
-# Core Daemon Reset
+# sys-daemon
 
 ## Description
 
-This role resets and cleans up all **Infinito.Nexus** core daemon `systemd` service units that match the configured suffix (`SYS_SERVICE_SUFFIX`).  
-It is primarily used in maintenance or reset scenarios when a full service cleanup is required.
+Role to reset and configure the **systemd manager** for Infinito.Nexus.  
+It ensures a clean state of the manager configuration and applies default timeout values.
 
 ## Overview
 
-When the `MODE_RESET` flag is enabled, the role will:
-
-1. **Run Once Per Play:** Guarded by `run_once_sys_daemon` to avoid duplicate execution.
-2. **Identify Service Units:** Finds all `/etc/systemd/system/*{{ SYS_SERVICE_SUFFIX }}` units.
-3. **Stop and Disable Services:** Gracefully stops and disables matching services.
-4. **Remove Unit Files:** Deletes the corresponding unit files from the system.
-5. **Reload systemd:** Ensures the service manager state is updated after cleanup.
-
-## Purpose
-
-The main goal of this role is to ensure a clean and consistent state for core daemon services by removing obsolete or stale systemd units.  
-This is particularly useful when re-deploying or performing a full environment reset.
+- Purges the systemd manager drop-in directory if requested.  
+- Validates all active unit files before reload/reexec.  
+- Applies default timeout values for systemd manager behavior.  
+- Provides handler-based reload/reexec for systemd.  
 
 ## Features
 
-- **Automated Cleanup:** Stops, disables, and removes targeted systemd units.
-- **Idempotent Execution:** Runs only once per playbook run.
-- **Configurable Targeting:** Matches services using `SYS_SERVICE_SUFFIX`.
-- **Systemd Integration:** Reloads daemon state after changes.
+- **Drop-in Purge:** Optionally remove `/etc/systemd/system.conf.d` contents.  
+- **Manager Defaults:** Deploys custom timeouts via `timeouts.conf`.  
+- **Validation:** Uses `systemd-analyze verify` before reload.  
+- **Integration:** Triggers `daemon-reload` or `daemon-reexec` safely.  
 
 ## Further Resources
 
-- [systemd Service Management](https://www.freedesktop.org/software/systemd/man/systemctl.html)
-- [Infinito.Nexus License](https://s.infinito.nexus/license)
-
-## License
-
-This role is released under the Infinito.Nexus NonCommercial License.
-See [license details](https://s.infinito.nexus/license)
-
-## Author Information
-
-Kevin Veen-Birkenbach
-Consulting & Coaching Solutions
-[https://www.veen.world](https://www.veen.world)
+- [systemd - Manager Configuration](https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html)  
+- [systemd-analyze](https://www.freedesktop.org/software/systemd/man/systemd-analyze.html)  
+- [systemctl](https://www.freedesktop.org/software/systemd/man/systemctl.html)

roles/sys-daemon/defaults/main.yml

@@ -0,0 +1,8 @@
+# General
+SYSTEMD_MANAGER_CONF_DIR:       "/etc/systemd/system.conf.d"
+
+# Defaults
+SYSTEMD_DEFAULT_TIMEOUT_START:  "90s"      # Maximum time a service is allowed to reach the 'active' state during startup
+SYSTEMD_DEFAULT_TIMEOUT_STOP:   "90s"      # Maximum time a service is allowed to stop gracefully before being killed
+SYSTEMD_DEFAULT_TIMEOUT_ABORT:  "90s"      # Additional grace period after Stop timeout before systemd sends SIGKILL
+

roles/sys-daemon/handlers/main.yml

@@ -1,4 +1,49 @@
-- name: "reload system daemon"
+- name: collect systemd unit files
+  shell: |
+    shopt -s nullglob
+    files=({{ PATH_SYSTEM_SERVICE_DIR }}*.service {{ PATH_SYSTEM_SERVICE_DIR }}*.timer)
+    printf "%s\n" "${files[@]}"
+  args:
+    executable: /bin/bash
+  register: _unit_files
+  changed_when: false
+  failed_when: false
+  become: true
+  listen:
+    - reload system daemon
+    - reexec systemd manager
+
+- name: validate systemd units
+  shell: |
+    systemd-analyze verify {{ _unit_files.stdout_lines | join(' ') }}
+  register: _verify_units
+  changed_when: false
+  failed_when: _unit_files.stdout | length > 0 and _verify_units.rc != 0
+  become: true
+  when: _unit_files.stdout | length > 0
+  listen:
+    - reload system daemon
+    - reexec systemd manager
+
+- name: show merged manager config
+  command: systemd-analyze cat-config systemd/system.conf
+  register: _catcfg
+  changed_when: false
+  become: true
+  listen:
+    - reload system daemon
+    - reexec systemd manager
+
+- name: reload system daemon
   command: systemctl daemon-reload
+  become: true
+  listen: reload system daemon
   async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+
+- name: reexec systemd manager
+  command: systemctl daemon-reexec
+  become: true
+  listen: reexec systemd manager
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"

roles/sys-daemon/meta/main.yml

@@ -1,19 +1,19 @@
+---
 galaxy_info:
   author: "Kevin Veen-Birkenbach"
-  description: "Role to reset and clean up Infinito.Nexus systemd service units for the core daemon."
-  company: |
+  description: "Role to reset and configure the systemd manager (drop-ins, defaults, validation)."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: | 
     Kevin Veen-Birkenbach
     Consulting & Coaching Solutions
     https://www.veen.world
-  license: "Infinito.Nexus NonCommercial License"
-  license_url: "https://s.infinito.nexus/license"
-  min_ansible_version: "2.9"
   galaxy_tags:
     - systemd
-    - cleanup
     - infinito
+    - daemon
+    - cleanup
   repository: "https://s.infinito.nexus/code"
   issue_tracker_url: "https://s.infinito.nexus/issues"
-  documentation: "https://s.infinito.nexus/code/#sys-daemon-role"
-
+  documentation: "https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html"
 dependencies: []

roles/sys-daemon/tasks/01_reset.yml

@@ -0,0 +1,16 @@
+- name: reload system daemon
+  command: /bin/true
+  notify: "reload system daemon"
+
+- name: "Sanity check SYSTEMD_MANAGER_CONF_DIR"
+  assert:
+    that:
+      - SYSTEMD_MANAGER_CONF_DIR | regex_search('^/etc/systemd/system\.conf\.d/?$')
+    fail_msg: "SYSTEMD_MANAGER_CONF_DIR must be /etc/systemd/system.conf.d"
+  when: SYSTEMD_MANAGER_RESET_PURGE | bool
+
+- name: "Purge manager drop-in directory (remove)"
+  file:
+    path: "{{ SYSTEMD_MANAGER_CONF_DIR }}"
+    state: absent
+  notify: reexec systemd manager

roles/sys-daemon/tasks/02_defaults.yml

@@ -0,0 +1,12 @@
+- name: "Ensure {{ SYSTEMD_MANAGER_CONF_DIR }} exists"
+  file:
+    path: "{{ SYSTEMD_MANAGER_CONF_DIR }}"
+    state: directory
+    mode: "0755"
+
+- name: Deploy systemd manager default timeout settings
+  template:
+    src:  timeouts.conf.j2
+    dest: "{{ SYSTEMD_MANAGER_CONF_DIR }}/timeouts.conf"
+    mode: "0644"
+  notify: reexec systemd manager

roles/sys-daemon/tasks/main.yml

@@ -1,8 +1,8 @@
-- name: "reset (if enabled)"
-  include_tasks: reset.yml 
-  when: MODE_RESET | bool and run_once_sys_daemon is not defined
-
-- name: run {{ role_name }} once
-  set_fact:
-    run_once_sys_daemon: true
+- block:
+  - name: "reset (if enabled)"
+    include_tasks: 01_reset.yml
+    when: MODE_RESET | bool and run_once_sys_daemon is not defined
+  - name: Apply systemd manager defaults
+    include_tasks: 02_defaults.yml
+  - include_tasks: utils/run_once.yml
   when: run_once_sys_daemon is not defined

roles/sys-daemon/tasks/reset.yml

@@ -1,3 +0,0 @@
-- name: reload system daemon
-  command: /bin/true
-  notify: "reload system daemon"

roles/sys-daemon/templates/timeouts.conf.j2

@@ -0,0 +1,4 @@
+[Manager]
+DefaultTimeoutStartSec={{ SYSTEMD_DEFAULT_TIMEOUT_START }}
+DefaultTimeoutStopSec={{ SYSTEMD_DEFAULT_TIMEOUT_STOP }}
+DefaultTimeoutAbortSec={{ SYSTEMD_DEFAULT_TIMEOUT_ABORT }}