Mailu/MSMTP: split token mgmt, idempotent reload, safer guards

• Rename: 02_create-user.yml → 02_manage_user.yml; 03_create-token.yml → 03a_manage_user_token.yml + 03b_create_user_token.yml
• Only (re)run sys-svc-msmtp when no-reply token exists; set run_once_sys_svc_msmtp=true in 01_core
• Reset by setting run_once_sys_svc_msmtp=false after creating no-reply token; then include sys-svc-msmtp
• Harden when-guards (no '{{ }}' in when, safe .get lookups)
• Minor formatting and failed_when readability

Conversation: https://chatgpt.com/share/68ebd196-a264-800f-a215-3a89d0f96c79

roles/web-app-mailu/tasks/02_manage_user.yml

@@ -0,0 +1,29 @@
+- name: "Ensure Mailu user '{{ mailu_user_key }};{{ mailu_user_name }}@{{ MAILU_DOMAIN }}'' exists"
+  command: >
+    {{ docker_compose_command_exec }} admin flask mailu {{ mailu_action }}
+      {{ mailu_user_name }} {{ MAILU_DOMAIN }} '{{ mailu_password }}'
+  args:
+    chdir: "{{ MAILU_DOCKER_DIR }}"
+  register: mailu_user_result
+  failed_when: >
+    mailu_user_result.rc != 0 and
+    (
+      "exists, not created" not in mailu_user_result.stderr and
+      "Duplicate entry"   not in mailu_user_result.stderr
+    )
+  changed_when: mailu_user_result.rc == 0
+  when: "'mail-bot' in item.value.roles or 'administrator' in item.value.roles"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: "Change password for user '{{ mailu_user_key }};{{ mailu_user_name }}@{{ MAILU_DOMAIN }}'"
+  command: >
+    {{ docker_compose_command_exec }} admin flask mailu password
+      {{ mailu_user_name }} {{ MAILU_DOMAIN }} '{{ mailu_password }}'
+  args:
+    chdir: "{{ MAILU_DOCKER_DIR }}"
+  when: "'mail-bot' in item.value.roles or 'administrator' in item.value.roles"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: "Create Mailu API Token for {{ mailu_user_name }}"
+  include_tasks: 03a_manage_user_token.yml
+  when: "'mail-bot' in item.value.roles"