refactor: improve service handling and introduce MODE_ASSERT

- Improved get_service_name filter plugin (clearer suffix handling, consistent var names).
- Added MODE_ASSERT flag to optionally execute validation/assertion tasks.
- Fixed systemd unit handling: consistent use of %I instead of %i, correct escaping of instance names.
- Unified on_failure behavior and alarm composer scripts.
- Cleaned up redundant logging, handlers, and debug config.
- Strengthened sys-service template resolution with assert (only active when MODE_ASSERT).
- Simplified timer and suffix handling with get_service_name filter.
- Hardened sensitive tasks with no_log.
- Added conditional asserts across roles (Keycloak, DNS, Mailu, Discourse, etc.).

These changes improve consistency, safety, and validation across the automation stack.

Conversation: https://chatgpt.com/share/68a4ae28-483c-800f-b2f7-f64c7124c274

roles/web-app-keycloak/tasks/06_ldap.yml

@@ -26,6 +26,7 @@
   assert:
     that: [ "(ldap_cmp_id.stdout | trim) not in ['', 'null']" ]
     fail_msg: "LDAP component '{{ KEYCLOAK_LDAP_CMP_NAME }}' not found in Keycloak."
+  when: MODE_ASSERT | bool
 
 - name: Pull LDAP component from dictionary (by name)
   set_fact:
@@ -42,6 +43,7 @@
       - ldap_component_tpl | length > 0
       - (ldap_component_tpl.subComponents | default({})) | length > 0
     fail_msg: "LDAP component '{{ KEYCLOAK_LDAP_CMP_NAME }}' not found in KEYCLOAK_DICTIONARY_REALM."
+  when: MODE_ASSERT | bool
 
 - name: Extract mapper 'ldap-roles' from template (raw)
   set_fact:
@@ -59,6 +61,7 @@
   assert:
     that: [ "desired_group_mapper_raw | length > 0" ]
     fail_msg: "'ldap-roles' mapper not found in dictionary under LDAP component."
+  when: MODE_ASSERT | bool
 
 - name: Build clean mapper payload
   set_fact: