refactor(front-stack): introduce sys-stk-front-base and semi-stateless stack; improve coturn role docs

- Extract common HTTPS + Cloudflare + handler bootstrap into new role sys-stk-front-base
- Update sys-stk-front-proxy, web-svc-cdn, web-svc-file, web-svc-html to depend on sys-stk-front-base
- Add new sys-stk-semi-stateless role combining front-base + back-stateless
- Update web-svc-coturn to use sys-stk-semi-stateless and rewrite README/meta with detailed Coturn description
- Unify sys-util-csp-cert README heading

Ref: ChatGPT conversation https://chatgpt.com/share/68d6cea2-3570-800f-acb3-c3277317f17b

roles/sys-stk-front-base/tasks/01_cloudflare.yml

@@ -0,0 +1,51 @@
+# Initialize cache dict (works within the play; persists if fact cache is enabled)
+- name: "Ensure cf_zone_ids cache dict exists"
+  set_fact:
+    cf_zone_ids: "{{ cf_zone_ids | default({}) }}"
+
+# Use cached zone_id if available for the apex (to_primary_domain)
+- name: "Load cf_zone_id from cache if present"
+  set_fact:
+    cf_zone_id: "{{ (cf_zone_ids | default({})).get(domain | to_primary_domain, false) }}"
+
+# Only look up from Cloudflare if we still don't have it
+- name: "Ensure Cloudflare Zone ID is known for '{{ domain }}'"
+  vars:
+    cf_api_url: "https://api.cloudflare.com/client/v4/zones"
+  ansible.builtin.uri:
+    url: "{{ cf_api_url }}?name={{ domain | to_primary_domain }}"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
+      Content-Type: "application/json"
+    return_content: yes
+  register: cf_zone_lookup_dev
+  changed_when: false
+  when:
+    - not cf_zone_id
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: "Set fact cf_zone_id and update cache dict"
+  set_fact:
+    cf_zone_id: "{{ cf_zone_lookup_dev.json.result[0].id }}"
+    cf_zone_ids: >-
+      {{ (cf_zone_ids | default({}))
+         | combine({ (domain | to_primary_domain): cf_zone_lookup_dev.json.result[0].id }) }}
+  when:
+    - not cf_zone_id
+    - cf_zone_lookup_dev.json.result | length > 0
+
+- name: "Fail if no Cloudflare zone found for {{ domain | to_primary_domain }}"
+  ansible.builtin.fail:
+    msg: "No Cloudflare zone found for {{ domain | to_primary_domain }} — aborting!"
+  when:
+    - not cf_zone_id
+    - cf_zone_lookup_dev.json.result | length == 0
+
+- name: activate cloudflare cache development mode
+  include_tasks: "cloudflare/02_enable_cf_dev_mode.yml"
+  when: (ENVIRONMENT | lower) == 'development' 
+  
+- name: purge cloudflare domain cache
+  include_tasks: "cloudflare/01_cleanup.yml"
+  when: MODE_CLEANUP | bool

roles/sys-stk-front-base/tasks/cloudflare/01_cleanup.yml

@@ -0,0 +1,13 @@
+- name: "Purge everything from Cloudflare cache for domain {{ domain }}"
+  ansible.builtin.uri:
+    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/purge_cache"
+    method: POST
+    headers:
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
+      Content-Type: "application/json"
+    body:
+      purge_everything: true
+    body_format: json
+    return_content: yes
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"

roles/sys-stk-front-base/tasks/cloudflare/02_enable_cf_dev_mode.yml

@@ -0,0 +1,35 @@
+---
+# Enables Cloudflare Development Mode (bypasses cache for ~3 hours).
+# Uses the same auth token as in 01_cleanup.yml: CLOUDFLARE_API_TOKEN
+# Assumes `domain` and (optionally) `cf_zone_id` are available.
+# Safe to run repeatedly; only changes when the mode is not already "on".
+
+- name: "Read current Cloudflare development_mode setting"
+  ansible.builtin.uri:
+    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
+      Content-Type: "application/json"
+    return_content: yes
+  register: cf_dev_mode_current
+  when: ASYNC_ENABLED | bool
+
+- name: "Enable Cloudflare Development Mode"
+  ansible.builtin.uri:
+    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
+    method: PATCH
+    headers:
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
+      Content-Type: "application/json"
+    body:
+      value: "on"
+    body_format: json
+    return_content: yes
+  register: cf_dev_mode_enable
+  changed_when: >
+    ASYNC_ENABLED | bool and
+    cf_dev_mode_current.json.result.value is defined and
+    cf_dev_mode_current.json.result.value != 'on'
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"

roles/sys-stk-front-base/tasks/main.yml

@@ -0,0 +1,14 @@
+- block:
+  - name: Include dependency 'sys-svc-webserver-https'
+    include_role:
+      name: sys-svc-webserver-https
+    when: run_once_sys_svc_webserver_https is not defined
+  - include_tasks: utils/run_once.yml
+  when: run_once_sys_stk_front_base is not defined
+
+- include_tasks: "01_cloudflare.yml"
+  when: DNS_PROVIDER == "cloudflare"
+
+- include_tasks: "{{ [ playbook_dir, 'tasks/utils/load_handlers.yml' ] | path_join }}"
+  vars:
+    handler_role_name: "svc-prx-openresty"