refactor(front-stack): introduce sys-stk-front-base and semi-stateless stack; improve coturn role docs

- Extract common HTTPS + Cloudflare + handler bootstrap into new role sys-stk-front-base
- Update sys-stk-front-proxy, web-svc-cdn, web-svc-file, web-svc-html to depend on sys-stk-front-base
- Add new sys-stk-semi-stateless role combining front-base + back-stateless
- Update web-svc-coturn to use sys-stk-semi-stateless and rewrite README/meta with detailed Coturn description
- Unify sys-util-csp-cert README heading

Ref: ChatGPT conversation https://chatgpt.com/share/68d6cea2-3570-800f-acb3-c3277317f17b

roles/sys-stk-front-base/README.md

@@ -0,0 +1,21 @@
+# Front Base (HTTPS + Cloudflare + Handlers) 🚀
+
+## Description
+**sys-stk-front-base** bootstraps the front layer that most web-facing apps need:
+- Ensures the HTTPS base via `sys-svc-webserver-https`
+- (Optional) Cloudflare bootstrap (zone lookup, dev mode, purge)
+- Wires OpenResty/Nginx handlers
+- Leaves per-domain certificate issuance to consumer roles (or pass-through vars to `sys-util-csp-cert` if needed)
+
+> This role is intentionally small and reusable. It prepares the ground so app roles can just render their vHost.
+
+## Responsibilities
+- Include `sys-svc-webserver-https` (once per host)
+- Include Cloudflare tasks when `DNS_PROVIDER == "cloudflare"`
+- Load handler utilities (e.g., `svc-prx-openresty`)
+- Stay domain-agnostic: expect `domain` to be provided by the consumer
+
+## Outputs
+- Handler wiring completed
+- HTTPS base ready (Nginx, ACME webroot)
+- Cloudflare prepared (optional)

roles/sys-stk-front-base/meta/main.yml

@@ -0,0 +1,24 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Front bootstrap for web apps: HTTPS base, optional Cloudflare setup, and handler wiring."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - https
+    - cloudflare
+    - automation
+    - web
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus/"
+dependencies: []

roles/sys-stk-front-base/tasks/main.yml

@@ -0,0 +1,14 @@
+- block:
+  - name: Include dependency 'sys-svc-webserver-https'
+    include_role:
+      name: sys-svc-webserver-https
+    when: run_once_sys_svc_webserver_https is not defined
+  - include_tasks: utils/run_once.yml
+  when: run_once_sys_stk_front_base is not defined
+
+- include_tasks: "01_cloudflare.yml"
+  when: DNS_PROVIDER == "cloudflare"
+
+- include_tasks: "{{ [ playbook_dir, 'tasks/utils/load_handlers.yml' ] | path_join }}"
+  vars:
+    handler_role_name: "svc-prx-openresty"

roles/sys-stk-front-proxy/tasks/01_base.yml

@@ -1,17 +1,6 @@
-- block:
+- name: Front bootstrap
-  - name: Include dependency 'sys-svc-webserver-https'
+  include_role:
-    include_role:
+    name: sys-stk-front-base
-      name: sys-svc-webserver-https
-    when: run_once_sys_svc_webserver_https is not defined
-  - include_tasks: utils/run_once.yml
-  when: run_once_sys_stk_front_proxy is not defined
-
-- include_tasks: "02_cloudflare.yml"
-  when: DNS_PROVIDER == "cloudflare"
-
-- include_tasks: "{{ [ playbook_dir, 'tasks/utils/load_handlers.yml' ] | path_join }}"
-  vars:
-    handler_role_name: "svc-prx-openresty"
 
 - name: "include role for '{{ domain }}' to receive certificates and do the modification routines"
   include_role:

roles/sys-stk-semi-stateless/README.md

@@ -0,0 +1,13 @@
+# Semi-Stateless Stack (Front + Back) ⚡
+
+## Description
+**sys-stk-semi-stateless** combines the front and back layer into a lightweight, mostly stateless web service stack:
+- Front bootstrap via `sys-stk-front-base` (HTTPS base, optional Cloudflare, handlers)
+- Backend via `sys-stk-back-stateless` (no persistent volumes/DB)
+
+Ideal for services that need TLS/front glue but no database (e.g., TURN/STUN, gateways, simple APIs).
+
+## Responsibilities
+- Prepare the front layer (HTTPS / handlers / optional Cloudflare)
+- Deploy the stateless backend (typically via Docker Compose)
+- Keep domain variables (`domain`) and app-scoped variables (`application_id`) clearly separated

roles/sys-stk-semi-stateless/meta/main.yml

@@ -0,0 +1,24 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Combined semi-stateless app stack: front bootstrap + stateless backend."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - https
+    - stateless
+    - backend
+    - cloudflare
+    - automation
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus/"

roles/sys-stk-semi-stateless/tasks/main.yml

@@ -0,0 +1,11 @@
+# run_once_sys_stk_full_stateless: deactivated
+
+- name: "sys-stk-front-base"
+  include_role:
+    name: sys-stk-front-base
+  vars:
+    domain:   "{{ domains | get_domain(application_id) }}"
+
+- name: "For '{{ application_id }}': Load sys-stk-back-stateless"
+  include_role:
+    name: sys-stk-back-stateless

roles/sys-util-csp-cert/README.md

@@ -1,4 +1,4 @@
-# Role: sys-util-csp-cert
+# sys-util-csp-cert
 
 This Ansible role composes and orchestrates all necessary HTTPS-layer tasks and HTML-content injections for your webserver domains. It integrates two key sub-roles into a unified workflow:
 

roles/web-svc-cdn/tasks/01_core.yml

@@ -2,7 +2,7 @@
   include_role:
     name: '{{ item }}'
   loop:
-  - sys-svc-webserver-https
+  - sys-stk-front-base
   - dev-git
   
 - name: "include role for {{ application_id }} to receive certs & do modification routines"

roles/web-svc-coturn/README.md

@@ -1,9 +1,46 @@
-# Coturn Server (DRAFT)
+# Coturn
-setup an coturn server based on https://hub.docker.com/r/coturn/coturn
 
-## todo
+This folder contains the role to deploy and manage a [Coturn](https://github.com/coturn/coturn) service.
 
-Needs to be implemented so that Nextcloud Talk works
+## Description
 
-## author 
+[Coturn](https://github.com/coturn/coturn) is a free and open-source **TURN (Traversal Using Relays around NAT)** and **STUN (Session Traversal Utilities for NAT)** server.  
-[Kevin Veen-Birkenbach](https://www.veen.world)
+It enables real-time communication (RTC) applications such as **WebRTC** to work reliably across NATs and firewalls.
+
+Without TURN/STUN, video calls, conferencing, and peer-to-peer connections often fail due to NAT traversal issues.  
+Coturn solves this by acting as a **relay server** and/or **discovery service** for public IP addresses.
+
+More background:  
+* Wikipedia: [Traversal Using Relays around NAT](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT)  
+* Wikipedia: [Session Traversal Utilities for NAT](https://en.wikipedia.org/wiki/STUN)  
+* Official Coturn Docs: [https://github.com/coturn/coturn/wiki](https://github.com/coturn/coturn/wiki)
+
+## Overview
+
+This role deploys Coturn via Docker Compose using the `sys-stk-semi-stateless` stack.  
+It automatically configures:
+- TURN and STUN listening ports
+- Relay port ranges
+- TLS certificates (via Let’s Encrypt integration)
+- Long-term credentials and/or REST API secrets
+
+Typical use cases:
+- Nextcloud Talk
+- Jitsi
+- BigBlueButton
+- Any WebRTC-based application
+
+## Features
+
+* Stateless container deployment (no database or persistent volume required)  
+* Automatic TLS handling via `sys-stk-front-base`  
+* TURN and STUN support over TCP and UDP  
+* Configurable relay port ranges for scaling  
+* Integration into Infinito.Nexus inventory/variable system
+
+## Further Resources
+
+* Coturn Project — [https://github.com/coturn/coturn](https://github.com/coturn/coturn)  
+* Coturn Wiki — [https://github.com/coturn/coturn/wiki](https://github.com/coturn/coturn/wiki)  
+* TURN on Wikipedia — [https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT)  
+* STUN on Wikipedia — [https://en.wikipedia.org/wiki/STUN](https://en.wikipedia.org/wiki/STUN)  

roles/web-svc-coturn/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 galaxy_info:
   author: "Kevin Veen-Birkenbach"
-  description: "Deploys a Coturn TURN/STUN server via Docker Compose, with automatic domain and port configuration for Nextcloud Talk."
+  description: "Deploys Coturn, a free and open-source TURN/STUN server"
   license: "Infinito.Nexus NonCommercial License"
   license_url: "https://s.infinito.nexus/license"
   company: |
@@ -12,12 +12,13 @@ galaxy_info:
     - coturn
     - turn
     - stun
+    - webrtc
     - docker
+    - stateless
+    - realtime
   repository: "https://s.infinito.nexus/code"
   issue_tracker_url: "https://s.infinito.nexus/issues"
-  documentation: "https://s.infinito.nexus/code/tree/main/roles/web-svc-coturn"
+  documentation: "https://github.com/coturn/coturn/wiki"
-  min_ansible_version: "2.9"
+  logo:
-  platforms:
+    class: "webrtc"
-    - name: Any
+  run_after: []
-      versions:
-        - all

roles/web-svc-coturn/tasks/main.yml

@@ -1,4 +1,4 @@
 ---
-- name: "For '{{ application_id }}': Load sys-stk-back-stateless"
+- name: "Load 'sys-stk-semi-stateless' for '{{ application_id }}'"
   include_role:
-    name: sys-stk-back-stateless
+    name: sys-stk-semi-stateless

roles/web-svc-file/tasks/main.yml

@@ -3,7 +3,7 @@
     include_role:
       name: '{{ item }}'
     loop:
-    - sys-svc-webserver-https
+    - sys-stk-front-base
     - dev-git
   - include_tasks: utils/run_once.yml
   when: run_once_web_svc_file is not defined

roles/web-svc-html/tasks/main.yml

@@ -3,7 +3,7 @@
     include_role:
       name: '{{ item }}'
     loop:
-    - sys-svc-webserver-https
+    - sys-stk-front-base
     - dev-git
   - include_tasks: utils/run_once.yml
   when: run_once_web_svc_html is not defined