Fix Matomo bootstrap logic and dependency ordering to prevent recursion (see conversation: https://chatgpt.com/share/692cb23b-fb3c-800f-98b6-ce7f61595305 )

This commit introduces several improvements to the Matomo initialization workflow:

- Moves the Matomo reachability check into sys-front-inj-all/tasks/01_dependencies.yml.
- Ensures web-app-matomo is only initialized when the endpoint is unreachable.
- Avoids condition inheritance on include_role by removing block-level when conditions.
- Adds explicit guarding conditions (inj_enabled.matomo, run_once_web_app_matomo usage).
- Ensures Matomo-dependent injections (CSS, Desktop, Logout, CDN) are skipped for Matomo itself.
- Fixes incorrect status_code format (now using YAML list format).
- Moves utils/run_once.yml to the top of 01_core.yml to prevent recursive re-invocation of web-app-matomo.
- Cleans Matomo config/main.yml feature definitions and clarifies which features are disabled during initial bootstrap.
- Removes legacy global Matomo bootstrap from 02_server.yml, centralizing logic in sys-front-inj-all.
- Fixes typo in inj_enabled task name.

This results in a robust, idempotent, recursion-safe Matomo bootstrap sequence that works across all injected web domains.

roles/web-app-matomo/tasks/01_core.yml

@@ -1,3 +1,6 @@
+# Required to be set on the top to prevent infinite recursions appearing in roles/sys-front-inj-all/tasks/01_dependencies.yml
+- include_tasks: utils/run_once.yml
+
 - name: "load docker, db and proxy for {{ application_id }}"
   include_role:
     name: sys-stk-full-stateful
@@ -40,5 +43,3 @@
       token_auth: "{{ matomo_auth_token }}"
     return_content: yes
     status_code: 200
-
-- include_tasks: utils/run_once.yml