Refactor run-once logic across multiple roles and integrate unified utils/run_once.yml

This commit standardizes all run-once implementations across the following roles:
- desk-git
- dev-fakeroot
- dev-git
- dev-python-yaml
- sys-lock
- sys-svc-certs (wildcard flavor)
- update-apt
- update-pacman
- update-compose
- user-root (moved logic to 01_core.yml + unified run-once handling)
- web-app-matomo
- web-svc-libretranslate

All roles now:
- Use a block guarded by 'run_once_<role>' facts
- Trigger run-once state through utils/run_once.yml
- Optionally disable handler flushing via 'flush_handlers: false'
- Achieve consistent per-host one-time execution semantics

Conversation reference: https://chatgpt.com/share/692c7fbb-ff68-800f-8cb4-4b132cffc8e4

roles/sys-svc-certs/tasks/flavors/wildcard.yml

@@ -1,10 +1,14 @@
-- name: "Load wildcard certificate for domain"
-  include_tasks: "dedicated.yml"
-  vars:
-    wildcard_domain: true
-  when: 
-    - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
-    - run_once_receive_certificate is not defined  
+- block:
+    - name: "Load wildcard certificate for domain"
+      include_tasks: "dedicated.yml"
+      vars:
+        wildcard_domain: true
+      when: 
+        - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
+    - name: run the receive_certificate tasks once
+      set_fact:
+        run_once_receive_certificate: true
+  when: run_once_receive_certificate is not defined
 
 - name: "Load dedicated certificate for domain"
   include_tasks: "dedicated.yml"
@@ -12,8 +16,4 @@
     wildcard_domain: false
   when: 
     - not (domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN))
-
-- name: run the receive_certificate tasks once
-  set_fact:
-    run_once_receive_certificate: true
-  when: run_once_receive_certificate is not defined
+