Refactor run-once logic across multiple roles and integrate unified utils/run_once.yml

This commit standardizes all run-once implementations across the following roles:
- desk-git
- dev-fakeroot
- dev-git
- dev-python-yaml
- sys-lock
- sys-svc-certs (wildcard flavor)
- update-apt
- update-pacman
- update-compose
- user-root (moved logic to 01_core.yml + unified run-once handling)
- web-app-matomo
- web-svc-libretranslate

All roles now:
- Use a block guarded by 'run_once_<role>' facts
- Trigger run-once state through utils/run_once.yml
- Optionally disable handler flushing via 'flush_handlers: false'
- Achieve consistent per-host one-time execution semantics

Conversation reference: https://chatgpt.com/share/692c7fbb-ff68-800f-8cb4-4b132cffc8e4

roles/update-compose/tasks/01_core.yml

@@ -7,11 +7,15 @@
 - name: "Update with pacman"
   include_role:
     name: update-pacman
-  when: ansible_distribution == 'Archlinux'
+  when: 
+    - ansible_distribution == 'Archlinux'
+    - run_once_update_pacman is not defined
   
 - name: "Update with apt"
   include_role:
     name: update-apt
-  when: ansible_distribution == "Debian"
+  when: 
+    - ansible_distribution == "Debian"
+    - run_once_update_apt is not defined
 
 - include_tasks: utils/run_once.yml