Added reset condition for openresty

- Swap role includes: sys-systemctl → sys-service in all roles
- Rename variables everywhere: systemctl_* → system_service_* (incl. systemctl_id → system_service_id)
- Templates: ExecStart now uses {{ system_service_script_exec }}; add optional RuntimeMaxSec via SYS_SERVICE_DEFAULT_RUNTIME
- Move SYS_SERVICE defaults into roles/sys-service/defaults (remove SYS_SERVICE_ALL_ENABLED & SYS_SERVICE_DEFAULT_STATE from group_vars/07_services.yml)
- Tidy group_vars/all/08_timer.yml formatting
- Introduce roles/sys-daemon:
  - default manager timeouts (timeouts.conf)
  - optional purge of /etc/systemd/system.conf.d
  - validation via systemd-analyze verify
  - handlers for daemon-reload & daemon-reexec
- Refactor sys-timer to system_service_* variables (docs and templates updated)
- Move filter_plugins/filetype.py under sys-service
- Update meta/README to point to official systemd docs
- Touch many roles (backup/cleanup/health/repair/certs/nginx/csp/wireguard/ssd-hdd/keyboard/update-docker/alarm compose/email/telegram/etc.) to new naming

BREAKING CHANGE:
- Role path/name change: use `sys-service` instead of `sys-systemctl`
- All `systemctl_*` vars are now `system_service_*` (e.g., on_calendar, state, timer_enabled, script_exec, id)
- If you have custom templates, adopt RuntimeMaxSec and new variable names

Chat context: https://chatgpt.com/share/68a47568-312c-800f-af3f-e98575446327

group_vars/all/07_services.yml

@@ -3,21 +3,18 @@
 
 ## Meta
 SYS_SERVICE_SUFFIX:                   ".{{ SOFTWARE_NAME | lower }}.service"
-SYS_SERVICE_ALL_ENABLED:              false # Flush all services
-SYS_SERVICE_DEFAULT_STATE:            "{{ omit }}"
 
 ## Names
-SYS_SERVICE_CLEANUP_BACKUPS_OLD:      "{{ 'sys-ctl-cln-backups'     | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_CLEANUP_BACKUPS_OLD:      "{{ 'sys-ctl-cln-bkps'        | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_CLEANUP_BACKUPS_FAILED:   "{{ 'sys-ctl-cln-faild-bkps'  | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_OPTIMIZE_DRIVE:           "{{ 'svc-opt-ssd-hdd'         | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_BACKUP_RMT_2_LOC:         "{{ 'svc-bkp-rmt-2-loc'       | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_REPAIR_DOCKER_SOFT:       "{{ 'sys-ctl-rpr-docker-soft' | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_REPAIR_DOCKER_HARD:       "{{ 'sys-ctl-rpr-docker-hard' | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_UPDATE_DOCKER:            "{{ 'update-docker'           | get_service_name(SOFTWARE_NAME) }}"
 
 ## On Failure
-SYS_SERVICE_ON_FAILURE_COMPOSE:   "{{ 'sys-ctl-alm-compose'   | get_service_name(SOFTWARE_NAME,'%i.service') }}"
-SYS_SERVICE_ON_FAILURE_EMAIL:     "{{ 'sys-ctl-alm-email'     | get_service_name(SOFTWARE_NAME,'%i.service') }}"
-SYS_SERVICE_ON_FAILURE_TELEGRAM:  "{{ 'sys-ctl-alm-telegram'  | get_service_name(SOFTWARE_NAME,'%i.service') }}"
+SYS_SERVICE_ON_FAILURE_COMPOSE:       "{{ 'sys-ctl-alm-compose'   | get_service_name(SOFTWARE_NAME,'%i.service') }}"
 
 ## Groups
 SYS_SERVICE_GROUP_BACKUPS: >

group_vars/all/08_timer.yml

@@ -3,12 +3,12 @@
 
 ## Meta
 SYS_TIMER_SUFFIX:       ".{{ SOFTWARE_NAME | lower }}.timer"
-SYS_TIMER_ALL_ENABLED:  false   # Runtime Variables for Process Control - Activates all timers, independend if the handlers had been triggered
+SYS_TIMER_ALL_ENABLED:  "{{ not MODE_DEBUG }}"   # Runtime Variables for Process Control - Activates all timers, independend if the handlers had been triggered
 
 ## Server Tact Variables 
 
-HOURS_SERVER_AWAKE:   "0..23" # Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
-RANDOMIZED_DELAY_SEC: "5min"  # Random delay for systemd timers to avoid peak loads.
+HOURS_SERVER_AWAKE:            "0..23" # Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
+RANDOMIZED_DELAY_SEC:          "5min"  # Random delay for systemd timers to avoid peak loads.
 
 ## Timeouts for all services
 SYS_TIMEOUT_CLEANUP_SERVICES:  "15min"

roles/svc-bkp-loc-2-usb/tasks/main.yml

@@ -23,4 +23,4 @@
       to non‑empty values in your configuration file.
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service

roles/svc-bkp-loc-2-usb/templates/systemctl.service.j2

@@ -5,7 +5,7 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStart=/bin/python {{ systemctl_id | get_service_script_path('py') }} {{ BACKUP_TO_USB_SOURCE }} {{ BACKUP_TO_USB_DESTINATION }}
+ExecStart={{ system_service_script_exec }} {{ BACKUP_TO_USB_SOURCE }} {{ BACKUP_TO_USB_DESTINATION }}
 ExecStartPost=/bin/systemctl start {{ SYS_SERVICE_CLEANUP_BACKUPS_OLD }}
 
 [Install]

roles/svc-bkp-loc-2-usb/vars/main.yml

@@ -1,5 +1,5 @@
 application_id:                 "svc-bkp-loc-2-usb"
-systemctl_id:                   "{{ application_id }}"
+system_service_id:                   "{{ application_id }}"
 
 BACKUP_TO_USB_DESTINATION:      '{{ BACKUP_TO_USB_MOUNT}}{{ BACKUP_TO_USB_TARGET }}'
 BACKUPS_SERVICE_MNT_NAME:       '{{ BACKUP_TO_USB_MOUNT | trim(''/'') | replace(''/'',''-'') }}.mount'

roles/svc-bkp-rmt-2-loc/tasks/main.yml

@@ -23,8 +23,8 @@
     mode: "0755"
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_timer_enabled:  true
-    systemctl_on_calendar:    "{{ SYS_SCHEDULE_BACKUP_REMOTE_TO_LOCAL }}"
+    system_service_timer_enabled:  true
+    system_service_on_calendar:    "{{ SYS_SCHEDULE_BACKUP_REMOTE_TO_LOCAL }}"
 

roles/svc-bkp-rmt-2-loc/templates/systemctl.service.j2

@@ -4,5 +4,6 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }} {{ SYS_SERVICE_CLEANUP_BACKUPS_FA
 
 [Service]
 Type=oneshot
-ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_BACKUPS| join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"'
-ExecStart=/bin/sh -c '/usr/bin/bash {{ systemctl_id | get_service_script_path('sh') }}'
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_BACKUPS| join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"
+ExecStart={{ system_service_script_exec }}
+ExecStartPost=/bin/systemctl start {{ SYS_SERVICE_CLEANUP_BACKUPS_OLD }}

roles/svc-bkp-rmt-2-loc/vars/main.yml

@@ -1,5 +1,5 @@
 application_id:                                 svc-bkp-rmt-2-loc
-systemctl_id:                                   "{{ application_id }}"  
+system_service_id:                                   "{{ application_id }}"  
 DOCKER_BACKUP_REMOTE_2_LOCAL_DIR:               '{{ PATH_ADMINISTRATOR_SCRIPTS }}{{ application_id }}/'
 DOCKER_BACKUP_REMOTE_2_LOCAL_SCRIPT:            "{{ DOCKER_BACKUP_REMOTE_2_LOCAL_DIR }}svc-bkp-rmt-2-loc.sh"
 DOCKER_BACKUP_REMOTE_2_LOCAL_BACKUP_PROVIDERS:  "{{ applications | get_app_conf(application_id, 'backup_providers')  }}"

roles/svc-net-wireguard-plain/tasks/main.yml

@@ -1,2 +1,2 @@
 - include_role:
-    name: sys-systemctl
+    name: sys-service

roles/svc-net-wireguard-plain/templates/systemctl.service.j2

@@ -4,7 +4,7 @@ Before=wg-quick@wg0.service
 
 [Service]
 Type=oneshot
-ExecStart=bash {{ systemctl_id | get_service_script_path('sh') }}
+ExecStart={{ system_service_script_exec }}
 
 [Install]
 RequiredBy=wg-quick@wg0.service

roles/svc-net-wireguard-plain/vars/main.yml

@@ -1,2 +1,2 @@
 application_id: svc-net-wireguard-plain
-systemctl_id:   "{{ application_id }}"
+system_service_id:   "{{ application_id }}"

roles/svc-opt-keyboard-color/tasks/01_core.yml

@@ -11,8 +11,8 @@
     - msi-perkeyrgb
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar:    "{{ SYS_SCHEDULE_ANIMATION_KEYBOARD_COLOR }}"
-    systemctl_timer_enabled:  true
+    system_service_on_calendar:    "{{ SYS_SCHEDULE_ANIMATION_KEYBOARD_COLOR }}"
+    system_service_timer_enabled:  true
     persistent:               true

roles/svc-opt-keyboard-color/templates/systemctl.service.j2

@@ -4,4 +4,4 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStart=/bin/python {{ systemctl_id | get_service_script_path('py') }} {{ vendor_and_product_id }}
+ExecStart={{ system_service_script_exec }} {{ vendor_and_product_id }}

roles/svc-opt-keyboard-color/vars/main.yml

@@ -1,3 +1,3 @@
 application_id: svc-opt-keyboard-color
-systemctl_id:   "{{ application_id }}"
+system_service_id:   "{{ application_id }}"
 vendor_and_product_id:  "{{ applications | get_app_conf(application_id, 'vendor_and_product_id') }}"

roles/svc-opt-ssd-hdd/tasks/main.yml

@@ -1,2 +1,2 @@
 - include_role:
-    name: sys-systemctl
+    name: sys-service

roles/svc-opt-ssd-hdd/templates/systemctl.service.j2

@@ -4,5 +4,5 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_OPTIMIZE_DRIVE }} {{ SYS_SERVICE_BACKUP_RMT_2_LOC }} --timeout "{{ SYS_TIMEOUT_STORAGE_OPTIMIZER }}"'
-ExecStart=/bin/sh -c '/usr/bin/python {{ systemctl_id | get_service_script_path('sh') }} --rapid-storage-path {{ OPT_DRIVE_RAPID_STORAGE_PATH }} --mass-storage-path {{ OPT_DRIVE_MASS_STORAGE_PATH }}'
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_OPTIMIZE_DRIVE }} {{ SYS_SERVICE_BACKUP_RMT_2_LOC }} --timeout "{{ SYS_TIMEOUT_STORAGE_OPTIMIZER }}"
+ExecStart={{ system_service_script_exec }} --mass-storage-path {{ OPT_DRIVE_MASS_STORAGE_PATH }}

roles/svc-opt-ssd-hdd/vars/main.yml

@@ -1,4 +1,4 @@
 application_id:               svc-opt-ssd-hdd
-systemctl_id:                 "{{ application_id }}"
+system_service_id:                 "{{ application_id }}"
 OPT_DRIVE_RAPID_STORAGE_PATH: "{{ applications | get_app_conf(application_id, 'volumes.rapid_storage') }}"
 OPT_DRIVE_MASS_STORAGE_PATH:  "{{ applications | get_app_conf(application_id, 'volumes.mass_storage') }}"

roles/svc-prx-openresty/handlers/main.yml

@@ -1,4 +1,13 @@
 ---
+- name: Wait until OpenResty container is running
+  command: docker inspect -f '{{.State.Running}}' {{ OPENRESTY_CONTAINER }}
+  register: openresty_status
+  retries: 10
+  delay: 3
+  until: openresty_status.stdout.strip() == "true"
+  changed_when: false
+  listen: restart openresty
+
 - name: Validate OpenResty configuration
   command: >
     docker exec {{ OPENRESTY_CONTAINER }} openresty -t -q

roles/sys-ctl-alm-compose/tasks/01_core.yml

@@ -0,0 +1,25 @@
+- name: "Include dependent services for '{{ system_service_id  }}'"
+  include_role:
+    name: '{{ item }}'
+  loop:
+    - sys-ctl-alm-telegram
+    - sys-ctl-alm-email
+  vars:
+    flush_handlers: true
+    systemctl_timer_enabled: false
+    systemctl_copy_files: true
+
+- name: "Include core service for '{{ system_service_id  }}'"
+  include_role:
+    name: sys-service
+  vars:
+    flush_handlers: true
+    systemctl_timer_enabled: false
+    systemctl_copy_files: true
+    systemctl_tpl_exec_start: "{{ system_service_script_exec }} %i"
+    systemctl_tpl_on_failure: "" # No on failure needed, because it's anyhow the default on failure procedure
+
+- name: "Send message to test service."
+  systemd:
+    name: "sys-ctl-alm-compose@{{ SYSTEMCTL_ALARM_COMPOSER_DUMMY_MESSAGE }}.service"
+    state: started

roles/sys-ctl-alm-compose/tasks/main.yml

@@ -1,14 +1,4 @@
 - block:
-  - name: "Include '{{ systemctl_id }}'"
-    include_role:
-      name: '{{ item }}'
-    loop:
-      - sys-ctl-alm-telegram
-      - sys-ctl-alm-email
-      - sys-systemctl
-    vars:
-      flush_handlers: true
-      systemctl_timer_enabled: false
-      systemctl_copy_files: false
+  - include_tasks: 01_core.yml
   - include_tasks: utils/run_once.yml
   when: run_once_sys_ctl_alm_compose is not defined

roles/sys-ctl-alm-compose/templates/script.sh.j2

@@ -0,0 +1,11 @@
+#!/bin/bash
+err=0
+set -u
+{% for alarm_service in SYSTEMCTL_ALARM_COMPOSER_SUBSERVICES %}
+{% set alarm_service_full_name = alarm_service | get_service_name(SOFTWARE_NAME, '"$1".service') %}
+if ! /usr/bin/systemctl start {{ alarm_service_full_name }}; then
+  echo "ERROR: Failed to start {{ alarm_service_full_name }}" >&2
+  err=1
+fi
+{% endfor %}
+exit $err

roles/sys-ctl-alm-compose/templates/systemctl@.service.j2

@@ -1,8 +0,0 @@
-[Unit]
-Description=Notifier for %i
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/systemctl start {{ SYS_SERVICE_ON_FAILURE_EMAIL }} {{ SYS_SERVICE_ON_FAILURE_TELEGRAM }}
-User=root
-Group=systemd-journal

roles/sys-ctl-alm-compose/vars/main.yml

@@ -1 +1,7 @@
-systemctl_id: sys-ctl-alm-compose@
+system_service_id: sys-ctl-alm-compose@
+
+SYSTEMCTL_ALARM_COMPOSER_SUBSERVICES:
+  - 'sys-ctl-alm-email'
+  - 'sys-ctl-alm-telegram'
+
+SYSTEMCTL_ALARM_COMPOSER_DUMMY_MESSAGE: "[Info] Dummy Message: No Failure; Ansible is initializing {{ SOFTWARE_NAME }} on {{ inventory_hostname }}."

roles/sys-ctl-alm-email/README.md

@@ -2,7 +2,7 @@
 
 ## Description
 
-This role installs and configures the necessary components for sending email notifications via systemd when a service fails. It sets up the `{{ systemctl_id }}` service and configures email parameters and templates using msmtp.
+This role installs and configures the necessary components for sending email notifications via systemd when a service fails. It sets up the `{{ system_service_id }}` service and configures email parameters and templates using msmtp.
 
 ## Overview
 

roles/sys-ctl-alm-email/tasks/01_core.yml

@@ -5,8 +5,8 @@
   - sys-svc-msmtp
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_copy_files: true
+    system_service_copy_files: true
 
 

roles/sys-ctl-alm-email/templates/systemctl@.service.j2

@@ -3,6 +3,6 @@ Description=status email for %i to user
 
 [Service]
 Type=oneshot
-ExecStart=/bin/bash {{ systemctl_id | get_service_script_path('sh') }} %i
+ExecStart={{ system_service_script_exec }} %i
 User=root
 Group=systemd-journal

roles/sys-ctl-alm-email/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-alm-email@
+system_service_id: sys-ctl-alm-email@

roles/sys-ctl-alm-telegram/tasks/01_core.yml

@@ -10,9 +10,9 @@
         - telegram_chat_id     # The Telegram chat ID to send messages to
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_copy_files: true
+    system_service_copy_files: true
 
 - name: install curl
   community.general.pacman:

roles/sys-ctl-alm-telegram/templates/systemctl@.service.j2

@@ -3,6 +3,6 @@ Description=status Telegram message for %i to user
 
 [Service]
 Type=oneshot
-ExecStart=/bin/bash {{ systemctl_id | get_service_script_path('sh') }} %i
+ExecStart={{ system_service_script_exec }} %i
 User=root
 Group=systemd-journal

roles/sys-ctl-alm-telegram/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-alm-telegram@
+system_service_id: sys-ctl-alm-telegram@

roles/sys-ctl-bkp-docker-2-loc/tasks/01_core.yml

@@ -15,8 +15,8 @@
   when: MODE_RESET | bool
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_copy_files:     false
-    systemctl_timer_enabled:  false
-    systemctl_on_calendar:    "{{ SYS_SCHEDULE_BACKUP_DOCKER_TO_LOCAL }}"
+    system_service_copy_files:     false
+    system_service_timer_enabled:  false
+    system_service_on_calendar:    "{{ SYS_SCHEDULE_BACKUP_DOCKER_TO_LOCAL }}"

roles/sys-ctl-bkp-docker-2-loc/templates/systemctl.service.j2

@@ -4,6 +4,6 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }} {{ SYS_SERVICE_CLEANUP_BACKUPS_FA
 
 [Service]
 Type=oneshot
-ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_BACKUPS | reject('equalto', role_name ~ '-everything') | join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"'
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_BACKUPS | reject('equalto', role_name ~ '-everything') | join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"
 ExecStart=/bin/sh -c '{{ BKP_DOCKER_2_LOC_EXEC }}'
-ExecStartPost=/bin/sh -c '/bin/systemctl start {{ 'sys-ctl-rpr-docker-soft' | get_service_name(SOFTWARE_NAME) }} &'
+ExecStartPost=/bin/systemctl start {{ SYS_SERVICE_CLEANUP_BACKUPS_OLD }}

roles/sys-ctl-bkp-docker-2-loc/vars/main.yml

@@ -5,7 +5,7 @@
 # - BKP_DOCKER_2_LOC_DISABLED:         All images where backup.disabled is set (for --images-no-backup-required)
 # CLI-ready variables render these lists as argument strings.
 
-systemctl_id: sys-ctl-bkp-docker-2-loc
+system_service_id: sys-ctl-bkp-docker-2-loc
 
 # Verify if DB is enabled
 BKP_DOCKER_2_LOC_DB_ENABLED: "{{ database_type | default('') | bool }}"

roles/sys-ctl-cln-bkps/tasks/01_core.yml

@@ -14,4 +14,4 @@
     state: present
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service

roles/sys-ctl-cln-bkps/tasks/main.yml

@@ -1,5 +1,6 @@
 - block:
     - include_tasks: 01_core.yml
     - include_tasks: utils/run_once.yml
+      vars:
+        flush_handlers: true
   when: run_once_sys_ctl_cln_bkps is not defined
-

roles/sys-ctl-cln-bkps/templates/systemctl.service.j2

@@ -4,5 +4,5 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP| join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"'
-ExecStart=/bin/sh -c '/usr/bin/python {{ systemctl_id | get_service_script_path('sh') }} --backups-folder-path {{ BACKUPS_FOLDER_PATH }} --maximum-backup-size-percent {{SIZE_PERCENT_MAXIMUM_BACKUP}}'
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP | join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"
+ExecStart={{ system_service_script_exec }} --backups-folder-path {{ BACKUPS_FOLDER_PATH }} --maximum-backup-size-percent {{SIZE_PERCENT_MAXIMUM_BACKUP}}

roles/sys-ctl-cln-bkps/vars/main.yml

@@ -1 +1 @@
-systemctl_id: "sys-ctl-cln-bkps"
+system_service_id: "sys-ctl-cln-bkps"

roles/sys-ctl-cln-certs/tasks/01_core.yml

@@ -12,8 +12,8 @@
     package_name: certreap
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_timer_enabled:  true
-    systemctl_on_calendar:    "{{ SYS_SCHEDULE_CLEANUP_CERTS }}"
-    systemctl_copy_files:     false
+    system_service_timer_enabled:  true
+    system_service_on_calendar:    "{{ SYS_SCHEDULE_CLEANUP_CERTS }}"
+    system_service_copy_files:     false

roles/sys-ctl-cln-certs/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-cln-certs
+system_service_id: sys-ctl-cln-certs

roles/sys-ctl-cln-disc-space/tasks/01_core.yml

@@ -6,7 +6,7 @@
   - sys-lock
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_timer_enabled:  true
-    systemctl_on_calendar: "{{SYS_SCHEDULE_CLEANUP_DISC_SPACE}}"
+    system_service_timer_enabled:  true
+    system_service_on_calendar: "{{SYS_SCHEDULE_CLEANUP_DISC_SPACE}}"

roles/sys-ctl-cln-disc-space/templates/script.sh.j2

@@ -24,7 +24,7 @@ if [ "$force_freeing" = true ]; then
   
   {% if BACKUPS_FOLDER_PATH is defined and SIZE_PERCENT_MAXIMUM_BACKUP is defined %}
   echo "cleaning up backups" &&
-  python {{ 'sys-ctl-cln-backups' | get_service_script_path('sh') }} --backups-folder-path {{ BACKUPS_FOLDER_PATH }} --maximum-backup-size-percent {{SIZE_PERCENT_MAXIMUM_BACKUP}} || exit 2
+  python {{ 'sys-ctl-cln-bkps' | get_service_script_path('sh') }} --backups-folder-path {{ BACKUPS_FOLDER_PATH }} --maximum-backup-size-percent {{ SIZE_PERCENT_MAXIMUM_BACKUP }} || exit 2
   {% endif %}
 
   if pacman -Qs $package > /dev/null ; then

roles/sys-ctl-cln-disc-space/templates/systemctl.service.j2

@@ -4,5 +4,5 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP| join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"'
-ExecStart=/bin/sh -c '/bin/bash {{ systemctl_id | get_service_script_path('sh') }} {{SIZE_PERCENT_CLEANUP_DISC_SPACE}}'
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP| join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"
+ExecStart={{ system_service_script_exec }} {{ SIZE_PERCENT_CLEANUP_DISC_SPACE }}

roles/sys-ctl-cln-disc-space/vars/main.yml

@@ -1 +1 @@
-systemctl_id:  "sys-ctl-cln-disc-space"
+system_service_id:  "sys-ctl-cln-disc-space"

roles/sys-ctl-cln-faild-bkps/tasks/01_core.yml

@@ -24,8 +24,8 @@
   changed_when: false
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_timer_enabled:  true
-    systemctl_on_calendar: "{{SYS_SCHEDULE_CLEANUP_FAILED_BACKUPS}}"
-    systemctl_copy_files: false
+    system_service_timer_enabled:  true
+    system_service_on_calendar: "{{SYS_SCHEDULE_CLEANUP_FAILED_BACKUPS}}"
+    system_service_copy_files: false

roles/sys-ctl-cln-faild-bkps/templates/systemctl.service.j2

@@ -4,5 +4,5 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP| join(' ') }} --timeout "{{ SYS_TIMEOUT_CLEANUP_SERVICES }}"'
-ExecStart=/bin/sh -c '/usr/bin/yes | /usr/bin/bash {{ BACKUP_CLEANUP_SCRIPT }}'
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP| join(' ') }} --timeout "{{ SYS_TIMEOUT_CLEANUP_SERVICES }}"
+ExecStart=/bin/sh -c '/usr/bin/yes | /usr/bin/bash {{ BACKUP_CLEANUP_SCRIPT | quote }}'

roles/sys-ctl-cln-faild-bkps/vars/main.yml

@@ -1,2 +1,2 @@
-systemctl_id: sys-ctl-cln-faild-bkps
+system_service_id: sys-ctl-cln-faild-bkps
 CLN_FAILED_DOCKER_BACKUPS_PKG: cleanup-failed-docker-backups

roles/sys-ctl-hlth-btrfs/tasks/01_core.yml

@@ -4,7 +4,7 @@
   when: run_once_sys_ctl_alm_compose is not defined
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar: "{{SYS_SCHEDULE_HEALTH_BTRFS}}"
-    systemctl_timer_enabled:  true
+    system_service_on_calendar: "{{SYS_SCHEDULE_HEALTH_BTRFS}}"
+    system_service_timer_enabled:  true

roles/sys-ctl-hlth-btrfs/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-hlth-btrfs
+system_service_id: sys-ctl-hlth-btrfs

roles/sys-ctl-hlth-csp/tasks/01_core.yml

@@ -11,7 +11,7 @@
     package_notify: rebuild checkcsp docker image
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar: "{{ SYS_SCHEDULE_HEALTH_CSP_CRAWLER }}"
-    systemctl_timer_enabled: true
+    system_service_on_calendar: "{{ SYS_SCHEDULE_HEALTH_CSP_CRAWLER }}"
+    system_service_timer_enabled: true

roles/sys-ctl-hlth-csp/templates/systemctl.service.j2

@@ -4,4 +4,4 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/python3 {{ systemctl_id | get_service_script_path('py') }} --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}
+ExecStart={{ system_service_script_exec }} --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}

roles/sys-ctl-hlth-csp/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-hlth-csp
+system_service_id: sys-ctl-hlth-csp

roles/sys-ctl-hlth-disc-space/tasks/main.yml

@@ -7,7 +7,7 @@
   when: run_once_sys_ctl_hlth_disc_space is not defined
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar:    "{{ SYS_SCHEDULE_HEALTH_DISC_SPACE }}"
-    systemctl_timer_enabled:  true
+    system_service_on_calendar:    "{{ SYS_SCHEDULE_HEALTH_DISC_SPACE }}"
+    system_service_timer_enabled:  true

roles/sys-ctl-hlth-disc-space/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-hlth-disc-space
+system_service_id: sys-ctl-hlth-disc-space

roles/sys-ctl-hlth-docker-container/tasks/01_core.yml

@@ -4,7 +4,7 @@
   when: run_once_sys_ctl_alm_compose is not defined
   
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_timer_enabled:  true
-    systemctl_on_calendar:    "{{ SYS_SCHEDULE_HEALTH_DOCKER_CONTAINER }}"
+    system_service_timer_enabled:  true
+    system_service_on_calendar:    "{{ SYS_SCHEDULE_HEALTH_DOCKER_CONTAINER }}"

roles/sys-ctl-hlth-docker-container/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-hlth-docker-container
+system_service_id: sys-ctl-hlth-docker-container

roles/sys-ctl-hlth-docker-volumes/tasks/01_core.yml

@@ -4,7 +4,7 @@
   when: run_once_sys_ctl_alm_compose is not defined
   
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar: "{{SYS_SCHEDULE_HEALTH_DOCKER_VOLUMES}}"
-    systemctl_timer_enabled: true
+    system_service_on_calendar: "{{SYS_SCHEDULE_HEALTH_DOCKER_VOLUMES}}"
+    system_service_timer_enabled: true

roles/sys-ctl-hlth-docker-volumes/templates/systemctl.service.j2

@@ -4,4 +4,4 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStart=/bin/bash {{ systemctl_id | get_service_script_path('sh') }} "{{ DOCKER_WHITELISTET_ANON_VOLUMES | join(' ') }}"
+ExecStart={{ system_service_script_exec }} "{{ DOCKER_WHITELISTET_ANON_VOLUMES | join(' ') }}"

roles/sys-ctl-hlth-docker-volumes/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-hlth-docker-volumes
+system_service_id: sys-ctl-hlth-docker-volumes

roles/sys-ctl-hlth-journalctl/tasks/01_core.yml

@@ -4,7 +4,7 @@
   when: run_once_sys_ctl_alm_compose is not defined
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar: "{{SYS_SCHEDULE_HEALTH_JOURNALCTL}}"
-    systemctl_timer_enabled:  true
+    system_service_on_calendar: "{{SYS_SCHEDULE_HEALTH_JOURNALCTL}}"
+    system_service_timer_enabled:  true

roles/sys-ctl-hlth-journalctl/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-hlth-journalctl
+system_service_id: sys-ctl-hlth-journalctl

roles/sys-ctl-hlth-msmtp/tasks/01_core.yml

@@ -4,7 +4,7 @@
   when: run_once_sys_ctl_alm_telegram is not defined
   
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar:    "{{ SYS_SCHEDULE_HEALTH_MSMTP }}"
-    systemctl_timer_enabled:  true
+    system_service_on_calendar:    "{{ SYS_SCHEDULE_HEALTH_MSMTP }}"
+    system_service_timer_enabled:  true

roles/sys-ctl-hlth-msmtp/vars/main.yml

@@ -1,2 +1,2 @@
-systemctl_id: sys-ctl-hlth-msmtp
+system_service_id: sys-ctl-hlth-msmtp
 

roles/sys-ctl-hlth-webserver/tasks/01_core.yml

@@ -14,7 +14,7 @@
     state: present
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar: "{{SYS_SCHEDULE_HEALTH_NGINX}}"
-    systemctl_timer_enabled:  true
+    system_service_on_calendar: "{{SYS_SCHEDULE_HEALTH_NGINX}}"
+    system_service_timer_enabled:  true

roles/sys-ctl-hlth-webserver/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-hlth-webserver
+system_service_id: sys-ctl-hlth-webserver

roles/sys-ctl-mtn-cert-deploy/tasks/01_core.yml

@@ -4,9 +4,9 @@
   when: run_once_sys_ctl_alm_compose is not defined
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_state: restarted
-    systemctl_on_calendar:  "{{ SYS_SCHEDULE_MAINTANANCE_LETSENCRYPT_DEPLOY }}"
+    system_service_state: restarted
+    system_service_on_calendar:  "{{ SYS_SCHEDULE_MAINTANANCE_LETSENCRYPT_DEPLOY }}"
     persistent:   "true"
-    systemctl_timer_enabled:  true
+    system_service_timer_enabled:  true

roles/sys-ctl-mtn-cert-deploy/templates/systemctl.service.j2

@@ -4,4 +4,4 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStart={{ systemctl_id | get_service_script_path('sh') }} {{ ssl_cert_folder }} {{ docker_compose.directories.instance }} {{ LETSENCRYPT_LIVE_PATH }}
+ExecStart={{ system_service_script_exec }} {{ ssl_cert_folder }} {{ docker_compose.directories.instance }} {{ LETSENCRYPT_LIVE_PATH }}

roles/sys-ctl-mtn-cert-deploy/vars/main.yml

@@ -1 +1 @@
-systemctl_id:                        "sys-ctl-mtn-cert-deploy"
+system_service_id:                        "sys-ctl-mtn-cert-deploy"

roles/sys-ctl-mtn-cert-renew/tasks/01_core.yml

@@ -13,9 +13,9 @@
     state: present
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_copy_files: false
-    systemctl_on_calendar: "{{ SYS_SCHEDULE_MAINTANANCE_LETSENCRYPT_RENEW }}"
+    system_service_copy_files: false
+    system_service_on_calendar: "{{ SYS_SCHEDULE_MAINTANANCE_LETSENCRYPT_RENEW }}"
     persistent: true
-    systemctl_timer_enabled:  true
+    system_service_timer_enabled:  true

roles/sys-ctl-mtn-cert-renew/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-mtn-cert-renew
+system_service_id: sys-ctl-mtn-cert-renew

roles/sys-ctl-rpr-btrfs-balancer/tasks/01_core.yml

@@ -10,8 +10,8 @@
     package_name: btrfs-auto-balancer
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_copy_files: false
-    systemctl_on_calendar: "{{SYS_SCHEDULE_REPAIR_BTRFS_AUTO_BALANCER}}"
-    systemctl_timer_enabled:  true
+    system_service_copy_files: false
+    system_service_on_calendar: "{{SYS_SCHEDULE_REPAIR_BTRFS_AUTO_BALANCER}}"
+    system_service_timer_enabled:  true

roles/sys-ctl-rpr-btrfs-balancer/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-rpr-btrfs-balancer
+system_service_id: sys-ctl-rpr-btrfs-balancer

roles/sys-ctl-rpr-docker-hard/tasks/01_core.yml

@@ -4,7 +4,7 @@
   when: run_once_sys_lock is not defined
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar: "{{SYS_SCHEDULE_REPAIR_DOCKER_HARD}}"
-    systemctl_timer_enabled:  true
+    system_service_on_calendar: "{{SYS_SCHEDULE_REPAIR_DOCKER_HARD}}"
+    system_service_timer_enabled:  true

roles/sys-ctl-rpr-docker-hard/templates/systemctl.service.j2

@@ -4,5 +4,5 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP | join(' ') }} {{ SYS_SERVICE_REPAIR_DOCKER_HARD }} --timeout "{{ SYS_TIMEOUT_RESTART_DOCKER }}"'
-ExecStart=/bin/sh -c '/usr/bin/python {{ systemctl_id | get_service_script_path('py') }}'
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP | join(' ') }} {{ SYS_SERVICE_REPAIR_DOCKER_HARD }} --timeout "{{ SYS_TIMEOUT_RESTART_DOCKER }}"
+ExecStart={{ system_service_script_exec }}

roles/sys-ctl-rpr-docker-hard/vars/main.yml

@@ -1,2 +1,2 @@
-systemctl_id: sys-ctl-rpr-docker-hard
+system_service_id: sys-ctl-rpr-docker-hard
 

roles/sys-ctl-rpr-docker-soft/tasks/01_core.yml

@@ -4,7 +4,7 @@
   when: run_once_sys_lock is not defined
 
 - include_role:
-    name: sys-systemctl
+    name: sys-service
   vars:
-    systemctl_on_calendar: "{{SYS_SCHEDULE_REPAIR_DOCKER_SOFT}}"
-    systemctl_timer_enabled:  true
+    system_service_on_calendar: "{{SYS_SCHEDULE_REPAIR_DOCKER_SOFT}}"
+    system_service_timer_enabled:  true

roles/sys-ctl-rpr-docker-soft/templates/systemctl.service.j2

@@ -4,5 +4,5 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP| join(' ') }} sys-ctl-rpr-docker-soft --timeout "{{ SYS_TIMEOUT_HEAL_DOCKER }}"'
-ExecStart=/bin/sh -c '/bin/python {{ systemctl_id | get_service_script_path('py') }} {{ PATH_DOCKER_COMPOSE_INSTANCES }}'
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP| join(' ') }} {{ SYS_SERVICE_REPAIR_DOCKER_SOFT }} --timeout "{{ SYS_TIMEOUT_HEAL_DOCKER }}"
+ExecStart=/bin/sh -c '{{ system_service_script_exec }} {{ PATH_DOCKER_COMPOSE_INSTANCES }}'

roles/sys-ctl-rpr-docker-soft/vars/main.yml

@@ -1 +1 @@
-systemctl_id: sys-ctl-rpr-docker-soft
+system_service_id: sys-ctl-rpr-docker-soft

roles/sys-daemon/README.md

@@ -1,44 +1,26 @@
-# Core Daemon Reset
+# sys-daemon
 
 ## Description
 
-This role resets and cleans up all **Infinito.Nexus** core daemon `systemd` service units that match the configured suffix (`SYS_SERVICE_SUFFIX`).  
-It is primarily used in maintenance or reset scenarios when a full service cleanup is required.
+Role to reset and configure the **systemd manager** for Infinito.Nexus.  
+It ensures a clean state of the manager configuration and applies default timeout values.
 
 ## Overview
 
-When the `MODE_RESET` flag is enabled, the role will:
-
-1. **Run Once Per Play:** Guarded by `run_once_sys_daemon` to avoid duplicate execution.
-2. **Identify Service Units:** Finds all `/etc/systemd/system/*{{ SYS_SERVICE_SUFFIX }}` units.
-3. **Stop and Disable Services:** Gracefully stops and disables matching services.
-4. **Remove Unit Files:** Deletes the corresponding unit files from the system.
-5. **Reload systemd:** Ensures the service manager state is updated after cleanup.
-
-## Purpose
-
-The main goal of this role is to ensure a clean and consistent state for core daemon services by removing obsolete or stale systemd units.  
-This is particularly useful when re-deploying or performing a full environment reset.
+- Purges the systemd manager drop-in directory if requested.  
+- Validates all active unit files before reload/reexec.  
+- Applies default timeout values for systemd manager behavior.  
+- Provides handler-based reload/reexec for systemd.  
 
 ## Features
 
-- **Automated Cleanup:** Stops, disables, and removes targeted systemd units.
-- **Idempotent Execution:** Runs only once per playbook run.
-- **Configurable Targeting:** Matches services using `SYS_SERVICE_SUFFIX`.
-- **Systemd Integration:** Reloads daemon state after changes.
+- **Drop-in Purge:** Optionally remove `/etc/systemd/system.conf.d` contents.  
+- **Manager Defaults:** Deploys custom timeouts via `timeouts.conf`.  
+- **Validation:** Uses `systemd-analyze verify` before reload.  
+- **Integration:** Triggers `daemon-reload` or `daemon-reexec` safely.  
 
 ## Further Resources
 
-- [systemd Service Management](https://www.freedesktop.org/software/systemd/man/systemctl.html)
-- [Infinito.Nexus License](https://s.infinito.nexus/license)
-
-## License
-
-This role is released under the Infinito.Nexus NonCommercial License.
-See [license details](https://s.infinito.nexus/license)
-
-## Author Information
-
-Kevin Veen-Birkenbach
-Consulting & Coaching Solutions
-[https://www.veen.world](https://www.veen.world)
+- [systemd - Manager Configuration](https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html)  
+- [systemd-analyze](https://www.freedesktop.org/software/systemd/man/systemd-analyze.html)  
+- [systemctl](https://www.freedesktop.org/software/systemd/man/systemctl.html)

roles/sys-daemon/defaults/main.yml

@@ -0,0 +1,8 @@
+# General
+SYSTEMD_MANAGER_CONF_DIR:       "/etc/systemd/system.conf.d"
+
+# Defaults
+SYSTEMD_DEFAULT_TIMEOUT_START:  "90s"      # Maximum time a service is allowed to reach the 'active' state during startup
+SYSTEMD_DEFAULT_TIMEOUT_STOP:   "90s"      # Maximum time a service is allowed to stop gracefully before being killed
+SYSTEMD_DEFAULT_TIMEOUT_ABORT:  "90s"      # Additional grace period after Stop timeout before systemd sends SIGKILL
+

roles/sys-daemon/handlers/main.yml

@@ -1,4 +1,49 @@
-- name: "reload system daemon"
+- name: collect systemd unit files
+  shell: |
+    shopt -s nullglob
+    files=({{ PATH_SYSTEM_SERVICE_DIR }}*.service {{ PATH_SYSTEM_SERVICE_DIR }}*.timer)
+    printf "%s\n" "${files[@]}"
+  args:
+    executable: /bin/bash
+  register: _unit_files
+  changed_when: false
+  failed_when: false
+  become: true
+  listen:
+    - reload system daemon
+    - reexec systemd manager
+
+- name: validate systemd units
+  shell: |
+    systemd-analyze verify {{ _unit_files.stdout_lines | join(' ') }}
+  register: _verify_units
+  changed_when: false
+  failed_when: _unit_files.stdout | length > 0 and _verify_units.rc != 0
+  become: true
+  when: _unit_files.stdout | length > 0
+  listen:
+    - reload system daemon
+    - reexec systemd manager
+
+- name: show merged manager config
+  command: systemd-analyze cat-config systemd/system.conf
+  register: _catcfg
+  changed_when: false
+  become: true
+  listen:
+    - reload system daemon
+    - reexec systemd manager
+
+- name: reload system daemon
   command: systemctl daemon-reload
+  become: true
+  listen: reload system daemon
   async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+
+- name: reexec systemd manager
+  command: systemctl daemon-reexec
+  become: true
+  listen: reexec systemd manager
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"

roles/sys-daemon/meta/main.yml

@@ -1,19 +1,19 @@
+---
 galaxy_info:
   author: "Kevin Veen-Birkenbach"
-  description: "Role to reset and clean up Infinito.Nexus systemd service units for the core daemon."
-  company: |
+  description: "Role to reset and configure the systemd manager (drop-ins, defaults, validation)."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: | 
     Kevin Veen-Birkenbach
     Consulting & Coaching Solutions
     https://www.veen.world
-  license: "Infinito.Nexus NonCommercial License"
-  license_url: "https://s.infinito.nexus/license"
-  min_ansible_version: "2.9"
   galaxy_tags:
     - systemd
-    - cleanup
     - infinito
+    - daemon
+    - cleanup
   repository: "https://s.infinito.nexus/code"
   issue_tracker_url: "https://s.infinito.nexus/issues"
-  documentation: "https://s.infinito.nexus/code/#sys-daemon-role"
-
+  documentation: "https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html"
 dependencies: []

roles/sys-daemon/tasks/01_reset.yml

@@ -0,0 +1,16 @@
+- name: reload system daemon
+  command: /bin/true
+  notify: "reload system daemon"
+
+- name: "Sanity check SYSTEMD_MANAGER_CONF_DIR"
+  assert:
+    that:
+      - SYSTEMD_MANAGER_CONF_DIR | regex_search('^/etc/systemd/system\.conf\.d/?$')
+    fail_msg: "SYSTEMD_MANAGER_CONF_DIR must be /etc/systemd/system.conf.d"
+  when: SYSTEMD_MANAGER_RESET_PURGE | bool
+
+- name: "Purge manager drop-in directory (remove)"
+  file:
+    path: "{{ SYSTEMD_MANAGER_CONF_DIR }}"
+    state: absent
+  notify: reexec systemd manager

roles/sys-daemon/tasks/02_defaults.yml

@@ -0,0 +1,12 @@
+- name: "Ensure {{ SYSTEMD_MANAGER_CONF_DIR }} exists"
+  file:
+    path: "{{ SYSTEMD_MANAGER_CONF_DIR }}"
+    state: directory
+    mode: "0755"
+
+- name: Deploy systemd manager default timeout settings
+  template:
+    src:  timeouts.conf.j2
+    dest: "{{ SYSTEMD_MANAGER_CONF_DIR }}/timeouts.conf"
+    mode: "0644"
+  notify: reexec systemd manager

roles/sys-daemon/tasks/main.yml

@@ -1,8 +1,8 @@
-- name: "reset (if enabled)"
-  include_tasks: reset.yml 
-  when: MODE_RESET | bool and run_once_sys_daemon is not defined
-
-- name: run {{ role_name }} once
-  set_fact:
-    run_once_sys_daemon: true
+- block:
+  - name: "reset (if enabled)"
+    include_tasks: 01_reset.yml
+    when: MODE_RESET | bool and run_once_sys_daemon is not defined
+  - name: Apply systemd manager defaults
+    include_tasks: 02_defaults.yml
+  - include_tasks: utils/run_once.yml
   when: run_once_sys_daemon is not defined

roles/sys-daemon/tasks/reset.yml

@@ -1,3 +0,0 @@
-- name: reload system daemon
-  command: /bin/true
-  notify: "reload system daemon"

roles/sys-daemon/templates/timeouts.conf.j2

@@ -0,0 +1,4 @@
+[Manager]
+DefaultTimeoutStartSec={{ SYSTEMD_DEFAULT_TIMEOUT_START }}
+DefaultTimeoutStopSec={{ SYSTEMD_DEFAULT_TIMEOUT_STOP }}
+DefaultTimeoutAbortSec={{ SYSTEMD_DEFAULT_TIMEOUT_ABORT }}

roles/sys-service/README.md

@@ -0,0 +1,27 @@
+# sys-service
+
+## Description
+
+Role to manage **systemd service units** for Infinito.Nexus software stacks.  
+It installs or removes unit files, configures runtime behavior, and ensures services are properly deployed.
+
+## Overview
+
+- Resets service units by removing old or obsolete definitions.  
+- Deploys new service unit files and service scripts.  
+- Optionally sets up timers linked to the services.  
+- Ensures correct reload/restart behavior across the stack.  
+
+## Features
+
+- **Unit Cleanup:** Automated removal of old service units.  
+- **Custom Templates:** Supports both `systemctl.service.j2` and `systemctl@.service.j2`.  
+- **Timers:** Integrates with `sys-timer` for scheduled execution.  
+- **Runtime Limits:** Configurable `RuntimeMaxSec` per service.  
+- **Handlers:** Automatic reload/restart of services when definitions change.  
+
+## Further Resources
+
+- [systemd - Service Units](https://www.freedesktop.org/software/systemd/man/systemd.service.html)  
+- [systemd - Timer Units](https://www.freedesktop.org/software/systemd/man/systemd.timer.html)  
+- [systemctl](https://www.freedesktop.org/software/systemd/man/systemctl.html)

roles/sys-service/defaults/main.yml

@@ -0,0 +1,3 @@
+SYS_SERVICE_ALL_ENABLED:      "{{ not MODE_DEBUG }}"
+SYS_SERVICE_DEFAULT_STATE:    "{{ 'restarted' if MODE_DEBUG else omit }}"
+SYS_SERVICE_DEFAULT_RUNTIME:  "86400s"    # Maximum total runtime a service is allowed to run before being stopped

roles/sys-service/handlers/main.yml

@@ -1,8 +1,8 @@
 - name: "refresh systemctl service"
   systemd:
-    name: "{{ systemctl_id | get_service_name(SOFTWARE_NAME) }}"
+    name: "{{ system_service_id | get_service_name(SOFTWARE_NAME) }}"
     daemon_reload: yes
     enabled: yes
-    state: "{{ systemctl_state }}"
+    state: "{{ system_service_state }}"
   async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
   poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"

roles/sys-service/meta/main.yml

@@ -1,10 +1,10 @@
 ---
 galaxy_info:
   author: "Kevin Veen-Birkenbach"
-  description: "Utility role to reset/clean up systemd units for a given software stack."
+  description: "Role to manage systemd service units, including cleanup, deployment, and runtime configuration."
   license: "Infinito.Nexus NonCommercial License"
   license_url: "https://s.infinito.nexus/license"
-  company: |
+  company: | 
     Kevin Veen-Birkenbach
     Consulting & Coaching Solutions
     https://www.veen.world
@@ -16,9 +16,9 @@ galaxy_info:
   galaxy_tags:
     - systemd
     - services
-    - cleanup
-    - reset
     - automation
+    - infinito
   repository: "https://s.infinito.nexus/code"
   issue_tracker_url: "https://s.infinito.nexus/issues"
-  documentation: "https://docs.infinito.nexus"
+  documentation: "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
+dependencies: []

roles/sys-service/tasks/03_base.yml

@@ -1,7 +1,6 @@
-# roles/sys-systemctl/tasks/03_base.yml
 - name: "find best matching source for service script"
   set_fact:
-    service_src: >-
+    system_service_script_src: >-
       {{ lookup('first_found',
         {
           'files': [
@@ -10,21 +9,21 @@
             'files/script.sh',
             'files/script.py'
           ],
-          'paths': [ systemctl_role_dir ]
+          'paths': [ system_service_role_dir ]
         },
         errors='strict'
       ) }}
-  when: systemctl_copy_files | bool
+  when: system_service_copy_files | bool
 
-- name: "Load file logic for '{{ systemctl_id }}'"
+- name: "Load file logic for '{{ system_service_id }}'"
   include_tasks: 04_files.yml
   when:
-    - systemctl_copy_files | bool
-    - service_src
+    - system_service_copy_files | bool
+    - system_service_script_src
 
-- name: "Load systemctl logic for '{{ systemctl_id }}'"
+- name: "Load systemctl logic for '{{ system_service_id }}'"
   include_tasks: 05_service.yml
 
-- name: "Load timer logic for '{{ systemctl_id }}'"
+- name: "Load timer logic for '{{ system_service_id }}'"
   include_tasks: 06_timer.yml
-  when: systemctl_timer_enabled | bool
+  when: system_service_timer_enabled | bool

roles/sys-service/tasks/04_files.yml

@@ -0,0 +1,23 @@
+
+- name: "create {{ system_service_script_dir }}"
+  file:
+    path: "{{ system_service_script_dir }}"
+    state: directory
+    mode: "0755"
+
+- name: "template or copy script"
+  block:
+    - name: "render template"
+      template:
+        src:  "{{ system_service_script_src }}"
+        dest: "{{ [system_service_script_dir, (system_service_script_src | basename | regex_replace('\\.j2$', ''))] | path_join }}"
+        mode: "0755"
+      when: system_service_script_src.endswith('.j2')
+
+    - name: "copy raw file"
+      copy:
+        src:  "{{ system_service_script_src }}"
+        dest: "{{ [system_service_script_dir, (system_service_script_src | basename)] | path_join }}"
+        mode: "0755"
+      when: not system_service_script_src.endswith('.j2')
+  when: system_service_copy_files | bool

roles/sys-service/tasks/05_service.yml

@@ -1,7 +1,7 @@
 # 1) Find the template (prefer target role, then fall back to this role)
 - name: Resolve systemctl template source
   set_fact:
-    systemctl_template_src: >-
+    system_service_template_src: >-
       {{ lookup(
            'first_found',
            {
@@ -10,7 +10,7 @@
                'templates/systemctl.service.j2'
              ],
              'paths': [
-               systemctl_role_dir,
+               system_service_role_dir,
                role_path
              ]
            },
@@ -20,22 +20,22 @@
 # Optional: sanity check with a clear error if truly nothing found
 - name: Ensure a systemctl template was found
   assert:
-    that: systemctl_template_src | length > 0
+    that: system_service_template_src | length > 0
     fail_msg: >-
       Could not resolve any systemctl template. Looked in:
-      {{ systemctl_role_dir }}/templates/ and {{ role_path }}/templates/.
+      {{ system_service_role_dir }}/templates/ and {{ role_path }}/templates/.
 
 # 2) Now we may safely derive whether it’s the “@” variant
 - name: Flag whether @-template is used
   set_fact:
-    systemctl_uses_at: "{{ (systemctl_template_src | basename) is search('@\\.service\\.j2$') }}"
+    system_service_uses_at: "{{ (system_service_template_src | basename) is search('@\\.service\\.j2$') }}"
 
 # 3) Use it
-- name: "setup systemctl '{{ systemctl_id }}'"
+- name: "setup systemctl '{{ system_service_id }}'"
   template:
-    src:  "{{ systemctl_template_src }}"
-    dest: "{{ [ PATH_SYSTEM_SERVICE_DIR, systemctl_id | get_service_name(SOFTWARE_NAME) ] | path_join }}"
-  notify: "{{ 'reload system daemon' if systemctl_uses_at else 'refresh systemctl service' }}"
+    src:  "{{ system_service_template_src }}"
+    dest: "{{ [ PATH_SYSTEM_SERVICE_DIR, system_service_id | get_service_name(SOFTWARE_NAME) ] | path_join }}"
+  notify: "{{ 'reload system daemon' if system_service_uses_at else 'refresh systemctl service' }}"
 
 - name:   refresh systemctl service when SYS_SERVICE_ALL_ENABLED
   command: /bin/true
@@ -44,4 +44,4 @@
     - refresh systemctl service
   when: 
     - SYS_SERVICE_ALL_ENABLED | bool
-    - not systemctl_uses_at
+    - not system_service_uses_at

roles/sys-service/tasks/06_timer.yml

@@ -0,0 +1,13 @@
+- name: Fail if system_service_id contains "@"
+  assert:
+    that:
+      - "'@' not in system_service_id"
+    fail_msg: "Invalid system_service_id '{{ system_service_id }}' → must not contain '@'."
+
+- name: "Make '{{ system_service_id }}' available for sys-timer"
+  set_fact:
+    system_service_timer_service: "{{ system_service_id }}"
+
+- name: "include role for sys-timer for {{ system_service_timer_service }}"
+  include_role:
+    name: sys-timer

roles/sys-service/tasks/main.yml

@@ -1,14 +1,14 @@
 - block:
   - include_tasks: 01_core.yml
   - include_tasks: utils/run_once.yml
-  when: run_once_sys_systemctl is not defined
+  when: run_once_sys_service is not defined
 
-- name: "Execute service routines for '{{ systemctl_id }}'"
+- name: "Execute service routines for '{{ system_service_id }}'"
   block:
-  - name: "Load base routine for '{{ systemctl_id }}'"
+  - name: "Load base routine for '{{ system_service_id }}'"
     include_tasks: 03_base.yml
   - include_tasks: utils/run_once.yml
     vars:
-      # Necessary to flush after every service which uses an 'systemctl_id' otherwise wrong one will be used
+      # Necessary to flush after every service which uses an 'system_service_id' otherwise wrong one will be used
       flush_handlers: true
-  when: systemctl_id is defined
+  when: system_service_id is defined

roles/sys-service/templates/systemctl.service.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description={{ SOFTWARE_NAME }} - Service for role '{{ system_service_id }}'
+OnFailure={{ system_service_tpl_on_failure }}
+
+[Service]
+Type={{ system_service_tpl_type }}
+ExecStart={{ system_service_tpl_exec_start }}
+{% if system_service_tpl_runtime |length > 0 %}
+RuntimeMaxSec={{ system_service_tpl_runtime }}
+{% endif %}

roles/sys-service/vars/main.yml

@@ -0,0 +1,23 @@
+UNIT_SUFFIX_REMOVER_PACKAGE:  "unsure"
+
+## Paths
+system_service_role_name:      "{{ system_service_id | regex_replace('@','') }}"
+system_service_role_dir:       "{{ [ playbook_dir, 'roles', system_service_role_name ] | path_join }}"
+system_service_script_dir:     "{{ [ PATH_SYSTEMCTL_SCRIPTS, system_service_id ] | path_join }}"
+
+## Settings
+system_service_copy_files:     true  # When set to false file copying will be skipped
+system_service_timer_enabled:  false # When set to true timer will be loaded
+system_service_state:          "{{ SYS_SERVICE_DEFAULT_STATE }}"
+
+# Dynamic Loaded ( Just available when dependencies are loaded )
+system_service_script_base:    "{{ system_service_script_src | basename | regex_replace('\\.j2$', '') }}"
+system_service_script_type:    "{{ system_service_script_base | filetype }}"
+system_service_script_inter:   "/bin/{{ 'bash' if system_service_script_type == 'sh' else 'python3'}}"
+system_service_script_exec:    "{{ system_service_script_inter }} {{ system_service_id | get_service_script_path( system_service_script_type ) }}"
+
+# Service template
+system_service_tpl_on_failure: "{{ SYS_SERVICE_ON_FAILURE_COMPOSE }}"
+system_service_tpl_type:       "oneshot"
+system_service_tpl_exec_start: "{{ system_service_script_exec }}"
+system_service_tpl_runtime:    "{{ SYS_SERVICE_DEFAULT_RUNTIME }}"