fix(certbot): harden renewal hook and fix permission errors

The renewal deploy-hook ran as the certbot user but lacked permissions to
write the combined PEM to /etc/haproxy/certs and to reload HAProxy,
causing silent failures that left a stale certificate in production until
expiry.

- Add certbot user to the haproxy group so it can write the combined PEM
- Grant certbot NOPASSWD sudo for `systemctl reload haproxy` only
- Make the Prometheus textfile directory group-owned by certbot (0775)
  so cert-metrics.sh can atomically update ssl_cert.prom
- Refactor renewal-hook.sh to always refresh cert metrics on exit via a
  trap, ensuring expiry alerts fire when the hook itself is broken
- Replace `set -e` with explicit error handling and structured logging
2026-06-17 09:58:46 -04:00
parent 2f5a15eef5
commit 343b0e13d6
10 changed files with 665 additions and 46 deletions


@@ -74,10 +74,14 @@
state: directory
mode: '0755'
# Mode 0770: the certbot renewal deploy-hook (running as the certbot user,
# a member of the haproxy group) must be able to create the temporary PEM
# file here. With 0750 the hook fails with "Permission denied" and HAProxy
# keeps serving a stale cert until it expires.
- name: Ensure /etc/haproxy/certs directory exists
ansible.builtin.file:
path: /etc/haproxy/certs
owner: "{{ haproxy_user | default('haproxy') }}"
group: "{{ haproxy_group | default('haproxy') }}"
state: directory
mode: '0750'
mode: '0770'
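Review bot: widening the directory to 0770 lets the certbot user create the temporary PEM, but a file created there will carry the certbot user's primary group unless the directory has the setgid bit or the hook sets the group explicitly; since the comment says HAProxy (owner haproxy, group haproxy) must read what the hook writes, consider `mode: '2770'` so new files inherit the haproxy group, or confirm the hook chgrps the PEM before it is put into place. The comment also depends on certbot being a member of the haproxy group, which this task does not enforce; a short pointer to where that membership is managed would help anyone reading this role on its own.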