docs: rewrite README with structured overview and quick start guide

Replaces the minimal project description with a comprehensive README
including a component overview table, quick start instructions, common
Ansible operations, and links to detailed documentation. Aligns with
Red Panda Approval™ standards.

ansible/certbot/cert-metrics.sh.j2

@@ -0,0 +1,71 @@
+#!/bin/bash
+# Certificate metrics for Prometheus node_exporter textfile collector
+# Managed by Ansible - DO NOT EDIT MANUALLY
+#
+# Writes metrics to: {{ prometheus_node_exporter_text_directory }}/ssl_cert.prom
+# Metrics:
+#   ssl_certificate_expiry_timestamp - Unix timestamp when cert expires
+#   ssl_certificate_expiry_seconds - Seconds until expiry
+#   ssl_certificate_valid - 1 if valid, 0 if expired or missing
+
+set -euo pipefail
+
+METRICS_DIR="{{ prometheus_node_exporter_text_directory }}"
+METRICS_FILE="${METRICS_DIR}/ssl_cert.prom"
+CERT_FILE="{{ haproxy_cert_path }}"
+DOMAIN="{{ haproxy_domain }}"
+
+# Create temp file for atomic write
+TEMP_FILE=$(mktemp "${METRICS_DIR}/.ssl_cert.prom.XXXXXX")
+
+# Write metric headers
+cat > "${TEMP_FILE}" << 'EOF'
+# HELP ssl_certificate_expiry_timestamp Unix timestamp when the SSL certificate expires
+# TYPE ssl_certificate_expiry_timestamp gauge
+# HELP ssl_certificate_expiry_seconds Seconds until the SSL certificate expires
+# TYPE ssl_certificate_expiry_seconds gauge
+# HELP ssl_certificate_valid Whether the SSL certificate is valid (1) or expired/missing (0)
+# TYPE ssl_certificate_valid gauge
+EOF
+
+if [[ -f "${CERT_FILE}" ]]; then
+    # Extract expiry date from certificate
+    EXPIRY_DATE=$(openssl x509 -enddate -noout -in "${CERT_FILE}" 2>/dev/null | cut -d= -f2)
+    
+    if [[ -n "${EXPIRY_DATE}" ]]; then
+        # Convert to Unix timestamp
+        EXPIRY_TIMESTAMP=$(date -d "${EXPIRY_DATE}" +%s 2>/dev/null || echo "0")
+        CURRENT_TIMESTAMP=$(date +%s)
+        EXPIRY_SECONDS=$((EXPIRY_TIMESTAMP - CURRENT_TIMESTAMP))
+        
+        # Check if certificate is valid (not expired)
+        if [[ ${EXPIRY_SECONDS} -gt 0 ]]; then
+            VALID=1
+        else
+            VALID=0
+        fi
+        
+        # Extract issuer for label
+        ISSUER=$(openssl x509 -issuer -noout -in "${CERT_FILE}" 2>/dev/null | sed 's/.*O = \([^,]*\).*/\1/' | tr -d '"' || echo "unknown")
+        
+        # Write metrics
+        echo "ssl_certificate_expiry_timestamp{domain=\"${DOMAIN}\",issuer=\"${ISSUER}\"} ${EXPIRY_TIMESTAMP}" >> "${TEMP_FILE}"
+        echo "ssl_certificate_expiry_seconds{domain=\"${DOMAIN}\",issuer=\"${ISSUER}\"} ${EXPIRY_SECONDS}" >> "${TEMP_FILE}"
+        echo "ssl_certificate_valid{domain=\"${DOMAIN}\",issuer=\"${ISSUER}\"} ${VALID}" >> "${TEMP_FILE}"
+    else
+        # Could not parse certificate
+        echo "ssl_certificate_expiry_timestamp{domain=\"${DOMAIN}\",issuer=\"unknown\"} 0" >> "${TEMP_FILE}"
+        echo "ssl_certificate_expiry_seconds{domain=\"${DOMAIN}\",issuer=\"unknown\"} 0" >> "${TEMP_FILE}"
+        echo "ssl_certificate_valid{domain=\"${DOMAIN}\",issuer=\"unknown\"} 0" >> "${TEMP_FILE}"
+    fi
+else
+    # Certificate file does not exist
+    echo "ssl_certificate_expiry_timestamp{domain=\"${DOMAIN}\",issuer=\"none\"} 0" >> "${TEMP_FILE}"
+    echo "ssl_certificate_expiry_seconds{domain=\"${DOMAIN}\",issuer=\"none\"} 0" >> "${TEMP_FILE}"
+    echo "ssl_certificate_valid{domain=\"${DOMAIN}\",issuer=\"none\"} 0" >> "${TEMP_FILE}"
+fi
+
+# Set permissions and atomic move
+chmod 644 "${TEMP_FILE}"
+chown prometheus:prometheus "${TEMP_FILE}" 2>/dev/null || true
+mv "${TEMP_FILE}" "${METRICS_FILE}"