Add Valkey infrastructure role as Redis-compatible cache service

- Implemented complete Valkey infrastructure role following PostgreSQL patterns
- Provides 100% Redis-compatible high-performance data structure store
- Configured for multi-application support with database isolation
- Security-focused: localhost-only binding, password auth, systemd hardening
- Arch Linux compatible: uses native Valkey package with Redis compatibility
- Database allocation strategy: DB 0 reserved, DB 1+ for applications
- Full systemd integration with security overrides and proper service management
- Redis client compatibility maintained for seamless application integration
- Ready for Authentik and future container workloads requiring cache services

roles/valkey/defaults/main.yml

@@ -0,0 +1,88 @@
+---
+# =================================================================
+# Valkey Infrastructure Role - Simplified Configuration  
+# =================================================================
+# Provides Valkey (Redis-compatible) as shared infrastructure for applications
+# Applications manage their own Valkey database selections and usage
+
+# =================================================================
+# Essential Configuration
+# =================================================================
+
+# Service Management
+valkey_service_enabled: true
+valkey_service_state: "started"
+
+# Network Security (localhost only - matches PostgreSQL pattern)
+valkey_bind: "127.0.0.1"
+valkey_port: 6379
+valkey_protected_mode: true
+
+# Authentication
+valkey_requirepass: "{{ vault_valkey_password }}"
+
+# =================================================================
+# Performance Settings (Conservative Defaults)
+# =================================================================
+
+# Memory Management
+valkey_maxmemory: "256mb"
+valkey_maxmemory_policy: "allkeys-lru"
+
+# Persistence (balanced approach)
+valkey_save_enabled: true
+valkey_save_intervals:
+  - "900 1"     # Save if 1 key changed in 900s
+  - "300 10"    # Save if 10 keys changed in 300s  
+  - "60 10000"  # Save if 10000 keys changed in 60s
+
+# RDB and AOF settings
+valkey_rdbcompression: true
+valkey_rdbchecksum: true
+valkey_appendonly: false  # RDB only for simplicity
+
+# =================================================================
+# Security Configuration
+# =================================================================
+
+# Systemd security hardening
+valkey_systemd_security: true
+
+# Valkey security settings
+valkey_timeout: 300
+valkey_tcp_keepalive: 300
+valkey_tcp_backlog: 511
+
+# =================================================================
+# Database Configuration
+# =================================================================
+
+# Database allocation for applications
+# Applications should use different database numbers:
+# - authentik: database 1
+# - nextcloud: database 2
+# - future services: database 3, 4, etc.
+valkey_databases: 16
+
+# =================================================================
+# Logging Configuration  
+# =================================================================
+
+valkey_loglevel: "notice"
+valkey_syslog_enabled: true
+valkey_syslog_ident: "valkey"
+
+# =================================================================
+# Infrastructure Notes
+# =================================================================
+# This role provides minimal Valkey infrastructure
+# Applications should configure their own Valkey usage:
+#
+# Environment variables in application configs:
+# - VALKEY_HOST: "{{ ansible_default_ipv4.address }}" or "127.0.0.1"  
+# - VALKEY_PORT: "6379"
+# - VALKEY_PASSWORD: "{{ vault_valkey_password }}"
+# - VALKEY_DB: "1" (or 2, 3, etc. - unique per application)
+#
+# Note: Applications can also use REDIS_* environment variables
+# for compatibility since Valkey is fully Redis-compatible