Add Valkey infrastructure role as Redis-compatible cache service

- Implemented complete Valkey infrastructure role following PostgreSQL patterns
- Provides 100% Redis-compatible high-performance data structure store
- Configured for multi-application support with database isolation
- Security-focused: localhost-only binding, password auth, systemd hardening
- Arch Linux compatible: uses native Valkey package with Redis compatibility
- Database allocation strategy: DB 0 reserved, DB 1+ for applications
- Full systemd integration with security overrides and proper service management
- Redis client compatibility maintained for seamless application integration
- Ready for Authentik and future container workloads requiring cache services

roles/valkey/templates/systemd-override.conf.j2

@@ -0,0 +1,49 @@
+# Redis Systemd Security Override
+# Generated by rick-infra Redis role
+#
+# This file provides additional security hardening for the Redis service
+# following the same security patterns as the PostgreSQL role.
+
+[Service]
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+# Network security
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Filesystem permissions
+ReadWritePaths=/var/lib/valkey
+ReadOnlyPaths=/etc/valkey
+
+# System call filtering
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Memory and resource limits
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+
+# Capabilities
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# User and group isolation
+DynamicUser=no
+User=valkey
+Group=valkey
+
+# Process isolation
+PrivateUsers=yes
+RemoveIPC=yes
+
+# Additional Redis-specific security
+UMask=0027

roles/valkey/templates/valkey.conf.j2

@@ -0,0 +1,130 @@
+# Valkey Configuration - Generated by Ansible
+# rick-infra Valkey Infrastructure Role
+# 
+# This configuration provides a secure, performant Valkey instance
+# for use by multiple applications on the same host.
+
+# =================================================================
+# Network Configuration
+# =================================================================
+
+# Bind to localhost only for security (like PostgreSQL)
+bind {{ valkey_bind }}
+
+# Valkey port
+port {{ valkey_port }}
+
+# Protected mode - requires authentication
+protected-mode {{ 'yes' if valkey_protected_mode else 'no' }}
+
+# Connection timeout
+timeout {{ valkey_timeout }}
+
+# TCP listen backlog
+tcp-backlog {{ valkey_tcp_backlog }}
+
+# TCP keepalive
+tcp-keepalive {{ valkey_tcp_keepalive }}
+
+# =================================================================
+# Authentication
+# =================================================================
+
+# Require password for all operations
+requirepass {{ valkey_requirepass }}
+
+# =================================================================
+# Memory Management
+# =================================================================
+
+# Maximum memory usage
+maxmemory {{ valkey_maxmemory }}
+
+# Eviction policy when max memory is reached
+maxmemory-policy {{ valkey_maxmemory_policy }}
+
+# =================================================================
+# Persistence Configuration
+# =================================================================
+
+# Working directory for RDB files
+dir /var/lib/valkey
+
+{% if valkey_save_enabled %}
+# RDB persistence - save snapshots
+{% for interval in valkey_save_intervals %}
+save {{ interval }}
+{% endfor %}
+
+# RDB file compression and checksums
+rdbcompression {{ 'yes' if valkey_rdbcompression else 'no' }}
+rdbchecksum {{ 'yes' if valkey_rdbchecksum else 'no' }}
+{% else %}
+# RDB persistence disabled
+save ""
+{% endif %}
+
+# AOF persistence
+appendonly {{ 'yes' if valkey_appendonly else 'no' }}
+
+# =================================================================
+# Database Configuration
+# =================================================================
+
+# Number of databases (0 to databases-1)
+databases {{ valkey_databases }}
+
+# =================================================================
+# Logging Configuration
+# =================================================================
+
+# Log level
+loglevel {{ valkey_loglevel }}
+
+# Syslog integration
+{% if valkey_syslog_enabled %}
+syslog-enabled yes
+syslog-ident {{ valkey_syslog_ident }}
+{% endif %}
+
+# =================================================================
+# Security Settings
+# =================================================================
+
+# Disable dangerous commands
+rename-command FLUSHDB ""
+rename-command FLUSHALL ""
+rename-command KEYS ""
+rename-command CONFIG ""
+rename-command SHUTDOWN VALKEY_SHUTDOWN
+rename-command DEBUG ""
+rename-command EVAL ""
+
+# =================================================================
+# Performance Tuning
+# =================================================================
+
+# Disable automatic rehashing for better performance
+activerehashing yes
+
+# Client output buffer limits for normal clients
+client-output-buffer-limit normal 0 0 0
+
+# Client output buffer limits for replica clients  
+client-output-buffer-limit replica 256mb 64mb 60
+
+# Client output buffer limits for pubsub clients
+client-output-buffer-limit pubsub 32mb 8mb 60
+
+# =================================================================
+# Application Notes
+# =================================================================
+# 
+# Applications should use different database numbers:
+# - Database 0: Reserved for system/testing
+# - Database 1: Authentik (sessions, cache)
+# - Database 2: Nextcloud (sessions, file locking, cache)
+# - Database 3+: Future applications
+#
+# Connection example:
+# redis-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a {{ valkey_requirepass }} -n 1