Add Nextcloud cloud storage role with split Redis caching strategy

## New Features

- **Nextcloud Role**: Complete cloud storage deployment using Podman Quadlet
  - FPM variant with Caddy reverse proxy and FastCGI
  - PostgreSQL database via Unix socket
  - Valkey/Redis for app-level caching and file locking
  - Automatic HTTPS with Let's Encrypt via Caddy
  - Dual-root pattern: Caddy serves static assets, FPM handles PHP

- **Split Caching Strategy**: Redis caching WITHOUT Redis sessions
  - Custom redis.config.php template for app-level caching only
  - File-based PHP sessions for stability (avoids session lock issues)
  - Prevents cascading failures from session lock contention
  - Documented in role README with detailed rationale

## Infrastructure Updates

- **Socket Permissions**: Update PostgreSQL and Valkey to mode 777
  - Required for containers that switch users (root → www-data)
  - Nextcloud container loses supplementary groups on user switch
  - Security maintained via password authentication (scram-sha-256, requirepass)
  - Documented socket permission architecture in docs/

- **PostgreSQL**: Export client group GID as fact for dependent roles
- **Valkey**: Export client group GID as fact, update socket fix service

## Documentation

- New: docs/socket-permissions-architecture.md
  - Explains 777 vs 770 socket permission trade-offs
  - Documents why group-based access doesn't work for user-switching containers
  - Provides TCP alternative for stricter security requirements

- Updated: All role READMEs with socket permission notes
- New: Nextcloud README with comprehensive deployment, troubleshooting, and Redis architecture documentation

## Configuration

- host_vars: Add Nextcloud vault variables and configuration
- site.yml: Include Nextcloud role in main playbook

## Technical Details

**Why disable Redis sessions?**

The official Nextcloud container enables Redis session handling via REDIS_HOST env var,
which causes severe performance issues:

1. Session lock contention under high concurrency (browser parallel asset requests)
2. Infinite lock retries (default lock_retries=-1) blocking FPM workers
3. Timeout orphaning: reverse proxy kills connection, worker keeps lock
4. Worker pool exhaustion: all 5 default workers blocked on same session lock
5. Cascading failure: new requests queue, more timeouts, more orphaned locks

Solution: Use file-based sessions (reliable, fast for single-server) while keeping
Redis for distributed cache and transactional file locking via custom config file.

This provides optimal performance without the complexity of Redis session debugging.

Tested: Fresh deployment on arch-vps (69.62.119.31)
Domain: https://cloud.jnss.me/

roles/nextcloud/defaults/main.yml

@@ -0,0 +1,95 @@
+---
+# =================================================================
+# Nextcloud Cloud Storage Role - Default Variables
+# =================================================================
+# Self-contained Nextcloud deployment with FPM, PostgreSQL, and Valkey
+
+# =================================================================
+# Service Configuration
+# =================================================================
+
+# Service user and directories
+nextcloud_user: nextcloud
+nextcloud_group: nextcloud
+nextcloud_home: /opt/nextcloud
+nextcloud_html_dir: "{{ nextcloud_home }}/html"
+nextcloud_data_dir: "{{ nextcloud_home }}/data"
+nextcloud_config_dir: "{{ nextcloud_home }}/config"
+nextcloud_custom_apps_dir: "{{ nextcloud_home }}/custom_apps"
+
+# Container configuration (FPM variant)
+nextcloud_version: "stable-fpm"
+nextcloud_image: "docker.io/library/nextcloud"
+nextcloud_fpm_port: 9001  # Internal FPM port (published to 127.0.0.1, Authentik uses 9000)
+
+# Service management
+nextcloud_service_enabled: true
+nextcloud_service_state: "started"
+
+# =================================================================
+# Database Configuration (Self-managed)
+# =================================================================
+
+nextcloud_db_name: "nextcloud"
+nextcloud_db_user: "nextcloud"
+nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
+
+# =================================================================
+# Cache Configuration (Self-managed)
+# =================================================================
+
+nextcloud_valkey_db: 2  # Use database 2 (Authentik uses 1)
+
+# =================================================================
+# Network Configuration
+# =================================================================
+
+nextcloud_domain: "cloud.jnss.me"
+
+# =================================================================
+# Nextcloud Core Configuration
+# =================================================================
+
+# Admin user (auto-configured on first run)
+nextcloud_admin_user: "admin"
+nextcloud_admin_password: "{{ vault_nextcloud_admin_password }}"
+
+# Trusted domains (space-separated)
+nextcloud_trusted_domains: "{{ nextcloud_domain }}"
+
+# Reverse proxy configuration
+nextcloud_overwriteprotocol: "https"
+
+# =================================================================
+# PHP Configuration
+# =================================================================
+
+nextcloud_php_memory_limit: "512M"
+nextcloud_php_upload_limit: "512M"
+
+# =================================================================
+# Caddy Integration
+# =================================================================
+
+# Caddy configuration (assumes caddy role provides these variables)
+caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
+caddy_log_dir: "/var/log/caddy"
+caddy_user: "caddy"
+
+# =================================================================
+# Infrastructure Dependencies (Read-only)
+# =================================================================
+# These variables reference infrastructure services defined by their roles
+# Applications MUST NOT modify these values - they are provided by infrastructure
+
+# PostgreSQL socket configuration (managed by postgresql role)
+postgresql_unix_socket_directories: "/var/run/postgresql"
+postgresql_client_group: "postgres-clients"
+postgresql_port: 5432
+postgresql_unix_socket_enabled: true
+
+# Valkey socket configuration (managed by valkey role)
+valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
+valkey_password: "{{ vault_valkey_password }}"
+valkey_client_group: "valkey-clients"
+valkey_unix_socket_enabled: true