Improve logging and infrastructure variable consistency

Changes:
- Migrate Authentik to journald logging (remove file-based logs)
- Update Gitea to use infrastructure variables for PostgreSQL access
- Add comprehensive logging documentation to deployment guide
- Add infrastructure variable pattern guide to integration docs

Authentik Logging:
- Remove LogDriver=k8s-file from server and worker containers
- Remove logs directory creation from user setup tasks
- Update deployment guide with journald examples and JSON log patterns

Gitea Infrastructure Variables:
- Add infrastructure dependencies section to role defaults
- Replace hardcoded paths with postgresql_unix_socket_directories variable
- Replace hardcoded 'postgres' group with postgresql_client_group variable
- Add infrastructure variable validation in tasks
- Remove manual socket permission override (handled by infrastructure)

Documentation:
- Add journald logging best practices to service integration guide
- Add infrastructure variable pattern documentation with Gitea example
- Update Authentik deployment guide with journald commands and JSON filtering
- Document benefits: centralized logging, single source of truth, maintainability

Validated on arch-vps:
- Authentik logs accessible via journalctl and podman logs (identical output)
- Gitea user added to postgres-clients group (GID 962)
- No PostgreSQL socket permission errors after service restart

roles/authentik/tasks/user.yml

@@ -29,7 +29,6 @@
     - "{{ authentik_home }}"
     - "{{ authentik_home }}/data"
     - "{{ authentik_home }}/media"
-    - "{{ authentik_home }}/logs"
 
 - name: Get authentik user UID and GID for container configuration
   shell: |

roles/authentik/templates/authentik-server.container

@@ -11,11 +11,6 @@ EnvironmentFile={{ authentik_home }}/.env
 User={{ authentik_uid }}:{{ authentik_gid }}
 PodmanArgs=--group-add {{ postgresql_client_group_gid }} --group-add {{ valkey_client_group_gid }}
 
-# Logging configuration
-LogDriver=k8s-file
-LogOpt=path={{ authentik_home }}/logs/server.log
-Volume={{ authentik_home }}/logs:{{ authentik_home }}/logs
-
 # Volume mounts for data and sockets
 Volume={{ authentik_media_dir }}:/media
 Volume={{ authentik_data_dir }}:/data

roles/authentik/templates/authentik-worker.container

@@ -11,11 +11,6 @@ EnvironmentFile={{ authentik_home }}/.env
 User={{ authentik_uid }}:{{ authentik_gid }}
 PodmanArgs=--group-add {{ postgresql_client_group_gid }} --group-add {{ valkey_client_group_gid }}
 
-# Logging configuration
-LogDriver=k8s-file
-LogOpt=path={{ authentik_home }}/logs/worker.log
-Volume={{ authentik_home }}/logs:{{ authentik_home }}/logs
-
 # Volume mounts for data and sockets
 Volume={{ authentik_media_dir }}:/media
 Volume={{ authentik_data_dir }}:/data

roles/gitea/defaults/main.yml

@@ -39,9 +39,10 @@ caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
 # =================================================================
 
 # Gitea manages its own database (Unix socket connection)
+# Uses infrastructure variables for consistent socket path reference
 gitea_db_type: "postgres"
-gitea_db_host: "/run/postgresql"  # Unix socket directory
-gitea_db_port: 5432
+gitea_db_host: "{{ postgresql_unix_socket_directories }}"  # Unix socket from infrastructure
+gitea_db_port: "{{ postgresql_port }}"
 gitea_db_name: "gitea"
 gitea_db_user: "gitea"
 gitea_db_password: "{{ vault_gitea_db_password }}"
@@ -65,6 +66,16 @@ gitea_require_signin: false
 # SSH settings
 gitea_start_ssh_server: true
 
+# =================================================================
+# Infrastructure Dependencies (Read-only)
+# =================================================================
+# These variables reference infrastructure services defined by their roles
+# Applications MUST NOT modify these values - they are provided by infrastructure
+
+postgresql_unix_socket_directories: "/var/run/postgresql"
+postgresql_client_group: "postgres-clients"
+postgresql_port: 5432
+
 # =================================================================
 # Rick-Infra Integration Notes
 # =================================================================

roles/gitea/tasks/main.yml

@@ -2,6 +2,15 @@
 # Gitea Service Role - Self-Contained Implementation
 # Manages Gitea Git service with own database
 
+- name: Validate infrastructure variables are defined
+  assert:
+    that:
+      - postgresql_unix_socket_directories is defined
+      - postgresql_client_group is defined
+      - postgresql_port is defined
+    fail_msg: "Missing required infrastructure variables. Ensure PostgreSQL role has run first."
+    success_msg: "Infrastructure variables validated successfully"
+
 - name: Install Gitea from Arch repository
   pacman:
     name: gitea
@@ -43,23 +52,16 @@
     group: "{{ gitea_group }}"
     mode: '0700'
 
-# Socket access setup (following Authentik pattern)
-- name: Add git user to postgres group for socket access
+# Socket access setup (using infrastructure variables)
+- name: Add git user to PostgreSQL client group for socket access
   user:
     name: "{{ gitea_user }}"
-    groups: postgres
+    groups: "{{ postgresql_client_group }}"
     append: true
 
-- name: Ensure git can access PostgreSQL socket directory
-  file:
-    path: "/var/run/postgresql"
-    mode: '0770'
-    group: postgres
-  become: true
-
 - name: Test PostgreSQL socket connectivity
   postgresql_ping:
-    login_unix_socket: "/var/run/postgresql"
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
     login_user: "{{ gitea_user }}"
   become: true
   become_user: "{{ gitea_user }}"
@@ -70,7 +72,7 @@
     name: "{{ gitea_db_user }}"
     password: "{{ gitea_db_password }}"
     encrypted: yes
-    login_unix_socket: "/var/run/postgresql"
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
     login_user: postgres
   become: true
   become_user: postgres
@@ -81,7 +83,7 @@
     owner: "{{ gitea_db_user }}"
     encoding: UTF8
     template: template0
-    login_unix_socket: "/var/run/postgresql"
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
     login_user: postgres
   become: true
   become_user: postgres
@@ -92,7 +94,7 @@
     privs: ALL
     type: database
     role: "{{ gitea_db_user }}"
-    login_unix_socket: "/var/run/postgresql"
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
     login_user: postgres
   become: true
   become_user: postgres