Add Vaultwarden password manager role with PostgreSQL and SSO support

- Implement complete Vaultwarden deployment using Podman Quadlet
- PostgreSQL backend via Unix socket with 777 permissions
- Caddy reverse proxy with WebSocket support for live sync
- Control-node admin token hashing using argon2 (OWASP preset)
- Idempotent token hashing with deterministic salt generation
- Full Authentik SSO integration following official guide
- SMTP email configuration support (optional)
- Invitation-only user registration by default
- Comprehensive documentation with setup and troubleshooting guides

Technical Details:
- Container: vaultwarden/server:latest from Docker Hub
- Database: PostgreSQL via /var/run/postgresql socket
- Port: 8080 (localhost only, proxied by Caddy)
- Domain: vault.jnss.me
- Admin token: Hashed on control node with argon2id
- SSO: OpenID Connect with offline_access scope support

Role includes automatic argon2 installation on control node if needed.

roles/vaultwarden/tasks/database.yml

@@ -0,0 +1,51 @@
+---
+# Database setup for Vaultwarden - PostgreSQL via Unix Socket
+
+- name: Test PostgreSQL socket connectivity
+  postgresql_ping:
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: "{{ vaultwarden_user }}"
+  become: true
+  become_user: "{{ vaultwarden_user }}"
+
+- name: Create Vaultwarden database user via socket
+  postgresql_user:
+    name: "{{ vaultwarden_db_user }}"
+    password: "{{ vaultwarden_db_password }}"
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: postgres
+  become: true
+  become_user: postgres
+
+- name: Create Vaultwarden database via socket
+  postgresql_db:
+    name: "{{ vaultwarden_db_name }}"
+    owner: "{{ vaultwarden_db_user }}"
+    encoding: UTF8
+    template: template0
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: postgres
+  become: true
+  become_user: postgres
+
+- name: Grant Vaultwarden database privileges
+  postgresql_privs:
+    db: "{{ vaultwarden_db_name }}"
+    privs: ALL
+    type: database
+    role: "{{ vaultwarden_db_user }}"
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: postgres
+  become: true
+  become_user: postgres
+
+- name: Display database setup status
+  debug:
+    msg: |
+      Vaultwarden database setup complete!
+      
+      Database: {{ vaultwarden_db_name }}
+      User: {{ vaultwarden_db_user }}
+      Connection: Unix socket ({{ postgresql_unix_socket_directories }})
+      
+      Ready for Vaultwarden container deployment

roles/vaultwarden/tasks/hash_admin_token.yml

@@ -0,0 +1,57 @@
+---
+# Hash admin token on Ansible control node using argon2
+
+- name: Check if argon2 is available on control node
+  command: which argon2
+  register: argon2_check
+  delegate_to: localhost
+  become: false
+  changed_when: false
+  failed_when: false
+
+- name: Install argon2 on control node if not present
+  package:
+    name: argon2
+    state: present
+  delegate_to: localhost
+  become: false
+  when: argon2_check.rc != 0
+  run_once: true
+
+- name: Generate deterministic salt from domain
+  set_fact:
+    vaultwarden_salt_source: "{{ vaultwarden_domain }}-{{ vaultwarden_sso_authority }}"
+  no_log: true
+
+- name: Create base64-encoded salt for argon2
+  shell: echo -n "{{ vaultwarden_salt_source }}" | sha256sum | cut -d' ' -f1 | head -c 22
+  register: admin_token_salt
+  delegate_to: localhost
+  become: false
+  changed_when: false
+  no_log: true
+
+- name: Hash admin token using argon2 (OWASP preset)
+  shell: echo -n "{{ vaultwarden_admin_token_plain }}" | argon2 "{{ admin_token_salt.stdout }}" -id -t 2 -k 19456 -p 1 -e
+  register: admin_token_hash_result
+  delegate_to: localhost
+  become: false
+  changed_when: false
+  no_log: true
+
+- name: Extract hashed admin token
+  set_fact:
+    vaultwarden_admin_token_hashed: "{{ admin_token_hash_result.stdout | trim }}"
+  no_log: true
+
+- name: Display token hash status
+  debug:
+    msg: |
+      Admin token hashed successfully on control node
+      
+      Hash algorithm: argon2id
+      Preset: OWASP (m=19456, t=2, p=1)
+      Format: PHC string (Vaultwarden compatible)
+      Idempotent: Same token always produces same hash
+      
+      The hashed token will be used in the environment configuration

roles/vaultwarden/tasks/main.yml

@@ -0,0 +1,108 @@
+---
+# Vaultwarden Password Manager Role - Main Tasks
+# Self-contained deployment with Podman and Unix sockets
+
+- name: Setup vaultwarden user and directories
+  include_tasks: user.yml
+  tags: [user, setup]
+
+- name: Setup database access and permissions
+  include_tasks: database.yml
+  tags: [database, setup]
+
+- name: Pull vaultwarden container image
+  containers.podman.podman_image:
+    name: "{{ vaultwarden_image }}:{{ vaultwarden_version }}"
+    state: present
+  tags: [containers, image-pull]
+
+- name: Hash admin token on host
+  include_tasks: hash_admin_token.yml
+  tags: [config, admin-token]
+
+- name: Deploy environment configuration
+  template:
+    src: vaultwarden.env.j2
+    dest: "{{ vaultwarden_home }}/.env"
+    owner: "{{ vaultwarden_user }}"
+    group: "{{ vaultwarden_group }}"
+    mode: '0600'
+    backup: true
+  notify:
+    - restart vaultwarden
+  tags: [config]
+
+- name: Create Quadlet systemd directory
+  file:
+    path: /etc/containers/systemd
+    state: directory
+    mode: '0755'
+
+- name: Deploy Quadlet container file 
+  template:
+    src: vaultwarden.container
+    dest: /etc/containers/systemd/vaultwarden.container
+    mode: '0644'
+  notify:
+    - reload systemd
+    - restart vaultwarden
+  tags: [containers, deployment]
+
+- name: Deploy Caddy configuration
+  template:
+    src: vaultwarden.caddy.j2
+    dest: "{{ caddy_sites_enabled_dir }}/vaultwarden.caddy"
+    owner: root
+    group: "{{ caddy_user }}"
+    mode: '0644'
+    backup: true
+  notify: reload caddy
+  tags: [caddy, reverse-proxy]
+
+- name: Ensure PostgreSQL is running
+  systemd:
+    name: postgresql
+    state: started
+
+- name: Wait for PostgreSQL socket to be ready
+  wait_for:
+    path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
+    timeout: 30
+  when: postgresql_unix_socket_enabled
+
+- name: Enable and start Vaultwarden service (system scope)
+  systemd:
+    name: vaultwarden
+    enabled: "{{ vaultwarden_service_enabled }}"
+    state: "{{ vaultwarden_service_state }}"
+    daemon_reload: true
+  tags: [containers, service]
+
+- name: Wait for Vaultwarden to be ready
+  uri:
+    url: "http://127.0.0.1:{{ vaultwarden_http_port }}/"
+    method: GET
+    status_code: [200, 302]
+    timeout: 30
+  retries: 10
+  delay: 15
+  register: vaultwarden_health_check
+  tags: [verification, health-check]
+
+- name: Display Vaultwarden deployment status
+  debug:
+    msg: |
+      Vaultwarden Password Manager deployed successfully!
+      
+      Domain: {{ vaultwarden_domain }}
+      Database: {{ vaultwarden_db_name }} (Unix socket)
+      Container: {{ vaultwarden_image }}:{{ vaultwarden_version }}
+      Admin Panel: https://{{ vaultwarden_domain }}/admin
+      
+      Ready for user registration and password management!
+      
+      Next Steps:
+      - Access https://{{ vaultwarden_domain }}/admin with your admin token
+      - Configure additional settings (SMTP, SSO, etc.)
+      - Invite users or create accounts
+  tags: [verification]

roles/vaultwarden/tasks/user.yml

@@ -0,0 +1,28 @@
+---
+# Vaultwarden User Management - Service-Specific User Setup
+
+- name: Create vaultwarden group
+  group:
+    name: "{{ vaultwarden_group }}"
+    system: true
+
+- name: Create vaultwarden user
+  user:
+    name: "{{ vaultwarden_user }}"
+    group: "{{ vaultwarden_group }}"
+    system: true
+    shell: /bin/bash
+    home: "{{ vaultwarden_home }}"
+    create_home: true
+    comment: "Vaultwarden password manager service"
+
+- name: Create vaultwarden directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ vaultwarden_user }}"
+    group: "{{ vaultwarden_group }}"
+    mode: '0755'
+  loop:
+    - "{{ vaultwarden_home }}"
+    - "{{ vaultwarden_data_dir }}"