Add Authentik SSO service and refactor Valkey configuration to use native tools and consolidated systemd service

roles/valkey/templates/valkey.service.j2

@@ -0,0 +1,78 @@
+# Valkey Systemd Service
+# Generated by rick-infra Valkey role
+#
+# This service provides a secure, hardened Valkey instance with proper configuration loading
+
+[Unit]
+Description=Valkey (Redis-compatible) Key-Value Store
+Documentation=https://valkey.io/
+After=network.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User=valkey
+Group=valkey
+
+# Core service configuration - ensures config file is loaded
+ExecStart=/usr/bin/valkey-server /etc/valkey/valkey.conf --supervised systemd
+ExecReload=/bin/kill -USR2 $MAINPID
+
+# Restart configuration
+Restart=on-failure
+RestartSec=5s
+TimeoutStartSec=60
+TimeoutStopSec=60
+
+# Runtime directory
+RuntimeDirectory=valkey
+RuntimeDirectoryMode=755
+
+# Resource limits
+LimitNOFILE=10032
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+# Network security
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Filesystem permissions
+ReadWritePaths=/var/lib/valkey
+ReadOnlyPaths=/etc/valkey
+
+# System call filtering
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Memory and resource limits
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+
+# Capabilities (remove all unnecessary capabilities)
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Process isolation
+PrivateUsers=yes
+RemoveIPC=yes
+
+# Additional security
+UMask=0027
+
+# Ensure service stops cleanly
+KillMode=mixed
+KillSignal=SIGTERM
+
+[Install]
+WantedBy=multi-user.target
+Alias=redis.service