Switching over to using unix sockets for ICP

roles/valkey/defaults/main.yml

@@ -13,10 +13,14 @@
 valkey_service_enabled: true
 valkey_service_state: "started"
 
-# Network Security (localhost only - matches PostgreSQL pattern)
-valkey_bind: "127.0.0.1"
-valkey_port: 6379
-valkey_protected_mode: true
+# Network Security (Unix socket with localhost TCP for compatibility)
+valkey_bind: "127.0.0.1"  # Listen on localhost for apps that don't support Unix sockets
+valkey_port: 6379  # Keep TCP port for compatibility
+valkey_protected_mode: true  # Enable protection for TCP
+
+# Unix socket configuration (also enabled for better performance)
+valkey_unixsocket: "/run/valkey/valkey.sock"
+valkey_unixsocketperm: 777  # Allows container access
 
 # Authentication
 valkey_password: "{{ vault_valkey_password }}"

roles/valkey/tasks/main.yml

@@ -15,6 +15,15 @@
     state: directory
     mode: '0755'
 
+- name: Create Valkey socket directory
+  file:
+    path: /run/valkey
+    state: directory
+    owner: valkey
+    group: valkey
+    mode: '0755'
+  when: valkey_unixsocket is defined
+
 - name: Check if Valkey data directory exists
   stat:
     path: "/var/lib/valkey"
@@ -55,19 +64,31 @@
     state: "{{ valkey_service_state }}"
     daemon_reload: yes
 
-- name: Wait for Valkey to be ready
+- name: Wait for Valkey to be ready (TCP)
   wait_for:
     port: "{{ valkey_port }}"
-    host: "{{ valkey_bind }}"
+    host: "{{ valkey_bind | default('127.0.0.1') }}"
     timeout: 30
-  when: valkey_service_state == "started"
+  when: 
+    - valkey_service_state == "started"
+    - valkey_port != 0
 
-- name: Test Valkey connectivity
-  command: valkey-cli -h {{ valkey_bind }} -p {{ valkey_port }} -a "{{ valkey_password }}" ping
+- name: Wait for Valkey Unix socket to be ready
+  wait_for:
+    path: "{{ valkey_unixsocket }}"
+    timeout: 30
+  when: 
+    - valkey_service_state == "started"
+    - valkey_unixsocket is defined
+
+- name: Test Valkey connectivity (Unix socket)
+  command: valkey-cli -s {{ valkey_unixsocket }} -a "{{ valkey_password }}" ping
   register: valkey_ping_result
   changed_when: false
   failed_when: valkey_ping_result.stdout != "PONG"
-  when: valkey_service_state == "started"
+  when: 
+    - valkey_service_state == "started"
+    - valkey_unixsocket is defined
 
 - name: Display Valkey infrastructure status
   debug:

roles/valkey/templates/valkey.conf.j2

@@ -8,12 +8,22 @@
 # Network Configuration
 # =================================================================
 
-# Bind to localhost only for security (like PostgreSQL)
+{% if valkey_bind %}
+# Bind to specified interfaces
 bind {{ valkey_bind }}
+{% else %}
+# No TCP binding - Unix socket only
+{% endif %}
 
-# Valkey port
+# Valkey port (0 = disable TCP)
 port {{ valkey_port }}
 
+# Unix socket configuration
+{% if valkey_unixsocket is defined %}
+unixsocket {{ valkey_unixsocket }}
+unixsocketperm {{ valkey_unixsocketperm }}
+{% endif %}
+
 # Protected mode - requires authentication
 protected-mode {{ 'yes' if valkey_protected_mode else 'no' }}