feat: add valkey/redis

roles/valkey/tasks/kernel-tuning.yml

@@ -0,0 +1,43 @@
+---
+- name: Configure kernel memory overcommit
+  ansible.posix.sysctl:
+    name: vm.overcommit_memory
+    value: "1"
+    state: present
+    sysctl_set: true
+    reload: true
+
+- name: Check if transparent_hugepage is set in GRUB
+  ansible.builtin.shell: grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=.*transparent_hugepage=' /etc/default/grub
+  register: thp_check
+  changed_when: false
+  failed_when: false
+
+- name: Add transparent_hugepage if not present
+  ansible.builtin.lineinfile:
+    path: /etc/default/grub
+    regexp: '^(GRUB_CMDLINE_LINUX_DEFAULT="[^"]*)"$'
+    line: '\1 transparent_hugepage=madvise"'
+    backrefs: true
+  when: thp_check.rc != 0
+  notify: Update GRUB
+  register: grub_updated
+
+- name: Check current THP runtime setting
+  ansible.builtin.shell: cat /sys/kernel/mm/transparent_hugepage/enabled
+  register: current_thp
+  changed_when: false
+
+- name: Disable THP at runtime (if not already set to madvise)
+  ansible.builtin.shell: |
+    echo madvise > /sys/kernel/mm/transparent_hugepage/enabled
+    echo madvise > /sys/kernel/mm/transparent_hugepage/defrag
+  when: "'[madvise]' not in current_thp.stdout"
+
+- name: Warn user about reboot requirement
+  ansible.builtin.debug:
+    msg: |
+      WARNING: GRUB configuration has been updated with transparent_hugepage=madvise
+      A REBOOT IS REQUIRED for this change to take effect permanently.
+      The setting has been applied at runtime temporarily.
+  when: grub_updated is changed

roles/valkey/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+- name: Validate required password is set
+  ansible.builtin.assert:
+    that:
+      - valkey_admin_password is defined
+      - valkey_admin_password | length >= 12
+    fail_msg: |
+      valkey_admin_password is required (min 12 chars).
+      See roles/valkey/defaults/main.yml for configuration instructions.
+    success_msg: "Password validation passed"
+
+- name: Configure kernel tuning for Valkey
+  ansible.builtin.import_tasks: kernel-tuning.yml
+
+- name: Load OS-specific variables
+  ansible.builtin.include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_facts['os_family'] }}.yml"
+    - debian.yml
+
+- name: Install Valkey
+  ansible.builtin.package:
+    name: "{{ valkey_package }}"
+    state: present
+
+- name: Deploy Valkey configuration
+  ansible.builtin.template:
+    src: valkey.conf.j2
+    dest: "{{ valkey_config_file }}"
+    owner: "{{ valkey_user }}"
+    group: "{{ valkey_group }}"
+    mode: "0640"
+  notify: Restart Valkey
+
+- name: Deploy Valkey ACL file
+  ansible.builtin.template:
+    src: users.acl.j2
+    dest: "{{ valkey_acl_file }}"
+    owner: "{{ valkey_user }}"
+    group: "{{ valkey_group }}"
+    mode: "0640"
+  notify: Restart Valkey
+
+- name: Enable and start Valkey service
+  ansible.builtin.systemd:
+    name: "{{ valkey_service_name }}"
+    enabled: true
+    state: started
+
+- name: Setup firewall rules for Valkey
+  community.general.ufw:
+    rule: allow
+    src: "{{ item }}"
+    port: "{{ valkey_port }}"
+    proto: tcp
+    direction: in
+    comment: "Valkey"
+  loop: "{{ valkey_firewall_allowed_sources }}"