refactor: reorganize fluent-bit and geoip out of containers

- Move fluent-bit to common role (systemd service, not a container)
- Move geoip to podman/tasks/data/ (data prep, not a container)
- Remove debyltech tag from geoip (not a debyltech service)
- Fix check_mode for fetch subuid task to enable dry-run mode

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/roles/common/tasks/fluent-bit.yml

@@ -0,0 +1,45 @@
+---
+# Fluent Bit - Log forwarder from journald to Graylog GELF
+# Deployed as systemd service (not container) for direct journal access
+
+- name: install fluent-bit package
+  become: true
+  ansible.builtin.dnf:
+    name: fluent-bit
+    state: present
+
+- name: create fluent-bit state directory for tail db files
+  become: true
+  ansible.builtin.file:
+    path: /var/lib/fluent-bit
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: deploy fluent-bit parsers configuration
+  become: true
+  ansible.builtin.template:
+    src: fluent-bit/parsers.conf.j2
+    dest: /etc/fluent-bit/parsers.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart fluent-bit
+
+- name: deploy fluent-bit configuration
+  become: true
+  ansible.builtin.template:
+    src: fluent-bit/fluent-bit.conf.j2
+    dest: /etc/fluent-bit/fluent-bit.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart fluent-bit
+
+- name: enable and start fluent-bit service
+  become: true
+  ansible.builtin.systemd:
+    name: fluent-bit
+    enabled: true
+    state: started

ansible/roles/common/tasks/main.yml

@@ -3,6 +3,9 @@
 - import_tasks: security.yml
 - import_tasks: service.yml
 
+- import_tasks: fluent-bit.yml
+  tags: fluent-bit, graylog
+
 - name: create the docker group
   become: true
   ansible.builtin.group: