refactor: reorganize fluent-bit and geoip out of containers

- Move fluent-bit to common role (systemd service, not a container)
- Move geoip to podman/tasks/data/ (data prep, not a container)
- Remove debyltech tag from geoip (not a debyltech service)
- Fix check_mode for fetch subuid task to enable dry-run mode

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/roles/podman/handlers/main.yml

@@ -42,11 +42,3 @@
     scope: user
   tags:
     - zomboid
-
-- name: restart fluent-bit
-  become: true
-  ansible.builtin.systemd:
-    name: fluent-bit
-    state: restarted
-  tags:
-    - fluent-bit

ansible/roles/podman/tasks/containers/base/fluent-bit.yml

@@ -1,64 +0,0 @@
----
-# Fluent Bit - Log forwarder from journald to Graylog GELF
-# Deployed as systemd service (not container) for direct journal access
-
-# Clean up old container deployment if it exists
-- name: stop and remove fluent-bit container if exists
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_container:
-    name: fluent-bit
-    state: absent
-  ignore_errors: true
-
-- name: disable old fluent-bit container systemd service
-  become: true
-  become_user: "{{ podman_user }}"
-  ansible.builtin.systemd:
-    name: fluent-bit
-    enabled: false
-    state: stopped
-    scope: user
-  ignore_errors: true
-
-- name: install fluent-bit package
-  become: true
-  ansible.builtin.dnf:
-    name: fluent-bit
-    state: present
-
-- name: create fluent-bit state directory for tail db files
-  become: true
-  ansible.builtin.file:
-    path: /var/lib/fluent-bit
-    state: directory
-    owner: root
-    group: root
-    mode: '0755'
-
-- name: deploy fluent-bit parsers configuration
-  become: true
-  ansible.builtin.template:
-    src: fluent-bit/parsers.conf.j2
-    dest: /etc/fluent-bit/parsers.conf
-    owner: root
-    group: root
-    mode: '0644'
-  notify: restart fluent-bit
-
-- name: deploy fluent-bit configuration
-  become: true
-  ansible.builtin.template:
-    src: fluent-bit/fluent-bit.conf.j2
-    dest: /etc/fluent-bit/fluent-bit.conf
-    owner: root
-    group: root
-    mode: '0644'
-  notify: restart fluent-bit
-
-- name: enable and start fluent-bit service
-  become: true
-  ansible.builtin.systemd:
-    name: fluent-bit
-    enabled: true
-    state: started

ansible/roles/podman/tasks/main.yml

@@ -31,7 +31,7 @@
 
 - import_tasks: containers/home/hass.yml
   vars:
-    image: ghcr.io/home-assistant/home-assistant:2025.9
+    image: ghcr.io/home-assistant/home-assistant:2026.1
   tags: hass
 
 - import_tasks: containers/home/partkeepr.yml
@@ -86,15 +86,16 @@
     image: docker.io/louislam/uptime-kuma:2.0.2
   tags: home, uptime
 
-- import_tasks: containers/debyltech/geoip.yml
-  tags: debyltech, graylog, geoip
+- import_tasks: data/geoip.yml
+  tags: graylog, geoip
 
 - import_tasks: containers/debyltech/graylog.yml
+  vars:
+    mongo_image: docker.io/mongo:7.0
+    opensearch_image: docker.io/opensearchproject/opensearch:2
+    image: docker.io/graylog/graylog:7.0.1
   tags: debyltech, graylog
 
-- import_tasks: containers/base/fluent-bit.yml
-  tags: fluent-bit, graylog
-
 - import_tasks: containers/home/gregtime.yml
   vars:
     image: localhost/greg-time-bot:3.0.2

ansible/roles/podman/tasks/podman/podman.yml

@@ -112,6 +112,7 @@
 - name: fetch subuid of {{ podman_user }}
   become: true
   changed_when: false
+  check_mode: false
   ansible.builtin.shell: |
     set -o pipefail && cat /etc/subuid | awk -F':' '/{{ podman_user }}/{ print $2 }' | head -n 1
   register: podman_subuid

ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2

@@ -1,149 +0,0 @@
-[SERVICE]
-    Flush        5
-    Daemon       Off
-    Log_Level    info
-    Parsers_File parsers.conf
-
-# =============================================================================
-# INPUT: Podman container logs
-# =============================================================================
-# Container logs come from conmon process with CONTAINER_NAME field
-[INPUT]
-    Name            systemd
-    Tag             podman.*
-    Systemd_Filter  _COMM=conmon
-    Read_From_Tail  On
-    Strip_Underscores On
-
-# =============================================================================
-# INPUT: SSH logs for security monitoring
-# =============================================================================
-[INPUT]
-    Name            systemd
-    Tag             ssh.*
-    Systemd_Filter  _SYSTEMD_UNIT=sshd.service
-    Read_From_Tail  On
-    Strip_Underscores On
-
-# =============================================================================
-# INPUT: Kernel firewall logs for Zomboid connections
-# =============================================================================
-# Captures ZOMBOID_CONN firewall events with source IP for player correlation
-[INPUT]
-    Name            systemd
-    Tag             firewall.zomboid
-    Systemd_Filter  _TRANSPORT=kernel
-    Read_From_Tail  On
-    Strip_Underscores On
-
-# =============================================================================
-# INPUT: Kernel firewall logs for Zomboid rate limiting
-# =============================================================================
-# Captures ZOMBOID_RATELIMIT firewall events for fail2ban monitoring
-[INPUT]
-    Name            systemd
-    Tag             firewall.zomboid.ratelimit
-    Systemd_Filter  _TRANSPORT=kernel
-    Read_From_Tail  On
-    Strip_Underscores On
-
-# =============================================================================
-# INPUT: Fail2ban actions (ban/unban events)
-# =============================================================================
-[INPUT]
-    Name            systemd
-    Tag             fail2ban.*
-    Systemd_Filter  _SYSTEMD_UNIT=fail2ban.service
-    Read_From_Tail  On
-    Strip_Underscores On
-
-# =============================================================================
-# INPUT: Caddy access logs (JSON format)
-# =============================================================================
-{% for log_name in caddy_log_names %}
-[INPUT]
-    Name            tail
-    Tag             caddy.{{ log_name }}
-    Path            {{ caddy_log_path }}/{{ log_name }}.log
-    Parser          caddy_json
-    Read_From_Head  False
-    Refresh_Interval 5
-    DB              /var/lib/fluent-bit/caddy_{{ log_name }}.db
-
-{% endfor %}
-# =============================================================================
-# FILTERS: Add metadata for Graylog categorization
-# =============================================================================
-[FILTER]
-    Name          record_modifier
-    Match         podman.*
-    Record        host {{ ansible_hostname }}
-    Record        source podman
-    Record        log_type container
-
-[FILTER]
-    Name          record_modifier
-    Match         ssh.*
-    Record        host {{ ansible_hostname }}
-    Record        source sshd
-    Record        log_type security
-
-# Copy msg to MESSAGE for caddy logs (GELF requires MESSAGE)
-[FILTER]
-    Name          modify
-    Match         caddy.*
-    Copy          msg MESSAGE
-
-[FILTER]
-    Name          record_modifier
-    Match         caddy.*
-    Record        host {{ ansible_hostname }}
-    Record        source caddy
-    Record        log_type access
-
-# Filter kernel logs to only keep ZOMBOID_CONN messages
-[FILTER]
-    Name          grep
-    Match         firewall.zomboid
-    Regex         MESSAGE ZOMBOID_CONN
-
-[FILTER]
-    Name          record_modifier
-    Match         firewall.zomboid
-    Record        host {{ ansible_hostname }}
-    Record        source firewall
-    Record        log_type zomboid_connection
-
-# Filter kernel logs to only keep ZOMBOID_RATELIMIT messages
-[FILTER]
-    Name          grep
-    Match         firewall.zomboid.ratelimit
-    Regex         MESSAGE ZOMBOID_RATELIMIT
-
-[FILTER]
-    Name          record_modifier
-    Match         firewall.zomboid.ratelimit
-    Record        host {{ ansible_hostname }}
-    Record        source firewall
-    Record        log_type zomboid_ratelimit
-
-# Fail2ban ban/unban events
-[FILTER]
-    Name          record_modifier
-    Match         fail2ban.*
-    Record        host {{ ansible_hostname }}
-    Record        source fail2ban
-    Record        log_type security
-
-# =============================================================================
-# OUTPUT: All logs to Graylog GELF UDP
-# =============================================================================
-# Graylog needs a GELF UDP input configured on port 12203
-[OUTPUT]
-    Name          gelf
-    Match         *
-    Host          127.0.0.1
-    Port          12203
-    Mode          udp
-    Gelf_Short_Message_Key MESSAGE
-    Gelf_Host_Key host

ansible/roles/podman/templates/fluent-bit/parsers.conf.j2

@@ -1,24 +0,0 @@
-[PARSER]
-    Name        caddy_json
-    Format      json
-    Time_Key    ts
-    Time_Format %s.%L
-
-# Generic JSON parser for nested message fields
-[PARSER]
-    Name        json
-    Format      json
-
-# Parse ZOMBOID_CONN firewall logs to extract source IP
-# Example: ZOMBOID_CONN: IN=enp0s31f6 OUT= MAC=... SRC=45.5.113.90 DST=192.168.1.10 ...
-[PARSER]
-    Name        zomboid_firewall
-    Format      regex
-    Regex       ZOMBOID_CONN:.*SRC=(?<src_ip>[0-9.]+).*DST=(?<dst_ip>[0-9.]+).*DPT=(?<dst_port>[0-9]+)
-
-# Parse ZOMBOID_RATELIMIT firewall logs to extract source IP
-# Example: ZOMBOID_RATELIMIT: IN=enp0s31f6 OUT= MAC=... SRC=45.5.113.90 DST=192.168.1.10 ...
-[PARSER]
-    Name        zomboid_ratelimit
-    Format      regex
-    Regex       ZOMBOID_RATELIMIT:.*SRC=(?<src_ip>[0-9.]+).*DST=(?<dst_ip>[0-9.]+).*DPT=(?<dst_port>[0-9]+)