refactor: reorganize fluent-bit and geoip out of containers

- Move fluent-bit to common role (systemd service, not a container)
- Move geoip to podman/tasks/data/ (data prep, not a container)
- Remove debyltech tag from geoip (not a debyltech service)
- Fix check_mode for fetch subuid task to enable dry-run mode

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/roles/podman/tasks/containers/base/fluent-bit.yml

@@ -1,64 +0,0 @@
----
-# Fluent Bit - Log forwarder from journald to Graylog GELF
-# Deployed as systemd service (not container) for direct journal access
-
-# Clean up old container deployment if it exists
-- name: stop and remove fluent-bit container if exists
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_container:
-    name: fluent-bit
-    state: absent
-  ignore_errors: true
-
-- name: disable old fluent-bit container systemd service
-  become: true
-  become_user: "{{ podman_user }}"
-  ansible.builtin.systemd:
-    name: fluent-bit
-    enabled: false
-    state: stopped
-    scope: user
-  ignore_errors: true
-
-- name: install fluent-bit package
-  become: true
-  ansible.builtin.dnf:
-    name: fluent-bit
-    state: present
-
-- name: create fluent-bit state directory for tail db files
-  become: true
-  ansible.builtin.file:
-    path: /var/lib/fluent-bit
-    state: directory
-    owner: root
-    group: root
-    mode: '0755'
-
-- name: deploy fluent-bit parsers configuration
-  become: true
-  ansible.builtin.template:
-    src: fluent-bit/parsers.conf.j2
-    dest: /etc/fluent-bit/parsers.conf
-    owner: root
-    group: root
-    mode: '0644'
-  notify: restart fluent-bit
-
-- name: deploy fluent-bit configuration
-  become: true
-  ansible.builtin.template:
-    src: fluent-bit/fluent-bit.conf.j2
-    dest: /etc/fluent-bit/fluent-bit.conf
-    owner: root
-    group: root
-    mode: '0644'
-  notify: restart fluent-bit
-
-- name: enable and start fluent-bit service
-  become: true
-  ansible.builtin.systemd:
-    name: fluent-bit
-    enabled: true
-    state: started

ansible/roles/podman/tasks/containers/debyltech/geoip.yml

@@ -1,59 +0,0 @@
----
-# Download MaxMind GeoLite2 database for Graylog GeoIP enrichment
-# Requires free MaxMind account: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
-
-- name: create geoip directory
-  become: true
-  ansible.builtin.file:
-    path: "{{ geoip_path }}"
-    state: directory
-    owner: "{{ podman_subuid.stdout }}"
-    group: "{{ podman_subuid.stdout }}"
-    mode: '0755'
-  notify: restorecon podman
-  tags: graylog, geoip
-
-- name: download GeoLite2 database
-  become: true
-  ansible.builtin.get_url:
-    url: "https://download.maxmind.com/geoip/databases/{{ geoip_database_edition }}/download?suffix=tar.gz"
-    dest: "{{ geoip_path }}/{{ geoip_database_edition }}.tar.gz"
-    url_username: "{{ geoip_maxmind_account_id }}"
-    url_password: "{{ geoip_maxmind_license_key }}"
-    force: false
-    mode: '0644'
-  register: geoip_download
-  tags: graylog, geoip
-
-- name: extract GeoLite2 database
-  become: true
-  ansible.builtin.unarchive:
-    src: "{{ geoip_path }}/{{ geoip_database_edition }}.tar.gz"
-    dest: "{{ geoip_path }}"
-    remote_src: true
-    extra_opts:
-      - --strip-components=1
-      - --wildcards
-      - "*/{{ geoip_database_edition }}.mmdb"
-  when: geoip_download.changed
-  tags: graylog, geoip
-
-# Fix ownership of downloaded files to podman user's subuid range
-- name: fix geoip files ownership for podman user
-  become: true
-  ansible.builtin.file:
-    path: "{{ geoip_path }}"
-    state: directory
-    owner: "{{ podman_subuid.stdout }}"
-    group: "{{ podman_subuid.stdout }}"
-    recurse: true
-  tags: graylog, geoip
-
-# Graylog runs as UID 1100 inside the container
-- name: fix geoip database ownership for graylog container
-  become: true
-  become_user: "{{ podman_user }}"
-  changed_when: false
-  ansible.builtin.command: |
-    podman unshare chown -R 1100:1100 {{ geoip_path }}
-  tags: graylog, geoip