initial commit: Dawarich LXC role (CT 459 on pve02, .159)

Self-hosted location history. 4-container compose: Rails 8 app + Sidekiq
+ PostGIS 16-3.4 + Redis 7, plus watchtower. Authentik OIDC end-to-end.
Image pinned at freikin/dawarich:1.7.11 (OIDC support requires >= 1.7.8).

PostGIS DB lives in this LXC, not on the central DB VM (.172) — central
image is postgres:16-alpine without postgis, swapping it carries broader
blast radius than colocating here. Convention exception captured in
homelab-docs project_dawarich memory.

Roles:
  - dawarich: system + Docker + compose + weekly prune timer
  - alloy:    logs+journald → Loki, node metrics → Prometheus

Bring-up sequence proven 2026-06-01. README documents the 5-trap build
chain (image version, entrypoint scripts, solid_cache SQLite bind mount,
APPLICATION_HOSTS+localhost, force_ssl+healthcheck).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

roles/alloy/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: Create Alloy directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: cbalders
+    group: cbalders
+    mode: '0755'
+  loop:
+    - /opt/alloy
+    - /var/lib/alloy
+
+- name: Deploy Alloy compose
+  template:
+    src: docker-compose.yml.j2
+    dest: /opt/alloy/docker-compose.yml
+    owner: cbalders
+    group: cbalders
+    mode: '0644'
+  notify: restart alloy
+
+- name: Deploy Alloy config
+  template:
+    src: config.alloy.j2
+    dest: /opt/alloy/config.alloy
+    owner: cbalders
+    group: cbalders
+    mode: '0644'
+  notify: restart alloy
+
+# Bring Alloy up (idempotent — docker compose up -d is a no-op if running
+# and config hasn't changed). The handler force-recreates on config edit.
+- name: Ensure Alloy is running
+  command: docker compose -f /opt/alloy/docker-compose.yml up -d
+  args:
+    chdir: /opt/alloy
+  changed_when: false