Convert Podman Quadlet deployment from rootful to rootless

Converts Foreman deployment to rootless Podman containers with dedicated
service user and proper namespace isolation.

Key changes:

- Auto-allocate matching UID/GID for foreman service user
- Map container volumes to proper UIDs (PostgreSQL:26, Redis:1001, Pulp:700)
- Move certificates from /root to /var/lib/foreman with correct ownership
- Add migration playbook for converting existing rootful deployments
- Move Quadlet files to user scope (~/.config/containers/systemd)
- Enable loginctl linger and configure unprivileged ports

New components:

- rootless_user role: Service user creation with auto-allocation
- migrate-to-rootless playbook: Automated rootful-to-rootless migration

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: pablomh

docs/certificates.md

@@ -42,14 +42,18 @@ foremanctl deploy --certificate-source=installer
 After deployment, certificates are available at:
 
 **Default Source:**
-- CA Certificate: `/root/certificates/certs/ca.crt`
-- Server Certificate: `/root/certificates/certs/<hostname>.crt`
-- Client Certificate: `/root/certificates/certs/<hostname>-client.crt`
+- CA Certificate: `/var/lib/foreman/certificates/certs/ca.crt`
+- Server Certificate: `/var/lib/foreman/certificates/certs/<hostname>.crt`
+- Client Certificate: `/var/lib/foreman/certificates/certs/<hostname>-client.crt`
 
 **Installer Source:**
-- CA Certificate: `/root/ssl-build/katello-default-ca.crt`
-- Server Certificate: `/root/ssl-build/<hostname>/<hostname>-apache.crt`
-- Client Certificate: `/root/ssl-build/<hostname>/<hostname>-foreman-client.crt`
+- CA Certificate: `/var/lib/foreman/ssl-build/katello-default-ca.crt`
+- Server Certificate: `/var/lib/foreman/ssl-build/<hostname>/<hostname>-apache.crt`
+- Client Certificate: `/var/lib/foreman/ssl-build/<hostname>/<hostname>-foreman-client.crt`
+
+**Note for Rootless Deployments:**
+- All certificates are owned by `foreman:foreman` user and group
+- If migrating from a rootful deployment with installer certificates, copy them from `/root/ssl-build/` to `/var/lib/foreman/ssl-build/` and ensure proper ownership (`chown -R foreman:foreman /var/lib/foreman/ssl-build/`)
 
 ### Current Limitations
 
@@ -99,16 +103,18 @@ Certificate paths are defined in source-specific variable files:
 
 **Default Source (`src/vars/default_certificates.yml`):**
 ```yaml
+certificates_ca_directory: /var/lib/foreman/certificates
 ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
 server_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_facts['fqdn'] }}.crt"
 client_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_facts['fqdn'] }}-client.crt"
 ```
 
 **Installer Source (`src/vars/installer_certificates.yml`):**
 ```yaml
-ca_certificate: "/root/ssl-build/katello-default-ca.crt"
-server_certificate: "/root/ssl-build/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-apache.crt"
-client_certificate: "/root/ssl-build/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-foreman-client.crt"
+certificates_ca_directory: /var/lib/foreman/ssl-build
+ca_certificate: "{{ certificates_ca_directory }}/katello-default-ca.crt"
+server_certificate: "{{ certificates_ca_directory }}/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-apache.crt"
+client_certificate: "{{ certificates_ca_directory }}/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-foreman-client.crt"
 ```
 
 #### Integration with Deployment
@@ -138,12 +144,14 @@ The `certificate_checks` role uses `foreman-certificate-check` binary to validat
 
 **Directory Structure:**
 ```
-/root/certificates/
+/var/lib/foreman/certificates/
 ├── certs/           # Public certificates
 ├── private/         # Private keys and passwords
 └── requests/        # Certificate signing requests
 ```
 
+All certificate files and directories are owned by `foreman:foreman` to support rootless Podman deployments.
+
 **OpenSSL Configuration:**
 - Custom configuration template supports SAN extensions
 - Single DNS entry per certificate: `subjectAltName = DNS:{{ certificates_hostname }}`

src/playbooks/deploy/deploy.yaml

@@ -14,6 +14,7 @@
     - "../../vars/base.yaml"
   roles:
     - role: pre_install
+    - role: rootless_user
     - role: checks
     - role: certificates
       when: "certificate_source == 'default'"