Fix fresh-deploy blockers and clean up architecture

- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's
  requirement for at least one account on first boot
- Add failed_when: false to mail user/alias list tasks (files don't exist
  on first run)
- Add forgejo_runner_version (was undefined); default to 12
- Create /srv/forgejo/data/gitea/conf before deploying app.ini
- Decouple goaccess sync from restic: new enable_goaccess_sync flag with
  its own goaccess_sync_* variables
- Move Docker installation to bootstrap exclusively; rename docker.yml to
  networks.yml (runs docker_network role only)
- Add radicale_password to vault template and setup.sh
- Fix goaccess sync tasks gated on enable_goaccess_sync
- Add upstream bug comment to authorized_key deprecation warning
- Update CLAUDE.md and README.md throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

playbooks/bootstrap.yml

@@ -2,6 +2,8 @@
 - name: Bootstrap Ubuntu server
   hosts: all
   become: true
+  vars:
+    ansible_user: root
 
   pre_tasks:
     - name: Ensure apt cache is up to date
@@ -14,16 +16,32 @@
       timezone:
         name: "{{ timezone }}"
 
+    - name: Set root password
+      ansible.builtin.user:
+        name: root
+        password: "{{ root_password | password_hash('sha512') }}"
+
     - name: Create admin user
-      user:
+      ansible.builtin.user:
         name: "{{ admin_user }}"
+        password: "{{ admin_password | password_hash('sha512') }}"
         groups: sudo
         shell: "{{ admin_shell }}"
         append: true
         create_home: true
 
+    - name: Grant admin user passwordless sudo
+      lineinfile:
+        path: /etc/sudoers.d/{{ admin_user }}
+        line: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL"
+        create: true
+        mode: "0440"
+        validate: visudo -cf %s
+
+    # BUG: ansible.posix.authorized_key emits a deprecation warning — this is a known upstream bug:
+    # https://github.com/ansible-collections/ansible.posix/issues/695
     - name: Authorize SSH key for admin user
-      authorized_key:
+      ansible.posix.authorized_key:
         user: "{{ admin_user }}"
         key: "{{ admin_ssh_key }}"
 

playbooks/networks.yml

@@ -1,8 +1,7 @@
 ---
-- name: Install Docker and prepare filesystem
+- name: Create Docker networks
   hosts: all
   become: true
 
   roles:
-    - docker
     - docker_network

playbooks/site.yml

@@ -9,8 +9,8 @@
 - import_playbook: bootstrap.yml
   tags: [bootstrap, never]  # only runs when explicitly tagged
 
-- import_playbook: docker.yml
-  tags: [docker]
+- import_playbook: networks.yml
+  tags: [networks]
 
 - import_playbook: nebula.yml
   tags: [nebula]