Rewrite every role to run as usernamespaced container from root
Sometime ago i decided that's how i want to run podman containers in 'production'. But there are still some roles left to port. Some of them i'm kind of scared as they need so special treatment regarding to non-consistent UID assignment (looking at you gitlab-omnibus).