The database@server notation expressed in the logs is cool, but is not how it is expressed to actually connect. That threw up a red herring.

I had to create all of the postgres users

Postgres ident authentication requires an ident server such as oidentd. It used to be installed by default, but must be installed after the fact by the system admin now.

Your guess about a not-clean system is not too far off.  Just before this email came in I hit a snag with the CA and key generation. I ran engine-cleanup, then ran engine-setup again, and now the non-UI functions of the engine are (apparently) back up.

Now the engine is running, but the web gui is throwing 500 errors. Internet cut out so I'll get back to it in the morning.