Initial commit: breakpilot-core - Shared Infrastructure

Docker Compose with 24+ services:
- PostgreSQL (PostGIS), Valkey, MinIO, Qdrant
- Vault (PKI/TLS), Nginx (Reverse Proxy)
- Backend Core API, Consent Service, Billing Service
- RAG Service, Embedding Service
- Gitea, Woodpecker CI/CD
- Night Scheduler, Health Aggregator
- Jitsi (Web/XMPP/JVB/Jicofo), Mailpit

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

vault/agent/config.hcl

@@ -0,0 +1,44 @@
+# Vault Agent Configuration for BreakPilot SSL Certificates
+# Automatically renews certificates and updates nginx
+
+pid_file = "/tmp/vault-agent.pid"
+
+vault {
+  address = "http://vault:8200"
+  retry {
+    num_retries = 5
+  }
+}
+
+auto_auth {
+  method "approle" {
+    mount_path = "auth/approle"
+    config = {
+      role_id_file_path   = "/vault/agent/data/role-id"
+      secret_id_file_path = "/vault/agent/data/secret-id"
+      remove_secret_id_file_after_reading = false
+    }
+  }
+
+  sink "file" {
+    config = {
+      path = "/vault/agent/data/token"
+      mode = 0600
+    }
+  }
+}
+
+# Single template that generates all certificate components
+# Uses a single pkiCert call to ensure cert/key match
+template {
+  source      = "/vault/agent/templates/all.tpl"
+  destination = "/vault/certs/combined.pem"
+  perms       = 0600
+  command     = "sh /vault/agent/split-certs.sh"
+}
+
+# Listener for debugging (optional)
+listener "tcp" {
+  address     = "127.0.0.1:8100"
+  tls_disable = true
+}

vault/agent/split-certs.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+# Split combined certificate file into separate components
+
+COMBINED="/vault/certs/combined.pem"
+CERT_FILE="/vault/certs/macmini.crt"
+KEY_FILE="/vault/certs/macmini.key"
+CA_FILE="/vault/certs/ca-chain.crt"
+
+# Extract certificate (between ===CERT=== and ===CA===)
+sed -n '/===CERT===/,/===CA===/p' "$COMBINED" | sed '1d;$d' > "$CERT_FILE"
+
+# Append CA to certificate file for full chain
+sed -n '/===CA===/,/===KEY===/p' "$COMBINED" | sed '1d;$d' >> "$CERT_FILE"
+
+# Extract CA chain
+sed -n '/===CA===/,/===KEY===/p' "$COMBINED" | sed '1d;$d' > "$CA_FILE"
+
+# Extract private key
+sed -n '/===KEY===/,$p' "$COMBINED" | sed '1d' > "$KEY_FILE"
+
+# Set permissions
+chmod 644 "$CERT_FILE" "$CA_FILE"
+chmod 600 "$KEY_FILE"
+
+# Reload nginx if running
+nginx -s reload 2>/dev/null || true
+
+echo "Certificates split successfully"

vault/agent/templates/all.tpl

@@ -0,0 +1,9 @@
+{{- /* Combined Certificate Template - generates all certificate components from a single PKI call */ -}}
+{{- with pkiCert "pki_int/issue/breakpilot-internal" "common_name=macmini" "alt_names=localhost,macmini.local" "ip_sans=127.0.0.1,192.168.178.163" "ttl=168h" -}}
+===CERT===
+{{ .Cert }}
+===CA===
+{{ .CA }}
+===KEY===
+{{ .Key }}
+{{- end -}}

vault/agent/templates/ca-chain.tpl

@@ -0,0 +1,4 @@
+{{- /* CA Chain Template */ -}}
+{{- with pkiCert "pki_int/issue/breakpilot-internal" "common_name=macmini" "alt_names=localhost,macmini.local" "ip_sans=127.0.0.1,192.168.178.163" "ttl=168h" -}}
+{{ .CA }}
+{{- end -}}

vault/agent/templates/cert.tpl

@@ -0,0 +1,5 @@
+{{- /* Certificate Template for macmini */ -}}
+{{- with pkiCert "pki_int/issue/breakpilot-internal" "common_name=macmini" "alt_names=localhost,macmini.local" "ip_sans=127.0.0.1,192.168.178.163" "ttl=168h" -}}
+{{ .Cert }}
+{{ .CA }}
+{{- end -}}

vault/agent/templates/key.tpl

@@ -0,0 +1,4 @@
+{{- /* Private Key Template for macmini */ -}}
+{{- with pkiCert "pki_int/issue/breakpilot-internal" "common_name=macmini" "alt_names=localhost,macmini.local" "ip_sans=127.0.0.1,192.168.178.163" "ttl=168h" -}}
+{{ .Key }}
+{{- end -}}