chore(infra): add env templates and bootstrap script; ignore secrets in git

infra/env/common.env.example

@@ -0,0 +1,14 @@
+# Global/defaults
+INFRASTRUCTURE_LABEL=mindboost
+TZ=UTC
+
+# Traefik / proxy
+TRAEFIK_NETWORK=proxy
+TRAEFIK_HTTP_PORT=80
+TRAEFIK_HTTPS_PORT=443
+TRAEFIK_LOG_LEVEL=INFO
+ACME_EMAIL=you@example.com
+TRAEFIK_DASHBOARD_DOMAIN=traefik.example.com
+# Optional basic auth users for dashboard (format: user:hashed)
+#TRAEFIK_BASIC_AUTH_USERS=admin:$2y$05$...
+

infra/env/development/common.env

@@ -0,0 +1,11 @@
+# Development defaults (copy to production and adjust as needed)
+INFRASTRUCTURE_LABEL=dev
+TZ=UTC
+
+TRAEFIK_NETWORK=proxy
+TRAEFIK_HTTP_PORT=80
+TRAEFIK_HTTPS_PORT=443
+TRAEFIK_LOG_LEVEL=INFO
+ACME_EMAIL=dev@example.com
+TRAEFIK_DASHBOARD_DOMAIN=traefik.local
+

scripts/infra/bootstrap.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Create external proxy network if it doesn't exist and prepare Traefik state
+
+NETWORK_NAME=${TRAEFIK_NETWORK:-proxy}
+ACME_FILE="infra/core/traefik/data/acme.json"
+
+echo "[bootstrap] Ensuring external network '${NETWORK_NAME}' exists..."
+if ! docker network ls --format '{{.Name}}' | grep -qx "${NETWORK_NAME}"; then
+  docker network create "${NETWORK_NAME}"
+  echo "[bootstrap] Created network '${NETWORK_NAME}'."
+else
+  echo "[bootstrap] Network '${NETWORK_NAME}' already exists."
+fi
+
+echo "[bootstrap] Ensuring ACME storage exists with correct permissions..."
+mkdir -p "$(dirname "${ACME_FILE}")"
+touch "${ACME_FILE}"
+chmod 600 "${ACME_FILE}"
+echo "[bootstrap] ACME storage ready at ${ACME_FILE}."
+
+echo "[bootstrap] Done."
+