
Refactor infrastructure into separate docker-compose#133

Merged
jmfk merged 1 commit into main from infra/refactor-docker-compose
Dec 21, 2025

Conversation

@jmfk (Owner) commented Dec 21, 2025

This PR separates the core infrastructure (DB, Redis, MinIO, imgproxy) into a dedicated docker-compose.infra.yml and updates the Makefile to manage both stacks. This enables shared infrastructure access across different services and improves development workflow.

@claude bot commented Dec 21, 2025

Claude finished @jmfk's task
Security and Bug Review

Reviewing this infrastructure refactor PR for bugs and security issues.

Todo List:

  • Read and analyze docker-compose.infra.yml for security issues
  • Review docker-compose.dev.yml changes
  • Check Makefile modifications
  • Review .gitignore changes
  • Provide summary of findings

Security Issues Found:

docker-compose.infra.yml:

  1. Default credentials exposed (lines 10-11, 47-48): PostgreSQL and MinIO using default credentials (postgres/postgres, minioadmin/minioadmin) exposed in source code
  2. POSTGRES_HOST_AUTH_METHOD: trust (line 12): Allows connections without password authentication
  3. IMGPROXY_ALLOW_UNSAFE_URL: true (line 68): Allows imgproxy to fetch images from unsafe URLs, potential SSRF risk
  4. IMGPROXY_IGNORE_SSL_VERIFICATION: true (line 88): Disables SSL verification for external requests

docker-compose.dev.yml:

  5. Hardcoded secrets (lines 34-35): IMGPROXY_KEY and IMGPROXY_SALT are hardcoded in environment variables
  6. Hardcoded API token (line 98): API_TOKEN hardcoded in theme-sync service environment

Non-Critical Issues:

  • Development secrets (line 25): SECRET_KEY is clearly marked as dev-only but should use environment variable
  • External network dependency (line 112): References external network that may not exist

Assessment:

The security issues are primarily development-related but should be addressed before production use. The infrastructure separation itself is well-implemented.
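As an added example, not part of this PR or the project's own tooling, the following Python script lints a Compose file for the classes of settings the review above lists: password-less `POSTGRES_HOST_AUTH_METHOD: trust`, imgproxy's `IMGPROXY_ALLOW_UNSAFE_URL` and `IMGPROXY_IGNORE_SSL_VERIFICATION` switched on, default PostgreSQL/MinIO credentials, and secrets such as `IMGPROXY_KEY`, `IMGPROXY_SALT` or `API_TOKEN` written as literals instead of `${VAR:?...}` interpolation. The two Compose fragments embedded in it are constructed for the example (one weak, one hardened); the `environment:` blocks are hand-parsed so the script runs without PyYAML, which means it only understands the two-space-indented layout shown and is a pre-commit check, not a full Compose parser.

```python
"""Flag weak settings in a docker-compose file (constructed example)."""
import re

# Constructed weak fragment mirroring the kinds of settings flagged in the review.
WEAK_COMPOSE = """\
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_HOST_AUTH_METHOD: trust
  minio:
    image: minio/minio
    environment:
      - MINIO_ROOT_USER=minioadmin
      - MINIO_ROOT_PASSWORD=minioadmin
  imgproxy:
    image: darthsim/imgproxy
    environment:
      IMGPROXY_ALLOW_UNSAFE_URL: "true"
      IMGPROXY_IGNORE_SSL_VERIFICATION: "true"
      IMGPROXY_KEY: "0123abcd"
"""

# Constructed hardened fragment: secrets come from the environment/.env and
# Compose fails fast (`${VAR:?msg}`) when one is missing; no trust auth.
HARDENED_COMPOSE = """\
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: ${POSTGRES_USER:?set in .env}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set in .env}
  imgproxy:
    image: darthsim/imgproxy
    environment:
      IMGPROXY_KEY: ${IMGPROXY_KEY:?set in .env}
      IMGPROXY_SALT: ${IMGPROXY_SALT:?set in .env}
"""

DEFAULT_CREDS = {"postgres", "minioadmin"}          # image default passwords
SECRET_KEYS = {"POSTGRES_PASSWORD", "MINIO_ROOT_PASSWORD", "IMGPROXY_KEY",
               "IMGPROXY_SALT", "API_TOKEN", "SECRET_KEY"}
DANGEROUS = {                                        # key -> value that is unsafe
    "POSTGRES_HOST_AUTH_METHOD": "trust",
    "IMGPROXY_ALLOW_UNSAFE_URL": "true",
    "IMGPROXY_IGNORE_SSL_VERIFICATION": "true",
}
ENV_LINE = re.compile(r"-?\s*([A-Z0-9_]+)\s*[:=]\s*(.*)$")


def parse_environments(text):
    """Return {service: {KEY: value}} from each service's environment block.

    Handles both the mapping form (KEY: value) and the list form (- KEY=value).
    """
    services, service, in_env, env_indent = {}, None, False, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2 and stripped.endswith(":"):      # new service
            service, in_env = stripped[:-1], False
            services[service] = {}
            continue
        if service and indent == 4 and stripped == "environment:":
            in_env, env_indent = True, None
            continue
        if in_env:
            env_indent = indent if env_indent is None else env_indent
            if indent < env_indent:                      # left the block
                in_env = False
                continue
            m = ENV_LINE.match(stripped)
            if m:
                services[service][m.group(1)] = m.group(2).strip().strip("\"'")
    return services


def is_interpolated(value):
    """True when the value is deferred to the environment (${VAR} / ${VAR:?msg})."""
    return value.startswith("${")


def lint(text):
    """Return (service, key, finding) triples for the weak settings found."""
    findings = []
    for svc, env in parse_environments(text).items():
        for key, value in env.items():
            if key in DANGEROUS and value.lower() == DANGEROUS[key]:
                findings.append((svc, key, "dangerous setting"))
            elif key in SECRET_KEYS and not is_interpolated(value):
                kind = "default credential" if value in DEFAULT_CREDS else "hardcoded secret"
                findings.append((svc, key, kind))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(f"{name}: {len(lint(text))} finding(s)")
        for svc, key, kind in lint(text):
            print(f"  {svc}.{key}: {kind}")
```

Run it against the weak fragment and it reports six findings (the trust auth, the two imgproxy switches, the two default passwords and the literal imgproxy key); the hardened fragment reports none because every secret is interpolated and the trust setting is gone. Pointing it at a real file is a matter of reading the file into `lint()`; the `${VAR:?}` form is what makes `docker compose up` refuse to start with an empty secret instead of silently running with a default.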

@jmfk jmfk merged commit e7ba308 into main Dec 21, 2025
1 check passed
@jmfk jmfk deleted the infra/refactor-docker-compose branch December 21, 2025 10:01