Add Cloudflare automation, ngrok tunnel, fix Dockerfiles

- Ansible cloudflare.yml: DNS, SSL, HSTS, Brotli, bot fight, SEO bots allow
- Vault: add cloudflare_zone_id
- Workflow: run cloudflare config before deploy
- docker-compose-dev: add ngrok tunnel, vault, minio
- Ngrok sync script: writes OUTSIDE_URL to .env.local
- Fix Dockerfiles: remove mbstring/xml (built-in PHP 8.4), fix libfreetype-dev
- Makefile: maintenance_on/off, clear_prod
- Playbook: stop_prod, install_prod, start_prod, migrate, clear steps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker-compose-dev.yml

@@ -90,6 +90,53 @@ services:
       - "1025:1025"
       - "8025:8025"
 
+  vault:
+    image: hashicorp/vault:latest
+    container_name: e-ticket_vault
+    cap_add:
+      - IPC_LOCK
+    environment:
+      VAULT_DEV_ROOT_TOKEN_ID: e-ticket
+      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
+    ports:
+      - "8200:8200"
+    volumes:
+      - vault-data:/vault/file
+
+  minio:
+    image: minio/minio:latest
+    container_name: e-ticket_minio
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: e-ticket
+      MINIO_ROOT_PASSWORD: e-ticket
+    ports:
+      - "9090:9000"
+      - "9001:9001"
+    volumes:
+      - minio-data:/data
+
+  ngrok:
+    image: ngrok/ngrok:latest
+    container_name: e-ticket_ngrok
+    command: http caddy:80 --log stdout
+    environment:
+      NGROK_AUTHTOKEN: GXtZtKtRxRF5TFV5pCKD_25f1ALUyQQ9LkyQJgv1dr
+    ports:
+      - "4040:4040"
+    depends_on:
+      - caddy
+
+  ngrok-sync:
+    image: curlimages/curl:latest
+    container_name: e-ticket_ngrok_sync
+    volumes:
+      - .:/app
+      - ./docker/ngrok/sync.sh:/sync.sh
+    depends_on:
+      - ngrok
+    entrypoint: sh /sync.sh
+
   redisinsight:
     image: redis/redisinsight:latest
     container_name: e-ticket_redisinsight
@@ -103,3 +150,5 @@ volumes:
   db-data:
   redis-data:
   bun-modules:
+  vault-data:
+  minio-data: