add vault bootstrap for services and vault deploy app

vault/.dockerignore

@@ -0,0 +1,2 @@
+backups/
+*.json

vault/Dockerfile

@@ -0,0 +1,7 @@
+FROM hashicorp/vault:1.21.3
+
+COPY config /vault/config
+
+EXPOSE 8200 8201
+
+CMD ["vault", "server", "-config=/vault/config/vault.hcl"]

vault/README.md

@@ -0,0 +1,31 @@
+# Vault Setup
+
+This folder is intended for Dokploy deployment via `Dockerfile` (not docker-compose).
+
+## Build/Run
+
+Container image uses `vault/config/vault.hcl` and starts:
+
+```bash
+vault server -config=/vault/config/vault.hcl
+```
+
+Required runtime settings in Dokploy:
+
+- add capability: `IPC_LOCK`
+- mount persistent volume to `/vault/data`
+- expose port `8200` (API)
+- optionally expose `8201` (cluster)
+
+## KV Layout
+
+Vault stores environment variables in KV v2 under:
+
+- `secret/shared/<env>`
+- `secret/projects/<project>/<env>`
+
+Examples:
+
+- `secret/shared/prod`
+- `secret/projects/backend/prod`
+- `secret/projects/frontend/prod`

vault/config/vault.hcl

@@ -0,0 +1,16 @@
+ui = true
+disable_mlock = true
+
+storage "raft" {
+  path    = "/vault/data"
+  node_id = "vault-1"
+}
+
+listener "tcp" {
+  address         = "0.0.0.0:8200"
+  cluster_address = "0.0.0.0:8201"
+  tls_disable     = 1
+}
+
+cluster_addr = "http://127.0.0.1:8201"
+api_addr     = "http://0.0.0.0:8200"