feat(infra): add local pull-through mirrors for NuGet, npm, Docker Hub

docker-compose.mirror.yml:
  - BaGet  (port 5101) → proxies nuget.org
  - Verdaccio (port 4873) → proxies npmjs.com
  - registry:2 (port 5100) → proxies Docker Hub

nuget.mirror.config: points dotnet restore at http://mirror:5101
mirrors/verdaccio/config.yaml: open reads, upstream npmjs fallback

CI workflow:
  - All container jobs: --add-host=mirror:host-gateway
  - dotnet restore --configfile nuget.mirror.config
  - npm install --registry http://mirror:4873

First run: packages fetched from upstream through the VPS.
All subsequent runs: served from local disk, no CDN needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.mirror.yml

@@ -0,0 +1,90 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# Local pull-through mirrors
+# ─────────────────────────────────────────────────────────────────────────────
+# Start:   docker compose -f docker-compose.mirror.yml up -d
+# Stop:    docker compose -f docker-compose.mirror.yml down
+#
+# Endpoints (reachable from CI containers via host-gateway as "mirror"):
+#   NuGet  →  http://SERVER_IP:5101/v3/index.json
+#   npm    →  http://SERVER_IP:4873
+#   Docker →  http://SERVER_IP:5100   (add to /etc/docker/daemon.json)
+#
+# First request for any package fetches from upstream and caches locally.
+# Subsequent requests are served from disk — no upstream needed.
+# ─────────────────────────────────────────────────────────────────────────────
+
+services:
+
+  # ── NuGet mirror (BaGet) ────────────────────────────────────────────────────
+  # Proxies → https://api.nuget.org/v3/index.json
+  # CI usage: dotnet restore --configfile nuget.mirror.config
+  baget:
+    image: loicsharma/baget:latest
+    restart: unless-stopped
+    environment:
+      ApiKey: "ci-mirror-key"          # only needed for package *publish*; reads are open
+      Storage__Type: FileSystem
+      Storage__Path: /var/baget/packages
+      Database__Type: Sqlite
+      Database__ConnectionString: "Data Source=/var/baget/db/baget.db"
+      Mirror__Enabled: "true"
+      Mirror__PackageSource: "https://api.nuget.org/v3/index.json"
+    volumes:
+      - baget-packages:/var/baget/packages
+      - baget-db:/var/baget/db
+    ports:
+      - "5101:80"
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  # ── npm mirror (Verdaccio) ──────────────────────────────────────────────────
+  # Proxies → https://registry.npmjs.org
+  # CI usage: npm install --registry http://mirror:4873
+  verdaccio:
+    image: verdaccio/verdaccio:latest
+    restart: unless-stopped
+    volumes:
+      - verdaccio-storage:/verdaccio/storage
+      - ./mirrors/verdaccio/config.yaml:/verdaccio/conf/config.yaml:ro
+    ports:
+      - "4873:4873"
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:4873/-/ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  # ── Docker Hub pull-through cache ───────────────────────────────────────────
+  # Proxies → https://registry-1.docker.io  (Docker Hub only)
+  # Activate by adding to /etc/docker/daemon.json on the server:
+  #   { "registry-mirrors": ["http://localhost:5100"] }
+  # then: systemctl restart docker
+  registry:
+    image: registry:2
+    restart: unless-stopped
+    environment:
+      REGISTRY_PROXY_REMOTEURL: "https://registry-1.docker.io"
+      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
+      REGISTRY_PROXY_TTL: "168h"       # cache pulled layers for 7 days
+    volumes:
+      - registry-data:/data
+    ports:
+      - "5100:5000"
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:5000/v2/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+volumes:
+  baget-packages:
+    name: meezi-mirror-baget-packages
+  baget-db:
+    name: meezi-mirror-baget-db
+  verdaccio-storage:
+    name: meezi-mirror-verdaccio
+  registry-data:
+    name: meezi-mirror-registry