Add devpi PyPI caching proxy role for indri (#9)

## Summary
- Add ansible role for devpi-server as a transparent PyPI caching proxy
- LaunchAgent with KeepAlive runs via `mise x -- devpi-server`
- Listens on port 3141, data stored in `~/devpi`
- Health checks added to `indri-services-check` script

## Manual Setup Required (on indri, before provisioning)
1. Add to `~/.config/mise/config.toml`:
   ```toml
   [tools]
   "pipx:devpi-server" = "latest"
   "pipx:devpi-web" = "latest"
   "pipx:devpi-client" = "latest"
   ```
2. Run `mise install`
3. Initialize: `mise x -- devpi-init --serverdir ~/devpi`

## Post-Provisioning
- Set up Tailscale service `pypi` on port 443 → 3141
- Configure client pip.conf with index-url

## Test plan
- [x] Ansible syntax check passes
- [x] Dry-run: `mise run provision-indri -- --check --diff`
- [x] Apply: `mise run provision-indri`
- [x] Health check: `mise run indri-services-check`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/9

ansible/roles/devpi/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+# Note: devpi is installed via mise (pipx/uvx), not managed here.
+#
+# ONE-TIME SETUP (before running ansible):
+#
+# 1. Add to ~/.config/mise/config.toml on indri:
+#
+#    [tools]
+#    "pipx:devpi-server" = { version = "latest", uvx = "true", uvx_args = "--with devpi-web" }
+#    "pipx:devpi-client" = { version = "latest", uvx = "true" }
+#
+# 2. Install: mise install
+#
+# 3. Initialize with root password (generate password in 1password):
+#    mise x -- devpi-init --serverdir {{ devpi_serverdir }} --root-passwd YOUR_PASSWORD
+#
+# 4. Run ansible to deploy LaunchAgent
+#
+# 5. Set up Tailscale service (see management log)
+
+- name: Ensure devpi data directory exists
+  ansible.builtin.file:
+    path: "{{ devpi_serverdir }}"
+    state: directory
+    mode: '0755'
+
+- name: Generate devpi secret file if not exists
+  ansible.builtin.shell: |
+    openssl rand -hex 32 > "{{ devpi_secretfile }}"
+  args:
+    creates: "{{ devpi_secretfile }}"
+
+- name: Ensure devpi secret file has secure permissions
+  ansible.builtin.file:
+    path: "{{ devpi_secretfile }}"
+    mode: '0600'
+
+- name: Deploy devpi LaunchAgent plist
+  ansible.builtin.template:
+    src: devpi.plist.j2
+    dest: ~/Library/LaunchAgents/mcquack.eblume.devpi.plist
+    mode: '0644'
+  notify: reload devpi
+
+- name: Check if devpi LaunchAgent is loaded
+  ansible.builtin.command: launchctl list mcquack.eblume.devpi
+  register: launchctl_check
+  changed_when: false
+  failed_when: false
+
+- name: Load devpi LaunchAgent if not loaded
+  ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.devpi.plist
+  when: launchctl_check.rc != 0
+  failed_when: false