feat: add Docker deployment, web installer, and local test environment

- Multi-stage Dockerfiles for API (NestJS) and Web (Next.js standalone)
- docker-compose.prod.yml: full production stack (postgres, redis, keycloak,
  api, web) with optional Caddy/Let's Encrypt via --profile ssl
- docker-compose.local.yml: identical local test stack, all ports exposed
- docker/postgres/init.sql: auto-creates tos_app DB on first start
- Caddyfile: reverse proxy for app domain + auth subdomain
- install.sh: interactive installer (domain, SSL mode, secret generation)
- NestJS SetupModule: @Public() endpoints for /setup/status, /setup/admin,
  /setup/branding, /setup/complete with setup-token guard
- Web installer: 4-step flow (system check, admin creation, branding, complete)
  at /[locale]/setup/* with public middleware bypass
- i18n: installer namespace added to de.json and en.json
- CORS: x-setup-token header allowed in main.ts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker/.env.prod.example

@@ -0,0 +1,46 @@
+# =============================================================================
+# tOS Production Configuration
+# =============================================================================
+# Kopiere diese Datei nach docker/.env und fuelle alle Werte aus.
+# Alternativ: Nutze install.sh fuer eine interaktive Einrichtung.
+#
+# Secrets generieren mit: openssl rand -hex 32
+# =============================================================================
+
+# ---- Application Domain ----------------------------------------------------
+APP_DOMAIN=tos.example.com
+LETSENCRYPT_EMAIL=admin@example.com
+
+# ---- PostgreSQL -------------------------------------------------------------
+POSTGRES_USER=tos_user
+POSTGRES_PASSWORD=CHANGE_ME_run_openssl_rand_hex_32
+POSTGRES_DB=tos_db
+POSTGRES_PORT=5432
+
+# ---- Redis ------------------------------------------------------------------
+REDIS_PORT=6379
+
+# ---- Keycloak ---------------------------------------------------------------
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME_run_openssl_rand_hex_32
+KEYCLOAK_PORT=8080
+KEYCLOAK_REALM=tOS
+
+# ---- Application Secrets ---------------------------------------------------
+# Jedes Secret separat generieren: openssl rand -hex 32
+JWT_SECRET=CHANGE_ME_run_openssl_rand_hex_32
+ENCRYPTION_KEY=CHANGE_ME_run_openssl_rand_hex_32
+NEXTAUTH_SECRET=CHANGE_ME_run_openssl_rand_hex_32
+
+# ---- Keycloak OAuth Clients ------------------------------------------------
+# Nach dem ersten Keycloak-Start aus der Admin-UI auslesen:
+# https://auth.<APP_DOMAIN>/admin/master/console/#/tOS/clients
+KEYCLOAK_CLIENT_ID=tos-backend
+KEYCLOAK_CLIENT_SECRET=CHANGE_ME_from_keycloak_admin_ui
+NEXTAUTH_KEYCLOAK_CLIENT_ID=tos-nextauth
+NEXTAUTH_KEYCLOAK_CLIENT_SECRET=CHANGE_ME_from_keycloak_admin_ui
+
+# ---- Setup Token ------------------------------------------------------------
+# Wird fuer die initiale Einrichtung benoetigt. Nach dem Setup entfernen.
+# Generieren mit: uuidgen || openssl rand -hex 16
+SETUP_TOKEN=CHANGE_ME_generated_by_install_script

docker/Caddyfile

@@ -0,0 +1,30 @@
+# =============================================================================
+# tOS Caddy Reverse Proxy Konfiguration
+# =============================================================================
+# Caddy uebernimmt automatisch Let's Encrypt Zertifikate und HTTPS-Terminierung.
+#
+# Routing:
+#   {APP_DOMAIN}       -> Web Frontend (Next.js)
+#   {APP_DOMAIN}/api/* -> API Backend (NestJS)
+#   auth.{APP_DOMAIN}  -> Keycloak Identity Provider
+# =============================================================================
+{
+	email {$LETSENCRYPT_EMAIL}
+}
+
+# Haupt-Domain: Frontend + API
+{$APP_DOMAIN} {
+	# API-Requests an das NestJS Backend weiterleiten
+	handle /api/* {
+		reverse_proxy api:3001
+	}
+
+	# Alle anderen Requests an das Next.js Frontend
+	reverse_proxy web:3000
+}
+
+# Auth-Subdomain: Keycloak
+auth.{$APP_DOMAIN} {
+	reverse_proxy keycloak:8080
+}
+}

docker/docker-compose.local.yml

@@ -0,0 +1,200 @@
+# =============================================================================
+# tOS Local Docker Compose (Full-Stack)
+# =============================================================================
+# Lokaler Full-Stack zum Testen der containerisierten Anwendung.
+# Alle Services laufen containerisiert mit exponierten Ports.
+#
+# Start:   docker compose -f docker-compose.local.yml up -d --build
+# Stop:    docker compose -f docker-compose.local.yml down
+# Reset:   docker compose -f docker-compose.local.yml down -v
+#
+# Unterschied zum Dev-Stack (docker-compose.yml):
+#   - Dev-Stack: Nur Infra (Postgres, Redis, Keycloak), Apps laufen nativ
+#   - Local-Stack: Alle Services containerisiert (nahe an Produktion)
+# =============================================================================
+
+name: tos-local
+
+services:
+  # ---------------------------------------------------------------------------
+  # PostgreSQL Database
+  # ---------------------------------------------------------------------------
+  postgres:
+    image: postgres:16-alpine
+    container_name: tos-postgres-local
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-tos_user}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-tos_local_password}
+      POSTGRES_DB: ${POSTGRES_DB:-tos_db}
+      POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
+    ports:
+      - "5432:5432"
+    volumes:
+      - postgres_local_data:/var/lib/postgresql/data
+      - ./postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-tos_user} -d ${POSTGRES_DB:-tos_db}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+    networks:
+      - tos-local-network
+
+  # ---------------------------------------------------------------------------
+  # Redis Cache & Queue
+  # ---------------------------------------------------------------------------
+  redis:
+    image: redis:7-alpine
+    container_name: tos-redis-local
+    restart: unless-stopped
+    command: redis-server --appendonly yes
+    ports:
+      - "6379:6379"
+    volumes:
+      - redis_local_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - tos-local-network
+
+  # ---------------------------------------------------------------------------
+  # Keycloak Identity & Access Management (Dev Mode)
+  # ---------------------------------------------------------------------------
+  keycloak:
+    image: quay.io/keycloak/keycloak:24.0
+    container_name: tos-keycloak-local
+    restart: unless-stopped
+    command:
+      - start-dev
+      - --import-realm
+    environment:
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin123}
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-tos_db}
+      KC_DB_USERNAME: ${POSTGRES_USER:-tos_user}
+      KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-tos_local_password}
+      KC_HOSTNAME: localhost
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+      KC_HTTP_ENABLED: "true"
+      KC_HEALTH_ENABLED: "true"
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
+    healthcheck:
+      # Keycloak 24+ (UBI9) hat kein curl - nutze bash TCP redirect
+      test: >
+        bash -c 'exec 3<>/dev/tcp/localhost/8080 &&
+        echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >&3 &&
+        timeout 2 cat <&3 | grep -q "200 OK"'
+      interval: 30s
+      timeout: 15s
+      retries: 5
+      start_period: 90s
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      - tos-local-network
+
+  # ---------------------------------------------------------------------------
+  # tOS API (NestJS Backend)
+  # ---------------------------------------------------------------------------
+  api:
+    build:
+      context: ..
+      dockerfile: apps/api/Dockerfile
+    container_name: tos-api-local
+    restart: unless-stopped
+    environment:
+      NODE_ENV: production
+      PORT: "3001"
+      API_PREFIX: api
+      DATABASE_URL: postgresql://${POSTGRES_USER:-tos_user}:${POSTGRES_PASSWORD:-tos_local_password}@postgres:5432/tos_app
+      JWT_SECRET: ${JWT_SECRET:-local-jwt-secret-not-for-production-use}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY:-local-encryption-key-32-bytes-long!!}
+      KEYCLOAK_URL: http://keycloak:8080
+      KEYCLOAK_REALM: tOS
+      KEYCLOAK_CLIENT_ID: tos-backend
+      KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET:-}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin123}
+      REDIS_HOST: redis
+      REDIS_PORT: "6379"
+      SETUP_TOKEN: ${SETUP_TOKEN:-local-setup-token-for-testing}
+    ports:
+      - "3001:3001"
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+      keycloak:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:3001/api/v1/health/liveness || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    networks:
+      - tos-local-network
+
+  # ---------------------------------------------------------------------------
+  # tOS Web Frontend (Next.js)
+  # ---------------------------------------------------------------------------
+  # HINWEIS zum Keycloak-Issuer-Problem in Docker:
+  # Next.js/NextAuth validiert Tokens server-seitig gegen den Issuer.
+  # Der Browser erreicht Keycloak ueber localhost:8080, aber der Container
+  # muss ueber den Docker-Netzwerknamen "keycloak:8080" zugreifen.
+  #
+  # Loesung: KEYCLOAK_ISSUER fuer Browser-Redirects (localhost),
+  #          NEXTAUTH_KEYCLOAK_ISSUER fuer server-seitige Validierung (Docker-intern)
+  # ---------------------------------------------------------------------------
+  web:
+    build:
+      context: ..
+      dockerfile: apps/web/Dockerfile
+    container_name: tos-web-local
+    restart: unless-stopped
+    environment:
+      NEXT_PUBLIC_APP_URL: http://localhost:3000
+      NEXT_PUBLIC_API_URL: http://localhost:3001/api/v1
+      NEXTAUTH_URL: http://localhost:3000
+      NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:-local-nextauth-secret}
+      KEYCLOAK_CLIENT_ID: tos-nextauth
+      KEYCLOAK_CLIENT_SECRET: ${NEXTAUTH_KEYCLOAK_CLIENT_SECRET:-tos-nextauth-secret-dev}
+      # Browser-seitige Redirects: localhost (erreichbar vom Host)
+      KEYCLOAK_ISSUER: http://localhost:8080/realms/tOS
+      # Server-seitige Token-Validierung: Docker-internes Netzwerk
+      NEXTAUTH_KEYCLOAK_ISSUER: http://keycloak:8080/realms/tOS
+    ports:
+      - "3000:3000"
+    depends_on:
+      api:
+        condition: service_healthy
+    networks:
+      - tos-local-network
+
+# =============================================================================
+# Volumes
+# =============================================================================
+volumes:
+  postgres_local_data:
+    name: tos-local-postgres-data
+  redis_local_data:
+    name: tos-local-redis-data
+
+# =============================================================================
+# Networks
+# =============================================================================
+networks:
+  tos-local-network:
+    name: tos-local-network
+    driver: bridge

docker/docker-compose.prod.yml

@@ -0,0 +1,218 @@
+# =============================================================================
+# tOS Production Docker Compose
+# =============================================================================
+# Vollstaendiger Produktions-Stack mit optionalem SSL via Caddy.
+#
+# Ohne SSL (externer Reverse Proxy):
+#   docker compose -f docker-compose.prod.yml up -d
+#
+# Mit Let's Encrypt SSL (Caddy):
+#   docker compose -f docker-compose.prod.yml --profile ssl up -d
+#
+# Voraussetzungen:
+#   - docker/.env mit allen Secrets (erstellt durch install.sh)
+#   - Docker Images gebaut (api + web)
+# =============================================================================
+
+name: tos-prod
+
+services:
+  # ---------------------------------------------------------------------------
+  # PostgreSQL Database
+  # ---------------------------------------------------------------------------
+  postgres:
+    image: postgres:16-alpine
+    container_name: tos-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-tos_user}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: ${POSTGRES_DB:-tos_db}
+      POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+      - ./postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-tos_user} -d ${POSTGRES_DB:-tos_db}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+    networks:
+      - tos-network
+
+  # ---------------------------------------------------------------------------
+  # Redis Cache & Queue
+  # ---------------------------------------------------------------------------
+  redis:
+    image: redis:7-alpine
+    container_name: tos-redis
+    restart: unless-stopped
+    command: >
+      redis-server
+      --appendonly yes
+      --maxmemory 256mb
+      --maxmemory-policy allkeys-lru
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - tos-network
+
+  # ---------------------------------------------------------------------------
+  # Keycloak Identity & Access Management (Production Mode)
+  # ---------------------------------------------------------------------------
+  keycloak:
+    image: quay.io/keycloak/keycloak:24.0
+    container_name: tos-keycloak
+    restart: unless-stopped
+    # "start" statt "start-dev" fuer Production (aktiviert Caching, deaktiviert Dev-Features)
+    command:
+      - start
+      - --import-realm
+    environment:
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-tos_db}
+      KC_DB_USERNAME: ${POSTGRES_USER:-tos_user}
+      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
+      # Hostname-Konfiguration fuer Production hinter Reverse Proxy
+      KC_HOSTNAME: auth.${APP_DOMAIN}
+      KC_HOSTNAME_STRICT: "true"
+      KC_HOSTNAME_STRICT_HTTPS: "true"
+      KC_HTTP_ENABLED: "true"
+      KC_HEALTH_ENABLED: "true"
+      KC_PROXY: edge
+    volumes:
+      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
+    healthcheck:
+      # Keycloak 24+ (UBI9) hat kein curl - nutze bash TCP redirect
+      test: >
+        bash -c 'exec 3<>/dev/tcp/localhost/8080 &&
+        echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >&3 &&
+        timeout 2 cat <&3 | grep -q "200 OK"'
+      interval: 30s
+      timeout: 15s
+      retries: 5
+      start_period: 120s
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      - tos-network
+
+  # ---------------------------------------------------------------------------
+  # tOS API (NestJS Backend)
+  # ---------------------------------------------------------------------------
+  api:
+    build:
+      context: ..
+      dockerfile: apps/api/Dockerfile
+    container_name: tos-api
+    restart: unless-stopped
+    environment:
+      NODE_ENV: production
+      PORT: "3001"
+      API_PREFIX: api
+      DATABASE_URL: postgresql://${POSTGRES_USER:-tos_user}:${POSTGRES_PASSWORD}@postgres:5432/tos_app
+      JWT_SECRET: ${JWT_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
+      KEYCLOAK_URL: http://keycloak:8080
+      KEYCLOAK_REALM: ${KEYCLOAK_REALM:-tOS}
+      KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID:-tos-backend}
+      KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET:-}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      REDIS_HOST: redis
+      REDIS_PORT: "6379"
+      SETUP_TOKEN: ${SETUP_TOKEN}
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+      keycloak:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:3001/api/v1/health/liveness || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    networks:
+      - tos-network
+
+  # ---------------------------------------------------------------------------
+  # tOS Web Frontend (Next.js)
+  # ---------------------------------------------------------------------------
+  web:
+    build:
+      context: ..
+      dockerfile: apps/web/Dockerfile
+    container_name: tos-web
+    restart: unless-stopped
+    environment:
+      NEXT_PUBLIC_APP_URL: https://${APP_DOMAIN}
+      NEXT_PUBLIC_API_URL: https://${APP_DOMAIN}/api/v1
+      NEXTAUTH_URL: https://${APP_DOMAIN}
+      NEXTAUTH_SECRET: ${NEXTAUTH_SECRET}
+      KEYCLOAK_CLIENT_ID: ${NEXTAUTH_KEYCLOAK_CLIENT_ID:-tos-nextauth}
+      KEYCLOAK_CLIENT_SECRET: ${NEXTAUTH_KEYCLOAK_CLIENT_SECRET:-}
+      # Browser-seitige Redirects: oeffentliche URL
+      KEYCLOAK_ISSUER: https://auth.${APP_DOMAIN}/realms/${KEYCLOAK_REALM:-tOS}
+    depends_on:
+      api:
+        condition: service_healthy
+    networks:
+      - tos-network
+
+  # ---------------------------------------------------------------------------
+  # Caddy Reverse Proxy (optional, nur mit --profile ssl)
+  # ---------------------------------------------------------------------------
+  caddy:
+    profiles: ["ssl"]
+    image: caddy:2-alpine
+    container_name: tos-caddy
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_config:/config
+    environment:
+      APP_DOMAIN: ${APP_DOMAIN}
+      LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL:-}
+    depends_on:
+      - web
+      - api
+      - keycloak
+    networks:
+      - tos-network
+
+# =============================================================================
+# Volumes
+# =============================================================================
+volumes:
+  postgres_data:
+    name: tos-postgres-data
+  redis_data:
+    name: tos-redis-data
+  caddy_data:
+    name: tos-caddy-data
+  caddy_config:
+    name: tos-caddy-config
+
+# =============================================================================
+# Networks
+# =============================================================================
+networks:
+  tos-network:
+    name: tos-network
+    driver: bridge

docker/docker-compose.yml

@@ -27,6 +27,7 @@ services:
       - "${POSTGRES_PORT:-5432}:5432"
     volumes:
       - postgres_data:/var/lib/postgresql/data
+      - ./postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-tos_user} -d ${POSTGRES_DB:-tos_db}"]
       interval: 10s

docker/postgres/init.sql

@@ -0,0 +1,16 @@
+-- =============================================================================
+-- tOS PostgreSQL Initialisierung
+-- =============================================================================
+-- Diese Datei wird automatisch beim ersten Start des PostgreSQL-Containers
+-- ausgefuehrt (via /docker-entrypoint-initdb.d/).
+--
+-- Keycloak verwendet die Standard-Datenbank "tos_db" (POSTGRES_DB).
+-- Die Applikation (NestJS/Prisma) benoetigt eine separate Datenbank "tos_app",
+-- um Datenisolation zwischen IAM und Geschaeftslogik sicherzustellen.
+-- =============================================================================
+
+-- Erstelle die Applikations-Datenbank (getrennt von Keycloaks tos_db)
+CREATE DATABASE tos_app;
+
+-- Stelle sicher, dass der Standard-User vollen Zugriff auf tos_app hat
+GRANT ALL PRIVILEGES ON DATABASE tos_app TO tos_user;