feat: add Docker deployment, web installer, and local test environment

- Multi-stage Dockerfiles for API (NestJS) and Web (Next.js standalone)
- docker-compose.prod.yml: full production stack (postgres, redis, keycloak,
  api, web) with optional Caddy/Let's Encrypt via --profile ssl
- docker-compose.local.yml: identical local test stack, all ports exposed
- docker/postgres/init.sql: auto-creates tos_app DB on first start
- Caddyfile: reverse proxy for app domain + auth subdomain
- install.sh: interactive installer (domain, SSL mode, secret generation)
- NestJS SetupModule: @Public() endpoints for /setup/status, /setup/admin,
  /setup/branding, /setup/complete with setup-token guard
- Web installer: 4-step flow (system check, admin creation, branding, complete)
  at /[locale]/setup/* with public middleware bypass
- i18n: installer namespace added to de.json and en.json
- CORS: x-setup-token header allowed in main.ts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker/.env.prod.example

@@ -0,0 +1,46 @@
+# =============================================================================
+# tOS Production Configuration
+# =============================================================================
+# Kopiere diese Datei nach docker/.env und fuelle alle Werte aus.
+# Alternativ: Nutze install.sh fuer eine interaktive Einrichtung.
+#
+# Secrets generieren mit: openssl rand -hex 32
+# =============================================================================
+
+# ---- Application Domain ----------------------------------------------------
+APP_DOMAIN=tos.example.com
+LETSENCRYPT_EMAIL=admin@example.com
+
+# ---- PostgreSQL -------------------------------------------------------------
+POSTGRES_USER=tos_user
+POSTGRES_PASSWORD=CHANGE_ME_run_openssl_rand_hex_32
+POSTGRES_DB=tos_db
+POSTGRES_PORT=5432
+
+# ---- Redis ------------------------------------------------------------------
+REDIS_PORT=6379
+
+# ---- Keycloak ---------------------------------------------------------------
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME_run_openssl_rand_hex_32
+KEYCLOAK_PORT=8080
+KEYCLOAK_REALM=tOS
+
+# ---- Application Secrets ---------------------------------------------------
+# Jedes Secret separat generieren: openssl rand -hex 32
+JWT_SECRET=CHANGE_ME_run_openssl_rand_hex_32
+ENCRYPTION_KEY=CHANGE_ME_run_openssl_rand_hex_32
+NEXTAUTH_SECRET=CHANGE_ME_run_openssl_rand_hex_32
+
+# ---- Keycloak OAuth Clients ------------------------------------------------
+# Nach dem ersten Keycloak-Start aus der Admin-UI auslesen:
+# https://auth.<APP_DOMAIN>/admin/master/console/#/tOS/clients
+KEYCLOAK_CLIENT_ID=tos-backend
+KEYCLOAK_CLIENT_SECRET=CHANGE_ME_from_keycloak_admin_ui
+NEXTAUTH_KEYCLOAK_CLIENT_ID=tos-nextauth
+NEXTAUTH_KEYCLOAK_CLIENT_SECRET=CHANGE_ME_from_keycloak_admin_ui
+
+# ---- Setup Token ------------------------------------------------------------
+# Wird fuer die initiale Einrichtung benoetigt. Nach dem Setup entfernen.
+# Generieren mit: uuidgen || openssl rand -hex 16
+SETUP_TOKEN=CHANGE_ME_generated_by_install_script