feat: add Docker deployment, web installer, and local test environment

- Multi-stage Dockerfiles for API (NestJS) and Web (Next.js standalone)
- docker-compose.prod.yml: full production stack (postgres, redis, keycloak,
  api, web) with optional Caddy/Let's Encrypt via --profile ssl
- docker-compose.local.yml: identical local test stack, all ports exposed
- docker/postgres/init.sql: auto-creates tos_app DB on first start
- Caddyfile: reverse proxy for app domain + auth subdomain
- install.sh: interactive installer (domain, SSL mode, secret generation)
- NestJS SetupModule: @Public() endpoints for /setup/status, /setup/admin,
  /setup/branding, /setup/complete with setup-token guard
- Web installer: 4-step flow (system check, admin creation, branding, complete)
  at /[locale]/setup/* with public middleware bypass
- i18n: installer namespace added to de.json and en.json
- CORS: x-setup-token header allowed in main.ts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker/Caddyfile

@@ -0,0 +1,30 @@
+# =============================================================================
+# tOS Caddy Reverse Proxy Konfiguration
+# =============================================================================
+# Caddy uebernimmt automatisch Let's Encrypt Zertifikate und HTTPS-Terminierung.
+#
+# Routing:
+#   {APP_DOMAIN}       -> Web Frontend (Next.js)
+#   {APP_DOMAIN}/api/* -> API Backend (NestJS)
+#   auth.{APP_DOMAIN}  -> Keycloak Identity Provider
+# =============================================================================
+{
+	email {$LETSENCRYPT_EMAIL}
+}
+
+# Haupt-Domain: Frontend + API
+{$APP_DOMAIN} {
+	# API-Requests an das NestJS Backend weiterleiten
+	handle /api/* {
+		reverse_proxy api:3001
+	}
+
+	# Alle anderen Requests an das Next.js Frontend
+	reverse_proxy web:3000
+}
+
+# Auth-Subdomain: Keycloak
+auth.{$APP_DOMAIN} {
+	reverse_proxy keycloak:8080
+}
+}