infra: clean up Keycloak configuration, enforce consistency in .env, and improve health checks

Streamlined Keycloak configurations with defaults for development and production in `.env`. Added health checks and improved environment variable documentation with comments to differentiate local and server deployments. Ensured compatibility with pre-built registry images.

dc-infra.yaml

@@ -77,7 +77,7 @@ services:
       dockerfile: config/docker/keycloak/Dockerfile
       args:
         KEYCLOAK_IMAGE_TAG: "${KEYCLOAK_IMAGE_TAG:-26.4}"
-    image: "${DOCKER_REGISTRY:-git.mo-code.at/grandmo}/keycloak:${KEYCLOAK_IMAGE_TAG:-26.4}"
+    image: "${DOCKER_REGISTRY:-git.mo-code.at/mocode-software}/keycloak:${KEYCLOAK_IMAGE_TAG:-26.4}"
     container_name: "${PROJECT_NAME:-meldestelle}-keycloak"
     restart: unless-stopped
     profiles: [ "infra", "all" ]
@@ -89,21 +89,36 @@ services:
       KC_DB_URL: "jdbc:postgresql://postgres:5432/${POSTGRES_DB:-pg-meldestelle-db}"
       KC_DB_USERNAME: "${POSTGRES_USER:-pg-user}"
       KC_DB_PASSWORD: "${POSTGRES_PASSWORD:-pg-password}"
+      # Hostname-Konfiguration: Für lokale Entwicklung "localhost", auf dem Server die echte IP/Domain setzen
       KC_HOSTNAME: "${KC_HOSTNAME:-localhost}"
+      # WICHTIG: false erlaubt Zugriff über beliebige Hostnamen (nötig für Server-Betrieb ohne TLS)
+      KC_HOSTNAME_STRICT: "${KC_HOSTNAME_STRICT:-false}"
+      # WICHTIG: false erlaubt HTTP (kein HTTPS-Zwang) – für Entwicklung und HTTP-only Server
+      KC_HOSTNAME_STRICT_HTTPS: "${KC_HOSTNAME_STRICT_HTTPS:-false}"
       KC_HTTP_ENABLED: "true"
+      # Admin-Interface explizit auf allen Interfaces binden (0.0.0.0)
+      KC_HTTP_MANAGEMENT_PORT: "9000"
       KC_HEALTH_ENABLED: "true"
       KC_METRICS_ENABLED: "true"
       # Integration der Power-Flags
       JAVA_OPTS_APPEND: "-Xms${KC_HEAP_MIN:-512M} -Xmx${KC_HEAP_MAX:-1024M} ${JVM_OPTS_ARM64}"
     ports:
       - "${KC_PORT:-8180:8080}"
-      - "${KC_DEBUG_PORT:-9000:9000}"
+      - "${KC_MANAGEMENT_PORT:-9000:9000}"
     depends_on:
       postgres:
         condition: "service_healthy"
+    healthcheck:
+      test: [ "CMD-SHELL", "curl -sf http://localhost:9000/health/ready || exit 1" ]
+      interval: "15s"
+      timeout: "5s"
+      retries: "10"
+      start_period: "60s"
     volumes:
       - "./config/docker/keycloak:/opt/keycloak/data/import:Z"
-    command: "${KC_COMMAND:-start-dev --import-realm}"
+    # start --optimized nutzt das pre-built Image (kc.sh build im Dockerfile)
+    # start-dev würde den Pre-Build ignorieren und im Dev-Modus starten (Konflikt mit Registry-Images!)
+    command: "${KC_COMMAND:-start --optimized --import-realm}"
     networks:
       meldestelle-network:
         aliases: