config: enhance .env.example and refine Caddyfile formatting

- Added new comments and examples in `.env.example` for clarity and proper configuration.
- Improved readability and structure of `Caddyfile` with better indentation, comments, and routing logic.

Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>

.env.example

@@ -17,22 +17,31 @@ PROJECT_NAME=meldestelle
 BACKUP_DIR=/home/<USER>/backups/meldestelle
 BACKUP_RETENTION_DAYS=7
 
-# Docker build versions (optional overrides)
+# --- DOCKER BUILD & REGISTRY ---
+DOCKER_REGISTRY=git.mo-code.at/mo-code
+DOCKER_TAG=latest
 DOCKER_VERSION=1.0.0-SNAPSHOT
 DOCKER_BUILD_DATE=2026-02-02T15:00:00Z
 DOCKER_GRADLE_VERSION=9.3.1
-# Check if 25 is intended (Early Access) or if LTS 21 was meant
+# Java 25 = Early Access; für LTS auf 21 setzen
 DOCKER_JAVA_VERSION=25
 DOCKER_NODE_VERSION=24.12.0
-DOCKER_NGINX_VERSION=1.28.0-alpine
+# Caddy Version für den Web-App Container
+DOCKER_CADDY_VERSION=2.11-alpine
+# ARM64 spezifische JVM-Optionen (leer lassen auf x86/amd64, z.B. auf Apple Silicon)
+# Beispiel ARM64: JVM_OPTS_ARM64=-XX:UseSVE=0
+JVM_OPTS_ARM64=
 
-# Postgres
+# --- POSTGRES ---
 POSTGRES_IMAGE=postgres:16-alpine
-POSTGRES_USER=pg-user
-POSTGRES_PASSWORD=pg-password
+POSTGRES_USER=<DB_USER>
+POSTGRES_PASSWORD=<SICHERES_PASSWORT>
 POSTGRES_DB=pg-meldestelle-db
 POSTGRES_PORT=5432:5432
 POSTGRES_DB_URL=jdbc:postgresql://postgres:5432/pg-meldestelle-db
+# PostgreSQL Performance Tuning
+POSTGRES_SHARED_BUFFERS=256MB
+POSTGRES_EFFECTIVE_CACHE_SIZE=768MB
 
 # --- VALKEY (formerly Redis) ---
 VALKEY_IMAGE=valkey/valkey:9-alpine
@@ -42,7 +51,7 @@ VALKEY_SERVER_HOSTNAME=valkey
 VALKEY_SERVER_PORT=6379
 VALKEY_SERVER_CONNECT_TIMEOUT=5s
 VALKEY_POLICY=allkeys-lru
-VALKEY_MAXMEMORY=256mb
+VALKEY_MAX_MEMORY=256mb
 
 # --- KEYCLOAK ---
 KEYCLOAK_IMAGE_TAG=26.4
@@ -56,8 +65,9 @@ KC_ADMIN_PASSWORD=<SICHERES_PASSWORT>
 KC_DB=postgres
 KC_DB_SCHEMA=keycloak
 KC_DB_PASSWORD=<SICHERES_PASSWORT>
-# SERVER: Public Domain (z.B. auth.mo-code.at) - ohne http/https Prefix!
+# SERVER: Public Domain (z.B. auth.mo-code.at) – ohne http/https Prefix!
 # LOKAL:  localhost
+# SERVER: auth.mo-code.at
 KC_HOSTNAME=<SERVER_IP_ODER_DOMAIN>
 # false = Zugriff über beliebige Hostnamen erlaubt (nötig ohne TLS / für HTTP-Betrieb)
 KC_HOSTNAME_STRICT=false
@@ -69,22 +79,34 @@ KC_MANAGEMENT_PORT=9000:9000
 # Public Issuer URI: muss mit dem Hostname übereinstimmen, den Browser/App sieht
 # LOKAL:  http://localhost:8180/realms/meldestelle
 # SERVER: https://auth.mo-code.at/realms/meldestelle (via Pangolin)
-SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://<SERVER_IP_ODER_DOMAIN>:8180/realms/meldestelle
+KC_ISSUER_URI=http://<SERVER_IP_ODER_DOMAIN>:8180/realms/meldestelle
+# SERVER: https://auth.mo-code.at/realms/meldestelle
 # Internal JWK Set URI: Service-zu-Service innerhalb Docker (immer keycloak:8080)
-SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs
+KC_JWK_SET_URI=http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs
 
 # --- CONSUL ---
 CONSUL_IMAGE=hashicorp/consul:1.22.1
 CONSUL_PORT=8500:8500
 CONSUL_UDP_PORT=8600:8600/udp
 CONSUL_HOST=consul
+# Separater HTTP-Port (ohne Mapping) für Service-zu-Service Kommunikation (ping-service)
+CONSUL_HTTP_PORT=8500
 
-# --- Zipkin ---
+# --- SPRING CLOUD CONSUL (api-gateway) ---
+SPRING_CLOUD_CONSUL_HOST=consul
+SPRING_CLOUD_CONSUL_PORT=8500
+SPRING_CLOUD_CONSUL_DISCOVERY_SERVICE_NAME=api-gateway
+SPRING_CLOUD_CONSUL_DISCOVERY_PREFER_IP_ADDRESS=true
+
+# --- ZIPKIN ---
 ZIPKIN_IMAGE=openzipkin/zipkin:3
-ZIPKIN_HEAP=256m
+ZIPKIN_MIN_HEAP=256M
+ZIPKIN_MAX_HEAP=512M
 ZIPKIN_PORT=9411:9411
+ZIPKIN_ENDPOINT=http://zipkin:9411/api/v2/spans
+ZIPKIN_SAMPLING_PROBABILITY=1.0
 
-# --- Mailpit ---
+# --- MAILPIT ---
 MAILPIT_IMAGE=axllent/mailpit:v1.29
 MAILPIT_WEB_PORT=8025:8025
 MAILPIT_SMTP_PORT=1025:1025
@@ -92,7 +114,7 @@ MAILPIT_SMTP_PORT=1025:1025
 # --- PGADMIN ---
 PGADMIN_IMAGE=dpage/pgadmin4:8
 PGADMIN_EMAIL=meldestelle@mo-code.at
-PGADMIN_PASSWORD=pgadmin
+PGADMIN_PASSWORD=<SICHERES_PASSWORT>
 PGADMIN_PORT=8888:80
 
 # --- POSTGRES-EXPORTER ---
@@ -109,7 +131,7 @@ PROMETHEUS_PORT=9090:9090
 # --- GRAFANA ---
 GF_IMAGE=grafana/grafana:12.3
 GF_ADMIN_USER=gf-admin
-GF_ADMIN_PASSWORD=gf-password
+GF_ADMIN_PASSWORD=<SICHERES_PASSWORT>
 GF_PORT=3000:3000
 
 # --- API-GATEWAY ---
@@ -118,9 +140,6 @@ GATEWAY_DEBUG_PORT=5005:5005
 GATEWAY_SERVER_PORT=8081
 GATEWAY_SPRING_PROFILES_ACTIVE=docker
 GATEWAY_DEBUG=true
-GATEWAY_SERVICE_NAME=api-gateway
-GATEWAY_CONSUL_HOSTNAME=api-gateway
-GATEWAY_CONSUL_PREFER_IP=true
 
 # --- PING-SERVICE ---
 PING_SPRING_PROFILES_ACTIVE=docker
@@ -129,20 +148,20 @@ PING_DEBUG_PORT=5006:5006
 PING_SERVER_PORT=8082
 PING_DEBUG=true
 PING_SERVICE_NAME=ping-service
-PING_CONSUL_HOSTNAME=ping-service
 PING_CONSUL_PREFER_IP=true
 
 # --- WEB-APP ---
-CADDY_VERSION=2.11-alpine
 WEB_APP_PORT=4000:4000
-WEB_BUILD_PROFILE=dev
 # URL für API-Zugriffe vom Browser (Public URL via Pangolin)
 # LOKAL:  http://localhost:8081
 # SERVER: https://api.mo-code.at
+# SERVER: https://app.mo-code.at  (API-Proxy läuft in Caddy unter /api/*  – gleiche Domain, kein CORS!)
+# ALTERNATIV (eigene Domain): https://api.mo-code.at  → dann separaten Pangolin-Route anlegen
 WEB_APP_API_URL=http://localhost:8081
 # URL für Keycloak-Zugriffe vom Browser (Public URL via Pangolin)
 # LOKAL:  http://localhost:8180
 # SERVER: https://auth.mo-code.at
+# SERVER: https://auth.mo-code.at  → Pangolin-Route: auth.mo-code.at → http://10.0.0.50:8180
 WEB_APP_KEYCLOAK_URL=http://localhost:8180
 
 # --- DESKTOP-APP ---

config/docker/caddy/web-app/Caddyfile

@@ -1,40 +1,43 @@
 {
-# Global options
+# TLS wird durch Pangolin/Traefik auf dem VPS terminiert – hier kein HTTPS nötig
   auto_https off
+
   servers {
             metrics
           }
 }
 
 :4000 {
-# Root directory
+# Root-Verzeichnis für statische Assets
   root * /usr/share/caddy
 
-# Logging
+# Logging (strukturiert, JSON)
   log {
         output stdout
         format json
       }
 
-# Compression
+# Komprimierung
   encode gzip zstd
 
-# Configuration Template
+# Caddy-Template-Engine für config.json (liefert API_BASE_URL & KEYCLOAK_URL an den Browser)
   templates {
               mime application/json
             }
 
-# API Proxy (has priority)
+# API-Proxy (höchste Priorität – vor dem SPA-Fallback)
   handle /api/* {
                   reverse_proxy api-gateway:8081
                 }
 
-# Health Check
+# Health-Check-Endpunkt (für Pangolin Health-Check konfigurieren: GET /health)
   handle /health {
                    respond "healthy" 200
                  }
 
-# Serve static files if they exist, otherwise serve index.html (SPA)
-  file_server
-  try_files {path} /index.html
+# SPA-Fallback: existierende Dateien direkt ausliefern, sonst index.html
+  handle {
+           try_files {path} /index.html
+           file_server
+         }
 }

config/docker/caddy/web-app/config.json

@@ -1,10 +1,4 @@
 {
-  "apiBaseUrl": "{{env "
-  API_BASE_URL
-  " | default "
-  "}}",
-  "keycloakUrl": "{{env "
-  KEYCLOAK_URL
-  " | default "
-  "}}"
+  "apiBaseUrl": "{{env `API_BASE_URL`}}",
+  "keycloakUrl": "{{env `KEYCLOAK_URL`}}"
 }