Add production Docker Compose file for external PostgreSQL integration

- Introduced `docker-compose.prod.yml` for production deployment.
- Configured service to connect to an external PostgreSQL instance.
- Set environment variables for JWT and database connection strings.
- Defined network and volume for data protection keys.

.env.example

@@ -1,47 +1,15 @@
 # OTSSignsOrchestrator — environment variables
 # Copy to .env and fill in real values before running.
+#
+# Only TWO secrets are required here — everything else is configured
+# via the admin UI (Settings page) and stored encrypted in PostgreSQL.
 
 # ── PostgreSQL ───────────────────────────────────────────────────────────────
-# Used directly by the app. When running via docker-compose, POSTGRES_PASSWORD
-# is also required so the postgres service can initialise the database.
-ConnectionStrings__OrchestratorDb=Host=postgres;Port=5432;Database=orchestrator;Username=ots;Password=changeme
+# Password for the postgres service AND the app connection string.
+# Generate:  openssl rand -base64 32
 POSTGRES_PASSWORD=changeme
 
 # ── JWT ──────────────────────────────────────────────────────────────────────
-# Key must be at least 32 characters (256-bit). Generate with:
-#   openssl rand -base64 32
-Jwt__Key=change-me-to-a-random-256-bit-key
-# Jwt__Issuer=OTSSignsOrchestrator   # optional — has a default
-# Jwt__Audience=OTSSignsOrchestrator # optional — has a default
-
-# ── Bitwarden Secrets Manager ────────────────────────────────────────────────
-# Machine account access token from https://vault.bitwarden.com
-Bitwarden__AccessToken=
-Bitwarden__OrganizationId=
-# ProjectId is the default project for orchestrator config secrets
-Bitwarden__ProjectId=
-# InstanceProjectId is optional; instance-level secrets go here when set
-# Bitwarden__InstanceProjectId=
-# Bitwarden__IdentityUrl=https://identity.bitwarden.com  # optional
-# Bitwarden__ApiUrl=https://api.bitwarden.com            # optional
-
-# ── Stripe ───────────────────────────────────────────────────────────────────
-Stripe__SecretKey=sk_test_...
-Stripe__WebhookSecret=whsec_...
-
-# ── Authentik (SAML IdP) ─────────────────────────────────────────────────────
-Authentik__BaseUrl=https://auth.example.com
-Authentik__ApiToken=
-# UUID of the OTS signing certificate-key pair in Authentik
-Authentik__OtsSigningKpId=
-# Authentik__SourcePreAuthFlowSlug=default-source-pre-authentication  # optional
-# Authentik__SourceAuthFlowSlug=default-source-authentication         # optional
-
-# ── Email (SendGrid) ─────────────────────────────────────────────────────────
-Email__SendGridApiKey=SG....
-# Email__SenderEmail=noreply@otssigns.com  # optional
-# Email__SenderName=OTS Signs             # optional
-
-# ── Git template repository ───────────────────────────────────────────────────
-# These are stored in Bitwarden at runtime; set here only for local dev without BW.
-# Git__CacheDir=.template-cache  # optional
+# Key must be at least 32 characters (256-bit).
+# Generate:  openssl rand -base64 48
+JWT_KEY=change-me-to-a-random-256-bit-key