DOCKER: Add INTERNAL_AUTH_TOKEN support and improve auto-generation

- Add INTERNAL_AUTH_TOKEN to docker-compose.yml environment variables
- Create comprehensive .env.example with deployment guidance
- Document zero-config deployment for single instances
- Clarify multi-instance deployment requirements
- Ensure auto-generated keys persist in Docker volumes (/app/config)

Security improvements:
- Complete Docker support for new internal auth token mechanism
- Maintains automatic key generation while ensuring persistence
- No manual configuration required for standard deployments

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

docker/.env.example

@@ -0,0 +1,52 @@
+# Termix Docker Environment Configuration Example
+#
+# IMPORTANT: This file shows available environment variables.
+# For most users, you DON'T need to create a .env file.
+# Termix will auto-generate secure keys on first startup.
+#
+# Copy this file to .env ONLY if you need custom configuration:
+# cp docker/.env.example docker/.env
+
+# ===== BASIC CONFIGURATION =====
+PORT=8080
+NODE_ENV=production
+
+# ===== SSL/HTTPS CONFIGURATION =====
+ENABLE_SSL=false
+SSL_PORT=8443
+SSL_DOMAIN=localhost
+SSL_CERT_PATH=/app/ssl/termix.crt
+SSL_KEY_PATH=/app/ssl/termix.key
+
+# ===== SECURITY KEYS =====
+# WARNING: Only set these if you need specific keys for multi-instance deployment
+# For single instance deployment, leave these EMPTY - Termix will auto-generate
+# secure random keys and persist them in Docker volumes.
+#
+# If you DO set these, generate them with: openssl rand -hex 32
+JWT_SECRET=
+DATABASE_KEY=
+INTERNAL_AUTH_TOKEN=
+
+# ===== DATABASE CONFIGURATION =====
+DATABASE_ENCRYPTION=true
+
+# ===== CORS CONFIGURATION =====
+ALLOWED_ORIGINS=*
+
+# ===== DEPLOYMENT NOTES =====
+#
+# Single Instance (Recommended):
+# - Don't create .env file - let Termix auto-generate keys
+# - Keys are automatically persisted in Docker volumes
+# - Secure and maintenance-free
+#
+# Multi-Instance Cluster:
+# - Set identical JWT_SECRET, DATABASE_KEY, INTERNAL_AUTH_TOKEN across all instances
+# - Use shared storage for /app/data and /app/config volumes
+# - Ensure all instances can access the same encryption keys
+#
+# Security Best Practices:
+# - Never commit .env files to version control
+# - Use Docker secrets in production environments
+# - Regularly rotate keys (requires data migration)

docker/docker-compose.yml

@@ -1,3 +1,12 @@
+# Termix Docker Compose Configuration
+#
+# QUICK START: Just run "docker-compose up -d"
+# - Security keys are auto-generated on first startup
+# - Keys are persisted in Docker volumes (survive container restarts)
+# - No manual .env file needed for single-instance deployment
+#
+# See docker/.env.example for advanced configuration options
+
 services:
   termix:
     build:
@@ -12,7 +21,7 @@ services:
       - "${SSL_PORT:-8443}:8443"
     volumes:
       - termix-data:/app/data
-      - termix-config:/app/config
+      - termix-config:/app/config  # Auto-generated .env keys are persisted here
       # Optional: Mount custom SSL certificates
       # - ./ssl:/app/ssl:ro
     environment:
@@ -27,9 +36,12 @@ services:
       - SSL_CERT_PATH=${SSL_CERT_PATH:-/app/ssl/termix.crt}
       - SSL_KEY_PATH=${SSL_KEY_PATH:-/app/ssl/termix.key}
 
-      # Security keys (set these for production)
+      # Security keys (auto-generated if not provided)
+      # Leave empty to auto-generate secure random keys on first startup
+      # Set values only if you need specific keys for multi-instance deployment
       - JWT_SECRET=${JWT_SECRET:-}
       - DATABASE_KEY=${DATABASE_KEY:-}
+      - INTERNAL_AUTH_TOKEN=${INTERNAL_AUTH_TOKEN:-}
 
       # Database configuration
       - DATABASE_ENCRYPTION=${DATABASE_ENCRYPTION:-true}