fix(docker): use build args for NEXT_PUBLIC vars, remove host port exposure

- Dockerfile: replace hardcoded NEXT_PUBLIC env vars with ARG+ENV pattern
  so the same Dockerfile works for any environment (local dev, Dokploy prod)
- docker-compose.yml: pass SUPABASE_ANON_KEY as build arg to Dockerfile
- docker-compose.yml: remove DB port 5432 exposure (not needed on server,
  services communicate via Docker network)

Dockerfile

@@ -8,9 +8,15 @@ ARG CACHE_BUST=1
 COPY . .
 RUN pnpm install --no-frozen-lockfile
 ENV NEXT_TELEMETRY_DISABLED=1
-ENV NEXT_PUBLIC_SITE_URL=https://myeasycms.de
-ENV NEXT_PUBLIC_SUPABASE_URL=http://localhost:8000
-ENV NEXT_PUBLIC_SUPABASE_PUBLIC_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlzcyI6InN1cGFiYXNlIiwiaWF0IjoxNzc0ODgzNDYwLCJleHAiOjIwOTAyNDM0NjB9.hbeQae1gYRTcJQ_6m7MPjoDlYFhp4tsszEQD2g5q6vY
+
+# NEXT_PUBLIC_* vars are baked into the Next.js build at compile time.
+# Pass them as build args so the same Dockerfile works for any environment.
+ARG NEXT_PUBLIC_SITE_URL=https://myeasycms.de
+ARG NEXT_PUBLIC_SUPABASE_URL=http://localhost:8000
+ARG NEXT_PUBLIC_SUPABASE_PUBLIC_KEY
+ENV NEXT_PUBLIC_SITE_URL=${NEXT_PUBLIC_SITE_URL}
+ENV NEXT_PUBLIC_SUPABASE_URL=${NEXT_PUBLIC_SUPABASE_URL}
+ENV NEXT_PUBLIC_SUPABASE_PUBLIC_KEY=${NEXT_PUBLIC_SUPABASE_PUBLIC_KEY}
 RUN pnpm --filter web build
 
 # --- Run ---

docker-compose.yml

@@ -24,8 +24,6 @@ services:
     environment:
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
       POSTGRES_DB: postgres
-    ports:
-      - "${DB_PORT:-5432}:5432"
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
       interval: 10s
@@ -294,6 +292,10 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
+      args:
+        NEXT_PUBLIC_SITE_URL: ${SITE_URL:-https://myeasycms.de}
+        NEXT_PUBLIC_SUPABASE_URL: http://localhost:8000
+        NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY}
     restart: unless-stopped
     depends_on:
       supabase-kong: