Implement shared CA certificate system for multi-server TLS security

- Generate shared CA during core deployment for consistent trust across servers
- Modify setup_docker_tls() to use shared CA instead of per-server CAs
- Update share_certs_with_core() to copy shared CA from core server
- Re-enable TLS verification (DOCKER_TLS_VERIFY=1) in Sablier
- Fix Sablier certificate mounting for proper TLS connection
- Add docker-tls/ to .gitignore to prevent certificate leaks
- Update documentation for shared CA approach

docker-compose/core/docker-compose.yml

@@ -99,10 +99,10 @@ services:
   # Sablier - Lazy loading service for Docker containers
   # Controls startup/shutdown of lazy-loaded services, must always run
   # REQUIREMENTS FOR DOCKER API ACCESS:
-  # 1. Docker daemon must be configured to listen on TCP port 2375
+  # 1. Docker daemon must be configured to listen on TCP port 2376 with TLS
   # 2. DOCKER_HOST environment variable must point to accessible Docker API endpoint
-  # 3. Firewall must allow TCP connections to Docker API port (default 2375)
-  # 4. For production, consider using TLS for Docker API communication
+  # 3. Firewall must allow TCP connections to Docker API port (2376)
+  # 4. TLS certificates must be mounted and environment variables set
   # 5. Ensure dockerproxy service is running and accessible
   sablier-service:
     image: sablierapp/sablier:latest
@@ -115,7 +115,11 @@ services:
       - SABLIER_DOCKER_API_VERSION=1.51
       - SABLIER_DOCKER_NETWORK=traefik-network
       - SABLIER_LOG_LEVEL=debug
-      - DOCKER_HOST=tcp://192.168.4.11:2375
+      - DOCKER_HOST=tcp://${SERVER_IP}:2376
+      - DOCKER_TLS_VERIFY=1
+      - DOCKER_CERT_PATH=/certs
+    volumes:
+      - ./sablier-certs:/certs:ro
     ports:
       - 10000:10000
     labels: