Add Caddy layer4 for Forgejo SSH (#56)

## Summary
- Add layer4 TCP proxy configuration to Caddyfile template for SSH services
- Configure Forgejo SSH on port 2222 → localhost:2200
- Switch HTTPS from port 8443 (testing) to 443 (production)
- Requires Caddy rebuilt with `github.com/mholt/caddy-l4` plugin

## What This Enables
Git+SSH access via `forge.ops.eblu.me:2222` is now accessible from:
- Tailnet clients (gilbert)
- Docker containers on indri
- Kubernetes pods in minikube

This solves the DNS resolution issues where containers couldn't reach Tailscale MagicDNS names.

## Testing Done
- [x] Caddy rebuilt with layer4 plugin
- [x] Validated Caddyfile syntax
- [x] Cleared `svc:forge` from tailscale serve
- [x] Verified HTTPS works: `curl https://forge.ops.eblu.me`
- [x] Verified SSH works: `ssh -p 2222 forgejo@forge.ops.eblu.me`
- [x] Verified git clone works via new endpoint
- [x] Verified minikube pods can reach both HTTPS and SSH endpoints

## Deployment
Caddy is already running with the new config on indri. This PR captures the ansible changes.

## Next Steps
- Update zk docs with new git remote format
- Migrate registry and other services to Caddy
- Retire tailscale_services ansible role

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/56
Erich Blume 2026-01-25 11:37:23 -08:00
commit 1184b4de1d
15 changed files with 44 additions and 28 deletions
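One check worth running after re-fronting the Forgejo sshd with a Caddy layer4 listener, as an added example that is not part of this commit or the blumeops repo: feed `ssh-keyscan` output for the backend (`localhost:2200` on indri, per the summary) and for the new endpoint (`forge.ops.eblu.me:2222`) to the script below, which confirms the proxy presents the same host key as the sshd behind it and prints the `known_hosts` entry clients need for the non-standard port. The key material is constructed; the `[host]:port` naming is ssh-keyscan's own output format.

```python
import base64
import hashlib

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def fake_ed25519_key(seed: bytes) -> str:
    """Base64 ed25519 public-key blob from 32 seed bytes (constructed data, not a real key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(seed)).decode()

def fingerprint(key_b64: str) -> str:
    """Fingerprint in the form `ssh-keygen -lf` prints: SHA256 of the decoded blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text: str) -> dict[str, tuple[str, str]]:
    """Map each host as ssh-keyscan names it ('[host]:port' for non-22 ports) to (key type, key).
    Only the first key per host is kept; one key type is enough for a continuity check."""
    hosts: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            host, keytype, key_b64 = line.split()[:3]
            hosts.setdefault(host, (keytype, key_b64))
    return hosts

def same_host_key(scan_text: str, backend: str, proxy: str) -> bool:
    """True when the Caddy layer4 endpoint presents the same host key as the Forgejo sshd behind it."""
    hosts = parse_keyscan(scan_text)
    return fingerprint(hosts[backend][1]) == fingerprint(hosts[proxy][1])

def known_hosts_line(scan_text: str, proxy: str) -> str:
    """known_hosts entry for the proxied endpoint; the '[host]:2222' form is what OpenSSH matches on."""
    keytype, key_b64 = parse_keyscan(scan_text)[proxy]
    return f"{proxy} {keytype} {key_b64}"

def sample_scan(backend_key: str, proxy_key: str) -> str:
    """Constructed stand-in for `ssh-keyscan -p 2200 localhost; ssh-keyscan -p 2222 forge.ops.eblu.me`."""
    return f"[localhost]:2200 ssh-ed25519 {backend_key}\n[forge.ops.eblu.me]:2222 ssh-ed25519 {proxy_key}\n"

if __name__ == "__main__":
    key = fake_ed25519_key(bytes(range(32)))
    scan = sample_scan(key, key)
    print("proxy serves the backend's host key:", same_host_key(scan, "[localhost]:2200", "[forge.ops.eblu.me]:2222"))
    print(known_hosts_line(scan, "[forge.ops.eblu.me]:2222"))
```

A mismatch means the layer4 route is not reaching the intended sshd, which the plain `ssh -p 2222` test in the checklist would not distinguish from a first-time key prompt.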


@ -71,4 +71,4 @@ echo "The workflow will now build and push:"
echo " registry.tail8d86e.ts.net/$IMAGE:$VERSION"
echo ""
echo "Monitor the build at:"
echo " https://forge.tail8d86e.ts.net/eblume/blumeops/actions"
echo " https://forge.ops.eblu.me/eblume/blumeops/actions"
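Review bot: the forge hostname is a hardcoded string literal on the changed `echo` line, and the same literal is repeated in the other files this commit touches; consider reading it from a single variable or config file so the migration of the remaining services listed under Next Steps does not need another multi-file find-and-replace.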


@ -12,7 +12,7 @@ if [[ -z "$RUN_ID" ]]; then
echo "Only works for runs executed by the indri-host-runner."
echo ""
echo "Recent runs:"
curl -sf "https://forge.tail8d86e.ts.net/api/v1/repos/eblume/blumeops/actions/tasks" | \
curl -sf "https://forge.ops.eblu.me/api/v1/repos/eblume/blumeops/actions/tasks" | \
jq -r '.workflow_runs[:10] | .[] | " \(.id)\t\(.status)\t\(.workflow_id)\t\(.display_title | .[0:50])"'
exit 1
fi
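Review bot: with `curl -sf` piped straight into `jq`, the "Recent runs:" fallback prints nothing at all if forge.ops.eblu.me is unreachable or the API returns an error, because `jq` exits 0 on empty input and hides curl's failure; since this branch already runs only when a lookup failed, an empty list gives the operator no hint why. Consider fetching into a variable first, e.g. `runs=$(curl -sf --max-time 10 "https://forge.ops.eblu.me/api/v1/repos/eblume/blumeops/actions/tasks") || echo "  (could not reach forge.ops.eblu.me)"`, and piping `$runs` to `jq` only on success.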


@ -70,7 +70,7 @@ check_http "Prometheus" "https://prometheus.tail8d86e.ts.net/-/healthy"
check_http "Loki" "https://loki.tail8d86e.ts.net/ready"
check_http "Grafana" "https://grafana.tail8d86e.ts.net/api/health"
check_http "ArgoCD" "https://argocd.tail8d86e.ts.net/healthz"
check_http "Forgejo" "https://forge.tail8d86e.ts.net/"
check_http "Forgejo" "https://forge.ops.eblu.me/"
check_http "Zot Registry" "https://registry.tail8d86e.ts.net/v2/_catalog"
check_http "Kiwix" "https://kiwix.tail8d86e.ts.net/"
check_http "Miniflux" "https://feed.tail8d86e.ts.net/healthcheck"
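Review bot: the health check now covers only the HTTPS side of the new endpoint; the layer4 SSH listener on port 2222, which is the main thing this commit adds, has no check here. Consider a TCP or `ssh-keyscan -p 2222 forge.ops.eblu.me` probe next to the Forgejo HTTPS line so a broken layer4 route shows up in the same report as a broken HTTPS route.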


@ -20,7 +20,7 @@ import httpx
from rich.console import Console
from rich.text import Text
FORGE_API_BASE = "https://forge.tail8d86e.ts.net/api/v1"
FORGE_API_BASE = "https://forge.ops.eblu.me/api/v1"
REPO_OWNER = "eblume"
REPO_NAME = "blumeops"
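Review bot: FORGE_API_BASE is a hardcoded module constant; consider allowing an override, e.g. `FORGE_API_BASE = os.environ.get("FORGE_API_BASE", "https://forge.ops.eblu.me/api/v1")`, so the tool can be pointed at either host while the remaining services are migrated off tailscale serve. That needs an `import os` alongside the existing `httpx` and `rich` imports.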