Fix Caddy v2.11 Host header rewrite breaking proxied services

Caddy v2.11 (#7454) auto-rewrites the Host header to match the
upstream address for HTTPS backends. This causes services behind
Tailscale Ingress to see *.tail8d86e.ts.net instead of *.ops.eblu.me,
breaking Authentik OAuth flows, Homepage host validation, and other
services that check the Host header.

Only apply header_up for HTTPS backends (Tailscale Ingress); HTTP
backends (forge, registry, jellyfin, sifaka) are unaffected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ansible/roles/caddy/templates/Caddyfile.j2

@@ -31,7 +31,15 @@
 {% for service in caddy_services %}
 	@{{ service.name }} host {{ service.host }}
 	handle @{{ service.name }} {
+{% if service.backend.startswith('https://') %}
+		reverse_proxy {{ service.backend }} {
+			# Caddy v2.11+ rewrites Host to upstream for HTTPS backends.
+			# Preserve the original Host so services see *.ops.eblu.me.
+			header_up Host {http.request.host}
+		}
+{% else %}
 		reverse_proxy {{ service.backend }}
+{% endif %}
 	}
 
 {% endfor %}

docs/changelog.d/+caddy-v2.11-host-header.bugfix.md

@@ -0,0 +1 @@
+Fix Caddy v2.11 breaking change: preserve original Host header for HTTPS upstreams.