Add Caddy layer4 support for Forgejo SSH

- Add layer4 TCP proxy configuration to Caddyfile template
- Configure SSH service on port 2222 → localhost:2200 (Forgejo)
- Switch HTTPS port from 8443 (testing) to 443 (production)
- Requires Caddy rebuilt with github.com/mholt/caddy-l4 plugin

This enables git+ssh access via forge.ops.eblu.me:2222, accessible
from tailnet clients, docker containers, and k8s pods alike.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/roles/caddy/defaults/main.yml

@@ -15,9 +15,8 @@ caddy_gandi_token_file: /Users/erichblume/.config/caddy/gandi-token
 # Domain configuration
 caddy_domain: ops.eblu.me
 
-# Listen on Tailscale interface only (port 443)
-# Use 8443 during testing to avoid conflicts with Tailscale serve
-caddy_https_port: 8443
+# HTTPS port (443 is standard)
+caddy_https_port: 443
 
 # Services to proxy
 # Format: { name: "service", host: "hostname", backend: "url" }
@@ -35,3 +34,9 @@ caddy_services:
   # - name: grafana
   #   host: "grafana.{{ caddy_domain }}"
   #   backend: "http://minikube-ip:nodeport"
+
+# SSH services (Layer 4 TCP proxy)
+# Format: { port: external_port, backend: "host:port" }
+caddy_ssh_services:
+  - port: 2222
+    backend: "localhost:2200"  # Forgejo SSH

ansible/roles/caddy/templates/Caddyfile.j2

@@ -7,6 +7,19 @@
 {
 	# Global options
 	admin off
+
+{% if caddy_ssh_services %}
+	# Layer 4 (TCP) routing for SSH services
+	layer4 {
+{% for ssh_svc in caddy_ssh_services %}
+		:{{ ssh_svc.port }} {
+			route {
+				proxy {{ ssh_svc.backend }}
+			}
+		}
+{% endfor %}
+	}
+{% endif %}
 }
 
 # Wildcard certificate for all services