feat: add Caddyfile template for reverse proxy

Template uses TLS_BLOCK placeholder that phase8 populates based on
TLS_MODE: cloudflare (DNS-01 wildcard via Cloudflare API) or
existing (manual cert/key paths). Reverse proxies to Gitea container
on its macvlan IP.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

templates/Caddyfile.tpl

@@ -0,0 +1,9 @@
+# Caddyfile — rendered by phase8_cutover.sh
+# TLS_BLOCK is replaced by the phase script based on TLS_MODE:
+#   cloudflare → dns cloudflare {env.CF_API_TOKEN}
+#   existing   → tls /path/to/cert /path/to/key
+
+${GITEA_DOMAIN} {
+${TLS_BLOCK}
+    reverse_proxy ${GITEA_CONTAINER_IP}:3000
+}