feat: add docker-compose-caddy template

Caddy reverse proxy container using slothcroissant/caddy-cloudflaredns
image for DNS-01 TLS. Joins the macvlan gitea_net network with a
static IP. CADDY_ENV_VARS and CADDY_EXTRA_VOLUMES are populated by
phase8 based on TLS_MODE (cloudflare vs existing cert paths).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

templates/docker-compose-caddy.yml.tpl

@@ -0,0 +1,25 @@
+# Caddy Docker Compose — rendered by phase8_cutover.sh
+# Caddy with Cloudflare DNS-01 support for wildcard TLS.
+# CF_API_TOKEN env var is only needed when TLS_MODE=cloudflare.
+
+version: "3"
+
+services:
+  caddy:
+    image: slothcroissant/caddy-cloudflaredns:latest
+    container_name: caddy
+    restart: unless-stopped
+    environment:
+${CADDY_ENV_VARS}
+    volumes:
+      - ${CADDY_DATA_PATH}/Caddyfile:/etc/caddy/Caddyfile
+      - ${CADDY_DATA_PATH}/data:/data
+      - ${CADDY_DATA_PATH}/config:/config
+${CADDY_EXTRA_VOLUMES}
+    networks:
+      gitea_net:
+        ipv4_address: ${CADDY_CONTAINER_IP}
+
+networks:
+  gitea_net:
+    external: true