feat: replace Nginx vars with Caddy/TLS vars in .env.example

Remove NGINX_CONTAINER_NAME, NGINX_CONF_PATH, SSL_MODE, SSL_EMAIL.
Add TLS_MODE (cloudflare|existing), CADDY_DOMAIN, CADDY_DATA_PATH,
CLOUDFLARE_API_TOKEN. Keep SSL_CERT_PATH/SSL_KEY_PATH for existing
cert mode.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.example

@@ -119,14 +119,14 @@ GITHUB_MIRROR_INTERVAL=8h         # How often Gitea pushes to GitHub (offsite ba
 
 
 # -----------------------------------------------------------------------------
-# NGINX REVERSE PROXY (existing Docker container on Unraid)
+# TLS / REVERSE PROXY (Caddy — dedicated container per host)
 # -----------------------------------------------------------------------------
-NGINX_CONTAINER_NAME=             # Name of existing Nginx Docker container (e.g. nginx, swag)
+TLS_MODE=cloudflare               # TLS mode: "cloudflare" (DNS-01 via CF API) or "existing" (manual certs)
-NGINX_CONF_PATH=                  # Host path to Nginx conf.d directory (e.g. /mnt/user/appdata/nginx/conf.d)
+CADDY_DOMAIN=                     # Wildcard base domain (e.g. privacyindesign.com)
-SSL_MODE=letsencrypt              # SSL mode: "letsencrypt" (auto-provision via Certbot) or "existing" (provide cert paths)
+CADDY_DATA_PATH=                  # Absolute path on host for Caddy data (e.g. /mnt/nvme/caddy)
-SSL_EMAIL=                        # Email for Let's Encrypt (only if SSL_MODE=letsencrypt)
+CLOUDFLARE_API_TOKEN=             # Cloudflare API token with Zone:DNS:Edit (only if TLS_MODE=cloudflare)
-SSL_CERT_PATH=                    # Absolute path to SSL cert on Unraid (only if SSL_MODE=existing)
+SSL_CERT_PATH=                    # Absolute path to SSL cert (only if TLS_MODE=existing)
-SSL_KEY_PATH=                     # Absolute path to SSL key on Unraid (only if SSL_MODE=existing)
+SSL_KEY_PATH=                     # Absolute path to SSL key (only if TLS_MODE=existing)
 
 
 # -----------------------------------------------------------------------------