feat: replace Nginx/SSL prompts with Caddy/TLS prompts in configure_env.sh

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
S
2026-03-01 10:33:36 -05:00
parent 9f8822bc62
commit e8000a2f4f


@@ -70,7 +70,7 @@ CURRENT_PROMPT=0
LAST_SECTION=""
# Collected SSL_MODE for conditional logic
COLLECTED_SSL_MODE=""
COLLECTED_TLS_MODE=""
prompt_var() {
local var_name="$1"
@@ -166,9 +166,9 @@ prompt_var() {
if validate_password "$value"; then break; fi
printf '%b Invalid: password must be at least 8 characters%b\n' "$C_RED" "$C_RESET"
;;
ssl_mode)
if validate_ssl_mode "$value"; then break; fi
printf '%b Invalid: must be "letsencrypt" or "existing"%b\n' "$C_RED" "$C_RESET"
tls_mode)
if validate_tls_mode "$value"; then break; fi
printf '%b Invalid: must be "cloudflare" or "existing"%b\n' "$C_RED" "$C_RESET"
;;
db_type)
if validate_db_type "$value"; then break; fi
@@ -184,9 +184,9 @@ prompt_var() {
# Write to .env
write_env_var "$var_name" "$value"
# Track SSL mode for conditional prompts
if [[ "$var_name" == "SSL_MODE" ]]; then
COLLECTED_SSL_MODE="$value"
# Track TLS mode for conditional prompts
if [[ "$var_name" == "TLS_MODE" ]]; then
COLLECTED_TLS_MODE="$value"
fi
}
@@ -365,21 +365,21 @@ prompt_var "RUNNER_DATA_BASE_PATH" "Base dir on remote hosts for runner data
prompt_var "LOCAL_RUNNER_DATA_BASE_PATH" "Base dir on macOS for native runner data" nonempty "~/gitea-runner" "RUNNERS"
prompt_var "LOCAL_REGISTRY" "Local registry prefix (empty = Docker Hub)" optional "" "RUNNERS"
# --- NGINX REVERSE PROXY ---
prompt_var "NGINX_CONTAINER_NAME" "Name of existing Nginx Docker container" nonempty "" "NGINX REVERSE PROXY"
prompt_var "NGINX_CONF_PATH" "Host path to Nginx conf.d directory" path "" "NGINX REVERSE PROXY"
prompt_var "SSL_MODE" "SSL mode: letsencrypt or existing" ssl_mode "letsencrypt" "NGINX REVERSE PROXY"
# --- TLS / REVERSE PROXY (Caddy) ---
prompt_var "TLS_MODE" "TLS mode: cloudflare (DNS-01) or existing (manual certs)" tls_mode "cloudflare" "TLS / REVERSE PROXY"
prompt_var "CADDY_DOMAIN" "Wildcard base domain (e.g. privacyindesign.com)" nonempty "" "TLS / REVERSE PROXY"
prompt_var "CADDY_DATA_PATH" "Absolute path on host for Caddy data" path "" "TLS / REVERSE PROXY"
# Conditional SSL prompts
if [[ "$COLLECTED_SSL_MODE" == "letsencrypt" ]]; then
prompt_var "SSL_EMAIL" "Email for Let's Encrypt" email "" "NGINX REVERSE PROXY"
# Conditional TLS prompts
if [[ "$COLLECTED_TLS_MODE" == "cloudflare" ]]; then
prompt_var "CLOUDFLARE_API_TOKEN" "Cloudflare API token (Zone:DNS:Edit)" nonempty "" "TLS / REVERSE PROXY"
# Skip cert path prompts but still count them for progress
CURRENT_PROMPT=$((CURRENT_PROMPT + 2))
else
# Skip email prompt but count it
# Skip cloudflare token prompt but count it
CURRENT_PROMPT=$((CURRENT_PROMPT + 1))
prompt_var "SSL_CERT_PATH" "Absolute path to SSL cert on Unraid" path "" "NGINX REVERSE PROXY"
prompt_var "SSL_KEY_PATH" "Absolute path to SSL key on Unraid" path "" "NGINX REVERSE PROXY"
prompt_var "SSL_CERT_PATH" "Absolute path to SSL cert" path "" "TLS / REVERSE PROXY"
prompt_var "SSL_KEY_PATH" "Absolute path to SSL key" path "" "TLS / REVERSE PROXY"
fi
# --- BRANCH PROTECTION ---
@@ -406,7 +406,7 @@ printf ' Fedora: %s@%s:%s\n' "$(get_env_val FEDORA_SSH_USER)" "$(get_env_va
printf ' Gitea: %s (admin: %s, password: ****)\n' "$(get_env_val GITEA_DOMAIN)" "$(get_env_val GITEA_ADMIN_USER)"
printf ' Org: %s\n' "$(get_env_val GITEA_ORG_NAME)"
printf ' Repos: %s\n' "$(get_env_val REPO_NAMES)"
printf ' TLS/SSL: %s\n' "${COLLECTED_SSL_MODE}"
printf ' TLS: %s (Caddy)\n' "${COLLECTED_TLS_MODE}"
printf ' .env saved: %s\n\n' "$ENV_FILE"
printf 'Next step: run %bsetup/macbook.sh%b to install local prerequisites.\n' "$C_BOLD" "$C_RESET"
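Review bot: The new `CLOUDFLARE_API_TOKEN` prompt in the conditional TLS block uses the generic `nonempty` validation type, so as far as this diff shows the token is handled like an ordinary value rather than like the password fields, which have their own `password` type and are masked as `****` in the summary. Most of prompt_var's body lies outside these hunks, so it is not visible whether `nonempty` input is echoed while typed or redisplayed as the default on a re-run; if it is, a token with DNS edit rights ends up on screen and in terminal scrollback. Consider a dedicated validation type for secrets that reads without echo (`read -rs`) and never prints the stored value, and confirm that `write_env_var` leaves `$ENV_FILE` readable only by its owner, for example `chmod 600 "$ENV_FILE"`. Separately, the unchanged comment `# Collected SSL_MODE for conditional logic` above `COLLECTED_TLS_MODE=""` is now stale and should read `# Collected TLS_MODE for conditional logic`.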