feat(infra): write Caddy JSON access logs for fail2ban

Adds an (access_log) snippet writing JSON-formatted access logs to /var/log/caddy/access.log with 10mb rolling and 14-file retention. Both archive vhosts (archiv.raddatz.cloud and staging.raddatz.cloud) import it; the git vhost is intentionally excluded. This is the prerequisite for the fail2ban jail committed in the next commit — fail2ban tails this file looking for 401 responses on /api/auth/login to defend against credential stuffing. Validated with `caddy validate` against caddy:2. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 12:02:28 +02:00
parent 4eb5eba347
commit 8d27c82e6d
1 changed files with 15 additions and 0 deletions
--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -31,9 +31,23 @@
 	respond @actuator 404
 }

+(access_log) {
+	# JSON access log for fail2ban. The jail at infra/fail2ban/familienarchiv.conf
+	# watches this file for 401 responses on /api/auth/login.
+	# Caddy auto-creates /var/log/caddy/ when running as the `caddy` system user.
+	log {
+		output file /var/log/caddy/access.log {
+			roll_size 10mb
+			roll_keep 14
+		}
+		format json
+	}
+}
+
 archiv.raddatz.cloud {
 	import security_headers
 	import block_actuator
+	import access_log

 	handle /api/* {
 		reverse_proxy 127.0.0.1:8080
@@ -47,6 +61,7 @@ archiv.raddatz.cloud {
 staging.raddatz.cloud {
 	import security_headers
 	import block_actuator
+	import access_log

 	handle /api/* {
 		reverse_proxy 127.0.0.1:8081