From 8d27c82e6d25ec4f1a55a43ea686aeadb5218e09 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 11 May 2026 12:02:28 +0200
Subject: [PATCH] feat(infra): write Caddy JSON access logs for fail2ban
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an (access_log) snippet writing JSON-formatted access logs to /var/log/caddy/access.log with 10mb rolling and 14-file retention. Both archive vhosts (archiv.raddatz.cloud and staging.raddatz.cloud) import it; the git vhost is intentionally excluded. This is the prerequisite for the fail2ban jail committed in the next commit — fail2ban tails this file looking for 401 responses on /api/auth/login to defend against credential stuffing. Validated with `caddy validate` against caddy:2.

Co-Authored-By: Claude Opus 4.7
---
 infra/caddy/Caddyfile | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/infra/caddy/Caddyfile b/infra/caddy/Caddyfile
index f32b1f2f..b5dfd345 100644
--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -31,9 +31,23 @@
 	respond @actuator 404
 }
 
+(access_log) {
+	# JSON access log for fail2ban. The jail at infra/fail2ban/familienarchiv.conf
+	# watches this file for 401 responses on /api/auth/login.
+	# Caddy auto-creates /var/log/caddy/ when running as the `caddy` system user.
+	log {
+		output file /var/log/caddy/access.log {
+			roll_size 10mb
+			roll_keep 14
+		}
+		format json
+	}
+}
+
 archiv.raddatz.cloud {
 	import security_headers
 	import block_actuator
+	import access_log
 
 	handle /api/* {
 		reverse_proxy 127.0.0.1:8080
@@ -47,6 +61,7 @@ archiv.raddatz.cloud {
 staging.raddatz.cloud {
 	import security_headers
 	import block_actuator
+	import access_log
 
 	handle /api/* {
 		reverse_proxy 127.0.0.1:8081
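Review bot: The comment block in the new `(access_log)` snippet should state which log field the jail keys on, because Caddy's JSON access log carries both `request.remote_ip` (the TCP peer) and `request.client_ip`, and the latter is derived from forwarding headers once `trusted_proxies` is configured — matching on it would let a spoofed header steer bans at an arbitrary address, so the filter should use `remote_ip` unless a trusted proxy is actually in front of Caddy. `caddy validate` checks the config only and never opens the output file, so the third comment line's claim about directory creation and the log file's permissions are not verified by this commit; recent Caddy versions create the file owner-only (0600 as far as I recall — confirm against the deployed version), so a fail2ban that does not run as root needs read access granted. A suggested line after the existing comments: `# fail2ban must match request.remote_ip (not client_ip) and needs read access to this file, which Caddy creates owner-only by default.` Note also that the comment points at infra/fail2ban/familienarchiv.conf, which per the commit message does not exist until the next commit.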