feat(infra): write Caddy JSON access logs for fail2ban

Adds an (access_log) snippet writing JSON-formatted access logs to
/var/log/caddy/access.log with 10mb rolling and 14-file retention. Both
archive vhosts (archiv.raddatz.cloud and staging.raddatz.cloud) import
it; the git vhost is intentionally excluded.

This is the prerequisite for the fail2ban jail committed in the next
commit — fail2ban tails this file looking for 401 responses on
/api/auth/login to defend against credential stuffing.

Validated with `caddy validate` against caddy:2.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

infra/caddy/Caddyfile

@@ -31,9 +31,23 @@
 	respond @actuator 404
 }
 
+(access_log) {
+	# JSON access log for fail2ban. The jail at infra/fail2ban/familienarchiv.conf
+	# watches this file for 401 responses on /api/auth/login.
+	# Caddy auto-creates /var/log/caddy/ when running as the `caddy` system user.
+	log {
+		output file /var/log/caddy/access.log {
+			roll_size 10mb
+			roll_keep 14
+		}
+		format json
+	}
+}
+
 archiv.raddatz.cloud {
 	import security_headers
 	import block_actuator
+	import access_log
 
 	handle /api/* {
 		reverse_proxy 127.0.0.1:8080
@@ -47,6 +61,7 @@ archiv.raddatz.cloud {
 staging.raddatz.cloud {
 	import security_headers
 	import block_actuator
+	import access_log
 
 	handle /api/* {
 		reverse_proxy 127.0.0.1:8081