ci(nightly): reload Caddy before smoke test

Adds a `sudo systemctl reload caddy` step between the docker compose
deploy and the smoke test. This ensures any committed Caddyfile changes
are applied before the public surface is verified.

Previously the workflow had no mechanism to push Caddyfile changes to
the running host daemon. A Caddyfile edit would land in the repo but
Caddy would keep serving the previous config, causing the smoke test to
catch a stale header or still-proxied /actuator route rather than the
intended current config.

This step also surfaces the root cause of today's port-443 failure
explicitly: if Caddy is not running, the step fails with a clear service
error rather than a misleading "Failed to connect to port 443" from curl.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/nightly.yml

@@ -120,6 +120,20 @@ jobs:
             --profile staging \
             up -d --wait --remove-orphans
 
+      - name: Reload Caddy
+        # Apply any committed Caddyfile changes before smoke-testing the
+        # public surface. Without this step, a Caddyfile edit lands in the
+        # repo but Caddy keeps serving the previous config until someone
+        # reloads it manually — the smoke test would then catch a stale
+        # header or a still-proxied /actuator route rather than confirming
+        # the current config is live.
+        #
+        # `systemctl reload caddy` sends SIGHUP; Caddy re-reads /etc/caddy/Caddyfile
+        # (symlinked to infra/caddy/Caddyfile) without dropping connections.
+        # If Caddy is not running this step fails fast and clearly before the
+        # smoke test issues a misleading "port 443 refused" error.
+        run: sudo systemctl reload caddy
+
       - name: Smoke test deployed environment
         # Healthchecks confirm containers are healthy; they do NOT confirm the
         # public surface works. This step catches: Caddy not reloaded, HSTS