infra/caddy/Caddyfile

@@ -31,9 +31,23 @@
 	respond @actuator 404
 }
 
+(access_log) {
+	# JSON access log for fail2ban. The jail at infra/fail2ban/familienarchiv.conf
+	# watches this file for 401 responses on /api/auth/login.
+	# Caddy auto-creates /var/log/caddy/ when running as the `caddy` system user.
+	log {
+		output file /var/log/caddy/access.log {
+			roll_size 10mb
+			roll_keep 14
+		}
+		format json
+	}
+}
+
 archiv.raddatz.cloud {
 	import security_headers
 	import block_actuator
+	import access_log
 
 	handle /api/* {
 		reverse_proxy 127.0.0.1:8080
@@ -47,6 +61,7 @@ archiv.raddatz.cloud {
 staging.raddatz.cloud {
 	import security_headers
 	import block_actuator
+	import access_log
 
 	handle /api/* {
 		reverse_proxy 127.0.0.1:8081