feat(reverse_proxy): tls-internal + acme_ca knobs for integration/staging (ADR-025)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/reverse_proxy/defaults/main.yml

@@ -35,3 +35,7 @@ access__api:  # noqa: var-naming[no-role-prefix]
 # DNS-01; no manual steps). Residual risk: Let's Encrypt rate limits on rapid re-issuance.
 backup__service: reverse_proxy  # noqa: var-naming[no-role-prefix]
 backup__state: false  # noqa: var-naming[no-role-prefix]
+
+# Integration-test / staging cert knobs (ADR-025). Default off = production behaviour.
+reverse_proxy__tls_internal: false   # true => every site uses Caddy's self-signed CA
+reverse_proxy__acme_ca: ""           # set to the LE staging directory URL to use staging

roles/reverse_proxy/templates/Caddyfile.j2

@@ -1,6 +1,9 @@
 # {{ ansible_managed }}
 {
   email {{ reverse_proxy__acme_email }}
+{%- if reverse_proxy__acme_ca %}
+  acme_ca {{ reverse_proxy__acme_ca }}
+{%- endif %}
 {% if reverse_proxy__acme_dns_provider == 'gandi' %}
   # ACME DNS-01 via Gandi (mesh/LAN-only hosts, incl. wildcard certs). Token is the
   # Gandi PAT, injected from the env file as a Bearer token (ADR-024). Needs the custom
@@ -10,6 +13,9 @@
 }
 {% for r in reverse_proxy__routes %}
 {{ r['host'] }} {
+{%- if reverse_proxy__tls_internal %}
+  tls internal
+{%- endif %}
 {% if r['caddy'] is defined %}
 {{ r['caddy'] | trim | indent(2, first=true) }}
 {% elif r['upstream'] is defined %}