From 83983d739cb5ba680c5e80ce7b72386ca964e971 Mon Sep 17 00:00:00 2001
From: sjat <sjat@ziethen.dk>
Date: Thu, 18 Jun 2026 16:35:15 +0200
Subject: [PATCH] fix(reverse_proxy): plain {% %} tags so the Caddyfile renders
 under ansible trim_blocks

The tls-internal/acme_ca knobs used {%- -%} trims validated only against raw jinja2; ansible (trim_blocks=True) double-stripped newlines and collapsed the Caddyfile onto single lines, crash-looping caddy. Match the role's existing plain {% %} style.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 roles/reverse_proxy/templates/Caddyfile.j2 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/roles/reverse_proxy/templates/Caddyfile.j2 b/roles/reverse_proxy/templates/Caddyfile.j2
index a14ec68..c9da8f5 100644
--- a/roles/reverse_proxy/templates/Caddyfile.j2
+++ b/roles/reverse_proxy/templates/Caddyfile.j2
@@ -1,9 +1,9 @@
 # {{ ansible_managed }}
 {
   email {{ reverse_proxy__acme_email }}
-{%- if reverse_proxy__acme_ca %}
+{% if reverse_proxy__acme_ca %}
   acme_ca {{ reverse_proxy__acme_ca }}
-{%- endif %}
+{% endif %}
 {% if reverse_proxy__acme_dns_provider == 'gandi' %}
   # ACME DNS-01 via Gandi (mesh/LAN-only hosts, incl. wildcard certs). Token is the
   # Gandi PAT, injected from the env file as a Bearer token (ADR-024). Needs the custom
@@ -13,9 +13,9 @@
 }
 {% for r in reverse_proxy__routes %}
 {{ r['host'] }} {
-{%- if reverse_proxy__tls_internal %}
+{% if reverse_proxy__tls_internal %}
   tls internal
-{%- endif %}
+{% endif %}
 {% if r['caddy'] is defined %}
 {{ r['caddy'] | trim | indent(2, first=true) }}
 {% elif r['upstream'] is defined %}