Complete production-ready Caddy infrastructure with security hardening

- Add comprehensive Caddy role with HTTPS/TLS, DNS challenges, and systemd security
- Implement optimized systemd overrides with enhanced security restrictions
- Create detailed documentation with usage examples and variable references
- Establish proper Ansible configuration with vault integration
- Update site.yml for infrastructure orchestration with role-based deployment
- Add host-specific configuration structure for scalable multi-environment setup

roles/caddy/templates/systemd-override.conf.j2

@@ -0,0 +1,38 @@
+[Service]
+# Reload configuration with --force flag for reliability
+ExecReload=
+ExecReload=/usr/bin/caddy reload --config {{ caddy_config_file }} --force
+
+{% if caddy_systemd_security | default(true) %}
+# Enhanced security hardening beyond base service  
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+RemoveIPC=true
+
+# Filesystem restrictions (upgrade from ProtectSystem=full)
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths={{ caddy_data_dir }} {{ caddy_log_dir }}
+BindReadOnlyPaths={{ caddy_config_dir }}
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+
+# Network and namespace restrictions
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+# Process restrictions
+LimitNPROC=1048576
+MemoryDenyWriteExecute=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+# Logging (explicit configuration)
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=caddy
+{% endif %}