fix(caddy): re-chown /var/log/caddy after validate, before service start

`caddy validate` is run as root in 10-caddy.sh and side-effects the
global log directive — it opens /var/log/caddy/caddy.log, creating the
file as root:root 0600. Then when the systemd unit starts caddy under
User=caddy, the daemon can't append to its own log and dies with
"open /var/log/caddy/caddy.log: permission denied".

Add a chown -R caddy:caddy on the log dir right before systemctl
restart, so any files validate touched are handed back to the runtime
user.

Not an SELinux issue: confirmed binary is bin_t, log dir is var_log_t,
no AVCs at the failure timestamp.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: qfiber

bootstrap/10-caddy.sh

@@ -458,6 +458,12 @@ WantedBy=multi-user.target
 EOF
 systemctl daemon-reload
 systemctl enable caddy
+
+# `caddy validate` (run as root above) opens the global log file and creates
+# /var/log/caddy/caddy.log as root:root 0600. Re-chown so the caddy user can
+# append to it once systemd starts the daemon under User=caddy.
+chown -R "${CADDY_USER}:${CADDY_GROUP}" "${CADDY_LOG}"
+
 systemctl restart caddy
 sleep 2
 systemctl is-active --quiet caddy || die "Caddy failed to start. journalctl -u caddy -n 50"