initial COM1 gateway system blueprint

caddy/Caddyfile.bak.20260117-160813

@@ -0,0 +1,39 @@
+{
+  email admin@hx-ki.com
+}
+
+# --- Gateway on COM1 (49.12.97.28) ---
+# Everything terminates TLS here, then proxies to WG targets.
+
+caddy.hx-ki.com {
+  respond "HXKI Caddy Gateway OK" 200
+}
+
+webui.hx-ki.com {
+  reverse_proxy 10.10.0.2:8080
+}
+
+grafana.hx-ki.com {
+  reverse_proxy 10.10.0.3:3000
+}
+
+n8n.hx-ki.com {
+  reverse_proxy 10.10.0.1:5678
+}
+
+syncthing.hx-ki.com {
+  reverse_proxy 10.10.0.1:8384
+}
+
+# gitea points to another public server (DNS already 91.98.70.222)
+gitea.hx-ki.com {
+  reverse_proxy 91.98.70.222:3000
+}
+
+# DBs should NOT be public
+postgres.hx-ki.com {
+  respond "Postgres is internal only" 403
+}
+mariadb.hx-ki.com {
+  respond "MariaDB is internal only" 403
+}