fix: LAN Caddyfile serves TLS on an https:// site, not an http:// one
Unit Tests / test (push) Successful in 9m46s

_caddyfile_lan emitted the internal-CA `tls` directive inside an
`http://<cell>.cell, http://172.20.0.2:80` block. Caddy rejects a tls
directive on a port-80 (HTTP) listener ("server listening on [:80] is HTTP,
but attempts to configure TLS connection policies"), so cell-caddy crash-looped
in LAN mode. Split into a `https://<cell>.cell` site (internal-CA tls) plus a
separate plain-HTTP block for :80 — both needed because the WireGuard server
DNATs peer traffic to Caddy on 80 and 443.

Note: LAN mode still needs the internal serving cert wired to the mounted certs
dir (a separate gap) before cell-caddy comes fully up.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-16 07:26:15 -04:00
parent 1bb8a5eb59
commit c7e01d4aa7
2 changed files with 22 additions and 6 deletions
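To make the shape of the fix concrete, here is an added Caddyfile example that is not the project's own `_caddyfile_lan` output: it shows the rejected layout (a `tls` directive inside an `http://` site) next to the split layout the commit describes. The hostname `mycell.cell`, the virtual IP `172.20.0.2` and the internal-CA cert/key paths are taken from the test in this commit; the `reverse_proxy app:8080` upstream is a placeholder I assumed, since the commit does not show what the sites serve.

```caddyfile
# BEFORE (the layout this commit removes): a tls directive on a plain-HTTP site.
# Caddy refuses to start with "server listening on [:80] is HTTP, but attempts
# to configure TLS connection policies", which is the crash loop described above.
#
# http://mycell.cell, http://172.20.0.2:80 {
#     tls /etc/caddy/internal/cert.pem /etc/caddy/internal/key.pem
#     reverse_proxy app:8080
# }

# AFTER: the internal-CA cert pair lives on an https:// site, i.e. a 443 listener.
https://mycell.cell {
    tls /etc/caddy/internal/cert.pem /etc/caddy/internal/key.pem
    reverse_proxy app:8080   # placeholder upstream (assumption, not from the commit)
}

# The :80 listener is a separate site with no tls directive at all; it is kept
# because the WireGuard server DNATs peer traffic to Caddy on both 80 and 443.
http://mycell.cell, http://172.20.0.2:80 {
    reverse_proxy app:8080   # same placeholder upstream
}
```

Running `caddy validate --config Caddyfile --adapter caddyfile` against a generated file reports the "[:80] is HTTP, but attempts to configure TLS" error at adapt time, so a validate step in CI or in the container entrypoint catches this class of mistake before cell-caddy ever starts crash-looping.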
+8 -4
@@ -48,12 +48,16 @@ class TestGenerateCaddyfileLan(unittest.TestCase):
self.assertNotIn('acme_email', out)
self.assertNotIn('dns pic_ngo', out)
self.assertNotIn('dns cloudflare', out)
# Internal-CA TLS pair
# Internal-CA TLS pair, on an HTTPS (443) site — never on an http:// one.
self.assertIn('tls /etc/caddy/internal/cert.pem '
'/etc/caddy/internal/key.pem', out)
# Cell hostname plus virtual IP listener
self.assertIn('http://mycell.cell', out)
self.assertIn('http://172.20.0.2:80', out)
self.assertIn('https://mycell.cell {', out)
# Cell hostname plus virtual IP listener on plain HTTP (80)
self.assertIn('http://mycell.cell, http://172.20.0.2:80 {', out)
# The HTTP (:80) block must NOT carry a tls directive — Caddy rejects
# "server listening on [:80] is HTTP, but attempts to configure TLS".
http_block = out.split('http://mycell.cell, http://172.20.0.2:80 {', 1)[1]
self.assertNotIn('tls ', http_block)
class TestGenerateCaddyfilePicNgo(unittest.TestCase):
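Review bot: the slice `http_block = out.split('http://mycell.cell, http://172.20.0.2:80 {', 1)[1]` near the end of the hunk takes everything from the HTTP site header to the end of the output, not just that site block, so `self.assertNotIn('tls ', http_block)` only proves what the comment claims if the `https://` block is emitted before the `http://` block; if generation order ever changes, the https site's `tls` line lands inside `http_block` and the test fails for the wrong reason. Suggest trimming the slice at the block's closing brace before asserting, e.g. `http_block = http_block.split('\n}', 1)[0]`. Conversely, the `self.assertIn('tls /etc/caddy/internal/cert.pem ' '/etc/caddy/internal/key.pem', out)` check still runs against the whole output, so it does not verify that the directive sits inside the `https://mycell.cell {` block as the updated comment says; slicing that block the same way and asserting on it would pin the exact behaviour this commit fixes.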