From c896f69ff9a5cf42e74fd6cb885408e50680cf6f Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Fri, 12 Jun 2026 20:29:44 -0400
Subject: [PATCH] SCRUM-45: Caddy carve-out for the EasyPost return webhook

The Fulfillr host is IP-restricted, so EasyPost's servers can't reach it. Add a narrow `handle /webhooks/easypost` before the IP restriction (handle blocks are mutually exclusive, first match wins) for prod (:9054) and dev (:9055) so the HMAC-verified tracker webhook is reachable while the rest of the host stays locked.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .../roles/podman/templates/caddy/Caddyfile.j2 | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/ansible/roles/podman/templates/caddy/Caddyfile.j2 b/ansible/roles/podman/templates/caddy/Caddyfile.j2
index 048696f..e0ce118 100644
--- a/ansible/roles/podman/templates/caddy/Caddyfile.j2
+++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2
@@ -344,6 +344,15 @@
 # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_server_name }} {
+ # Public EasyPost tracker webhook — HMAC-verified inside go-fulfillr. Placed
+ # before the IP restriction (handle blocks are mutually exclusive, first
+ # match wins) so EasyPost's servers can POST here while everything else on
+ # this host stays IP-restricted.
+ @easypost_webhook path /webhooks/easypost
+ handle @easypost_webhook {
+ reverse_proxy localhost:9054
+ }
+
 {{ ip_restricted_site() }}
 @api {
@@ -391,6 +400,13 @@
 # Fulfillr DEV/staging - {{ fulfillr_dev_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_dev_server_name }} {
+ # Public EasyPost tracker webhook (test mode) — HMAC-verified inside
+ # go-fulfillr. Placed before the IP restriction so EasyPost can POST here.
+ @easypost_webhook path /webhooks/easypost
+ handle @easypost_webhook {
+ reverse_proxy localhost:9055
+ }
+
 {{ ip_restricted_site() }}
 @api {
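Review bot: The `@easypost_webhook path /webhooks/easypost` matcher in both hunks (prod :9054 and the same shape at dev :9055 in the second hunk) forwards every HTTP method and any body size to go-fulfillr, so the only thing standing between the public internet and the backend on this path is the application's HMAC check; the proxy layer should narrow that to what the webhook actually needs. Restricting the matcher to `method POST` and capping the body with `request_body { max_size ... }` inside the handle keeps non-POST probes and oversized payloads from reaching the app at all, and access logging for this matcher is worth confirming so rejected deliveries are visible. The "first match wins" reasoning also holds only if the `{{ ip_restricted_site() }}` macro (not visible in this diff) emits its restriction as a `handle` block; if it instead uses a directive ordered before `handle`, the carve-out would not bypass it, so that macro is worth re-checking. The enclosing site blocks continue past both hunks.

```caddyfile
    @easypost_webhook {
        path /webhooks/easypost
        method POST
    }
    handle @easypost_webhook {
        request_body {
            max_size 1MB
        }
        reverse_proxy localhost:9054
    }
    # … unchanged: {{ ip_restricted_site() }} and the @api matcher …
```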