SCRUM-45: Caddy carve-out for the EasyPost return webhook

The Fulfillr host is IP-restricted, so EasyPost's servers can't reach it. Add a
narrow `handle /webhooks/easypost` before the IP restriction (handle blocks are
mutually exclusive, first match wins) for prod (:9054) and dev (:9055) so the
HMAC-verified tracker webhook is reachable while the rest of the host stays locked.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ansible/roles/podman/templates/caddy/Caddyfile.j2

@@ -344,6 +344,15 @@
 
 # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_server_name }} {
+	# Public EasyPost tracker webhook — HMAC-verified inside go-fulfillr. Placed
+	# before the IP restriction (handle blocks are mutually exclusive, first
+	# match wins) so EasyPost's servers can POST here while everything else on
+	# this host stays IP-restricted.
+	@easypost_webhook path /webhooks/easypost
+	handle @easypost_webhook {
+		reverse_proxy localhost:9054
+	}
+
 {{ ip_restricted_site() }}
 
 	@api {
@@ -391,6 +400,13 @@
 
 # Fulfillr DEV/staging - {{ fulfillr_dev_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_dev_server_name }} {
+	# Public EasyPost tracker webhook (test mode) — HMAC-verified inside
+	# go-fulfillr. Placed before the IP restriction so EasyPost can POST here.
+	@easypost_webhook path /webhooks/easypost
+	handle @easypost_webhook {
+		reverse_proxy localhost:9055
+	}
+
 {{ ip_restricted_site() }}
 
 	@api {