authelia: sync caddy-forward-auth snippet to deployed reality

The portal vhost + forward-auth are now live on the main box Caddy. Align
the template with what was actually deployed:

- upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS
  name), replacing the majikthise placeholder
- drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS
  (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443
  SNI fan-out (tls-alpn-01) + :80 (http-01)
- forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the
  Authelia 4.39 path; portal redirect comes from authelia_url in the yml
- note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this
  Caddy's LE account is allowlisted (now done alongside Stalwart's)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

authelia/caddy-forward-auth.snippet

@@ -1,19 +1,29 @@
-# Add to the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,
+# Wired into the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,
 # so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.
-# Replace majikthise with your AUTHELIA_MAGIC_NAME.
+# This file mirrors what is deployed. Upstream host = AUTHELIA_MAGIC_NAME, the
+# Authelia node's MagicDNS name (currently `agrajag`).
+#
+# Two deliberate differences from a vanilla Authelia example, to match this host:
+#  - No explicit `tls` cert files: this Caddy uses automatic HTTPS like its other
+#    vhosts (there is no /etc/caddy/certs). ACME for auth.infinidim.net works via
+#    the :443→:8443 SNI fan-out (tls-alpn-01) and :80 (http-01).
+#    NOTE: infinidim.net has a CAA record pinning issuance to Let's Encrypt by
+#    accounturi — this Caddy's LE account must be listed there or issuance 403s
+#    ("CAA record prevents issuance"). Stalwart's account + this Caddy's account
+#    are both allowlisted.
+#  - Endpoint is /api/authz/forward-auth (Authelia 4.38+/4.39 path). The legacy
+#    /api/verify?rd=... is deprecated; the portal redirect comes from
+#    `authelia_url` in configuration.yml, so no ?rd= query is needed.
 
-# 1) The Authelia portal itself.
+# 1) The Authelia portal itself (access_control marks it `bypass`).
 auth.infinidim.net {
-    import common_log
-    reverse_proxy majikthise.tail7b1641.ts.net:9091
-    tls /etc/caddy/certs/auth.infinidim.net/fullchain.pem \
-        /etc/caddy/certs/auth.infinidim.net/privkey.pem
+    reverse_proxy agrajag.tail7b1641.ts.net:9091
 }
 
 # 2) A reusable forward-auth snippet — import it into any vhost you want SSO on.
 (authelia) {
-    forward_auth majikthise.tail7b1641.ts.net:9091 {
-        uri /api/verify?rd=https://auth.infinidim.net
+    forward_auth agrajag.tail7b1641.ts.net:9091 {
+        uri /api/authz/forward-auth
         copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
     }
 }
@@ -22,6 +32,4 @@ auth.infinidim.net {
 # secure-app.infinidim.net {
 #     import authelia
 #     reverse_proxy some-backend.tail7b1641.ts.net:8080
-#     tls /etc/caddy/certs/secure-app.infinidim.net/fullchain.pem \
-#         /etc/caddy/certs/secure-app.infinidim.net/privkey.pem
 # }