fix(caddy): move layer4 into global block; use :6380 listener address

The bare { } block at the bottom was a second global options block which
Caddy's caddyfile adapter rejects on reload. Merged layer4 into the single
top-level global block. Changed listener from hostname (redis.libnovel.cc:6380)
to :6380 so Caddy binds to the local interface rather than the Cloudflare IP
that resolves for the hostname.

Caddyfile

@@ -56,6 +56,22 @@
 		ticker_interval 15s
 	}
 
+	# ── Redis TCP proxy via layer4 ────────────────────────────────────────────
+	# Exposes homelab Redis over TLS for Asynq job enqueueing from the backend.
+	# Listens on :6380 (all interfaces). TLS is terminated here using the cert
+	# for redis.libnovel.cc; traffic is proxied to the homelab Redis instance.
+	# Requires the caddy-l4 module in the custom Caddy build.
+	layer4 {
+		:6380 {
+			route {
+				tls
+				proxy {
+					upstream {$HOMELAB_REDIS_ADDR:192.168.0.109:6379}
+				}
+			}
+		}
+	}
+}
 
 (security_headers) {
 	header {
@@ -170,12 +186,31 @@
 	# ── SvelteKit UI (catch-all — includes all remaining /api/* routes) ───────
 	handle {
 		reverse_proxy ui:3000 {
-	}
+			# Active health check: Caddy polls /health every 5 s and marks the
+			# upstream down immediately when it fails. Combined with
+			# lb_try_duration this means Watchtower container replacements
+			# show the maintenance page within a few seconds instead of
+			# hanging or returning a raw connection error to the browser.
+			health_uri      /health
+			health_interval 5s
+			health_timeout  2s
+			health_status   200
+
+			# If the upstream is down, fail fast (don't retry for longer than
+			# 3 s) and let Caddy's handle_errors 502/503 take over.
+			lb_try_duration 3s
+		}
+	}
 
 	# ── Caddy-level error pages ───────────────────────────────────────────────
 	# These fire when the upstream (backend or ui) is completely unreachable.
 	# SvelteKit's own +error.svelte handles application-level errors (404, 500).
 	handle_errors 404 {
+		root * /srv/errors
+		rewrite * /404.html
+		file_server
+	}
+	handle_errors 502 {
 		root * /srv/errors
 		rewrite * /502.html
 		file_server
@@ -234,27 +269,3 @@ search.libnovel.cc {
 	reverse_proxy meilisearch:7700
 }
 }
-# ── Redis TCP proxy: exposes homelab Redis over TLS for Asynq ─────────────────
-# The backend (prod) connects to rediss://redis.libnovel.cc:6380 to enqueue
-# Asynq jobs. Caddy terminates TLS (Let's Encrypt cert for redis.libnovel.cc)
-# and proxies the raw TCP stream to the homelab Redis via this reverse proxy.
-#
-# NOTE: Redis is NOT running on the prod server — it runs on the homelab
-# (192.168.0.109:6379) and is exposed to the internet via this Caddy proxy.
-# The homelab Redis is protected by REDIS_PASSWORD (requirepass).
-#
-# Caddy layer4 app handles this; requires the caddy-l4 module in the build.
-{
-	layer4 {
-		redis.libnovel.cc:6380 {
-			route {
-				tls
-				proxy {
-					# Homelab Redis — replace with actual homelab IP or FQDN
-					upstream {$HOMELAB_REDIS_ADDR:192.168.0.109:6379}
-				}
-			}
-		}
-	}
-}
-}

backend/Dockerfile

@@ -30,9 +30,14 @@ RUN --mount=type=cache,target=/root/go/pkg/mod \
       -o /out/healthcheck ./cmd/healthcheck
 
 # ── backend service ──────────────────────────────────────────────────────────
-FROM gcr.io/distroless/static:nonroot AS backend
+# Uses Alpine (not distroless) so ffmpeg is available for on-demand voice
+# sample generation via pocket-tts (WAV→MP3 transcoding).
+FROM alpine:3.21 AS backend
+RUN apk add --no-cache ffmpeg ca-certificates && \
+    addgroup -S appgroup && adduser -S appuser -G appgroup
 COPY --from=builder /out/healthcheck /healthcheck
 COPY --from=builder /out/backend /backend
+USER appuser
 ENTRYPOINT ["/backend"]
 
 # ── runner service ───────────────────────────────────────────────────────────

caddy/errors/404.html

@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>404 — Page Not Found</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      min-height: 100svh;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      justify-content: center;
+      gap: 1rem;
+      background: #09090b;
+      color: #a1a1aa;
+      font-family: ui-sans-serif, system-ui, sans-serif;
+      padding: 2rem;
+      text-align: center;
+    }
+    .code {
+      font-size: clamp(4rem, 20vw, 8rem);
+      font-weight: 800;
+      color: #27272a;
+      line-height: 1;
+      letter-spacing: -0.04em;
+    }
+    h1 { font-size: 1.25rem; font-weight: 600; color: #e4e4e7; }
+    p  { font-size: 0.9rem; max-width: 36ch; line-height: 1.6; }
+    a  {
+      margin-top: 0.5rem;
+      display: inline-block;
+      padding: 0.6rem 1.4rem;
+      border-radius: 0.5rem;
+      background: #f59e0b;
+      color: #000;
+      font-weight: 600;
+      font-size: 0.875rem;
+      text-decoration: none;
+    }
+    a:hover { background: #d97706; }
+  </style>
+</head>
+<body>
+  <div class="code">404</div>
+  <h1>Page Not Found</h1>
+  <p>The page you're looking for doesn't exist or has been moved.</p>
+  <a href="/">Go home</a>
+</body>
+</html>

docker-compose.yml

@@ -154,7 +154,7 @@ services:
     # No public port — all traffic is routed via Caddy.
     expose:
       - "8080"
-     environment:
+    environment:
       <<: *infra-env
       BACKEND_HTTP_ADDR: ":8080"
       LOG_LEVEL: "${LOG_LEVEL}"
@@ -224,6 +224,7 @@ services:
       # Kokoro-FastAPI TTS endpoint
       KOKORO_URL: "${KOKORO_URL}"
       KOKORO_VOICE: "${KOKORO_VOICE}"
+      POCKET_TTS_URL: "${POCKET_TTS_URL}"
       GLITCHTIP_DSN: "${GLITCHTIP_DSN}"
       OTEL_EXPORTER_OTLP_ENDPOINT: "${OTEL_EXPORTER_OTLP_ENDPOINT}"
       OTEL_SERVICE_NAME: "runner"

ui/src/routes/+layout.svelte

@@ -257,20 +257,14 @@
 
 				<div class="ml-auto flex items-center gap-4">
 					<!-- Desktop: admin + profile + sign out (hidden on mobile) -->
-					{#if data.user?.role === 'admin'}
-						<a
-							href="/admin/scrape"
-							class="hidden sm:block text-sm transition-colors {page.url.pathname.startsWith('/admin/scrape') ? 'text-zinc-100 font-medium' : 'text-zinc-400 hover:text-zinc-100'}"
-						>
-							Scrape
-						</a>
-						<a
-							href="/admin/audio"
-							class="hidden sm:block text-sm transition-colors {page.url.pathname.startsWith('/admin/audio') ? 'text-zinc-100 font-medium' : 'text-zinc-400 hover:text-zinc-100'}"
-						>
-							Audio
-						</a>
-					{/if}
+				{#if data.user?.role === 'admin'}
+					<a
+						href="/admin/scrape"
+						class="hidden sm:block text-sm transition-colors {page.url.pathname.startsWith('/admin') ? 'text-zinc-100 font-medium' : 'text-zinc-400 hover:text-zinc-100'}"
+					>
+						Admin
+					</a>
+				{/if}
 					<a
 						href="/profile"
 						class="hidden sm:block text-sm transition-colors {page.url.pathname === '/profile' ? 'text-zinc-100 font-medium' : 'text-zinc-400 hover:text-zinc-100'}"
@@ -350,31 +344,17 @@
 				>
 					Profile <span class="text-zinc-500 font-normal">({data.user.username})</span>
 				</a>
-				{#if data.user?.role === 'admin'}
-					<div class="my-1 border-t border-zinc-700/60"></div>
-					<p class="px-3 pt-1 pb-0.5 text-xs text-zinc-600 uppercase tracking-widest">Admin</p>
-					<a
-						href="/admin/scrape"
-						onclick={() => (menuOpen = false)}
-						class="px-3 py-2.5 rounded-lg text-sm font-medium transition-colors {page.url.pathname.startsWith('/admin/scrape') ? 'bg-zinc-800 text-zinc-100' : 'text-zinc-400 hover:bg-zinc-800 hover:text-zinc-100'}"
-					>
-						Scrape tasks
-					</a>
-					<a
-						href="/admin/audio"
-						onclick={() => (menuOpen = false)}
-						class="px-3 py-2.5 rounded-lg text-sm font-medium transition-colors {page.url.pathname === '/admin/audio' ? 'bg-zinc-800 text-zinc-100' : 'text-zinc-400 hover:bg-zinc-800 hover:text-zinc-100'}"
-					>
-						Audio cache
-					</a>
-					<a
-						href="/admin/audio-jobs"
-						onclick={() => (menuOpen = false)}
-						class="px-3 py-2.5 rounded-lg text-sm font-medium transition-colors {page.url.pathname.startsWith('/admin/audio-jobs') ? 'bg-zinc-800 text-zinc-100' : 'text-zinc-400 hover:bg-zinc-800 hover:text-zinc-100'}"
-					>
-						Audio jobs
-					</a>
-				{/if}
+			{#if data.user?.role === 'admin'}
+				<div class="my-1 border-t border-zinc-700/60"></div>
+				<p class="px-3 pt-1 pb-0.5 text-xs text-zinc-600 uppercase tracking-widest">Admin</p>
+				<a
+					href="/admin/scrape"
+					onclick={() => (menuOpen = false)}
+					class="px-3 py-2.5 rounded-lg text-sm font-medium transition-colors {page.url.pathname.startsWith('/admin') ? 'bg-zinc-800 text-zinc-100' : 'text-zinc-400 hover:bg-zinc-800 hover:text-zinc-100'}"
+				>
+					Admin panel
+				</a>
+			{/if}
 			<div class="my-1 border-t border-zinc-700/60"></div>
 			<form method="POST" action="/logout">
 				<Button
@@ -396,16 +376,16 @@
 	</main>
 
 	<footer class="border-t border-zinc-800 mt-auto">
-		<div class="max-w-6xl mx-auto px-4 py-6 flex flex-col items-center gap-4 text-xs text-zinc-600">
+		<div class="max-w-6xl mx-auto px-4 py-6 flex flex-col items-center gap-4 text-xs text-zinc-500">
 			<!-- Top row: site links -->
 			<nav class="flex flex-wrap items-center justify-center gap-x-5 gap-y-2">
-			<a href="/books" class="hover:text-zinc-400 transition-colors">Library</a>
-			<a href="/catalogue" class="hover:text-zinc-400 transition-colors">Catalogue</a>
+			<a href="/books" class="hover:text-zinc-300 transition-colors">Library</a>
+			<a href="/catalogue" class="hover:text-zinc-300 transition-colors">Catalogue</a>
 			<a
 				href="https://feedback.libnovel.cc"
 				target="_blank"
 				rel="noopener noreferrer"
-				class="hover:text-zinc-400 transition-colors flex items-center gap-1"
+				class="hover:text-zinc-300 transition-colors flex items-center gap-1"
 			>
 				Feedback
 				<svg class="w-3 h-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
@@ -417,7 +397,7 @@
 				href="https://novelfire.net"
 					target="_blank"
 					rel="noopener noreferrer"
-					class="hover:text-zinc-400 transition-colors flex items-center gap-1"
+					class="hover:text-zinc-300 transition-colors flex items-center gap-1"
 				>
 					novelfire.net
 					<svg class="w-3 h-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
@@ -427,10 +407,10 @@
 				</a>
 			</nav>
 		<!-- Bottom row: legal links + copyright -->
-		<div class="flex flex-wrap items-center justify-center gap-x-5 gap-y-2 text-zinc-700">
-			<a href="/disclaimer" class="hover:text-zinc-500 transition-colors">Disclaimer</a>
-			<a href="/privacy" class="hover:text-zinc-500 transition-colors">Privacy</a>
-			<a href="/dmca" class="hover:text-zinc-500 transition-colors">DMCA</a>
+		<div class="flex flex-wrap items-center justify-center gap-x-5 gap-y-2 text-zinc-500">
+			<a href="/disclaimer" class="hover:text-zinc-300 transition-colors">Disclaimer</a>
+			<a href="/privacy" class="hover:text-zinc-300 transition-colors">Privacy</a>
+			<a href="/dmca" class="hover:text-zinc-300 transition-colors">DMCA</a>
 			<span>&copy; {new Date().getFullYear()} libnovel</span>
 		</div>
 		<!-- Build version / commit SHA / build time -->

ui/src/routes/admin/+layout.svelte

@@ -1,12 +1,12 @@
 <script lang="ts">
 	import { page } from '$app/state';
 
-	const adminTabs = [
+	const internalLinks = [
 		{ href: '/admin/scrape', label: 'Scrape' },
 		{ href: '/admin/audio', label: 'Audio' }
 	];
 
-	const toolTabs = [
+	const externalLinks = [
 		{ href: 'https://feedback.libnovel.cc', label: 'Feedback' },
 		{ href: 'https://errors.libnovel.cc', label: 'Errors' },
 		{ href: 'https://analytics.libnovel.cc', label: 'Analytics' },
@@ -21,36 +21,51 @@
 	let { children }: Props = $props();
 </script>
 
-<!-- Admin nav: internal pages + external tools -->
-<div class="mb-6 flex flex-wrap items-center gap-3">
-	<!-- Internal admin pages -->
-	<div class="flex gap-1 bg-zinc-800 rounded-lg p-1 border border-zinc-700">
-		{#each adminTabs as tab}
-			<a
-				href={tab.href}
-				class="px-4 py-1.5 rounded-md text-sm font-medium transition-colors
-					{page.url.pathname.startsWith(tab.href)
-						? 'bg-zinc-700 text-zinc-100'
-						: 'text-zinc-400 hover:text-zinc-200'}"
-			>
-				{tab.label}
-			</a>
-		{/each}
-	</div>
+<div class="flex min-h-[calc(100vh-4rem)] gap-0">
+	<!-- Sidebar -->
+	<aside class="w-48 shrink-0 border-r border-zinc-800 px-3 py-6 flex flex-col gap-6">
+		<!-- Internal pages -->
+		<div>
+			<p class="px-2 mb-2 text-xs font-semibold text-zinc-600 uppercase tracking-widest">Pages</p>
+			<nav class="flex flex-col gap-0.5">
+				{#each internalLinks as link}
+					<a
+						href={link.href}
+						class="px-2 py-1.5 rounded-md text-sm font-medium transition-colors
+							{page.url.pathname.startsWith(link.href)
+								? 'bg-zinc-800 text-zinc-100'
+								: 'text-zinc-400 hover:bg-zinc-800/60 hover:text-zinc-200'}"
+					>
+						{link.label}
+					</a>
+				{/each}
+			</nav>
+		</div>
 
-	<!-- External tools (open in new tab) -->
-	<div class="flex gap-1 bg-zinc-800 rounded-lg p-1 border border-zinc-700">
-		{#each toolTabs as tool}
-			<a
-				href={tool.href}
-				target="_blank"
-				rel="noopener noreferrer"
-				class="px-4 py-1.5 rounded-md text-sm font-medium text-zinc-400 hover:text-zinc-200 transition-colors"
-			>
-				{tool.label} ↗
-			</a>
-		{/each}
-	</div>
+		<!-- External tools -->
+		<div>
+			<p class="px-2 mb-2 text-xs font-semibold text-zinc-600 uppercase tracking-widest">Tools</p>
+			<nav class="flex flex-col gap-0.5">
+				{#each externalLinks as link}
+					<a
+						href={link.href}
+						target="_blank"
+						rel="noopener noreferrer"
+						class="px-2 py-1.5 rounded-md text-sm font-medium text-zinc-400 hover:bg-zinc-800/60 hover:text-zinc-200 transition-colors flex items-center justify-between"
+					>
+						{link.label}
+						<svg class="w-3 h-3 shrink-0 opacity-50" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+								d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" />
+						</svg>
+					</a>
+				{/each}
+			</nav>
+		</div>
+	</aside>
+
+	<!-- Main content -->
+	<main class="flex-1 min-w-0 px-8 py-6">
+		{@render children?.()}
+	</main>
 </div>
-
-{@render children?.()}