fix(caddy): move layer4 into global block; use :6380 listener address

The bare { } block at the bottom was a second global options block which
Caddy's caddyfile adapter rejects on reload. Merged layer4 into the single
top-level global block. Changed listener from hostname (redis.libnovel.cc:6380)
to :6380 so Caddy binds to the local interface rather than the Cloudflare IP
that resolves for the hostname.

Caddyfile

@@ -56,6 +56,22 @@
 		ticker_interval 15s
 	}
 
+	# ── Redis TCP proxy via layer4 ────────────────────────────────────────────
+	# Exposes homelab Redis over TLS for Asynq job enqueueing from the backend.
+	# Listens on :6380 (all interfaces). TLS is terminated here using the cert
+	# for redis.libnovel.cc; traffic is proxied to the homelab Redis instance.
+	# Requires the caddy-l4 module in the custom Caddy build.
+	layer4 {
+		:6380 {
+			route {
+				tls
+				proxy {
+					upstream {$HOMELAB_REDIS_ADDR:192.168.0.109:6379}
+				}
+			}
+		}
+	}
+}
 
 (security_headers) {
 	header {
@@ -170,12 +186,31 @@
 	# ── SvelteKit UI (catch-all — includes all remaining /api/* routes) ───────
 	handle {
 		reverse_proxy ui:3000 {
-	}
+			# Active health check: Caddy polls /health every 5 s and marks the
+			# upstream down immediately when it fails. Combined with
+			# lb_try_duration this means Watchtower container replacements
+			# show the maintenance page within a few seconds instead of
+			# hanging or returning a raw connection error to the browser.
+			health_uri      /health
+			health_interval 5s
+			health_timeout  2s
+			health_status   200
+
+			# If the upstream is down, fail fast (don't retry for longer than
+			# 3 s) and let Caddy's handle_errors 502/503 take over.
+			lb_try_duration 3s
+		}
+	}
 
 	# ── Caddy-level error pages ───────────────────────────────────────────────
 	# These fire when the upstream (backend or ui) is completely unreachable.
 	# SvelteKit's own +error.svelte handles application-level errors (404, 500).
 	handle_errors 404 {
+		root * /srv/errors
+		rewrite * /404.html
+		file_server
+	}
+	handle_errors 502 {
 		root * /srv/errors
 		rewrite * /502.html
 		file_server
@@ -234,27 +269,3 @@ search.libnovel.cc {
 	reverse_proxy meilisearch:7700
 }
 }
-# ── Redis TCP proxy: exposes homelab Redis over TLS for Asynq ─────────────────
-# The backend (prod) connects to rediss://redis.libnovel.cc:6380 to enqueue
-# Asynq jobs. Caddy terminates TLS (Let's Encrypt cert for redis.libnovel.cc)
-# and proxies the raw TCP stream to the homelab Redis via this reverse proxy.
-#
-# NOTE: Redis is NOT running on the prod server — it runs on the homelab
-# (192.168.0.109:6379) and is exposed to the internet via this Caddy proxy.
-# The homelab Redis is protected by REDIS_PASSWORD (requirepass).
-#
-# Caddy layer4 app handles this; requires the caddy-l4 module in the build.
-{
-	layer4 {
-		redis.libnovel.cc:6380 {
-			route {
-				tls
-				proxy {
-					# Homelab Redis — replace with actual homelab IP or FQDN
-					upstream {$HOMELAB_REDIS_ADDR:192.168.0.109:6379}
-				}
-			}
-		}
-	}
-}
-}

backend/Dockerfile

@@ -30,9 +30,14 @@ RUN --mount=type=cache,target=/root/go/pkg/mod \
       -o /out/healthcheck ./cmd/healthcheck
 
 # ── backend service ──────────────────────────────────────────────────────────
-FROM gcr.io/distroless/static:nonroot AS backend
+# Uses Alpine (not distroless) so ffmpeg is available for on-demand voice
+# sample generation via pocket-tts (WAV→MP3 transcoding).
+FROM alpine:3.21 AS backend
+RUN apk add --no-cache ffmpeg ca-certificates && \
+    addgroup -S appgroup && adduser -S appuser -G appgroup
 COPY --from=builder /out/healthcheck /healthcheck
 COPY --from=builder /out/backend /backend
+USER appuser
 ENTRYPOINT ["/backend"]
 
 # ── runner service ───────────────────────────────────────────────────────────

caddy/errors/404.html

@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>404 — Page Not Found</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      min-height: 100svh;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      justify-content: center;
+      gap: 1rem;
+      background: #09090b;
+      color: #a1a1aa;
+      font-family: ui-sans-serif, system-ui, sans-serif;
+      padding: 2rem;
+      text-align: center;
+    }
+    .code {
+      font-size: clamp(4rem, 20vw, 8rem);
+      font-weight: 800;
+      color: #27272a;
+      line-height: 1;
+      letter-spacing: -0.04em;
+    }
+    h1 { font-size: 1.25rem; font-weight: 600; color: #e4e4e7; }
+    p  { font-size: 0.9rem; max-width: 36ch; line-height: 1.6; }
+    a  {
+      margin-top: 0.5rem;
+      display: inline-block;
+      padding: 0.6rem 1.4rem;
+      border-radius: 0.5rem;
+      background: #f59e0b;
+      color: #000;
+      font-weight: 600;
+      font-size: 0.875rem;
+      text-decoration: none;
+    }
+    a:hover { background: #d97706; }
+  </style>
+</head>
+<body>
+  <div class="code">404</div>
+  <h1>Page Not Found</h1>
+  <p>The page you're looking for doesn't exist or has been moved.</p>
+  <a href="/">Go home</a>
+</body>
+</html>