Add caddy_config_dir = /etc/caddy on Linux, /opt/homebrew/etc/caddy on macOS.
Derive the Caddyfile / conf.d / fragment paths in the caddy role and the
gateway_openclaw/litellm/xworkmate_bridge roles from it, so a force-enabled
Caddy (caddy_enabled=true) on macOS writes to the Homebrew location instead of
the unwritable /etc/caddy. Default (caddy_enabled=false on macOS) still skips
Caddy entirely.

Add caddy_enabled (group_vars/all) defaulting to ansible_os_family != 'Darwin',
overridable via -e caddy_enabled=true/false. Wrap the dedicated caddy role and
the gateway_openclaw Caddy ingress block in 'when: caddy_enabled | bool' so
macOS single-host deploys never touch /etc/caddy or start caddy, while Linux
VPS deploys keep Caddy + HTTP/TLS by default. Notifies only fire from gated
tasks, so the Reload caddy handlers stay inert when disabled.
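
A sketch of how the variables and gating described above fit together, added here as an illustration and not taken from the repository. The variable names caddy_enabled and caddy_config_dir and the handler name come from the commit message; the file paths, task names, caddy_conf_d and the fragment file name are assumptions.

```yaml
# Added illustration, not the project's own files. Names marked
# "hypothetical" do not appear in the commit message.
---
# group_vars/all
# Default: on everywhere except macOS. Override with -e caddy_enabled=true/false.
caddy_enabled: "{{ ansible_os_family != 'Darwin' }}"
caddy_config_dir: "{{ '/opt/homebrew/etc/caddy' if ansible_os_family == 'Darwin' else '/etc/caddy' }}"
caddy_conf_d: "{{ caddy_config_dir }}/conf.d"   # hypothetical derived variable

---
# Playbook excerpt (hypothetical). Facts must be gathered so that
# ansible_os_family is defined when the variables above are evaluated.
- hosts: all
  gather_facts: true
  roles:
    - role: caddy
      # -e caddy_enabled=false arrives as the string "false"; the bool
      # filter converts it to a real boolean before the condition is tested.
      when: caddy_enabled | bool

---
# roles/gateway_openclaw/tasks/main.yml (hypothetical path): ingress block
- name: Configure Caddy ingress
  when: caddy_enabled | bool
  block:
    - name: Ensure the fragment directory exists
      ansible.builtin.file:
        path: "{{ caddy_conf_d }}"
        state: directory
        mode: "0755"

    - name: Write the ingress fragment
      ansible.builtin.template:
        src: openclaw.caddy.j2                      # hypothetical template name
        dest: "{{ caddy_conf_d }}/openclaw.caddy"   # hypothetical fragment name
        mode: "0644"
      # The handler is only notified from inside the gated block, so it
      # never runs when caddy_enabled is false.
      notify: Reload caddy
```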