Standalone plan for the TaPPaaS operator's Claude Code: WireGuard client
(peer 10.13.0.9, split-tunnel), Caddy plain-HTTP backend on 10.13.0.9:80,
firewall lock to 10.13.0.1, internal split-horizon DNS. Bakes in the
verified VPS-side contract (hub endpoint/pubkey, preserved Host, *.tappaas
wildcard, public DNS) and the key-exchange handshake. Flags the internal-TLS
decision (internal CA vs Gandi DNS-01 vs no internal TLS).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Split-horizon DNS + public exposure under *.tappaas.makerfloss.eu,
reusing the proven mf01 publishing pattern (new wg1 peer, TLS terminates
at VPS, plain HTTP over wg1 to TaPPaaS Caddy). TaPPaaS-side config repo
left as an open item.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>