fix: handle masked/missing caddy.service during package transition

Fixes the postinst failure when replacing stock caddy on hosts where
caddy.service was masked. The unit file could be missing after dpkg
removes the old caddy package, causing systemctl enable to fail.

Changes:
- postinst: unmask caddy.service before enable, recreate unit file
  from embedded copy if missing after unmasking, stop caddy-api.service
  with guard
- preinst (new): stop caddy.service and caddy-api.service with || true
  guards before install/upgrade
- Makefile: include preinst in deb build

Handles three scenarios:
1. Fresh install (no prior caddy)
2. Upgrade from stock caddy with masked service
3. Upgrade from previous madcat-caddy

Closes #1

debian/postinst

@@ -1,6 +1,15 @@
 #!/bin/sh
+# postinst for madcat-caddy
+#
+# Handles:
+#   - Fresh install (no prior caddy)
+#   - Upgrade from stock caddy with masked service
+#   - Upgrade from previous madcat-caddy
+
 set -e
 
+UNIT_PATH="/usr/lib/systemd/system/caddy.service"
+
 # Create caddy user/group if they don't exist
 if ! getent group caddy >/dev/null 2>&1; then
     groupadd --system caddy
@@ -16,9 +25,57 @@ mkdir -p /var/lib/caddy/.config/caddy
 mkdir -p /var/lib/caddy/.local/share/caddy
 chown -R caddy:caddy /var/lib/caddy
 
-# Enable and start the service
+# Stop caddy-api.service if it exists (leftover from stock caddy)
 if [ -d /run/systemd/system ]; then
+    systemctl stop caddy-api.service 2>/dev/null || true
+fi
+
+# Handle systemd service setup
+if [ -d /run/systemd/system ]; then
+    # If the unit file is missing (removed during package transition) or is a
+    # dangling symlink (masked unit pointing to /dev/null), recreate it.
+    if [ ! -f "$UNIT_PATH" ] || [ -L "$UNIT_PATH" ]; then
+        # Unmask first — removes the /dev/null symlink if masked
+        systemctl unmask caddy.service 2>/dev/null || true
+
+        # If still missing after unmask, recreate from our embedded copy
+        if [ ! -f "$UNIT_PATH" ]; then
+            mkdir -p "$(dirname "$UNIT_PATH")"
+            cat > "$UNIT_PATH" << 'UNIT'
+[Unit]
+Description=Caddy web server (madcat-caddy)
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
+UNIT
+        fi
+    fi
+
+    # Reload systemd to pick up the unit file (new or recreated)
     systemctl daemon-reload
+
+    # Unmask again after reload in case it was masked in systemd's state
+    systemctl unmask caddy.service 2>/dev/null || true
+
+    # Enable and start
     systemctl enable caddy.service
     systemctl start caddy.service || true
 fi

debian/preinst

@@ -0,0 +1,14 @@
+#!/bin/sh
+# preinst for madcat-caddy
+#
+# Stop existing caddy services before install/upgrade.
+# Guards against failures when services don't exist (e.g., caddy-api.service
+# from stock caddy may not be present on all systems).
+
+set -e
+
+if [ -d /run/systemd/system ]; then
+    # Stop stock caddy services — both may not exist, so guard with || true
+    systemctl stop caddy.service 2>/dev/null || true
+    systemctl stop caddy-api.service 2>/dev/null || true
+fi