diff --git a/ansible/roles/caddy/defaults/main.yml b/ansible/roles/caddy/defaults/main.yml
index 931e2a0..a9576a1 100644
--- a/ansible/roles/caddy/defaults/main.yml
+++ b/ansible/roles/caddy/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 # Caddy reverse proxy configuration
-# Caddy is built manually from ~/code/3rd/caddy with the Gandi DNS plugin
+# Caddy is built from ~/code/3rd/caddy with Gandi DNS and Layer 4 plugins
 
 caddy_repo_dir: /Users/erichblume/code/3rd/caddy
 caddy_binary: "{{ caddy_repo_dir }}/bin/caddy"
diff --git a/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md b/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md
new file mode 100644
index 0000000..f0f213f
--- /dev/null
+++ b/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md
@@ -0,0 +1 @@
+Upgrade Caddy from v2.10.2 to v2.11.2 (7 CVE fixes), create caddy-l4 forge mirror, migrate all ~/code/3rd clones on indri to HTTPS forge.ops.eblu.me remotes.
diff --git a/docs/reference/services/caddy.md b/docs/reference/services/caddy.md
index c6e5e4f..8896a86 100644
--- a/docs/reference/services/caddy.md
+++ b/docs/reference/services/caddy.md
@@ -1,6 +1,6 @@
 ---
 title: Caddy
-modified: 2026-02-12
+modified: 2026-03-15
 tags:
   - service
   - networking
@@ -87,14 +87,20 @@ Caddy has no authentication layer — it is a plain reverse proxy. Access contro
 
 ## Custom Build
 
-Caddy is built from source with the Gandi DNS plugin:
+Caddy is built from source using `xcaddy` with two plugins:
+
+- `github.com/caddy-dns/gandi` — ACME DNS-01 challenges via Gandi API
+- `github.com/mholt/caddy-l4` — Layer 4 (TCP/UDP) proxying
 
 ```bash
-# Build location
+# Source and build location (mirrored on forge)
 ~/code/3rd/caddy/bin/caddy
+
+# Build via mise task in the caddy clone
+cd ~/code/3rd/caddy && mise run build
 ```
 
-The build includes the `github.com/caddy-dns/gandi` plugin for ACME DNS-01 challenges.
+Forge mirrors: `mirrors/caddy`, `mirrors/caddy-gandi`, `mirrors/xcaddy`, `mirrors/caddy-l4`.
 
 ## Related
 
diff --git a/service-versions.yaml b/service-versions.yaml
index 7d03295..85705cc 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -276,10 +276,10 @@ services:
 
   - name: caddy
     type: ansible
-    last-reviewed: null
-    current-version: null
+    last-reviewed: 2026-03-15
+    current-version: "v2.11.2"
     upstream-source: https://github.com/caddyserver/caddy/releases
-    notes: Built from source with Gandi DNS plugin
+    notes: Built from source with Gandi DNS and Layer 4 plugins
 
   - name: borgmatic
     type: ansible