From c0e5137b68ea1e90f30fe63c16d507be7a2ce02b Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sun, 15 Mar 2026 10:29:45 -0700
Subject: [PATCH] =?UTF-8?q?Upgrade=20Caddy=20v2.10.2=20=E2=86=92=20v2.11.2?= =?UTF-8?q?,=20fix=20forge=20mirror=20setup?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Rebuild caddy binary with v2.11.2 (7 CVE fixes in v2.11.1/v2.11.2)
- Create mirrors/caddy-l4 on forge
- Migrate all ~/code/3rd clones on indri to HTTPS forge.ops.eblu.me remotes
- Remove stale clones (apple-silicon-detector, whisper.cpp)
- Update caddy docs and service-versions tracking
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ansible/roles/caddy/defaults/main.yml | 2 +-
 .../feature-caddy-upgrade-v2.11.2.infra.md | 1 +
 docs/reference/services/caddy.md | 14 ++++++++++----
 service-versions.yaml | 6 +++---
 4 files changed, 15 insertions(+), 8 deletions(-)
 create mode 100644 docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md
diff --git a/ansible/roles/caddy/defaults/main.yml b/ansible/roles/caddy/defaults/main.yml
index 931e2a0..a9576a1 100644
--- a/ansible/roles/caddy/defaults/main.yml
+++ b/ansible/roles/caddy/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 # Caddy reverse proxy configuration
-# Caddy is built manually from ~/code/3rd/caddy with the Gandi DNS plugin
+# Caddy is built from ~/code/3rd/caddy with Gandi DNS and Layer 4 plugins
 caddy_repo_dir: /Users/erichblume/code/3rd/caddy
 caddy_binary: "{{ caddy_repo_dir }}/bin/caddy"
diff --git a/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md b/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md
new file mode 100644
index 0000000..f0f213f
--- /dev/null
+++ b/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md
@@ -0,0 +1 @@
+Upgrade Caddy from v2.10.2 to v2.11.2 (7 CVE fixes), create caddy-l4 forge mirror, migrate all ~/code/3rd clones on indri to HTTPS forge.ops.eblu.me remotes.
diff --git a/docs/reference/services/caddy.md b/docs/reference/services/caddy.md
index c6e5e4f..8896a86 100644
--- a/docs/reference/services/caddy.md
+++ b/docs/reference/services/caddy.md
@@ -1,6 +1,6 @@
 ---
 title: Caddy
-modified: 2026-02-12
+modified: 2026-03-15
 tags:
 - service
 - networking
@@ -87,14 +87,20 @@ Caddy has no authentication layer — it is a plain reverse proxy. Access contro
 ## Custom Build
-Caddy is built from source with the Gandi DNS plugin:
+Caddy is built from source using `xcaddy` with two plugins:
+
+- `github.com/caddy-dns/gandi` — ACME DNS-01 challenges via Gandi API
+- `github.com/mholt/caddy-l4` — Layer 4 (TCP/UDP) proxying
 ```bash
-# Build location
+# Source and build location (mirrored on forge)
 ~/code/3rd/caddy/bin/caddy
+
+# Build via mise task in the caddy clone
+cd ~/code/3rd/caddy && mise run build
 ```
-The build includes the `github.com/caddy-dns/gandi` plugin for ACME DNS-01 challenges.
+Forge mirrors: `mirrors/caddy`, `mirrors/caddy-gandi`, `mirrors/xcaddy`, `mirrors/caddy-l4`.
 ## Related
diff --git a/service-versions.yaml b/service-versions.yaml
index 7d03295..85705cc 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -276,10 +276,10 @@ services:
 - name: caddy
 type: ansible
- last-reviewed: null
- current-version: null
+ last-reviewed: 2026-03-15
+ current-version: "v2.11.2"
 upstream-source: https://github.com/caddyserver/caddy/releases
- notes: Built from source with Gandi DNS plugin
+ notes: Built from source with Gandi DNS and Layer 4 plugins
 - name: borgmatic
 type: ansible
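Review bot: The caddy entry in service-versions.yaml records only the core version, `current-version: "v2.11.2"`, while the new `notes` line names two plugins compiled into the same binary without a version or commit for either. Because those plugins run in-process in the reverse proxy, a later advisory against one of them cannot be checked against this file as it stands. I would extend the note to something like `notes: Built from source via xcaddy with caddy-dns/gandi@<gandi-version> and mholt/caddy-l4@<caddy-l4-version>` (placeholders; the actual pins are not visible in this patch). If the build task resolves plugins to whatever is latest at build time, which I cannot tell from here, pinning them there would also make the rebuilt binary reproducible.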