MichaelVessia/caddy
modules/programs/agents/shared/skills/caddy/SKILL.md
Inspect and manage my self-hosted Caddy reverse proxy via its admin API. Use when the user asks about Caddy, mentions reverse proxy routes, virtual hosts, TLS/cert issues for internal `.lan` domains, upstream health, or wants to view/reload the active Caddy configuration.
$ install --global
skillsauthnpx skillsauth add MichaelVessia/nixos-config caddyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 25, 2026, 5:47 AM109.4s6 files scanned
SKILL.md
- name:
- caddy
- description:
- Inspect and manage my self-hosted Caddy reverse proxy via its admin API. Use when the user asks about Caddy, mentions reverse proxy routes, virtual hosts, TLS/cert issues for internal `.lan` domains, upstream health, or wants to view/reload the active Caddy configuration.
- allowed-tools:
- Bash, WebFetch
Caddy
Manage my self-hosted Caddy reverse proxy through its admin API: inspect the running config, list routes and upstream pools, check the internal CA, and hot-reload a new config file.
Environment
The admin API URL is exported into the shell by sops-nix (see
modules/programs/shell.nix):
CADDY_URL— base URL of the admin API, no trailing slash (e.g.http://192.168.1.252:2019)
The Caddy admin API has no authentication. It is bound to a LAN-only
address on the LXC host; off-network access requires tailscale/VPN. The caddy
CLI reports a JSON error envelope when CADDY_URL is missing.
CLI
Use the installed caddy CLI for common operations. It always emits a single
JSON envelope with ok, command, result or error, and next_actions.
scripts/caddy.sh remains as a compatibility shim for older workflows.
caddy config # GET /config/ (full active config)
caddy routes # matchers + upstreams per server
caddy upstreams # live reverse-proxy pool + health
caddy pki-ca # internal CA info (GET /pki/ca/local)
caddy reload <config.json> --confirm-reload # POST /load, confirm first
For anything not covered, call the API directly with $CADDY_URL — see
references/api-endpoints.md and references/quick-reference.md.
Workflow: inspect routes for a host
caddy routesto see all matchers + their upstream dials.- To narrow to one host:
curl -fsS "$CADDY_URL/config/" | jq ' .apps.http.servers[].routes[] | select(.match[]?.host[]? == "example.lan") ' - To check whether an upstream is currently healthy:
caddy upstreams.
Workflow: TLS for internal .lan domains
This Caddy uses tls.automation.issuers.module = internal, i.e. Caddy's
built-in CA. Clients must trust Caddy's root CA cert to avoid browser
warnings:
caddy pki-ca— returns the CA'sroot_certificate(PEM).- Install the PEM into the client's system trust store (macOS Keychain,
update-ca-certificateson Linux, mobile profile, etc.).
Mutations: confirm first
reload replaces the entire active configuration atomically. Caddy validates
the new config first, but a bad config that still parses can take services
offline. Always confirm with the user before:
caddy reload <file> --confirm-reload— replaces the running config- Any direct
POST /load,PATCH /config/...,PUT /config/...,DELETE /config/..., orPOST /stopcall
Require the user to say something explicit like "yes, reload" or "go ahead, apply it" before invoking. Show them the diff of what will change first when possible.
References
references/api-endpoints.md— admin API endpoints used here (/config/,/load,/reverse_proxy/upstreams,/pki/ca/local)references/quick-reference.md— copy-paste curl recipesreferences/troubleshooting.md— admin API reachability, invalid configs, internal-CA cert trust issues
Notes
- Admin API docs: https://caddyserver.com/docs/api
- The admin API speaks JSON. Caddyfile-style configs need adapting with the
real Caddy binary, not this garage wrapper, before posting to
/load. - Caddy lives on the LAN (
192.168.1.252:2019). Off-network access requires tailscale or VPN. - If
CADDY_URLis unreachable, surface that to the user rather than guessing.
Related Skills
MichaelVessia/stack
tools
VerifiedTrustedCommunity
User guide for the local squash-safe `stack` CLI for stacked PR/MR repair on GitHub and GitLab. Use when someone asks how to inspect, track, sync, merge, document, or undo stacked pull requests / merge requests in squash-merge repositories. Prefer this tool over GitHub's `gh stack` command for this workflow.
2SKILL.mdUpdated Jun 5, 2026
MichaelVessia/herdr
tools
VerifiedTrustedCommunity
Control herdr from inside it. Manage workspaces and tabs, split panes, spawn agents, read output, and wait for state changes — all via CLI commands that talk to the running herdr instance over a local unix socket. Use when running inside herdr (HERDR_ENV=1).
2SKILL.mdUpdated Jun 4, 2026
MichaelVessia/autocaliweb
development
VerifiedTrustedCommunity
Inspect my self-hosted AutoCaliWeb library. Use when the user asks about AutoCaliWeb, books in Calibre, OPDS status, recent imports, shelves, catalog stats, or wants to search the ebook library.
2SKILL.mdUpdated May 25, 2026
MichaelVessia/add-youtube-channel
data-ai
VerifiedTrustedCommunity
Subscribe a YouTube channel in TubeArchivist, queue its top videos by views from recent uploads, wait for the first file, scan Jellyfin, and rename + lock the channel folder to a friendly display name. Use when the user says "add a youtube channel", "subscribe to <channel>", or wants a curated TubeArchivist + Jellyfin import for a creator.
2SKILL.mdUpdated May 24, 2026