1 files changed, 135 insertions, 0 deletions

diff --git a/skills/ship-caddy/SKILL.md b/skills/ship-caddy/SKILL.md
new file mode 100644
index 0000000..df79e39
--- /dev/null
+++ b/skills/ship-caddy/SKILL.md
@@ -0,0 +1,135 @@
+---
+name: ship-caddy
+description: Manage Caddy configuration for a deployed app. Add, update, or remove site configs. Use when you need to change how Caddy serves an app — custom domains, redirects, auth, headers, etc.
+argument-hint: "<app-name> [host-nickname]"
+---
+
+# ship-caddy
+
+Manage per-app Caddy configuration on a ship VPS.
+
+## Read Config
+
+```bash
+python3 -c "
+import json, os
+cfg = json.load(open(os.path.expanduser('~/.config/ship/config.json')))
+nick = '<nickname-or-default>'
+h = cfg['hosts'].get(nick, cfg['hosts'][cfg['default']])
+print(h['host'])
+"
+```
+
+## Usage Patterns
+
+### View current Caddy config for an app
+
+```bash
+ssh <host> "sudo cat /etc/caddy/sites-enabled/<app-name>.caddy"
+```
+
+### Add or update a site config
+
+Read the current config first if it exists, then write the new one. Always reload
+Caddy after writing — validate first by checking syntax:
+
+```bash
+ssh <host> "sudo caddy validate --config /etc/caddy/Caddyfile 2>&1"
+```
+
+If validation passes:
+```bash
+ssh <host> "sudo systemctl reload caddy"
+```
+
+If validation fails, show the error and do NOT reload. Tell the user what the
+problem is.
+
+### Standard reverse proxy config (most apps)
+
+```bash
+ssh <host> "sudo tee /etc/caddy/sites-enabled/<app-name>.caddy > /dev/null << 'EOF'
+<domain> {
+    reverse_proxy 127.0.0.1:<port>
+}
+EOF"
+```
+
+### Custom domain (in addition to default)
+
+```bash
+ssh <host> "sudo tee /etc/caddy/sites-enabled/<app-name>.caddy > /dev/null << 'EOF'
+<custom-domain>, <default-domain> {
+    reverse_proxy 127.0.0.1:<port>
+}
+EOF"
+```
+
+### Basic auth
+
+```bash
+ssh <host> "sudo tee /etc/caddy/sites-enabled/<app-name>.caddy > /dev/null << 'EOF'
+<domain> {
+    basicauth {
+        <username> <bcrypt-hash>
+    }
+    reverse_proxy 127.0.0.1:<port>
+}
+EOF"
+```
+
+To generate a bcrypt hash for a password:
+```bash
+ssh <host> "caddy hash-password --plaintext '<password>'"
+```
+
+### Redirect www to non-www
+
+```bash
+ssh <host> "sudo tee /etc/caddy/sites-enabled/<app-name>.caddy > /dev/null << 'EOF'
+www.<domain> {
+    redir https://<domain>{uri} permanent
+}
+
+<domain> {
+    reverse_proxy 127.0.0.1:<port>
+}
+EOF"
+```
+
+### Static site
+
+```bash
+ssh <host> "sudo tee /etc/caddy/sites-enabled/<app-name>.caddy > /dev/null << 'EOF'
+<domain> {
+    root * /var/www/<app-name>
+    file_server
+    encode gzip
+}
+EOF"
+```
+
+### Remove a site config
+
+```bash
+ssh <host> "sudo rm /etc/caddy/sites-enabled/<app-name>.caddy && sudo systemctl reload caddy"
+```
+
+Confirm with the user before removing.
+
+### View Caddy status and logs
+
+```bash
+ssh <host> "sudo systemctl status caddy --no-pager"
+ssh <host> "sudo journalctl -u caddy -n 50 --no-pager"
+```
+
+## Notes
+
+- Always validate before reloading — never reload with a broken config
+- The port for an app can be found at `/etc/ship/ports/<app-name>`
+- Caddy handles HTTPS automatically — no need to configure certificates
+- If the user asks for something not covered here, write the appropriate Caddy
+  directives — Caddy's config language is flexible and well documented
+- Main Caddyfile is at `/etc/caddy/Caddyfile` and imports all files in
+  `/etc/caddy/sites-enabled/`