diff --git a/cloud-init.yaml b/cloud-init.yaml
index a5fdc46..0d07680 100644
--- a/cloud-init.yaml
+++ b/cloud-init.yaml
@@ -5,6 +5,21 @@ packages:
 - docker-compose-v2
 write_files:
+ - path: /opt/services/Caddyfile
+ permissions: "0644"
+ content: |
+ {
+ email quinn@cocotte.tech
+ }
+ forge.ct.uvlava.com, npm.ct.uvlava.com, pypi.ct.uvlava.com {
+ reverse_proxy forgejo-ct:3000
+ }
+ forge.mc.uvlava.com, npm.mc.uvlava.com, pypi.mc.uvlava.com {
+ reverse_proxy forgejo-mc:3000
+ }
+ forge.quinn.uvlava.com, npm.quinn.uvlava.com, pypi.quinn.uvlava.com {
+ reverse_proxy forgejo-quinn:3000
+ }
 - path: /opt/services/docker-compose.yml
 permissions: "0644"
 content: |
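Review bot: The three site blocks proxy to forgejo-*:3000 from the caddy container, so Forgejo will record Caddy's container address as the client unless its reverse-proxy trust list is widened beyond the loopback default — Gitea/Forgejo only honour X-Forwarded-For from addresses listed in `[security] REVERSE_PROXY_TRUSTED_PROXIES`, and nothing in this commit sets it (confirm against the Forgejo 10 configuration reference). Without it, Forgejo's access logs and any IP-based abuse handling see only the proxy, which blunts incident response on an Internet-facing forge; the fix belongs in the environment maps of the compose hunk below, e.g. `FORGEJO__security__REVERSE_PROXY_TRUSTED_PROXIES: "<compose-network-cidr>"` (placeholder: the bridge network Caddy shares with the upstreams). The Caddyfile itself would also benefit from a comment above the site blocks stating the routing intent, e.g. `# forge.*, npm.*, pypi.* all terminate at the per-tenant Forgejo (built-in package registry); Verdaccio is not fronted by Caddy`, since the npm.* hosts go to Forgejo while a separate Verdaccio container remains on :4873.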
@@ -12,61 +27,36 @@ write_files: forgejo-ct: image: codeberg.org/forgejo/forgejo:10 restart: always - environment: - USER_UID: "1000" - USER_GID: "1000" - FORGEJO__server__HTTP_PORT: "3000" - FORGEJO__server__SSH_PORT: "2222" - FORGEJO__security__INSTALL_LOCK: "true" - FORGEJO__service__DISABLE_REGISTRATION: "true" - volumes: - - /opt/services/ct:/data - ports: - - "3000:3000" - - "2222:22" + environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", FORGEJO__server__DOMAIN: "forge.ct.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.ct.uvlava.com/", FORGEJO__server__DISABLE_SSH: "true", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true" } + volumes: [ /opt/services/ct:/data ] + ports: [ "3000:3000" ] forgejo-mc: image: codeberg.org/forgejo/forgejo:10 restart: always - environment: - USER_UID: "1000" - USER_GID: "1000" - FORGEJO__server__HTTP_PORT: "3000" - FORGEJO__server__SSH_PORT: "2223" - FORGEJO__security__INSTALL_LOCK: "true" - FORGEJO__service__DISABLE_REGISTRATION: "true" - volumes: - - /opt/services/mc:/data - ports: - - "3001:3000" - - "2223:22" + environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", FORGEJO__server__DOMAIN: "forge.mc.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.mc.uvlava.com/", FORGEJO__server__DISABLE_SSH: "true", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true" } + volumes: [ /opt/services/mc:/data ] + ports: [ "3001:3000" ] forgejo-quinn: image: codeberg.org/forgejo/forgejo:10 restart: always - environment: - USER_UID: "1000" - USER_GID: "1000" - FORGEJO__server__HTTP_PORT: "3000" - FORGEJO__server__SSH_PORT: "2224" - FORGEJO__security__INSTALL_LOCK: "true" - FORGEJO__service__DISABLE_REGISTRATION: "true" - volumes: - - /opt/services/quinn:/data - ports: - - "3002:3000" - - "2224:22" + environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", 
FORGEJO__server__DOMAIN: "forge.quinn.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.quinn.uvlava.com/", FORGEJO__server__DISABLE_SSH: "true", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true" } + volumes: [ /opt/services/quinn:/data ] + ports: [ "3002:3000" ] verdaccio: image: verdaccio/verdaccio:6 restart: always - ports: - - "4873:4873" - volumes: - - /opt/services/verdaccio:/verdaccio/storage + ports: [ "4873:4873" ] + volumes: [ /opt/services/verdaccio:/verdaccio/storage ] + caddy: + image: caddy:2 + restart: always + ports: [ "80:80", "443:443" ] + volumes: [ /opt/services/Caddyfile:/etc/caddy/Caddyfile, /opt/services/caddy-data:/data, /opt/services/caddy-config:/config ] runcmd: - # 2GB swap (safety on the 4GB box) - [ bash, -c, "fallocate -l 2G /swapfile && chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile && echo '/swapfile none swap sw 0 0' >> /etc/fstab" ] - - [ bash, -c, "mkdir -p /opt/services/ct /opt/services/mc /opt/services/quinn /opt/services/verdaccio && chown -R 1000:1000 /opt/services" ] + - [ bash, -c, "mkdir -p /opt/services/ct /opt/services/mc /opt/services/quinn /opt/services/verdaccio && chown -R 1000:1000 /opt/services/ct /opt/services/mc /opt/services/quinn /opt/services/verdaccio" ] - [ systemctl, enable, --now, docker ] - [ bash, -c, "cd /opt/services && docker compose up -d" ] -final_message: "services droplet up: 3 Forgejo (ct:3000 mc:3001 quinn:3002) + Verdaccio:4873" +final_message: "com.uvlava.quinn.artifacts up: forges (forge.{ct,mc,quinn}.uvlava.com) + registries via Caddy/TLS"
diff --git a/main.tf b/main.tf
index 9fb2da0..b8eb1ab 100644
--- a/main.tf
+++ b/main.tf
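Review bot: The Forgejo services still publish `ports: [ "3000:3000" ]`, `"3001:3000"` and `"3002:3000"` on every host interface, and Verdaccio keeps `"4873:4873"`, so with Caddy now terminating TLS the same applications stay reachable over plaintext HTTP by going straight to the host ports — that bypasses the `ROOT_URL: "https://…"` assumption and the "via Caddy/TLS" claim in the new final_message. Caddy reaches the upstreams by service name on the compose network, so the Forgejo `ports:` entries can be removed outright; if host-local access is still wanted, bind them to loopback, e.g. `ports: [ "127.0.0.1:3000:3000" ]`, and do the same for Verdaccio (`"127.0.0.1:4873:4873"`), which the Caddyfile does not front at all — or give it a site block of its own. Separately, the `environment:` maps were rewritten as one-line flow mappings with eight entries each; the previous block style diffs and reviews far better, and a short comment on each service naming the public hostname it backs would make the Caddyfile-to-service mapping checkable without cross-referencing.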
@@ -16,8 +16,9 @@ resource "digitalocean_droplet" "services" {
 lifecycle { # Forgejo/Verdaccio data lives in /opt/services volumes; never let a
- # user_data tweak silently rebuild and wipe it.
- ignore_changes = [user_data]
+ # user_data tweak silently rebuild and wipe it. `name` is ForceNew in the
+ # provider — rename live via doctl, never let a label change replace the box.
+ ignore_changes = [user_data, name]
 }
 }
diff --git a/variables.tf b/variables.tf
index c786585..189b69e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -25,5 +25,5 @@ variable "ssh_key_fingerprints" {
 variable "name" {
 type = string
- default = "services"
+ default = "com.uvlava.quinn.artifacts" # reverse-DNS: forges + registries box (convention:infra_manifest droplet_naming)
 }
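Review bot: With `ignore_changes = [user_data, name]`, every change this commit makes to cloud-init.yaml and to the `name` default is invisible to `terraform plan` against the existing droplet, so the new Caddy/compose configuration only reaches a freshly created box and the rename only happens if someone runs the doctl step the comment mentions — a clean plan no longer means the live host matches the repo. The comment should state that consequence, e.g. `# NOTE: cloud-init.yaml and var.name edits are NOT rolled out by apply; push compose changes to the live host by hand and rename with doctl.` The comment asserts that `name` is ForceNew in the provider; that appears to be the motivation, but nothing in this diff demonstrates it, so naming the provider version it was verified against would help whoever later revisits the ignore list. The enclosing resource block starts outside the hunk.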