diff --git a/tech_docs/networking/caddy.md b/tech_docs/networking/caddy.md new file mode 100644 index 0000000..443713b --- /dev/null +++ b/tech_docs/networking/caddy.md @@ -0,0 +1,51 @@ +Exactly — keep **one** central Caddy **outside** Docker (systemd) and proxy to **whatever** runs inside containers, VMs, or localhost. +That’s the **single source of truth** you want. + +-------------------------------------------------- +1. Central Caddyfile (systemd) – **one file** rules them all +---------------------------------------------------- +```bash +sudo nano /etc/caddy/Caddyfile +``` +Content (add more blocks as you spin up services): +``` +# Git service inside Docker +git.crazystorm-andromeda.duckdns.org { + reverse_proxy localhost:3000 # Docker published port + encode gzip + header -Server +} + +# Future service – just add another block +# next.crazystorm-andromeda.duckdns.org { +# reverse_proxy localhost:4000 +# } +``` + +-------------------------------------------------- +2. Reload after any edit +---------------------------------------------------- +```bash +sudo systemctl reload caddy +``` + +-------------------------------------------------- +3. Benefits you keep +---------------------------------------------------- +- **One** Let’s Encrypt account, **one** cert cache, **one** log stream +- **No** extra Caddy container to babysit +- **Any** backend (Docker, native, remote IP) just becomes another `reverse_proxy` line +- **Survives** Docker Compose restarts; systemd starts before Docker + +-------------------------------------------------- +4. House-keeping +---------------------------------------------------- +```bash +# validate syntax +caddy validate --config /etc/caddy/Caddyfile + +# live reload +sudo systemctl reload caddy +``` + +That’s the **central, primitive, single-file** setup — add a block, reload, done. \ No newline at end of file
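Review bot: In section 1, `reverse_proxy localhost:3000 # Docker published port` leaves out how that port should be published. Docker binds a published port to all interfaces by default, so the Git service can be reached directly on :3000 without going through Caddy's TLS or the `header -Server` rule. Add a line telling the reader to publish on loopback only, for example `127.0.0.1:3000:3000` in the Compose `ports` entry. The same applies to the commented `localhost:4000` block. Section 3's "systemd starts before Docker" reads as an ordering guarantee between the Caddy and Docker units, which nothing in this file configures; reword it to say only that Caddy runs independently of Compose restarts. Sections 2 and 4 both give `sudo systemctl reload caddy`; consider merging them so that `caddy validate --config /etc/caddy/Caddyfile` comes before the single reload step. The opening "Exactly" and the closing line read as a chat reply rather than documentation, and the file is missing its trailing newline.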