This is a production guide based on building Dinehere.ai (AI restaurant website builder). The key insight: run Caddy as a Kamal accessory for on-demand TLS. Caddy checks a Rails endpoint before issuing any certificate, so random domains pointed at your IP won't trigger cert issuance. kamal-proxy still handles deployment and health checks — Caddy just sits in front for TLS termination. Part 1 (base Kamal deployment): https://mooktakim.com/blog/deploying-rails-with-kamal/