diff --git a/bin/nexredirect b/bin/nexredirect
index d368c82..9505803 100755
--- a/bin/nexredirect
+++ b/bin/nexredirect
@@ -28,7 +28,9 @@ nexredirect — CoreX NexRedirect CLI
   update [tag]      Auf neueste Version (oder bestimmten Tag); skip wenn schon aktuell
   update -f [tag]   Update erzwingen auch wenn Version gleich
   version           Aktuelle + neueste Version (GitHub)
-  caddy reload      Caddyfile neu generieren + reload
+  caddy reload      Caddyfile reload via Admin-API
+  caddy regen       Caddyfile aus DB neu generieren (per-Domain-Blöcke + Auto-HTTPS)
+  caddy fix-perms   /etc/caddy/Caddyfile dem Service-User übertragen
   caddy show        Aktuellen Caddyfile anzeigen
   db                SQLite-Shell auf der Datenbank öffnen
   domains           Aktive Domains listen
@@ -93,11 +95,23 @@ cmd_caddy() {
         && echo "Caddy reloaded" \
         || systemctl reload caddy
       ;;
+    regen)
+      require_root "caddy regen"
+      chown "$SERVICE_USER:$SERVICE_USER" /etc/caddy/Caddyfile 2>/dev/null || true
+      chmod 644 /etc/caddy/Caddyfile 2>/dev/null || true
+      sudo -u "$SERVICE_USER" -H bash -c "cd '$INSTALL_DIR' && NEXREDIRECT_DATA_DIR='$DATA_DIR' ./node_modules/.bin/tsx -e \"import('./lib/caddy').then(async m=>{const r=await m.reloadCaddy();console.log(JSON.stringify(r));process.exit(r.ok?0:1)})\""
+      ;;
+    fix-perms)
+      require_root "caddy fix-perms"
+      chown "$SERVICE_USER:$SERVICE_USER" /etc/caddy/Caddyfile
+      chmod 644 /etc/caddy/Caddyfile
+      echo "OK — Caddyfile gehört jetzt $SERVICE_USER"
+      ;;
     show|config|"")
       cat /etc/caddy/Caddyfile
       ;;
     *)
-      echo "Usage: nexredirect caddy [reload|show]" >&2
+      echo "Usage: nexredirect caddy [reload|regen|fix-perms|show]" >&2
       exit 1
       ;;
   esac
diff --git a/package.json b/package.json
index f7de44f..343bec3 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "corex-nexredirect",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "license": "MIT",
   "overrides": {
     "postcss": "^8.5.13",
diff --git a/scripts/install.sh b/scripts/install.sh
index 8f0343e..6c6adfc 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -160,6 +160,11 @@ cat > /etc/caddy/Caddyfile <<EOF
 }
 EOF
 
+# Caddyfile + caddy-data writable by service user, so app can regenerate per-domain blocks
+chown -R "$SERVICE_USER:$SERVICE_USER" /etc/caddy/Caddyfile
+chmod 644 /etc/caddy/Caddyfile
+# Caddy admin API runs as caddy user; allow service user to talk to it (localhost:2019 is fine)
+
 # Server-IPs in DB-Settings schreiben (via tsx)
 sudo -u "$SERVICE_USER" -H bash -c "cd '$INSTALL_DIR' && NEXREDIRECT_DATA_DIR='$DATA_DIR' SERVER_IP='$SERVER_IP' SERVER_IPV6='$SERVER_IPV6' ./node_modules/.bin/tsx -e \"import('./lib/db').then(({setSetting})=>{if(process.env.SERVER_IP)setSetting('server_ip',process.env.SERVER_IP);if(process.env.SERVER_IPV6)setSetting('server_ipv6',process.env.SERVER_IPV6);})\"" || \
   echo "    (Server-IP konnte nicht direkt gesetzt werden — manuell via /settings nachholen.)"
diff --git a/scripts/update.sh b/scripts/update.sh
index b66ab4c..80583a5 100755
--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -20,6 +20,12 @@ if ! command -v sqlite3 >/dev/null 2>&1; then
   apt-get install -y -qq sqlite3 >/dev/null 2>&1 || true
 fi
 
+# Caddyfile-Permissions reparieren (App muss schreiben können)
+if [[ -f /etc/caddy/Caddyfile ]]; then
+  chown "$SERVICE_USER:$SERVICE_USER" /etc/caddy/Caddyfile 2>/dev/null || true
+  chmod 644 /etc/caddy/Caddyfile 2>/dev/null || true
+fi
+
 if [[ -z "$TAG" ]]; then
   TAG=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" 2>/dev/null \
     | grep -m1 '"tag_name"' | sed -E 's/.*"tag_name": *"([^"]+)".*/\1/' || true)