diff --git a/lib/common.sh b/lib/common.sh
index 85b4818..dd25329 100644
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -177,6 +177,10 @@ validate_ssl_mode() {
 [[ "$1" == "letsencrypt" ]] || [[ "$1" == "existing" ]]
 }

+validate_tls_mode() {
+ [[ "$1" == "cloudflare" ]] || [[ "$1" == "existing" ]]
+}
+
 validate_db_type() {
 [[ "$1" == "sqlite3" ]] || [[ "$1" == "mysql" ]] || [[ "$1" == "postgres" ]] || [[ "$1" == "mssql" ]]
 }
@@ -220,7 +224,7 @@ _ENV_VAR_NAMES=(
 REPO_NAMES MIGRATE_ISSUES MIGRATE_LABELS MIGRATE_MILESTONES MIGRATE_WIKI GITHUB_MIRROR_INTERVAL
- NGINX_CONTAINER_NAME NGINX_CONF_PATH SSL_MODE
+ TLS_MODE CADDY_DOMAIN CADDY_DATA_PATH
 PROTECTED_BRANCH REQUIRE_PR_REVIEW REQUIRED_APPROVALS SEMGREP_VERSION TRIVY_VERSION GITLEAKS_VERSION SECURITY_FAIL_ON_ERROR )
@@ -242,15 +246,15 @@ _ENV_VAR_TYPES=(
 nonempty bool bool bool bool nonempty
- nonempty path ssl_mode
+ tls_mode nonempty path
 nonempty bool integer nonempty nonempty nonempty bool )

-# Conditional variables — validated only when SSL_MODE matches.
-_ENV_CONDITIONAL_SSL_NAMES=(SSL_EMAIL SSL_CERT_PATH SSL_KEY_PATH)
-_ENV_CONDITIONAL_SSL_TYPES=(email path path)
-_ENV_CONDITIONAL_SSL_WHEN=( letsencrypt existing existing)
+# Conditional variables — validated only when TLS_MODE matches.
+_ENV_CONDITIONAL_TLS_NAMES=(CLOUDFLARE_API_TOKEN SSL_CERT_PATH SSL_KEY_PATH)
+_ENV_CONDITIONAL_TLS_TYPES=(nonempty path path)
+_ENV_CONDITIONAL_TLS_WHEN=( cloudflare existing existing)

 # Conditional variables — validated only when GITEA_DB_TYPE is NOT sqlite3.
 _ENV_CONDITIONAL_DB_NAMES=(GITEA_DB_HOST GITEA_DB_PORT GITEA_DB_NAME GITEA_DB_USER GITEA_DB_PASSWD)
@@ -275,6 +279,7 @@ _validator_hint() {
 nonempty) echo "cannot be empty" ;;
 password) echo "must be at least 8 characters" ;;
 ssl_mode) echo "must be letsencrypt or existing" ;;
+ tls_mode) echo "must be cloudflare or existing" ;;
 db_type) echo "must be sqlite3, mysql, postgres, or mssql" ;;
 optional) echo "any value or empty" ;;
 *) echo "invalid" ;;
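Review bot: validate_tls_mode is added without a header comment, while the accepted set ("cloudflare", "existing") is also repeated in the `tls_mode)` hint arm and drives the `_ENV_CONDITIONAL_TLS_WHEN` table, so a reader has three places to keep in sync with nothing pointing between them. I would add above the function: `# TLS_MODE validator: accepts "cloudflare" or "existing"; keep in step with the tls_mode arm of _validator_hint and with _ENV_CONDITIONAL_TLS_WHEN, which lists what each mode requires.` The older validate_ssl_mode is still visible as context directly above; if it is being retired by this change, a note saying so here would help whoever removes it.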
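Review bot: CADDY_DOMAIN is only checked as `nonempty` (the matching position in `_ENV_VAR_TYPES` in the next hunk), so a value with whitespace, a scheme, a path or a stray port would pass validation and presumably surface later when the Caddy site address is built or a certificate is requested; a hostname-shape check at this layer gives a clear early error instead. I would add `validate_domain() { [[ "$1" =~ ^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$ ]]; }`, type CADDY_DOMAIN as `domain`, and give `_validator_hint` a matching `domain) echo "must be a bare hostname (no scheme, port or path)" ;;` arm. Since `_ENV_VAR_NAMES` and `_ENV_VAR_TYPES` are aligned by position, a comment on this array such as `# Order must match _ENV_VAR_TYPES entry for entry.` would make that invariant visible where it is most likely to be broken.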
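Review bot: CLOUDFLARE_API_TOKEN is a credential but is typed `nonempty`, and validate_env (the hunk below) reports validator failures with `log_error " → $var_name='$value' …"`, which writes the failing value verbatim to the log. validate_nonempty is not visible here; if it only rejects empty strings the empty case is already caught by the `-z` branch and the value-echoing branch is unreachable for this variable today, but the first time its type is tightened the token would be logged on any mismatch. I would introduce a `secret` validator type (non-empty, hint `must be set`) and have validate_env skip the `'$value'` interpolation for that type, or at minimum redact when `[[ "$var_name" == *TOKEN* || "$var_name" == *PASSWD* ]]`; the same applies to GITEA_DB_PASSWD in the DB conditional table just below. The stray space in `_ENV_CONDITIONAL_TLS_WHEN=( cloudflare` is harmless to bash but worth tidying while the line is being rewritten.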
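Review bot: The new `tls_mode)` arm sits next to the retained `ssl_mode) echo "must be letsencrypt or existing" ;;`, yet SSL_MODE no longer appears in `_ENV_VAR_NAMES` after this change, so the old arm (and validate_ssl_mode above) look like dead code unless another caller still uses the `ssl_mode` type. If nothing else references it, removing both in the same commit keeps the accepted-values list from drifting between validator and hint; if it is kept deliberately, a short comment such as `# ssl_mode: legacy, kept for <reason>` would spare the next reader the same question. The function `_validator_hint` begins outside this hunk.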
@@ -300,20 +305,20 @@ validate_env() {
 fi
 done

- # Validate conditional variables (SSL_MODE-dependent)
- local ssl_mode="${SSL_MODE:-}"
- for ((i = 0; i < ${#_ENV_CONDITIONAL_SSL_NAMES[@]}; i++)); do
- var_name="${_ENV_CONDITIONAL_SSL_NAMES[$i]}"
- var_type="${_ENV_CONDITIONAL_SSL_TYPES[$i]}"
- local required_when="${_ENV_CONDITIONAL_SSL_WHEN[$i]}"
+ # Validate conditional variables (TLS_MODE-dependent)
+ local tls_mode="${TLS_MODE:-}"
+ for ((i = 0; i < ${#_ENV_CONDITIONAL_TLS_NAMES[@]}; i++)); do
+ var_name="${_ENV_CONDITIONAL_TLS_NAMES[$i]}"
+ var_type="${_ENV_CONDITIONAL_TLS_TYPES[$i]}"
+ local required_when="${_ENV_CONDITIONAL_TLS_WHEN[$i]}"

- if [[ "$ssl_mode" != "$required_when" ]]; then
+ if [[ "$tls_mode" != "$required_when" ]]; then
 continue
 fi

 value="${!var_name:-}"
 if [[ -z "$value" ]]; then
- log_error " → $var_name is empty (required when SSL_MODE=$required_when, $(_validator_hint "$var_type"))"
+ log_error " → $var_name is empty (required when TLS_MODE=$required_when, $(_validator_hint "$var_type"))"
 errors=$((errors + 1))
 elif ! "validate_${var_type}" "$value"; then
 log_error " → $var_name='$value' ($(_validator_hint "$var_type"))"
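Review bot: `local required_when="${_ENV_CONDITIONAL_TLS_WHEN[$i]}"` re-declares the variable on every loop iteration; since the rewrite already touches the line, declare it once next to `local tls_mode` and assign inside the loop, `required_when="${_ENV_CONDITIONAL_TLS_WHEN[$i]}"`, which is the shape the neighbouring `var_name`/`var_type` assignments use. The skip-when-mismatched branch also deserves a one-line comment, because an empty or misspelled TLS_MODE makes every conditional variable silently not match: `# TLS_MODE itself is required and typed tls_mode in the main loop above, so a missing or invalid value has already been reported; nothing here will match it.` validate_env's body continues outside this hunk.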