# Contabo VPS Current Configurations
**Server:** 5.189.158.149 / 100.64.0.4

**Last Updated:** 2026-02-05

---
## Caddy Configuration
**File:** `/etc/caddy/Caddyfile`
```caddyfile
# Global options
{
    email admin@echo6.co
    admin off
}

# Main Mailcow hostname
mail.echo6.co {
    reverse_proxy https://127.0.0.1:8443 {
        transport http {
            tls_insecure_skip_verify
            read_timeout 3600s
            write_timeout 3600s
        }
    }
}

# Autodiscover for Outlook
autodiscover.echo6.co {
    reverse_proxy https://127.0.0.1:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

# Autoconfig for Thunderbird
autoconfig.echo6.co {
    reverse_proxy https://127.0.0.1:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

# Headscale VPN + Headplane Admin
vpn.echo6.co {
    handle /admin* {
        reverse_proxy 127.0.0.1:3100
    }
    handle {
        reverse_proxy 127.0.0.1:8084
    }
}

# Authentik SSO
auth.echo6.co {
    reverse_proxy 127.0.0.1:9000
}

# Forgejo Git Forge
forge.echo6.co {
    reverse_proxy 127.0.0.1:3001
}

# Vaultwarden Password Manager
vault.echo6.co {
    reverse_proxy /notifications/hub 127.0.0.1:3012
    reverse_proxy 127.0.0.1:8086
}
```
### Commands
```bash
# Validate
caddy validate --config /etc/caddy/Caddyfile
# Restart (admin off, so reload won't work)
systemctl restart caddy
# Logs
journalctl -u caddy -f
```
---
## dnsmasq Split DNS Configuration
**File:** `/etc/dnsmasq.d/tailscale-dns.conf`
```conf
# DNSmasq config for Tailscale Split DNS
# Listen only on Tailscale interface
listen-address=100.64.0.4
bind-interfaces
# Upstream DNS servers
server=1.1.1.1
server=8.8.8.8
# Local records for echo6.co services (route through Tailscale)
address=/forge.echo6.co/100.64.0.4
address=/auth.echo6.co/100.64.0.4
address=/mail.echo6.co/100.64.0.4
address=/vpn.echo6.co/100.64.0.4
address=/docs.echo6.co/100.64.0.4
address=/vault.echo6.co/100.64.0.4
address=/stream.echo6.co/100.64.0.7
address=/notes.echo6.co/100.64.0.22
# Don't read /etc/hosts
no-hosts
# Cache size
cache-size=1000
# Log queries for debugging
log-queries
```
### Commands
```bash
# Restart
systemctl restart dnsmasq
# Status
systemctl status dnsmasq
# Test resolution
dig +short vault.echo6.co @100.64.0.4
```
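The script below is an added example, not part of the original runbook: a drift check that lists names dnsmasq pins to this host's Tailscale IP for which the Caddyfile has no site block. In the two files as shown on this page, `docs.echo6.co` is the one such name. The function names are hypothetical, the sample input is a constructed, trimmed copy of the configs above, and site addresses are assumed to be bare hostnames.

```bash
#!/usr/bin/env bash
# Added example, not part of the runbook: split-DNS names with no Caddy site block.
set -eu
# Top-level site addresses in a Caddyfile (assumes bare hostnames, as on this page).
caddy_sites() {
    awk '/^[ \t]*#/ { next }
         { line = $0
           if (depth == 0 && NF >= 2 && $NF == "{")
               for (i = 1; i < NF; i++) { s = $i; sub(/,$/, "", s); print s }
           depth += gsub(/[{]/, "", line) - gsub(/[}]/, "", line) }' "$1" | LC_ALL=C sort -u
}

# Names dnsmasq answers with the given IP (address=/name[/name...]/IP).
dnsmasq_names() {
    awk -F/ -v ip="$2" '/^address=\// && $NF == ip { for (i = 2; i < NF; i++) print $i }' "$1" |
        LC_ALL=C sort -u
}

# Names pinned to IP in dnsmasq that no Caddy site block serves.
unproxied_names() (
    tmp=$(mktemp -d)
    caddy_sites "$1" > "$tmp/sites"
    dnsmasq_names "$2" "$3" > "$tmp/names"
    LC_ALL=C comm -23 "$tmp/names" "$tmp/sites"
    rm -rf "$tmp"
)

# Constructed sample input: trimmed copies of the two files shown on this page.
write_samples() {
    cat > "$1/Caddyfile" <<'EOF'
{
    admin off
}
vpn.echo6.co {
    handle /admin* {
        reverse_proxy 127.0.0.1:3100
    }
}
EOF
    cat > "$1/tailscale-dns.conf" <<'EOF'
address=/vpn.echo6.co/100.64.0.4
address=/docs.echo6.co/100.64.0.4
address=/stream.echo6.co/100.64.0.7
EOF
}
demo=$(mktemp -d)
write_samples "$demo"
unproxied_names "$demo/Caddyfile" "$demo/tailscale-dns.conf" 100.64.0.4
rm -rf "$demo"
```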
---
## Port Mappings Summary
| Service | Container Port | Host Binding | Caddy Proxy |
|---------|---------------|--------------|-------------|
| Authentik | 9000 | 127.0.0.1:9000 | auth.echo6.co |
| Forgejo | 3000 | 127.0.0.1:3001 | forge.echo6.co |
| Forgejo SSH | 22 | 0.0.0.0:2222 | Direct |
| Headscale | 8080 | 127.0.0.1:8084 | vpn.echo6.co |
| Headplane | 3000 | 127.0.0.1:3100 | vpn.echo6.co/admin |
| Mailcow | 8443 | 127.0.0.1:8443 | mail.echo6.co |
| Vaultwarden | 80 | 127.0.0.1:8086 | vault.echo6.co |
| Vaultwarden WS | 3012 | 127.0.0.1:3012 | vault.echo6.co/notifications/hub |
---
## DNS Records (GoDaddy → Contabo)
| Subdomain | IP | Service |
|-----------|-----|---------|
| auth | 5.189.158.149 | Authentik |
| forge | 5.189.158.149 | Forgejo |
| mail | 5.189.158.149 | Mailcow |
| vpn | 5.189.158.149 | Headscale |
| vault | 5.189.158.149 | Vaultwarden |
| autodiscover | 5.189.158.149 | Mailcow |
| autoconfig | 5.189.158.149 | Mailcow |
---
## Split DNS Mappings (Tailscale)
| Domain | Tailscale IP | Server |
|--------|-------------|--------|
| auth.echo6.co | 100.64.0.4 | Contabo |
| forge.echo6.co | 100.64.0.4 | Contabo |
| mail.echo6.co | 100.64.0.4 | Contabo |
| vpn.echo6.co | 100.64.0.4 | Contabo |
| vault.echo6.co | 100.64.0.4 | Contabo |
| docs.echo6.co | 100.64.0.4 | Contabo |
| stream.echo6.co | 100.64.0.7 | PeerTube |
| notes.echo6.co | 100.64.0.22 | Cloud |