Initial commit: infrastructure documentation

Includes: - Hardware environment reference (Proxmox cluster, VMs, LXCs) - Services inventory with current deployments - Caddy & DNS configuration reference - Runbooks for common deployment procedures Recent additions: - SearXNG deployment (utility CT 102, search.echo6.co) - TOC conversion to Proxmox with cortex VM - Syncthing sync between Contabo and cortex Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-06 21:27:29 +01:00 · 2026-02-06 21:27:29 +01:00 · 880ff09c90
commit 880ff09c90
14 changed files with 1986 additions and 0 deletions
--- a/runbooks/expose-service-home.md
+++ b/runbooks/expose-service-home.md
@ -0,0 +1,107 @@
+# Expose Service on Home Network
+
+## Prerequisites
+- Service running on a Proxmox CT/VM or bare metal
+- Router forwards 80/443 to Utility Caddy (192.168.1.101) — one-time setup
+- Determine pattern: does the service have Authentik OIDC?
+
+## Steps
+
+### 1. Determine backend target
+
+| Has OIDC? | Proxy to | Why |
+|-----------|----------|-----|
+| YES | Local IP (192.168.1.x:port) | Authentik SSO protects access |
+| NO | Tailscale IP (100.64.0.x:port) | Only Caddy can reach backend |
+
+If no OIDC, service MUST have Tailscale installed and registered with Headscale first.
+
+### 2. Issue SSL certificate
+
+```bash
+ssh root@192.168.1.241
+
+pct exec 101 -- bash -c '
+export GD_Key="<from .ref/credentials>"
+export GD_Secret="<from .ref/credentials>"
+/root/.acme.sh/acme.sh --issue --dns dns_gd -d <service>.echo6.co --server letsencrypt
+'
+```
+
+### 3. Install certificate
+
+```bash
+pct exec 101 -- bash -c "
+mkdir -p /etc/caddy/certs
+/root/.acme.sh/acme.sh --install-cert -d <service>.echo6.co \
+  --cert-file /etc/caddy/certs/<service>.echo6.co.crt \
+  --key-file /etc/caddy/certs/<service>.echo6.co.key \
+  --fullchain-file /etc/caddy/certs/<service>.echo6.co.fullchain.crt \
+  --reloadcmd 'systemctl reload caddy'
+
+chown -R caddy:caddy /etc/caddy/certs
+chmod 600 /etc/caddy/certs/*.key
+chmod 644 /etc/caddy/certs/*.crt
+"
+```
+
+### 4. Add Caddy site block
+
+```bash
+# WITH OIDC — local IP
+pct exec 101 -- bash -c "cat >> /etc/caddy/Caddyfile << 'EOF'
+
+<service>.echo6.co {
+    tls /etc/caddy/certs/<service>.echo6.co.fullchain.crt /etc/caddy/certs/<service>.echo6.co.key
+    reverse_proxy 192.168.1.<X>:<PORT>
+}
+EOF
+systemctl reload caddy"
+
+# WITHOUT OIDC — Tailscale IP
+pct exec 101 -- bash -c "cat >> /etc/caddy/Caddyfile << 'EOF'
+
+<service>.echo6.co {
+    tls /etc/caddy/certs/<service>.echo6.co.fullchain.crt /etc/caddy/certs/<service>.echo6.co.key
+    reverse_proxy 100.64.0.<X>:<PORT>
+}
+EOF
+systemctl reload caddy"
+```
+
+### 5. Add DNS record
+
+```bash
+# On TOC
+source /home/zvx/projects/.ref/credentials
+godaddy-dns.py add-a echo6.co <service> 199.6.36.163
+```
+
+### 6. Update service CORS (if applicable)
+
+Add `https://<service>.echo6.co` to the service's allowed origins.
+
+### 7. Verify
+
+```bash
+curl -I https://<service>.echo6.co
+```
+
+### 8. Update docs
+
+- Update `~/.claude/docs/infrastructure/caddy.md` with new site block
+- Update `~/.claude/docs/infrastructure/services.md` with new service
+- Add credentials to `/home/zvx/projects/.ref/credentials` if applicable
+
+## Checklist
+
+```
+□ Backend pattern chosen (OIDC → local IP, no OIDC → Tailscale IP)
+□ SSL cert issued and installed via acme.sh
+□ Caddy site block added to CT 101 Caddyfile
+□ Caddy reloaded
+□ GoDaddy DNS → 199.6.36.163
+□ CORS updated if needed
+□ HTTPS access verified
+□ Docs updated
+```