Migration: consolidate Echo6 docs to cortex with full infrastructure cleanup sync

- Documents recent infrastructure cleanup (8 CTs destroyed, 35 DNS records removed, Headscale cleanup) - Adds 24 new runbooks covering Authentik, PeerTube, Meshtastic, RECON, Proxmox, Mailcow, Internet Archive, GPU routing - Adds project documentation for headscale, vaultwarden, peertube, matrix, mmud, advbbs, arr stack - Updates services.md, environment.md, caddy.md, authentik.md to match live infrastructure - Removes 4 deprecated runbook duplicates (canonical versions live in projects/) - Adds .gitignore for binary archives and editor temp files Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 06:02:16 +00:00 · 2026-04-13 06:02:16 +00:00 · e9231ac24a
commit e9231ac24a
parent 89834796ff
93 changed files with 51223 additions and 254 deletions
--- a/docs/software/caddy.md
+++ b/docs/software/caddy.md
@ -4,19 +4,26 @@

 **Config:** `/etc/caddy/Caddyfile` on Contabo (ssh root@100.64.0.1)

+**Global options:** `email admin@echo6.co`, `admin off` (no live reload — must `systemctl restart caddy`)
+
 ### Current Site Blocks

 | Domain | Backend | Service |
 |--------|---------|---------|
 | auth.echo6.co | 127.0.0.1:9000 | Authentik SSO |
 | forge.echo6.co | 127.0.0.1:3001 | Forgejo Git |
-| mail.echo6.co | https://127.0.0.1:8443 | Mailcow (tls_insecure_skip_verify) |
+| mail.echo6.co | https://127.0.0.1:8453 | Mailcow (tls_insecure_skip_verify, r/w timeout 3600s) |
 | vpn.echo6.co | 127.0.0.1:8084 | Headscale |
 | vpn.echo6.co/admin* | 127.0.0.1:3100 | Headplane |
 | autodiscover.echo6.co | https://127.0.0.1:8443 | Mailcow autodiscover |
 | autoconfig.echo6.co | https://127.0.0.1:8443 | Mailcow autoconfig |
 | vault.echo6.co | 127.0.0.1:8086 | Vaultwarden |
 | proxmox.echo6.co | https://100.64.0.6:8006 (via Tailscale) | Proxmox VE (data node) |
+| wt.echo6.co | 127.0.0.1:8099 (Authentik forward auth) | WATCHTOWER ops dashboard |
+| matrix.echo6.co | 127.0.0.1:8008 + 127.0.0.1:8085 | Matrix Synapse + MAS (login/logout/refresh/auth_metadata → MAS:8085, _matrix/* → Synapse:8008, default → MAS:8085) |
+| element.echo6.co | 127.0.0.1:8088 | Element Web client |
+| notes.echo6.co | 127.0.0.1:5984 + 127.0.0.1:5985 | LiveSync (CouchDB + provisioner, forward auth on /_provision*, CORS for Obsidian) |
+| tak.echo6.co | https://100.64.0.1:8446 + 100.64.0.1:8990 | TAK Server admin (8446, Authentik forward auth) + SIGIL console (/sigil, 8990) |

 ### Commands

@ -41,8 +48,21 @@ journalctl -u caddy -f

 | Domain | Backend | Pattern | Service |
 |--------|---------|---------|---------|
-| mesh.echo6.co | 100.64.0.7:8080 | Tailscale | MeshMonitor |
-| search.echo6.co | 100.64.0.15:8080 | Tailscale | SearXNG |
+| mesh.echo6.co | 192.168.1.100:8080 | Local IP | MeshMonitor (Authentik forward auth) |
+| echo6.co | 100.64.0.15:8080 | Tailscale | Echo6 Search (SearXNG) + Matrix well-known |
+| search.echo6.co | — | — | 301 redirect to echo6.co |
+| nas.echo6.co | 100.64.0.21:80 | Tailscale | OpenMediaVault (pi-nas) |
+| immich.echo6.co | 192.168.1.182:2283 | Local IP | Immich (has 2FA) |
+| nextcloud.echo6.co | 192.168.1.183:11000 | Local IP | Nextcloud AIO (SSO via Authentik) |
+| jellyfin.echo6.co | 100.64.0.18:8096 | Tailscale | Jellyfin media server (SSO via Authentik) |
+| requests.echo6.co | 100.64.0.18:5055 | Tailscale | Jellyseer request management (SSO via Authentik) |
+| stream.echo6.co | 192.168.1.170:80 | Local IP | PeerTube video streaming (SSO via Authentik) |
+| ai.echo6.co | 100.64.0.14:8080 | Tailscale | Open WebUI (SSO via Authentik) |
+| files.echo6.co | 100.64.0.24:8888 | Tailscale | RECON PDF library (Authentik forward auth) |
+| recon.echo6.co | 100.64.0.24:8420 | Tailscale | RECON dashboard + API |
+| lidarr.echo6.co | 100.64.0.18:8686 | Tailscale | Lidarr music automation (Authentik forward auth) |
+| navidrome.echo6.co | 100.64.0.18:4533 | Tailscale | Navidrome music server (Authentik forward auth, /rest/* exempt for Subsonic API) |
+| vpn.idahomesh.com | 192.168.1.106:8080 | Local IP | IdahoMesh Headscale VPN coordination |

 ### Commands

@ -68,10 +88,21 @@ ssh root@192.168.1.241 'pct exec 101 -- journalctl -u caddy -f'
 | mail.echo6.co | 100.64.0.1 | Mailcow |
 | vpn.echo6.co | 100.64.0.1 | Headscale |
 | vault.echo6.co | 100.64.0.1 | Vaultwarden |
-| docs.echo6.co | 100.64.0.1 | Wiki.js |
 | proxmox.echo6.co | 100.64.0.1 | Proxmox VE (via Caddy) |
-| stream.echo6.co | *TBD* | PeerTube - needs host verification |
-| notes.echo6.co | *TBD* | Obsidian LiveSync - needs host verification |
+| stream.echo6.co | 100.64.0.8 | PeerTube (via utility Caddy) |
+| notes.echo6.co | 100.64.0.1 | LiveSync CouchDB + provisioner (via Contabo Caddy) |
+| tak.echo6.co | 100.64.0.1 | TAK Server + SIGIL (via Contabo Caddy) |
+| jellyfin.echo6.co | 100.64.0.8 | Jellyfin (via utility Caddy) |
+| requests.echo6.co | 100.64.0.8 | Jellyseer (via utility Caddy) |
+| wt.echo6.co | 100.64.0.1 | WATCHTOWER ops dashboard |
+| ai.echo6.co | 100.64.0.8 | Open WebUI (via utility Caddy) |
+| matrix.echo6.co | 100.64.0.1 | Matrix Synapse (via Contabo Caddy) |
+| element.echo6.co | 100.64.0.1 | Element Web (via Contabo Caddy) |
+| echo6.co | 100.64.0.8 | Echo6 Search homepage (via utility Caddy) |
+| files.echo6.co | 100.64.0.8 | RECON PDF library (via utility Caddy) |
+| recon.echo6.co | 100.64.0.8 | RECON dashboard (via utility Caddy) |
+| lidarr.echo6.co | 100.64.0.8 | Lidarr music automation (via utility Caddy) |
+| navidrome.echo6.co | 100.64.0.8 | Navidrome music server (via utility Caddy) |

 ### Commands

@ -95,19 +126,31 @@ dig +short forge.echo6.co @100.64.0.1   # Test
 | mail | Mailcow Email |
 | vpn | Headscale VPN |
 | vault | Vaultwarden |
+| wt | WATCHTOWER ops dashboard |
+| matrix | Matrix Synapse |
+| element | Element Web |
+| notes | LiveSync (CouchDB + provisioner) |
+| proxmox | Proxmox VE (via Tailscale to data node) |
+| tak | TAK Server + SIGIL |

 ### Home Services → 199.6.36.163

 | Subdomain | Service |
 |-----------|---------|
-| @ | Main site |
+| @ | Echo6 Search homepage (SearXNG) |
 | ai | Open WebUI |
-| docs | Wiki.js |
 | stream | PeerTube |
-| notes | Obsidian LiveSync |
 | jellyfin | Jellyfin |
 | mesh | MeshMonitor |
-| search | SearXNG |
+| nas | OpenMediaVault (pi-nas) |
+| search | SearXNG (redirects to echo6.co) |
+| immich | Immich |
+| nextcloud | Nextcloud |
+| requests | Jellyseer |
+| files | RECON PDF library |
+| recon | RECON dashboard |
+| lidarr | Lidarr music automation |
+| navidrome | Navidrome music server |

 ### Email Records

@ -151,12 +194,21 @@ oidc:
 |---------|---------------|--------------|---------------|
 | Authentik | 9000 | 127.0.0.1:9000 | auth.echo6.co |
 | Forgejo | 3000 | 127.0.0.1:3001 | forge.echo6.co |
+| Forgejo SSH | 22 | 0.0.0.0:2222 | Direct (not proxied) |
 | Headscale | 8080 | 127.0.0.1:8084 | vpn.echo6.co |
 | Headplane | 3000 | 127.0.0.1:3100 | vpn.echo6.co/admin |
 | Mailcow | 8443 | 127.0.0.1:8443 | mail.echo6.co |
 | Vaultwarden | 80 | 127.0.0.1:8086 | vault.echo6.co |
 | Vaultwarden WS | 3012 | 127.0.0.1:3012 | vault.echo6.co/notifications/hub |
+| WATCHTOWER | 8084 | host network :8099 | wt.echo6.co |
+| Matrix Synapse | 8008 | 127.0.0.1:8008 | matrix.echo6.co (/_matrix/*, /_synapse/*) |
+| Matrix MAS | 8080 | 127.0.0.1:8085 | matrix.echo6.co (login/logout/refresh/auth_metadata, default) |
+| Element Web | 80 | 127.0.0.1:8088 | element.echo6.co |
+| LiveSync CouchDB | 5984 | 127.0.0.1:5984 | notes.echo6.co |
+| LiveSync Provisioner | 8080 | 127.0.0.1:5985 | notes.echo6.co/_provision/* |
+| TAK Server Admin | 8446 | https://100.64.0.1:8446 (Tailscale) | tak.echo6.co |
+| SIGIL Console | 8990 | 100.64.0.1:8990 | tak.echo6.co/sigil |

 ---

-*Last updated: 2026-02-06 — Added SearXNG (search.echo6.co) on utility CT 102*
+*Last updated: 2026-04-13 — Audit sync: added MAS routing on matrix.echo6.co, lidarr/navidrome/vpn.idahomesh.com to utility Caddy, proxmox/tak to GoDaddy, removed ghost docs.echo6.co entries, added dnsmasq lidarr/navidrome*