# Caddy & DNS Reference

## Contabo Caddy

**Config:** `/etc/caddy/Caddyfile` on Contabo (ssh root@100.64.0.1)

**Global options:** `email admin@echo6.co`, `admin off` (no live reload — must `systemctl restart caddy`)

### Current Site Blocks

| Domain | Backend | Service |
|--------|---------|---------|
| auth.echo6.co | 127.0.0.1:9000 | Authentik SSO |
| forge.echo6.co | 127.0.0.1:3001 | Forgejo Git |
| mail.echo6.co | https://127.0.0.1:8453 | Mailcow (tls_insecure_skip_verify, r/w timeout 3600s) |
| vpn.echo6.co | 127.0.0.1:8084 | Headscale |
| vpn.echo6.co/admin* | 127.0.0.1:3100 | Headplane |
| autodiscover.echo6.co | https://127.0.0.1:8443 | Mailcow autodiscover |
| autoconfig.echo6.co | https://127.0.0.1:8443 | Mailcow autoconfig |
| vault.echo6.co | 127.0.0.1:8086 | Vaultwarden |
| proxmox.echo6.co | https://100.64.0.6:8006 (via Tailscale) | Proxmox VE (data node) |
| wt.echo6.co | 127.0.0.1:8099 (Authentik forward auth) | WATCHTOWER ops dashboard |
| matrix.echo6.co | 127.0.0.1:8008 + 127.0.0.1:8085 | Matrix Synapse + MAS (login/logout/refresh/auth_metadata → MAS:8085, _matrix/* → Synapse:8008, default → MAS:8085) |
| element.echo6.co | 127.0.0.1:8088 | Element Web client |
| notes.echo6.co | 127.0.0.1:5984 + 127.0.0.1:5985 | LiveSync (CouchDB + provisioner, forward auth on /_provision*, CORS for Obsidian) |
| tak.echo6.co | https://100.64.0.1:8446 + 100.64.0.1:8990 | TAK Server admin (8446, Authentik forward auth) + SIGIL console (/sigil, 8990) |

### Commands

```bash
ssh root@100.64.0.1
caddy validate --config /etc/caddy/Caddyfile
systemctl restart caddy   # admin off, so reload won't work
journalctl -u caddy -f
```

---

## Utility Caddy (Home)

**Location:** CT 101 on utility Proxmox (192.168.1.101)

**Tailscale IP:** 100.64.0.8

**Config:** `/etc/caddy/Caddyfile` inside CT 101

**SSL Certs:** `/etc/caddy/certs/` (managed by acme.sh)

**Port forward:** Router 80/443 → 192.168.1.101

### Current Site Blocks

| Domain | Backend | Pattern | Service |
|--------|---------|---------|---------|
| mesh.echo6.co | 192.168.1.100:8080 | Local IP | MeshMonitor (Authentik forward auth) |
| echo6.co | 100.64.0.15:8080 | Tailscale | Echo6 Search (SearXNG) + Matrix well-known |
| search.echo6.co | — | — | 301 redirect to echo6.co |
| nas.echo6.co | 100.64.0.21:80 | Tailscale | OpenMediaVault (pi-nas) |
| immich.echo6.co | 192.168.1.182:2283 | Local IP | Immich (has 2FA) |
| nextcloud.echo6.co | 192.168.1.183:11000 | Local IP | Nextcloud AIO (SSO via Authentik) |
| jellyfin.echo6.co | 100.64.0.18:8096 | Tailscale | Jellyfin media server (SSO via Authentik) |
| requests.echo6.co | 100.64.0.18:5055 | Tailscale | Jellyseerr request management (SSO via Authentik) |
| stream.echo6.co | 192.168.1.170:80 | Local IP | PeerTube video streaming (SSO via Authentik) |
| ai.echo6.co | 100.64.0.14:8080 | Tailscale | Open WebUI (SSO via Authentik) |
| files.echo6.co | 100.64.0.24:8888 | Tailscale | RECON PDF library (Authentik forward auth) |
| recon.echo6.co | 100.64.0.24:8420 | Tailscale | RECON dashboard + API |
| lidarr.echo6.co | 100.64.0.18:8686 | Tailscale | Lidarr music automation (Authentik forward auth) |
| navidrome.echo6.co | 100.64.0.18:4533 | Tailscale | Navidrome music server (Authentik forward auth, /rest/* exempt for Subsonic API) |
| vpn.idahomesh.com | 192.168.1.106:8080 | Local IP | IdahoMesh Headscale VPN coordination |

### Commands

```bash
ssh root@192.168.1.241 'pct exec 101 -- cat /etc/caddy/Caddyfile'
ssh root@192.168.1.241 'pct exec 101 -- systemctl reload caddy'
ssh root@192.168.1.241 'pct exec 101 -- journalctl -u caddy -f'
```

---

## dnsmasq (Tailscale Split DNS)

**Config:** `/etc/dnsmasq.d/tailscale-dns.conf` on Contabo

**Listens on:** 100.64.0.1:53

### Current Records

| Domain | Tailscale IP | Service |
|--------|-------------|---------|
| auth.echo6.co | 100.64.0.1 | Authentik |
| forge.echo6.co | 100.64.0.1 | Forgejo |
| mail.echo6.co | 100.64.0.1 | Mailcow |
| vpn.echo6.co | 100.64.0.1 | Headscale |
| vault.echo6.co | 100.64.0.1 | Vaultwarden |
| proxmox.echo6.co | 100.64.0.1 | Proxmox VE (via Caddy) |
| stream.echo6.co | 100.64.0.8 | PeerTube (via utility Caddy) |
| notes.echo6.co | 100.64.0.1 | LiveSync CouchDB + provisioner (via Contabo Caddy) |
| tak.echo6.co | 100.64.0.1 | TAK Server + SIGIL (via Contabo Caddy) |
| jellyfin.echo6.co | 100.64.0.8 | Jellyfin (via utility Caddy) |
| requests.echo6.co | 100.64.0.8 | Jellyseerr (via utility Caddy) |
| wt.echo6.co | 100.64.0.1 | WATCHTOWER ops dashboard |
| ai.echo6.co | 100.64.0.8 | Open WebUI (via utility Caddy) |
| matrix.echo6.co | 100.64.0.1 | Matrix Synapse (via Contabo Caddy) |
| element.echo6.co | 100.64.0.1 | Element Web (via Contabo Caddy) |
| echo6.co | 100.64.0.8 | Echo6 Search homepage (via utility Caddy) |
| files.echo6.co | 100.64.0.8 | RECON PDF library (via utility Caddy) |
| recon.echo6.co | 100.64.0.8 | RECON dashboard (via utility Caddy) |
| lidarr.echo6.co | 100.64.0.8 | Lidarr music automation (via utility Caddy) |
| navidrome.echo6.co | 100.64.0.8 | Navidrome music server (via utility Caddy) |

### Commands

```bash
ssh root@100.64.0.1
nano /etc/dnsmasq.d/tailscale-dns.conf
systemctl restart dnsmasq
dig +short forge.echo6.co @100.64.0.1   # Test
```

---

## GoDaddy DNS Records (echo6.co)

### Contabo Services → 5.189.158.149

| Subdomain | Service |
|-----------|---------|
| auth | Authentik SSO |
| forge | Forgejo Git |
| mail | Mailcow Email |
| vpn | Headscale VPN |
| vault | Vaultwarden |
| wt | WATCHTOWER ops dashboard |
| matrix | Matrix Synapse |
| element | Element Web |
| notes | LiveSync (CouchDB + provisioner) |
| proxmox | Proxmox VE (via Tailscale to data node) |
| tak | TAK Server + SIGIL |

### Home Services → 199.6.36.163

| Subdomain | Service |
|-----------|---------|
| @ | Echo6 Search homepage (SearXNG) |
| ai | Open WebUI |
| stream | PeerTube |
| jellyfin | Jellyfin |
| mesh | MeshMonitor |
| nas | OpenMediaVault (pi-nas) |
| search | SearXNG (redirects to echo6.co) |
| immich | Immich |
| nextcloud | Nextcloud |
| requests | Jellyseerr |
| files | RECON PDF library |
| recon | RECON dashboard |
| lidarr | Lidarr music automation |
| navidrome | Navidrome music server |

### Email Records

| Type | Name | Value |
|------|------|-------|
| MX | @ | mail.echo6.co |
| CNAME | autoconfig | mail.echo6.co |
| CNAME | autodiscover | mail.echo6.co |
| TXT | @ | v=spf1 mx a:mail.echo6.co -all |
| TXT | _dmarc | v=DMARC1; p=quarantine |
| TXT | dkim._domainkey | (DKIM key) |

---

## Headscale Config

**Location:** `/opt/headscale/` on Contabo

**Data:** Named Docker volume `headscale_headscale-data`

**Config:** `/opt/headscale/config.yaml`

```yaml
dns:
  base_domain: echo6.mesh
  nameservers:
    global:
      - 1.1.1.1
oidc:
  issuer: "https://auth.echo6.co/application/o/headscale/"
  client_id: "headscale"
```

**Split DNS:** Configured via dnsmasq on Contabo.

**Headplane:** Deployed at `vpn.echo6.co/admin` - OIDC via Authentik. First login gets Owner.

---

## Port Map (Contabo)

| Service | Container Port | Host Binding | Public Domain |
|---------|---------------|--------------|---------------|
| Authentik | 9000 | 127.0.0.1:9000 | auth.echo6.co |
| Forgejo | 3000 | 127.0.0.1:3001 | forge.echo6.co |
| Forgejo SSH | 22 | 0.0.0.0:2222 | Direct (not proxied) |
| Headscale | 8080 | 127.0.0.1:8084 | vpn.echo6.co |
| Headplane | 3000 | 127.0.0.1:3100 | vpn.echo6.co/admin |
| Mailcow | 8443 | 127.0.0.1:8443 | mail.echo6.co |
| Vaultwarden | 80 | 127.0.0.1:8086 | vault.echo6.co |
| Vaultwarden WS | 3012 | 127.0.0.1:3012 | vault.echo6.co/notifications/hub |
| WATCHTOWER | 8084 | host network :8099 | wt.echo6.co |
| Matrix Synapse | 8008 | 127.0.0.1:8008 | matrix.echo6.co (/_matrix/*, /_synapse/*) |
| Matrix MAS | 8080 | 127.0.0.1:8085 | matrix.echo6.co (login/logout/refresh/auth_metadata, default) |
| Element Web | 80 | 127.0.0.1:8088 | element.echo6.co |
| LiveSync CouchDB | 5984 | 127.0.0.1:5984 | notes.echo6.co |
| LiveSync Provisioner | 8080 | 127.0.0.1:5985 | notes.echo6.co/_provision/* |
| TAK Server Admin | 8446 | https://100.64.0.1:8446 (Tailscale) | tak.echo6.co |
| SIGIL Console | 8990 | 100.64.0.1:8990 | tak.echo6.co/sigil |

---

*Last updated: 2026-04-13 — Audit sync: added MAS routing on matrix.echo6.co, lidarr/navidrome/vpn.idahomesh.com to utility Caddy, proxmox/tak to GoDaddy, removed ghost docs.echo6.co entries, added dnsmasq lidarr/navidrome*