# Expose Service on Contabo

## Prerequisites
- Service running in Docker on Contabo
- Port bound to `127.0.0.1` only (never `0.0.0.0`)

## Steps

### 1. Deploy the service

```bash
ssh root@100.64.0.6
mkdir -p /opt/<service>
# Create docker-compose.yml with port bound to 127.0.0.1:<port>
docker compose up -d
```

### 2. Add DNS record

```bash
# On TOC
source /home/zvx/projects/.ref/credentials
godaddy-dns.py add-a echo6.co <service> 5.189.158.149
dig +short <service>.echo6.co @8.8.8.8  # Verify
```

### 3. Add Caddy site block

```bash
ssh root@100.64.0.6
nano /etc/caddy/Caddyfile

# Add:
# <service>.echo6.co {
#     reverse_proxy 127.0.0.1:<port>
# }

caddy validate --config /etc/caddy/Caddyfile
systemctl reload caddy
```

### 4. Add dnsmasq split DNS entry

```bash
ssh root@100.64.0.6
nano /etc/dnsmasq.d/tailscale-dns.conf

# Add:
# address=/<service>.echo6.co/100.64.0.6

systemctl restart dnsmasq
```

### 5. Verify

```bash
# Public
curl -I https://<service>.echo6.co

# Tailscale
dig +short <service>.echo6.co @100.64.0.6  # Should return 100.64.0.6
```

### 6. Update docs

- Update `~/.claude/docs/infrastructure/caddy.md` with new site block
- Update `~/.claude/docs/infrastructure/services.md` with new service
- Add credentials to `/home/zvx/projects/.ref/credentials` if applicable

## Checklist

```
□ Docker container running, port on 127.0.0.1 only
□ GoDaddy DNS → 5.189.158.149
□ Caddy site block added and reloaded
□ dnsmasq entry added and restarted
□ Public access verified
□ Tailscale access verified
□ Docs updated
```