# Caddy & DNS Reference

## Contabo Caddy

**Config:** `/etc/caddy/Caddyfile` on Contabo (ssh root@100.64.0.1)

### Current Site Blocks

| Domain | Backend | Service |
|--------|---------|---------|
| auth.echo6.co | 127.0.0.1:9000 | Authentik SSO |
| forge.echo6.co | 127.0.0.1:3001 | Forgejo Git |
| mail.echo6.co | https://127.0.0.1:8443 | Mailcow (tls_insecure_skip_verify) |
| vpn.echo6.co | 127.0.0.1:8084 | Headscale |
| vpn.echo6.co/admin* | 127.0.0.1:3100 | Headplane |
| autodiscover.echo6.co | https://127.0.0.1:8443 | Mailcow autodiscover |
| autoconfig.echo6.co | https://127.0.0.1:8443 | Mailcow autoconfig |
| vault.echo6.co | 127.0.0.1:8086 | Vaultwarden |
| proxmox.echo6.co | https://100.64.0.6:8006 (via Tailscale) | Proxmox VE (data node) |

### Commands

```bash
ssh root@100.64.0.1
caddy validate --config /etc/caddy/Caddyfile
systemctl restart caddy  # admin off, so reload won't work
journalctl -u caddy -f
```

---

## Utility Caddy (Home)

**Location:** CT 101 on utility Proxmox (192.168.1.101)

**Tailscale IP:** 100.64.0.8

**Config:** `/etc/caddy/Caddyfile` inside CT 101

**SSL Certs:** `/etc/caddy/certs/` (managed by acme.sh)

**Port forward:** Router 80/443 → 192.168.1.101

### Current Site Blocks

| Domain | Backend | Pattern | Service |
|--------|---------|---------|---------|
| mesh.echo6.co | 100.64.0.7:8080 | Tailscale | MeshMonitor |
| search.echo6.co | 100.64.0.15:8080 | Tailscale | SearXNG |

### Commands

```bash
ssh root@192.168.1.241 'pct exec 101 -- cat /etc/caddy/Caddyfile'
ssh root@192.168.1.241 'pct exec 101 -- systemctl reload caddy'
ssh root@192.168.1.241 'pct exec 101 -- journalctl -u caddy -f'
```

---

## dnsmasq (Tailscale Split DNS)

**Config:** `/etc/dnsmasq.d/tailscale-dns.conf` on Contabo

**Listens on:** 100.64.0.1:53

### Current Records

| Domain | Tailscale IP | Service |
|--------|-------------|---------|
| auth.echo6.co | 100.64.0.1 | Authentik |
| forge.echo6.co | 100.64.0.1 | Forgejo |
| mail.echo6.co | 100.64.0.1 | Mailcow |
| vpn.echo6.co | 100.64.0.1 | Headscale |
| vault.echo6.co | 100.64.0.1 | Vaultwarden |
| docs.echo6.co | 100.64.0.1 | Wiki.js |
| proxmox.echo6.co | 100.64.0.1 | Proxmox VE (via Caddy) |
| stream.echo6.co | *TBD* | PeerTube - needs host verification |
| notes.echo6.co | *TBD* | Obsidian LiveSync - needs host verification |

### Commands

```bash
ssh root@100.64.0.1
nano /etc/dnsmasq.d/tailscale-dns.conf
systemctl restart dnsmasq
dig +short forge.echo6.co @100.64.0.1  # Test
```

---

## GoDaddy DNS Records (echo6.co)

### Contabo Services → 5.189.158.149

| Subdomain | Service |
|-----------|---------|
| auth | Authentik SSO |
| forge | Forgejo Git |
| mail | Mailcow Email |
| vpn | Headscale VPN |
| vault | Vaultwarden |

### Home Services → 199.6.36.163

| Subdomain | Service |
|-----------|---------|
| @ | Main site |
| ai | Open WebUI |
| docs | Wiki.js |
| stream | PeerTube |
| notes | Obsidian LiveSync |
| jellyfin | Jellyfin |
| mesh | MeshMonitor |
| search | SearXNG |

### Email Records

| Type | Name | Value |
|------|------|-------|
| MX | @ | mail.echo6.co |
| CNAME | autoconfig | mail.echo6.co |
| CNAME | autodiscover | mail.echo6.co |
| TXT | @ | v=spf1 mx a:mail.echo6.co -all |
| TXT | _dmarc | v=DMARC1; p=quarantine |
| TXT | dkim._domainkey | (DKIM key) |

---

## Headscale Config

**Location:** `/opt/headscale/` on Contabo

**Data:** Named Docker volume `headscale_headscale-data`

**Config:** `/opt/headscale/config.yaml`

```yaml
dns:
  base_domain: echo6.mesh
  nameservers:
    global:
      - 1.1.1.1
oidc:
  issuer: "https://auth.echo6.co/application/o/headscale/"
  client_id: "headscale"
```

**Split DNS:** Configured via dnsmasq on Contabo.

**Headplane:** Deployed at `vpn.echo6.co/admin` - OIDC via Authentik. First login gets Owner.

---

## Port Map (Contabo)

| Service | Container Port | Host Binding | Public Domain |
|---------|---------------|--------------|---------------|
| Authentik | 9000 | 127.0.0.1:9000 | auth.echo6.co |
| Forgejo | 3000 | 127.0.0.1:3001 | forge.echo6.co |
| Headscale | 8080 | 127.0.0.1:8084 | vpn.echo6.co |
| Headplane | 3000 | 127.0.0.1:3100 | vpn.echo6.co/admin |
| Mailcow | 8443 | 127.0.0.1:8443 | mail.echo6.co |
| Vaultwarden | 80 | 127.0.0.1:8086 | vault.echo6.co |
| Vaultwarden WS | 3012 | 127.0.0.1:3012 | vault.echo6.co/notifications/hub |

---

*Last updated: 2026-02-06 — Added SearXNG (search.echo6.co) on utility CT 102*