echo6-docs/docs/software/caddy.md
Matt Johnson e9231ac24a Migration: consolidate Echo6 docs to cortex with full infrastructure cleanup sync
- Documents recent infrastructure cleanup (8 CTs destroyed, 35 DNS records removed, Headscale cleanup)
- Adds 24 new runbooks covering Authentik, PeerTube, Meshtastic, RECON, Proxmox, Mailcow, Internet Archive, GPU routing
- Adds project documentation for headscale, vaultwarden, peertube, matrix, mmud, advbbs, arr stack
- Updates services.md, environment.md, caddy.md, authentik.md to match live infrastructure
- Removes 4 deprecated runbook duplicates (canonical versions live in projects/)
- Adds .gitignore for binary archives and editor temp files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 06:02:16 +00:00


# Caddy & DNS Reference

## Contabo Caddy

- Config: `/etc/caddy/Caddyfile` on Contabo (`ssh root@100.64.0.1`)
- Global options: `email admin@echo6.co`, `admin off` (no live reload; changes require `systemctl restart caddy`)

### Current Site Blocks

| Domain | Backend | Service |
|---|---|---|
| auth.echo6.co | 127.0.0.1:9000 | Authentik SSO |
| forge.echo6.co | 127.0.0.1:3001 | Forgejo Git |
| mail.echo6.co | https://127.0.0.1:8453 | Mailcow (tls_insecure_skip_verify, r/w timeout 3600s) |
| vpn.echo6.co | 127.0.0.1:8084 | Headscale |
| vpn.echo6.co/admin* | 127.0.0.1:3100 | Headplane |
| autodiscover.echo6.co | https://127.0.0.1:8443 | Mailcow autodiscover |
| autoconfig.echo6.co | https://127.0.0.1:8443 | Mailcow autoconfig |
| vault.echo6.co | 127.0.0.1:8086 | Vaultwarden |
| proxmox.echo6.co | https://100.64.0.6:8006 (via Tailscale) | Proxmox VE (data node) |
| wt.echo6.co | 127.0.0.1:8099 (Authentik forward auth) | WATCHTOWER ops dashboard |
| matrix.echo6.co | 127.0.0.1:8008 + 127.0.0.1:8085 | Matrix Synapse + MAS (login/logout/refresh/auth_metadata → MAS:8085, _matrix/* → Synapse:8008, default → MAS:8085) |
| element.echo6.co | 127.0.0.1:8088 | Element Web client |
| notes.echo6.co | 127.0.0.1:5984 + 127.0.0.1:5985 | LiveSync (CouchDB + provisioner, forward auth on /_provision*, CORS for Obsidian) |
| tak.echo6.co | https://100.64.0.1:8446 + 100.64.0.1:8990 | TAK Server admin (8446, Authentik forward auth) + SIGIL console (/sigil, 8990) |
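
The three routing patterns the table relies on (an Authentik forward-auth gate, the MAS/Synapse path split, and an HTTPS backend with a self-signed cert), written out as Caddyfile site blocks. This is an added illustration, not a copy of the live `/etc/caddy/Caddyfile`: the domains and backends are the ones listed above, the outpost path and `X-Authentik-*` headers follow Authentik's published Caddy forward-auth integration, and the exact MAS path list is an assumption based on the endpoint names the table gives.

```caddyfile
{
	email admin@echo6.co
	admin off
}

# Ops dashboard: every request is checked by the Authentik outpost before it
# reaches the backend. 127.0.0.1:9000 is the Authentik backend from the table;
# the header list is a subset of the ones Authentik documents.
wt.echo6.co {
	forward_auth 127.0.0.1:9000 {
		uri /outpost.goauthentik.io/auth/caddy
		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid
		trusted_proxies private_ranges
	}
	reverse_proxy 127.0.0.1:8099
}

# Matrix: MAS owns the auth endpoints, Synapse owns the rest of /_matrix/ and
# /_synapse/, and anything else falls through to MAS. `route` guarantees the
# matchers are evaluated in the written order rather than Caddy's default
# directive sorting, which matters because the MAS paths are also under /_matrix/.
matrix.echo6.co {
	route {
		# Assumed MAS endpoint list (login/logout/refresh/auth_metadata per the table)
		@mas path /_matrix/client/*/login /_matrix/client/*/logout /_matrix/client/*/refresh /_matrix/client/unstable/org.matrix.msc2965/auth_metadata
		reverse_proxy @mas 127.0.0.1:8085

		@synapse path /_matrix/* /_synapse/*
		reverse_proxy @synapse 127.0.0.1:8008

		reverse_proxy 127.0.0.1:8085
	}
}

# Mailcow terminates its own TLS on the loopback interface with a certificate
# Caddy cannot verify, so verification is skipped for that hop only (the hop
# never leaves the host) and the timeouts are raised for long-running requests.
mail.echo6.co {
	reverse_proxy https://127.0.0.1:8453 {
		transport http {
			tls_insecure_skip_verify
			read_timeout 3600s
			write_timeout 3600s
		}
	}
}
```

After editing, `caddy validate --config /etc/caddy/Caddyfile` catches syntax and matcher errors before the restart; because `admin off` is set, a broken file only surfaces when `systemctl restart caddy` fails, so validate first.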

### Commands

```bash
ssh root@100.64.0.1
caddy validate --config /etc/caddy/Caddyfile
systemctl restart caddy  # admin off, so reload won't work
journalctl -u caddy -f
```

## Utility Caddy (Home)

- Location: CT 101 on utility Proxmox (192.168.1.101)
- Tailscale IP: 100.64.0.8
- Config: `/etc/caddy/Caddyfile` inside CT 101
- SSL certs: `/etc/caddy/certs/` (managed by acme.sh)
- Port forward: router 80/443 → 192.168.1.101

### Current Site Blocks

| Domain | Backend | Pattern | Service |
|---|---|---|---|
| mesh.echo6.co | 192.168.1.100:8080 | Local IP | MeshMonitor (Authentik forward auth) |
| echo6.co | 100.64.0.15:8080 | Tailscale | Echo6 Search (SearXNG) + Matrix well-known |
| search.echo6.co | (301 redirect to echo6.co) | Redirect | |
| nas.echo6.co | 100.64.0.21:80 | Tailscale | OpenMediaVault (pi-nas) |
| immich.echo6.co | 192.168.1.182:2283 | Local IP | Immich (has 2FA) |
| nextcloud.echo6.co | 192.168.1.183:11000 | Local IP | Nextcloud AIO (SSO via Authentik) |
| jellyfin.echo6.co | 100.64.0.18:8096 | Tailscale | Jellyfin media server (SSO via Authentik) |
| requests.echo6.co | 100.64.0.18:5055 | Tailscale | Jellyseer request management (SSO via Authentik) |
| stream.echo6.co | 192.168.1.170:80 | Local IP | PeerTube video streaming (SSO via Authentik) |
| ai.echo6.co | 100.64.0.14:8080 | Tailscale | Open WebUI (SSO via Authentik) |
| files.echo6.co | 100.64.0.24:8888 | Tailscale | RECON PDF library (Authentik forward auth) |
| recon.echo6.co | 100.64.0.24:8420 | Tailscale | RECON dashboard + API |
| lidarr.echo6.co | 100.64.0.18:8686 | Tailscale | Lidarr music automation (Authentik forward auth) |
| navidrome.echo6.co | 100.64.0.18:4533 | Tailscale | Navidrome music server (Authentik forward auth, /rest/* exempt for Subsonic API) |
| vpn.idahomesh.com | 192.168.1.106:8080 | Local IP | IdahoMesh Headscale VPN coordination |
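
The utility-side patterns from this table that differ from the Contabo ones: the Matrix well-known delegation on the apex domain, the search.echo6.co redirect, and a forward-auth gate with a path exemption (Navidrome's /rest/* Subsonic API). Added illustration, not the live CT 101 Caddyfile. The well-known JSON values (federation on matrix.echo6.co:443, client base_url https://matrix.echo6.co) are assumptions consistent with the Contabo table, and `{$AUTHENTIK_OUTPOST}` is an environment placeholder because this page does not state how CT 101 reaches the Authentik outpost.

```caddyfile
echo6.co {
	# Matrix well-known delegation. Both documents must be served as JSON, and
	# the client document needs a permissive CORS header or web clients refuse it.
	handle /.well-known/matrix/server {
		header Content-Type application/json
		respond `{"m.server": "matrix.echo6.co:443"}` 200
	}
	handle /.well-known/matrix/client {
		header Content-Type application/json
		header Access-Control-Allow-Origin *
		respond `{"m.homeserver": {"base_url": "https://matrix.echo6.co"}}` 200
	}
	# Everything else is the SearXNG instance, reached over Tailscale.
	handle {
		reverse_proxy 100.64.0.15:8080
	}
}

# Legacy search hostname: permanent (301) redirect with the path preserved.
search.echo6.co {
	redir https://echo6.co{uri} permanent
}

# Navidrome: browser traffic must carry an Authentik session; /rest/* is the
# Subsonic API, where clients authenticate with their own per-user Navidrome
# credentials, so it is exempt from the SSO gate. Keeping the exemption to a
# negated path matcher means every new path is gated by default.
navidrome.echo6.co {
	@needs_sso not path /rest/*
	forward_auth @needs_sso {$AUTHENTIK_OUTPOST} {
		uri /outpost.goauthentik.io/auth/caddy
		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
		trusted_proxies private_ranges
	}
	reverse_proxy 100.64.0.18:4533
}
```

Unlike the Contabo instance, this Caddy runs with the admin API on, so `systemctl reload caddy` (as in the commands below) applies the change without dropping connections.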

### Commands

```bash
ssh root@192.168.1.241 'pct exec 101 -- cat /etc/caddy/Caddyfile'
ssh root@192.168.1.241 'pct exec 101 -- systemctl reload caddy'
ssh root@192.168.1.241 'pct exec 101 -- journalctl -u caddy -f'
```

## dnsmasq (Tailscale Split DNS)

- Config: `/etc/dnsmasq.d/tailscale-dns.conf` on Contabo
- Listens on: 100.64.0.1:53

### Current Records

| Domain | Tailscale IP | Service |
|---|---|---|
| auth.echo6.co | 100.64.0.1 | Authentik |
| forge.echo6.co | 100.64.0.1 | Forgejo |
| mail.echo6.co | 100.64.0.1 | Mailcow |
| vpn.echo6.co | 100.64.0.1 | Headscale |
| vault.echo6.co | 100.64.0.1 | Vaultwarden |
| proxmox.echo6.co | 100.64.0.1 | Proxmox VE (via Caddy) |
| stream.echo6.co | 100.64.0.8 | PeerTube (via utility Caddy) |
| notes.echo6.co | 100.64.0.1 | LiveSync CouchDB + provisioner (via Contabo Caddy) |
| tak.echo6.co | 100.64.0.1 | TAK Server + SIGIL (via Contabo Caddy) |
| jellyfin.echo6.co | 100.64.0.8 | Jellyfin (via utility Caddy) |
| requests.echo6.co | 100.64.0.8 | Jellyseer (via utility Caddy) |
| wt.echo6.co | 100.64.0.1 | WATCHTOWER ops dashboard |
| ai.echo6.co | 100.64.0.8 | Open WebUI (via utility Caddy) |
| matrix.echo6.co | 100.64.0.1 | Matrix Synapse (via Contabo Caddy) |
| element.echo6.co | 100.64.0.1 | Element Web (via Contabo Caddy) |
| echo6.co | 100.64.0.8 | Echo6 Search homepage (via utility Caddy) |
| files.echo6.co | 100.64.0.8 | RECON PDF library (via utility Caddy) |
| recon.echo6.co | 100.64.0.8 | RECON dashboard (via utility Caddy) |
| lidarr.echo6.co | 100.64.0.8 | Lidarr music automation (via utility Caddy) |
| navidrome.echo6.co | 100.64.0.8 | Navidrome music server (via utility Caddy) |

### Commands

```bash
ssh root@100.64.0.1
nano /etc/dnsmasq.d/tailscale-dns.conf
systemctl restart dnsmasq
dig +short forge.echo6.co @100.64.0.1   # Test
```

## GoDaddy DNS Records (echo6.co)

### Contabo Services → 5.189.158.149

| Subdomain | Service |
|---|---|
| auth | Authentik SSO |
| forge | Forgejo Git |
| mail | Mailcow Email |
| vpn | Headscale VPN |
| vault | Vaultwarden |
| wt | WATCHTOWER ops dashboard |
| matrix | Matrix Synapse |
| element | Element Web |
| notes | LiveSync (CouchDB + provisioner) |
| proxmox | Proxmox VE (via Tailscale to data node) |
| tak | TAK Server + SIGIL |

### Home Services → 199.6.36.163

| Subdomain | Service |
|---|---|
| @ | Echo6 Search homepage (SearXNG) |
| ai | Open WebUI |
| stream | PeerTube |
| jellyfin | Jellyfin |
| mesh | MeshMonitor |
| nas | OpenMediaVault (pi-nas) |
| search | SearXNG (redirects to echo6.co) |
| immich | Immich |
| nextcloud | Nextcloud |
| requests | Jellyseer |
| files | RECON PDF library |
| recon | RECON dashboard |
| lidarr | Lidarr music automation |
| navidrome | Navidrome music server |

### Email Records

| Type | Name | Value |
|---|---|---|
| MX | @ | mail.echo6.co |
| CNAME | autoconfig | mail.echo6.co |
| CNAME | autodiscover | mail.echo6.co |
| TXT | @ | v=spf1 mx a:mail.echo6.co -all |
| TXT | _dmarc | v=DMARC1; p=quarantine |
| TXT | dkim._domainkey | (DKIM key) |

## Headscale Config

- Location: `/opt/headscale/` on Contabo
- Data: named Docker volume `headscale_headscale-data`
- Config: `/opt/headscale/config.yaml`

```yaml
dns:
  base_domain: echo6.mesh
  nameservers:
    global:
      - 1.1.1.1

oidc:
  issuer: "https://auth.echo6.co/application/o/headscale/"
  client_id: "headscale"
```

- Split DNS: configured via dnsmasq on Contabo (see above).
- Headplane: deployed at vpn.echo6.co/admin, OIDC via Authentik. The first login gets the Owner role.


## Port Map (Contabo)

| Service | Container Port | Host Binding | Public Domain |
|---|---|---|---|
| Authentik | 9000 | 127.0.0.1:9000 | auth.echo6.co |
| Forgejo | 3000 | 127.0.0.1:3001 | forge.echo6.co |
| Forgejo SSH | 22 | 0.0.0.0:2222 | Direct (not proxied) |
| Headscale | 8080 | 127.0.0.1:8084 | vpn.echo6.co |
| Headplane | 3000 | 127.0.0.1:3100 | vpn.echo6.co/admin |
| Mailcow | 8443 | 127.0.0.1:8443 | mail.echo6.co |
| Vaultwarden | 80 | 127.0.0.1:8086 | vault.echo6.co |
| Vaultwarden WS | 3012 | 127.0.0.1:3012 | vault.echo6.co/notifications/hub |
| WATCHTOWER | 8084 | host network :8099 | wt.echo6.co |
| Matrix Synapse | 8008 | 127.0.0.1:8008 | matrix.echo6.co (/_matrix/, /_synapse/) |
| Matrix MAS | 8080 | 127.0.0.1:8085 | matrix.echo6.co (login/logout/refresh/auth_metadata, default) |
| Element Web | 80 | 127.0.0.1:8088 | element.echo6.co |
| LiveSync CouchDB | 5984 | 127.0.0.1:5984 | notes.echo6.co |
| LiveSync Provisioner | 8080 | 127.0.0.1:5985 | notes.echo6.co/_provision/* |
| TAK Server Admin | 8446 | https://100.64.0.1:8446 (Tailscale) | tak.echo6.co |
| SIGIL Console | 8990 | 100.64.0.1:8990 | tak.echo6.co/sigil |

Last updated: 2026-04-13 (audit sync: added MAS routing on matrix.echo6.co, lidarr/navidrome/vpn.idahomesh.com to utility Caddy, proxmox/tak to GoDaddy, removed ghost docs.echo6.co entries, added dnsmasq lidarr/navidrome)