echo6-docs/docs/software/caddy.md
Matt Johnson 880ff09c90 Initial commit: infrastructure documentation
Includes:
- Hardware environment reference (Proxmox cluster, VMs, LXCs)
- Services inventory with current deployments
- Caddy & DNS configuration reference
- Runbooks for common deployment procedures

Recent additions:
- SearXNG deployment (utility CT 102, search.echo6.co)
- TOC conversion to Proxmox with cortex VM
- Syncthing sync between Contabo and cortex

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-06 21:27:29 +01:00


Caddy & DNS Reference

Contabo Caddy

Config: /etc/caddy/Caddyfile on Contabo (ssh root@100.64.0.1)

Current Site Blocks

| Domain | Backend | Service |
| --- | --- | --- |
| auth.echo6.co | 127.0.0.1:9000 | Authentik SSO |
| forge.echo6.co | 127.0.0.1:3001 | Forgejo Git |
| mail.echo6.co | https://127.0.0.1:8443 | Mailcow (tls_insecure_skip_verify) |
| vpn.echo6.co | 127.0.0.1:8084 | Headscale |
| vpn.echo6.co/admin* | 127.0.0.1:3100 | Headplane |
| autodiscover.echo6.co | https://127.0.0.1:8443 | Mailcow autodiscover |
| autoconfig.echo6.co | https://127.0.0.1:8443 | Mailcow autoconfig |
| vault.echo6.co | 127.0.0.1:8086 | Vaultwarden |
| proxmox.echo6.co | https://100.64.0.6:8006 (via Tailscale) | Proxmox VE (data node) |

Commands

ssh root@100.64.0.1
caddy validate --config /etc/caddy/Caddyfile
systemctl restart caddy  # admin off, so reload won't work
journalctl -u caddy -f

Utility Caddy (Home)

Location: CT 101 on utility Proxmox (192.168.1.101)
Tailscale IP: 100.64.0.8
Config: /etc/caddy/Caddyfile inside CT 101
SSL Certs: /etc/caddy/certs/ (managed by acme.sh)
Port forward: Router 80/443 → 192.168.1.101

Current Site Blocks

| Domain | Backend | Pattern | Service |
| --- | --- | --- | --- |
| mesh.echo6.co | 100.64.0.7:8080 | Tailscale | MeshMonitor |
| search.echo6.co | 100.64.0.15:8080 | Tailscale | SearXNG |

Commands

ssh root@192.168.1.241 'pct exec 101 -- cat /etc/caddy/Caddyfile'
ssh root@192.168.1.241 'pct exec 101 -- systemctl reload caddy'
ssh root@192.168.1.241 'pct exec 101 -- journalctl -u caddy -f'

dnsmasq (Tailscale Split DNS)

Config: /etc/dnsmasq.d/tailscale-dns.conf on Contabo
Listens on: 100.64.0.1:53

Current Records

| Domain | Tailscale IP | Service |
| --- | --- | --- |
| auth.echo6.co | 100.64.0.1 | Authentik |
| forge.echo6.co | 100.64.0.1 | Forgejo |
| mail.echo6.co | 100.64.0.1 | Mailcow |
| vpn.echo6.co | 100.64.0.1 | Headscale |
| vault.echo6.co | 100.64.0.1 | Vaultwarden |
| docs.echo6.co | 100.64.0.1 | Wiki.js |
| proxmox.echo6.co | 100.64.0.1 | Proxmox VE (via Caddy) |
| stream.echo6.co | TBD | PeerTube - needs host verification |
| notes.echo6.co | TBD | Obsidian LiveSync - needs host verification |

Commands

ssh root@100.64.0.1
nano /etc/dnsmasq.d/tailscale-dns.conf
systemctl restart dnsmasq
dig +short forge.echo6.co @100.64.0.1   # Test
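
A drift check for the split-DNS records listed above, as an added example that is not part of the original documentation. It assumes the records are stored as single-domain dnsmasq `address=/<domain>/<ip>` lines (the page does not show the file's contents), and the sample config is constructed.

```python
import ipaddress
import re

# Tailscale/Headscale assign node addresses from the CGNAT block.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
# Records from the "Current Records" table; the two TBD rows are left out.
EXPECTED = {name + ".echo6.co": "100.64.0.1" for name in
            ("auth", "forge", "mail", "vpn", "vault", "docs", "proxmox")}
# Assumption: records are single-domain dnsmasq lines, address=/<domain>/<ip>.
ADDRESS_RE = re.compile(r"^address=/([^/\s]+)/(\S+)$")

def parse_records(conf_text):
    """Return {domain: ip} for every address= line, ignoring comments."""
    records = {}
    for raw in conf_text.splitlines():
        match = ADDRESS_RE.match(raw.split("#", 1)[0].strip())
        if match:
            records[match.group(1).lower()] = match.group(2)
    return records

def audit(conf_text, expected=EXPECTED):
    """Return sorted (domain, problem) pairs; an empty list means no drift."""
    found, issues = parse_records(conf_text), []
    for name, ip in expected.items():
        if name not in found:
            issues.append((name, "missing"))
        elif found[name] != ip:
            issues.append((name, f"expected {ip}, got {found[name]}"))
    for name, ip in found.items():
        try:
            # A split-DNS answer outside the tailnet sends clients off the VPN.
            if ipaddress.ip_address(ip) not in TAILNET:
                issues.append((name, f"{ip} is outside {TAILNET}"))
        except ValueError:
            issues.append((name, f"invalid address {ip}"))
    return sorted(issues)

# Constructed sample config, not the real file on Contabo.
SAMPLE = """\
address=/auth.echo6.co/100.64.0.1
address=/forge.echo6.co/100.64.0.1
address=/mail.echo6.co/100.64.0.1
address=/vpn.echo6.co/100.64.0.1
address=/vault.echo6.co/5.189.158.149  # drifted to the public address
address=/docs.echo6.co/100.64.0.1
"""

if __name__ == "__main__":
    for domain, problem in audit(SAMPLE):
        print(f"{domain}: {problem}")
```
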

GoDaddy DNS Records (echo6.co)

Contabo Services → 5.189.158.149

| Subdomain | Service |
| --- | --- |
| auth | Authentik SSO |
| forge | Forgejo Git |
| mail | Mailcow Email |
| vpn | Headscale VPN |
| vault | Vaultwarden |

Home Services → 199.6.36.163

| Subdomain | Service |
| --- | --- |
| @ | Main site |
| ai | Open WebUI |
| docs | Wiki.js |
| stream | PeerTube |
| notes | Obsidian LiveSync |
| jellyfin | Jellyfin |
| mesh | MeshMonitor |
| search | SearXNG |

Email Records

| Type | Name | Value |
| --- | --- | --- |
| MX | @ | mail.echo6.co |
| CNAME | autoconfig | mail.echo6.co |
| CNAME | autodiscover | mail.echo6.co |
| TXT | @ | v=spf1 mx a:mail.echo6.co -all |
| TXT | _dmarc | v=DMARC1; p=quarantine |
| TXT | dkim._domainkey | (DKIM key) |

Headscale Config

Location: /opt/headscale/ on Contabo
Data: Named Docker volume headscale_headscale-data
Config: /opt/headscale/config.yaml

dns:
  base_domain: echo6.mesh
  nameservers:
    global:
      - 1.1.1.1

oidc:
  issuer: "https://auth.echo6.co/application/o/headscale/"
  client_id: "headscale"

Split DNS: Configured via dnsmasq on Contabo.
Headplane: Deployed at vpn.echo6.co/admin - OIDC via Authentik. First login gets Owner.

Port Map (Contabo)

| Service | Container Port | Host Binding | Public Domain |
| --- | --- | --- | --- |
| Authentik | 9000 | 127.0.0.1:9000 | auth.echo6.co |
| Forgejo | 3000 | 127.0.0.1:3001 | forge.echo6.co |
| Headscale | 8080 | 127.0.0.1:8084 | vpn.echo6.co |
| Headplane | 3000 | 127.0.0.1:3100 | vpn.echo6.co/admin |
| Mailcow | 8443 | 127.0.0.1:8443 | mail.echo6.co |
| Vaultwarden | 80 | 127.0.0.1:8086 | vault.echo6.co |
| Vaultwarden WS | 3012 | 127.0.0.1:3012 | vault.echo6.co/notifications/hub |

Last updated: 2026-02-06 — Added SearXNG (search.echo6.co) on utility CT 102