echo6-docs/runbooks/expose-service-home.md
Matt Johnson 880ff09c90 Initial commit: infrastructure documentation
Includes:
- Hardware environment reference (Proxmox cluster, VMs, LXCs)
- Services inventory with current deployments
- Caddy & DNS configuration reference
- Runbooks for common deployment procedures

Recent additions:
- SearXNG deployment (utility CT 102, search.echo6.co)
- TOC conversion to Proxmox with cortex VM
- Syncthing sync between Contabo and cortex

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-06 21:27:29 +01:00


Expose Service on Home Network

Prerequisites

  • Service running on a Proxmox CT/VM or bare metal
  • Router forwards 80/443 to Utility Caddy (192.168.1.101) — one-time setup
  • Determine pattern: does the service have Authentik OIDC?

Steps

1. Determine backend target

| Has OIDC? | Proxy to                       | Why                             |
|-----------|--------------------------------|---------------------------------|
| YES       | Local IP (192.168.1.x:port)    | Authentik SSO protects access   |
| NO        | Tailscale IP (100.64.0.x:port) | Only Caddy can reach the backend |

If the service has no OIDC, it MUST have Tailscale installed and be registered with Headscale before continuing, so that Caddy proxies to its Tailscale IP rather than a LAN address.

2. Issue SSL certificate

ssh root@192.168.1.241

pct exec 101 -- bash -c '
export GD_Key="<from .ref/credentials>"
export GD_Secret="<from .ref/credentials>"
/root/.acme.sh/acme.sh --issue --dns dns_gd -d <service>.echo6.co --server letsencrypt
'

3. Install certificate

pct exec 101 -- bash -c "
mkdir -p /etc/caddy/certs
/root/.acme.sh/acme.sh --install-cert -d <service>.echo6.co \
  --cert-file /etc/caddy/certs/<service>.echo6.co.crt \
  --key-file /etc/caddy/certs/<service>.echo6.co.key \
  --fullchain-file /etc/caddy/certs/<service>.echo6.co.fullchain.crt \
  --reloadcmd 'systemctl reload caddy'

chown -R caddy:caddy /etc/caddy/certs
chmod 600 /etc/caddy/certs/*.key
chmod 644 /etc/caddy/certs/*.crt
"

4. Add Caddy site block

# WITH OIDC — local IP
pct exec 101 -- bash -c "cat >> /etc/caddy/Caddyfile << 'EOF'

<service>.echo6.co {
    tls /etc/caddy/certs/<service>.echo6.co.fullchain.crt /etc/caddy/certs/<service>.echo6.co.key
    reverse_proxy 192.168.1.<X>:<PORT>
}
EOF
systemctl reload caddy"

# WITHOUT OIDC — Tailscale IP
pct exec 101 -- bash -c "cat >> /etc/caddy/Caddyfile << 'EOF'

<service>.echo6.co {
    tls /etc/caddy/certs/<service>.echo6.co.fullchain.crt /etc/caddy/certs/<service>.echo6.co.key
    reverse_proxy 100.64.0.<X>:<PORT>
}
EOF
systemctl reload caddy"

5. Add DNS record

# On TOC
source /home/zvx/projects/.ref/credentials
godaddy-dns.py add-a echo6.co <service> 199.6.36.163

6. Update service CORS (if applicable)

Add https://<service>.echo6.co to the service's allowed origins.

7. Verify

curl -I https://<service>.echo6.co

8. Update docs

  • Update ~/.claude/docs/infrastructure/caddy.md with new site block
  • Update ~/.claude/docs/infrastructure/services.md with new service
  • Add credentials to /home/zvx/projects/.ref/credentials if applicable
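The runbook leaves the step 1 decision and the step 4 site block to be written by hand. As an added helper that is not part of this runbook, the POSIX sh function below renders the step 4 block for a given service and refuses a backend address that contradicts the step 1 rule (OIDC service on 192.168.1.x, non-OIDC service on its Tailscale 100.64.0.x address). The service name, OIDC flag, backend IP and port are assumed arguments; the certificate paths follow step 3.

```shell
#!/bin/sh
# Added example (not from the echo6 runbook): render the Caddy site block for
# <service>.echo6.co while enforcing the backend rule from step 1.
#   OIDC-protected service -> LAN backend 192.168.1.X
#   no OIDC                -> Tailscale backend 100.64.0.X
# Usage: render_site_block <service> <yes|no> <backend-ip> <port>
# Prints the block on stdout; returns 1 with a reason on stderr if the
# inputs break the pattern or could corrupt the Caddyfile.

CERT_DIR=/etc/caddy/certs   # same directory the runbook installs certs into

render_site_block() {
    svc=$1; oidc=$2; ip=$3; port=$4

    # Accept only a bare DNS label so a stray space, slash or brace cannot
    # alter the Caddyfile when the block is appended with cat >> as in step 4.
    case "$svc" in
        ''|*[!a-z0-9-]*) echo "bad service name: '$svc'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac

    # Step 1 rule: the backend subnet must match the OIDC decision.
    case "$oidc" in
        yes)
            case "$ip" in
                192.168.1.*) ;;
                *) echo "$svc has OIDC: backend must be a LAN IP (192.168.1.x), got $ip" >&2; return 1 ;;
            esac ;;
        no)
            case "$ip" in
                100.64.0.*) ;;
                *) echo "$svc has no OIDC: backend must be its Tailscale IP (100.64.0.x), got $ip" >&2; return 1 ;;
            esac ;;
        *) echo "oidc flag must be yes or no, got '$oidc'" >&2; return 1 ;;
    esac

    # Same shape as the step 4 block, with the step 3 certificate paths.
    cat <<EOF

$svc.echo6.co {
    tls $CERT_DIR/$svc.echo6.co.fullchain.crt $CERT_DIR/$svc.echo6.co.key
    reverse_proxy $ip:$port
}
EOF
}
```

Pipe the output into the `cat >> /etc/caddy/Caddyfile` command from step 4 only after the function has returned 0; a non-zero return means the backend pattern was wrong and nothing should be appended.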

Checklist

□ Backend pattern chosen (OIDC → local IP, no OIDC → Tailscale IP)
□ SSL cert issued and installed via acme.sh
□ Caddy site block added to CT 101 Caddyfile
□ Caddy reloaded
□ GoDaddy DNS → 199.6.36.163
□ CORS updated if needed
□ HTTPS access verified
□ Docs updated