Add kopia restore guide, update Caddy config, add .gitignore to exclude credentials

This commit is contained in:
2026-05-08 22:21:08 -05:00
parent 748f3cafc6
commit 4a6cfa9ed0
5 changed files with 843 additions and 0 deletions
+97
View File
@@ -0,0 +1,97 @@
# Caddy Configuration for Homelab
# Location: /srv/docker/caddy/Caddyfile
# Last Updated: April 29, 2026
# ============================================================================
# Kopia Web UI - HTTPS Reverse Proxy
# ============================================================================
kopia.jgitta.com {
# Reverse proxy to Kopia Web UI running on localhost:51515
reverse_proxy 127.0.0.1:51515 {
# Pass original headers for proper proxying
header_upstream X-Forwarded-Proto {scheme}
header_upstream X-Forwarded-Host {http.request.host}
header_upstream X-Forwarded-For {http.request.remote.host}
# WebSocket support (Kopia uses WebSockets for real-time updates)
header_upstream Connection {http.request.header.Connection}
header_upstream Upgrade {http.request.header.Upgrade}
# Timeout settings for backup operations (which can be slow)
timeout 300s
}
# Security headers
header {
# Prevent MIME type sniffing
X-Content-Type-Options "nosniff"
# Clickjacking protection
X-Frame-Options "SAMEORIGIN"
# XSS protection
X-XSS-Protection "1; mode=block"
# HTTPS enforcement (HSTS)
# max-age: 1 year, includeSubDomains: apply to subdomains
Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Content Security Policy (basic)
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
# Referrer policy
Referrer-Policy "strict-origin-when-cross-origin"
# Permissions policy
Permissions-Policy "geolocation=(), microphone=(), camera=()"
}
# Logging
log {
output stdout
format json
}
# Enable TLS (automatic, self-signed for internal use)
tls internal
}
# ============================================================================
# HTTP to HTTPS Redirect
# ============================================================================
http://kopia.jgitta.com {
# Redirect all HTTP traffic to HTTPS
redir https://kopia.jgitta.com{uri} permanent
}
# ============================================================================
# Portainer - Docker Management UI on siklos
# ============================================================================
portainer.jgitta.com {
# Reverse proxy to Portainer on siklos (HTTP port — Caddy handles TLS)
reverse_proxy 192.168.88.27:9000 {
header_upstream X-Forwarded-Proto {scheme}
header_upstream X-Forwarded-Host {http.request.host}
header_upstream X-Forwarded-For {http.request.remote.host}
}
# Security headers
header {
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
X-XSS-Protection "1; mode=block"
Strict-Transport-Security "max-age=31536000; includeSubDomains"
Referrer-Policy "strict-origin-when-cross-origin"
}
log {
output stdout
format json
}
tls internal
}
http://portainer.jgitta.com {
redir https://portainer.jgitta.com{uri} permanent
}