Add Caddy reverse proxy configuration and Kopia backup documentation

- Create INFRASTRUCTURE-COMPLETE.md: Comprehensive infrastructure overview
  * Network architecture and DNS configuration
  * Storage architecture for Nextcloud (1.4TB warm storage via LVM)
  * Kopia backup setup with Backblaze B2 integration
  * Caddy reverse proxy configuration (CT 202)
  * Security configuration and capacity planning

- Add Caddy reverse proxy configurations:
  * caddy-kopia-integration.md: Integration steps for CT 202
  * caddy-kopia-reverse-proxy.md: Complete configuration reference
  * caddy/Caddyfile: Production-ready configuration
  * caddy/docker-compose.yml: Docker deployment spec

- Add Kopia backup documentation:
  * kopia-nextcloud-backblaze-setup.md: Complete Kopia setup guide
  * Backup strategy, retention policies, and restore procedures

- Update related documentation with consolidated references

Status: Infrastructure documented and ready for deployment
This commit is contained in:
2026-04-27 11:46:47 -05:00
parent b792d5bf41
commit 821f954200
31 changed files with 2373 additions and 71 deletions
+65
View File
@@ -0,0 +1,65 @@
# Caddy Configuration for Homelab
# Location: /srv/docker/caddy/Caddyfile
# Last Updated: April 27, 2026
# ============================================================================
# Kopia Web UI - HTTPS Reverse Proxy
# ============================================================================
kopia.jgitta.com {
# Reverse proxy to Kopia Web UI running on localhost:51515
reverse_proxy 127.0.0.1:51515 {
# Pass original headers for proper proxying
header_upstream X-Forwarded-Proto {scheme}
header_upstream X-Forwarded-Host {http.request.host}
header_upstream X-Forwarded-For {http.request.remote.host}
# WebSocket support (Kopia uses WebSockets for real-time updates)
header_upstream Connection {http.request.header.Connection}
header_upstream Upgrade {http.request.header.Upgrade}
# Timeout settings for backup operations (which can be slow)
timeout 300s
}
# Security headers
header {
# Prevent MIME type sniffing
X-Content-Type-Options "nosniff"
# Clickjacking protection
X-Frame-Options "SAMEORIGIN"
# XSS protection
X-XSS-Protection "1; mode=block"
# HTTPS enforcement (HSTS)
# max-age: 1 year, includeSubDomains: apply to subdomains
Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Content Security Policy (basic)
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
# Referrer policy
Referrer-Policy "strict-origin-when-cross-origin"
# Permissions policy
Permissions-Policy "geolocation=(), microphone=(), camera=()"
}
# Logging
log {
output stdout
format json
}
# Enable TLS (automatic, self-signed for internal use)
tls internal
}
# ============================================================================
# HTTP to HTTPS Redirect
# ============================================================================
http://kopia.jgitta.com {
# Redirect all HTTP traffic to HTTPS
redir https://kopia.jgitta.com{uri} permanent
}
+108
View File
@@ -0,0 +1,108 @@
version: '3.8'
# Caddy Reverse Proxy for Homelab Services
# Location: /srv/docker/caddy/docker-compose.yml
# Last Updated: April 27, 2026
#
# This service acts as a reverse proxy and HTTPS termination point for internal services
# Routes requests to appropriate backends and handles TLS encryption
services:
caddy:
image: caddy:latest
container_name: caddy
restart: unless-stopped
# Network ports
ports:
# Port 80: HTTP (redirects to HTTPS)
- "80:80"
# Port 443: HTTPS (main service port)
- "443:443"
# Volume mounts
volumes:
# Configuration file (read-only to prevent accidental modification)
- ./Caddyfile:/etc/caddy/Caddyfile:ro
# Persistent storage for certificates and configuration
# These volumes survive container restarts and updates
- caddy_data:/data
- caddy_config:/config
# Log directory (optional, for debugging)
- ./logs:/var/log/caddy
# Environment variables
environment:
# ACME server for Let's Encrypt (public domain setup)
# For internal use, Caddy will generate self-signed certificates
CADDY_ACME_CA: "https://acme-v02.api.letsencrypt.org/directory"
# Email for Let's Encrypt renewal notifications (optional, for public domains)
CADDY_ACME_EMAIL: "jgitta@jgitta.com"
# Network connectivity
networks:
- docker_network
# Container labels for identification and monitoring
labels:
com.example.description: "Caddy reverse proxy for homelab services"
com.example.version: "latest"
# Health check - ensures container is working
healthcheck:
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:80"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
# Container logging
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
labels: "caddy=true"
# Named volumes for persistent data
volumes:
# Certificate storage (TLS certificates, whether self-signed or Let's Encrypt)
caddy_data:
driver: local
# Configuration storage (Caddy internal config and metadata)
caddy_config:
driver: local
# Network definition
networks:
docker_network:
driver: bridge
ipam:
config:
- subnet: 172.20.0.0/16
# Usage Instructions:
#
# Start the service:
# cd /srv/docker/caddy
# docker-compose up -d
#
# Check status:
# docker-compose ps
#
# View logs:
# docker-compose logs -f caddy
#
# Reload configuration (no downtime):
# docker-compose restart caddy
#
# Stop the service:
# docker-compose down
#
# Update to latest Caddy version:
# docker-compose pull
# docker-compose up -d