Add Caddy reverse proxy configuration and Kopia backup documentation
- Create INFRASTRUCTURE-COMPLETE.md: Comprehensive infrastructure overview * Network architecture and DNS configuration * Storage architecture for Nextcloud (1.4TB warm storage via LVM) * Kopia backup setup with Backblaze B2 integration * Caddy reverse proxy configuration (CT 202) * Security configuration and capacity planning - Add Caddy reverse proxy configurations: * caddy-kopia-integration.md: Integration steps for CT 202 * caddy-kopia-reverse-proxy.md: Complete configuration reference * caddy/Caddyfile: Production-ready configuration * caddy/docker-compose.yml: Docker deployment spec - Add Kopia backup documentation: * kopia-nextcloud-backblaze-setup.md: Complete Kopia setup guide * Backup strategy, retention policies, and restore procedures - Update related documentation with consolidated references Status: Infrastructure documented and ready for deployment
This commit is contained in:
@@ -0,0 +1,65 @@
|
||||
# Caddy Configuration for Homelab
|
||||
# Location: /srv/docker/caddy/Caddyfile
|
||||
# Last Updated: April 27, 2026
|
||||
|
||||
# ============================================================================
|
||||
# Kopia Web UI - HTTPS Reverse Proxy
|
||||
# ============================================================================
|
||||
kopia.jgitta.com {
|
||||
# Reverse proxy to Kopia Web UI running on localhost:51515
|
||||
reverse_proxy 127.0.0.1:51515 {
|
||||
# Pass original headers for proper proxying
|
||||
header_upstream X-Forwarded-Proto {scheme}
|
||||
header_upstream X-Forwarded-Host {http.request.host}
|
||||
header_upstream X-Forwarded-For {http.request.remote.host}
|
||||
|
||||
# WebSocket support (Kopia uses WebSockets for real-time updates)
|
||||
header_upstream Connection {http.request.header.Connection}
|
||||
header_upstream Upgrade {http.request.header.Upgrade}
|
||||
|
||||
# Timeout settings for backup operations (which can be slow)
|
||||
timeout 300s
|
||||
}
|
||||
|
||||
# Security headers
|
||||
header {
|
||||
# Prevent MIME type sniffing
|
||||
X-Content-Type-Options "nosniff"
|
||||
|
||||
# Clickjacking protection
|
||||
X-Frame-Options "SAMEORIGIN"
|
||||
|
||||
# XSS protection
|
||||
X-XSS-Protection "1; mode=block"
|
||||
|
||||
# HTTPS enforcement (HSTS)
|
||||
# max-age: 1 year, includeSubDomains: apply to subdomains
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
||||
|
||||
# Content Security Policy (basic)
|
||||
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
|
||||
|
||||
# Referrer policy
|
||||
Referrer-Policy "strict-origin-when-cross-origin"
|
||||
|
||||
# Permissions policy
|
||||
Permissions-Policy "geolocation=(), microphone=(), camera=()"
|
||||
}
|
||||
|
||||
# Logging
|
||||
log {
|
||||
output stdout
|
||||
format json
|
||||
}
|
||||
|
||||
# Enable TLS (automatic, self-signed for internal use)
|
||||
tls internal
|
||||
}
|
||||
|
||||
# ============================================================================
|
||||
# HTTP to HTTPS Redirect
|
||||
# ============================================================================
|
||||
http://kopia.jgitta.com {
|
||||
# Redirect all HTTP traffic to HTTPS
|
||||
redir https://kopia.jgitta.com{uri} permanent
|
||||
}
|
||||
@@ -0,0 +1,108 @@
|
||||
version: '3.8'
|
||||
|
||||
# Caddy Reverse Proxy for Homelab Services
|
||||
# Location: /srv/docker/caddy/docker-compose.yml
|
||||
# Last Updated: April 27, 2026
|
||||
#
|
||||
# This service acts as a reverse proxy and HTTPS termination point for internal services
|
||||
# Routes requests to appropriate backends and handles TLS encryption
|
||||
|
||||
services:
|
||||
caddy:
|
||||
image: caddy:latest
|
||||
container_name: caddy
|
||||
restart: unless-stopped
|
||||
|
||||
# Network ports
|
||||
ports:
|
||||
# Port 80: HTTP (redirects to HTTPS)
|
||||
- "80:80"
|
||||
# Port 443: HTTPS (main service port)
|
||||
- "443:443"
|
||||
|
||||
# Volume mounts
|
||||
volumes:
|
||||
# Configuration file (read-only to prevent accidental modification)
|
||||
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
||||
|
||||
# Persistent storage for certificates and configuration
|
||||
# These volumes survive container restarts and updates
|
||||
- caddy_data:/data
|
||||
- caddy_config:/config
|
||||
|
||||
# Log directory (optional, for debugging)
|
||||
- ./logs:/var/log/caddy
|
||||
|
||||
# Environment variables
|
||||
environment:
|
||||
# ACME server for Let's Encrypt (public domain setup)
|
||||
# For internal use, Caddy will generate self-signed certificates
|
||||
CADDY_ACME_CA: "https://acme-v02.api.letsencrypt.org/directory"
|
||||
|
||||
# Email for Let's Encrypt renewal notifications (optional, for public domains)
|
||||
CADDY_ACME_EMAIL: "jgitta@jgitta.com"
|
||||
|
||||
# Network connectivity
|
||||
networks:
|
||||
- docker_network
|
||||
|
||||
# Container labels for identification and monitoring
|
||||
labels:
|
||||
com.example.description: "Caddy reverse proxy for homelab services"
|
||||
com.example.version: "latest"
|
||||
|
||||
# Health check - ensures container is working
|
||||
healthcheck:
|
||||
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:80"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
start_period: 40s
|
||||
|
||||
# Container logging
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
|
||||
max-size: "10m"
|
||||
max-file: "3"
|
||||
labels: "caddy=true"
|
||||
|
||||
# Named volumes for persistent data
|
||||
volumes:
|
||||
# Certificate storage (TLS certificates, whether self-signed or Let's Encrypt)
|
||||
caddy_data:
|
||||
driver: local
|
||||
|
||||
# Configuration storage (Caddy internal config and metadata)
|
||||
caddy_config:
|
||||
driver: local
|
||||
|
||||
# Network definition
|
||||
networks:
|
||||
docker_network:
|
||||
driver: bridge
|
||||
ipam:
|
||||
config:
|
||||
- subnet: 172.20.0.0/16
|
||||
|
||||
# Usage Instructions:
|
||||
#
|
||||
# Start the service:
|
||||
# cd /srv/docker/caddy
|
||||
# docker-compose up -d
|
||||
#
|
||||
# Check status:
|
||||
# docker-compose ps
|
||||
#
|
||||
# View logs:
|
||||
# docker-compose logs -f caddy
|
||||
#
|
||||
# Reload configuration (no downtime):
|
||||
# docker-compose restart caddy
|
||||
#
|
||||
# Stop the service:
|
||||
# docker-compose down
|
||||
#
|
||||
# Update to latest Caddy version:
|
||||
# docker-compose pull
|
||||
# docker-compose up -d
|
||||
Reference in New Issue
Block a user