Add Caddy reverse proxy configuration and Kopia backup documentation
- Create INFRASTRUCTURE-COMPLETE.md: Comprehensive infrastructure overview * Network architecture and DNS configuration * Storage architecture for Nextcloud (1.4TB warm storage via LVM) * Kopia backup setup with Backblaze B2 integration * Caddy reverse proxy configuration (CT 202) * Security configuration and capacity planning - Add Caddy reverse proxy configurations: * caddy-kopia-integration.md: Integration steps for CT 202 * caddy-kopia-reverse-proxy.md: Complete configuration reference * caddy/Caddyfile: Production-ready configuration * caddy/docker-compose.yml: Docker deployment spec - Add Kopia backup documentation: * kopia-nextcloud-backblaze-setup.md: Complete Kopia setup guide * Backup strategy, retention policies, and restore procedures - Update related documentation with consolidated references Status: Infrastructure documented and ready for deployment
This commit is contained in:
@@ -0,0 +1,170 @@
|
||||
# Caddy Integration for Kopia.jgitta.com - CT 202
|
||||
|
||||
**Date**: April 27, 2026
|
||||
**Status**: Configuration Ready for CT 202
|
||||
**Purpose**: Add kopia.jgitta.com reverse proxy to existing Caddy setup
|
||||
|
||||
---
|
||||
|
||||
## Quick Integration
|
||||
|
||||
Caddy is already running on **CT 202**. To add kopia.jgitta.com reverse proxy:
|
||||
|
||||
### Step 1: Access CT 202
|
||||
|
||||
```bash
|
||||
# SSH to CT 202 (adjust IP if needed)
|
||||
ssh root@[CT-202-IP]
|
||||
|
||||
# Or via Proxmox container access
|
||||
pct enter 202
|
||||
```
|
||||
|
||||
### Step 2: Find Caddy Configuration Location
|
||||
|
||||
```bash
|
||||
# Find Caddyfile location
|
||||
find /etc/caddy -name "Caddyfile" -o -name "*.caddy" 2>/dev/null
|
||||
|
||||
# Or check docker/systemd
|
||||
ps aux | grep -i caddy
|
||||
```
|
||||
|
||||
### Step 3: Add Kopia Configuration Block
|
||||
|
||||
Add this to your existing Caddyfile:
|
||||
|
||||
```caddy
|
||||
# Kopia Web UI Reverse Proxy
|
||||
kopia.jgitta.com {
|
||||
# Reverse proxy to Kopia on siklos
|
||||
reverse_proxy http://192.168.88.27:51515 {
|
||||
# WebSocket support for real-time updates
|
||||
header_upstream Connection {http.request.header.Connection}
|
||||
header_upstream Upgrade {http.request.header.Upgrade}
|
||||
|
||||
# Long timeout for backup operations
|
||||
timeout 300s
|
||||
}
|
||||
|
||||
# Security headers
|
||||
header {
|
||||
X-Content-Type-Options "nosniff"
|
||||
X-Frame-Options "SAMEORIGIN"
|
||||
X-XSS-Protection "1; mode=block"
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
||||
}
|
||||
}
|
||||
|
||||
# HTTP to HTTPS redirect
|
||||
http://kopia.jgitta.com {
|
||||
redir https://kopia.jgitta.com{uri} permanent
|
||||
}
|
||||
```
|
||||
|
||||
### Step 4: Reload Caddy
|
||||
|
||||
```bash
|
||||
# If running as systemd service
|
||||
sudo systemctl reload caddy
|
||||
|
||||
# If running as Docker container
|
||||
docker-compose -f /path/to/docker-compose.yml restart caddy
|
||||
# or
|
||||
docker restart caddy
|
||||
|
||||
# Verify configuration
|
||||
curl -k https://kopia.jgitta.com/
|
||||
```
|
||||
|
||||
### Step 5: Verify DNS and Access
|
||||
|
||||
```bash
|
||||
# Check DNS resolution
|
||||
nslookup kopia.jgitta.com
|
||||
|
||||
# Test from another machine
|
||||
curl -k https://kopia.jgitta.com/
|
||||
|
||||
# Access in browser
|
||||
# https://kopia.jgitta.com (ignore certificate warning for self-signed)
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Expected Result
|
||||
|
||||
After configuration:
|
||||
- ✅ `https://kopia.jgitta.com/` → Caddy (443) → Kopia Web UI (51515 on siklos)
|
||||
- ✅ `http://kopia.jgitta.com/` → Redirects to HTTPS
|
||||
- ✅ SSL/TLS encryption end-to-end
|
||||
- ✅ Security headers applied
|
||||
- ✅ WebSocket support for real-time Kopia updates
|
||||
|
||||
---
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### Can't connect to kopia.jgitta.com
|
||||
|
||||
1. **Verify Caddy is running on CT 202**
|
||||
```bash
|
||||
ps aux | grep caddy
|
||||
docker ps | grep caddy
|
||||
```
|
||||
|
||||
2. **Check DNS resolution**
|
||||
```bash
|
||||
nslookup kopia.jgitta.com
|
||||
# Should return 192.168.88.27 (pointing to CT 202 IP or Caddy host)
|
||||
```
|
||||
|
||||
3. **Verify kopia.jgitta.com points to Caddy**
|
||||
- On MikroTik: kopia.jgitta.com → [CT-202-IP]
|
||||
- Not to 192.168.88.27 directly (unless CT 202 is on that IP)
|
||||
|
||||
4. **Test Caddy directly**
|
||||
```bash
|
||||
# From CT 202
|
||||
curl http://localhost/
|
||||
|
||||
# From another host
|
||||
curl https://[CT-202-IP]/ -k
|
||||
```
|
||||
|
||||
5. **Check Caddy configuration syntax**
|
||||
```bash
|
||||
caddy validate
|
||||
```
|
||||
|
||||
### Kopia backend unreachable
|
||||
|
||||
1. Verify Kopia is running on siklos:
|
||||
```bash
|
||||
ssh jgitta@192.168.88.27 "docker ps | grep kopia"
|
||||
```
|
||||
|
||||
2. Test connectivity from Caddy to Kopia:
|
||||
```bash
|
||||
curl http://192.168.88.27:51515/ (from CT 202)
|
||||
```
|
||||
|
||||
3. Check firewall allows port 51515 on siklos
|
||||
|
||||
### Certificate errors
|
||||
|
||||
- For internal use, self-signed certificates are normal
|
||||
- Browser will show warning — click "Advanced" and "Proceed"
|
||||
- Or use `curl -k` to skip certificate verification
|
||||
- For production public access, configure Let's Encrypt in Caddy
|
||||
|
||||
---
|
||||
|
||||
## Complete Caddyfile Reference
|
||||
|
||||
If you need the full Caddyfile structure, see: `caddy-kopia-reverse-proxy.md`
|
||||
|
||||
---
|
||||
|
||||
**Status**: Ready for integration on CT 202
|
||||
**Next**: Apply configuration to Caddy, verify HTTPS access, then push to Gitea
|
||||
Reference in New Issue
Block a user