Files
homelab-configs/caddy-kopia-integration.md
jgitta 821f954200 Add Caddy reverse proxy configuration and Kopia backup documentation
- Create INFRASTRUCTURE-COMPLETE.md: Comprehensive infrastructure overview
  * Network architecture and DNS configuration
  * Storage architecture for Nextcloud (1.4TB warm storage via LVM)
  * Kopia backup setup with Backblaze B2 integration
  * Caddy reverse proxy configuration (CT 202)
  * Security configuration and capacity planning

- Add Caddy reverse proxy configurations:
  * caddy-kopia-integration.md: Integration steps for CT 202
  * caddy-kopia-reverse-proxy.md: Complete configuration reference
  * caddy/Caddyfile: Production-ready configuration
  * caddy/docker-compose.yml: Docker deployment spec

- Add Kopia backup documentation:
  * kopia-nextcloud-backblaze-setup.md: Complete Kopia setup guide
  * Backup strategy, retention policies, and restore procedures

- Update related documentation with consolidated references

Status: Infrastructure documented and ready for deployment
2026-04-27 11:46:47 -05:00

3.8 KiB

Caddy Integration for Kopia.jgitta.com - CT 202

Date: April 27, 2026
Status: Configuration Ready for CT 202
Purpose: Add kopia.jgitta.com reverse proxy to existing Caddy setup


Quick Integration

Caddy is already running on CT 202. To add kopia.jgitta.com reverse proxy:

Step 1: Access CT 202

# SSH to CT 202 (adjust IP if needed)
ssh root@[CT-202-IP]

# Or via Proxmox container access
pct enter 202

Step 2: Find Caddy Configuration Location

# Find Caddyfile location
find /etc/caddy -name "Caddyfile" -o -name "*.caddy" 2>/dev/null

# Or check docker/systemd
ps aux | grep -i caddy

Step 3: Add Kopia Configuration Block

Add this to your existing Caddyfile:

# Kopia Web UI Reverse Proxy
kopia.jgitta.com {
    # Reverse proxy to Kopia on siklos
    reverse_proxy http://192.168.88.27:51515 {
        # WebSocket support for real-time updates
        header_upstream Connection {http.request.header.Connection}
        header_upstream Upgrade {http.request.header.Upgrade}
        
        # Long timeout for backup operations
        timeout 300s
    }
    
    # Security headers
    header {
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
    }
}

# HTTP to HTTPS redirect
http://kopia.jgitta.com {
    redir https://kopia.jgitta.com{uri} permanent
}

Step 4: Reload Caddy

# If running as systemd service
sudo systemctl reload caddy

# If running as Docker container
docker-compose -f /path/to/docker-compose.yml restart caddy
# or
docker restart caddy

# Verify configuration
curl -k https://kopia.jgitta.com/

Step 5: Verify DNS and Access

# Check DNS resolution
nslookup kopia.jgitta.com

# Test from another machine
curl -k https://kopia.jgitta.com/

# Access in browser
# https://kopia.jgitta.com (ignore certificate warning for self-signed)

Expected Result

After configuration:

  • https://kopia.jgitta.com/ → Caddy (443) → Kopia Web UI (51515 on siklos)
  • http://kopia.jgitta.com/ → Redirects to HTTPS
  • SSL/TLS encryption end-to-end
  • Security headers applied
  • WebSocket support for real-time Kopia updates

Troubleshooting

Can't connect to kopia.jgitta.com

  1. Verify Caddy is running on CT 202

    ps aux | grep caddy
    docker ps | grep caddy
    
  2. Check DNS resolution

    nslookup kopia.jgitta.com
    # Should return 192.168.88.27 (pointing to CT 202 IP or Caddy host)
    
  3. Verify kopia.jgitta.com points to Caddy

    • On MikroTik: kopia.jgitta.com → [CT-202-IP]
    • Not to 192.168.88.27 directly (unless CT 202 is on that IP)
  4. Test Caddy directly

    # From CT 202
    curl http://localhost/
    
    # From another host
    curl https://[CT-202-IP]/ -k
    
  5. Check Caddy configuration syntax

    caddy validate
    

Kopia backend unreachable

  1. Verify Kopia is running on siklos:

    ssh jgitta@192.168.88.27 "docker ps | grep kopia"
    
  2. Test connectivity from Caddy to Kopia:

    curl http://192.168.88.27:51515/ (from CT 202)
    
  3. Check firewall allows port 51515 on siklos

Certificate errors

  • For internal use, self-signed certificates are normal
  • Browser will show warning — click "Advanced" and "Proceed"
  • Or use curl -k to skip certificate verification
  • For production public access, configure Let's Encrypt in Caddy

Complete Caddyfile Reference

If you need the full Caddyfile structure, see: caddy-kopia-reverse-proxy.md


Status: Ready for integration on CT 202
Next: Apply configuration to Caddy, verify HTTPS access, then push to Gitea