Route Fly proxy through Caddy on indri for direct WireGuard peering
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m59s
Tailscale Ingress pods in k8s can't establish direct WireGuard connections (stuck behind pod-network NAT → DERP relay → 20s latency). Indri's host-level Tailscale CAN peer directly with Fly. Change all nginx upstreams to route through Caddy on indri instead of per-service Tailscale Ingress endpoints. Tag indri as flyio-target in the Tailscale ACL so the Fly proxy can reach it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent bca4c2bede
commit 12b2786ca2
3 changed files with 30 additions and 34 deletions
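The commit message's diagnosis (pods stuck on a DERP relay, the host peering directly) is something you want to confirm from the Fly proxy's side before and after cutting the upstreams over. The following is an added example, not code from this repository or from Tailscale: it classifies peers from the JSON that `tailscale status --json` prints. The field names it relies on (Peer, HostName, Tags, Relay, CurAddr, Active) are assumed from the ipnstate.PeerStatus structure and may need adjusting for other Tailscale versions; the embedded sample status is constructed, with made-up hostnames and addresses.

```python
"""Added example: tell direct WireGuard peers from DERP-relayed ones.

Not part of the commit above. It reads the JSON that `tailscale status --json`
prints; the field names used (Peer, HostName, Tags, Relay, CurAddr, Active) are
assumed from the ipnstate.PeerStatus structure and may need adjusting for
other Tailscale versions. The sample below is constructed, not captured.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample in the shape of `tailscale status --json`, trimmed to the
# fields used here. Hostnames and addresses are made up.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "fly-proxy", "Tags": ["tag:flyio-proxy"]},
    "Peer": {
        "nodekey:aaaa": {
            "HostName": "indri", "Tags": ["tag:homelab", "tag:flyio-target"],
            "TailscaleIPs": ["100.64.0.10"],
            "Relay": "fra", "CurAddr": "203.0.113.7:41641", "Active": True,
        },
        "nodekey:bbbb": {
            "HostName": "ts-ingress-grafana", "Tags": ["tag:k8s"],
            "TailscaleIPs": ["100.64.0.21"],
            "Relay": "fra", "CurAddr": "", "Active": True,
        },
        "nodekey:cccc": {
            "HostName": "nas", "Tags": ["tag:nas"],
            "TailscaleIPs": ["100.64.0.30"],
            "Relay": "", "CurAddr": "", "Active": False,
        },
    },
})


def classify_peers(status_json: str) -> Dict[str, str]:
    """Map each peer hostname to 'direct', 'relayed via DERP <region>' or 'idle'.

    A peer with recent traffic (Active) and a populated CurAddr has a direct
    UDP path; an active peer with an empty CurAddr is being relayed through
    the DERP region named in Relay. Idle peers have negotiated no path yet,
    so nothing can be concluded about them.
    """
    status = json.loads(status_json)
    paths: Dict[str, str] = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Active"):
            paths[name] = "idle"
        elif peer.get("CurAddr"):
            paths[name] = "direct"
        else:
            paths[name] = "relayed via DERP " + (peer.get("Relay") or "unknown")
    return paths


def relayed_peers(status_json: str, tag: Optional[str] = None) -> List[str]:
    """Hostnames of active peers stuck on DERP, optionally limited to one tag.

    Run with tag="tag:flyio-target" on the Fly proxy to confirm the path to
    indri is direct before pointing the nginx upstreams at it.
    """
    status = json.loads(status_json)
    stuck = []
    for peer in status.get("Peer", {}).values():
        if tag and tag not in peer.get("Tags", []):
            continue
        if peer.get("Active") and not peer.get("CurAddr"):
            stuck.append(peer.get("HostName", "?"))
    return sorted(stuck)


def live_status() -> str:
    """Fetch the real status from the local tailscaled (needs the tailscale CLI)."""
    out = subprocess.run(["tailscale", "status", "--json"],
                         check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    for host, path in classify_peers(SAMPLE_STATUS).items():
        print(f"{host:20s} {path}")
    print("stuck on DERP:", relayed_peers(SAMPLE_STATUS))
```

Replace `SAMPLE_STATUS` with `live_status()` on the Fly proxy to check the real tailnet; a peer that stays "relayed" even with traffic flowing is the NAT situation the commit message describes, and `tailscale ping --until-direct-success <host>` is the quickest way to see whether a direct path can be negotiated at all.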
@ -50,6 +50,7 @@ indri_tags = tailscale.DeviceTags(
"tag:loki",
"tag:registry", # Zot container registry
"tag:k8s-api", # Kubernetes API server (minikube)
"tag:flyio-target", # Fly proxy routes through Caddy on indri
],
)
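Review bot: tag:flyio-target has to be declared in the policy's tagOwners before it can be applied to a device, and nothing in this diff shows that declaration; if the tag is new here, the ACL file needs a matching tagOwners entry (for example "tag:flyio-target": ["autogroup:admin"]) or the DeviceTags update will be rejected. The inline comment should also say that the tag exposes port 443 on the whole host to the Fly proxy, not just Caddy: indri carries tag:registry for Zot in the same list, so anything Zot answers on indri's 443 falls under the same accept rule and Caddy has to be the only listener there or the thing that gates the rest.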
@ -193,11 +193,13 @@
"src": "tag:ci-gateway",
"accept": ["tag:registry:443"],
},
// Fly.io proxy can only reach flyio-target tagged endpoints, nothing else
// Fly.io proxy can only reach flyio-target tagged endpoints, nothing else.
// indri has tag:flyio-target (Caddy) so tag:homelab:443 is reachable on
// indri specifically but not other homelab devices.
{
"src": "tag:flyio-proxy",
"accept": ["tag:flyio-target:443"],
"deny": ["tag:k8s:443", "tag:homelab:443", "tag:homelab:22", "tag:nas:445", "tag:registry:443"],
"deny": ["tag:k8s:443", "tag:homelab:22", "tag:nas:445", "tag:registry:443"],
},
],
}
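Review bot: dropping tag:homelab:443 from the deny list while tag:registry:443 stays in it leaves this test internally inconsistent. The new comment justifies the removal by indri carrying both tag:homelab and tag:flyio-target, but the first hunk shows indri also carries tag:registry (the Zot registry), so by the same reasoning tag:registry:443 on indri is just as reachable from tag:flyio-proxy once `"accept": ["tag:flyio-target:443"]` holds; if the test engine treats the multi-tagged host as reachable, tag:registry:443 fails the same way, and if it does not, the original deny could have stayed. Since a test's deny entries can name a specific Tailscale IP as well as a tag, keep an assertion that a non-indri homelab host's address on 443 is still denied so a future rule that widens access to tag:homelab is caught, and either remove tag:registry:443 as well or state in the comment that the registry on indri's 443 is now reachable from the Fly proxy and is expected to be fronted or filtered by Caddy.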