diff --git a/docs/how-to/expose-service-publicly.md b/docs/how-to/expose-service-publicly.md
index ccbe1cb..77a0220 100644
--- a/docs/how-to/expose-service-publicly.md
+++ b/docs/how-to/expose-service-publicly.md
@@ -11,8 +11,6 @@ id: expose-service-publicly
 # Expose a Service Publicly via Fly.io + Tailscale
-> **Status:** In progress — first target: `docs.eblu.me`.
-
 This guide describes how to expose a BlumeOps service to the public internet using a reverse proxy container on [Fly.io](https://fly.io) that tunnels back to [[indri]] over [[tailscale]]. The approach keeps the home IP hidden,
@@ -146,7 +144,8 @@ COPY --from=docker.io/tailscale/tailscale:stable \
 COPY --from=docker.io/tailscale/tailscale:stable \
 /usr/local/bin/tailscale /usr/local/bin/tailscale
-RUN mkdir -p /var/run/tailscale /var/lib/tailscale
+RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
+ && apk add --no-cache iptables ip6tables
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY start.sh /start.sh
@@ -163,8 +162,9 @@ CMD ["/start.sh"]
 #!/bin/sh
 set -e
-# Start tailscale in userspace networking mode (no TUN device needed)
-tailscaled --tun=userspace-networking --statedir=/var/lib/tailscale &
+# Start tailscale daemon. Fly.io runs Firecracker microVMs which support
+# TUN devices natively — no need for --tun=userspace-networking.
+tailscaled --statedir=/var/lib/tailscale &
 sleep 2
 # Authenticate and join tailnet
@@ -174,7 +174,7 @@ tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
 until tailscale status > /dev/null 2>&1; do sleep 1; done
 echo "Tailscale connected"
-# Start nginx
+# Start nginx — MagicDNS resolves *.tail8d86e.ts.net hostnames
 nginx -g "daemon off;"
 ```
@@ -211,6 +211,7 @@ http {
 location / {
 proxy_pass https://docs.tail8d86e.ts.net;
 proxy_ssl_verify off;
+ proxy_ssl_server_name on;
 # Cache aggressively — static site only.
 # Do NOT use these settings for dynamic services.
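Review bot: The new `&& apk add --no-cache iptables ip6tables` gives no reason why a reverse-proxy image now needs netfilter tooling; it appears to be paired with this commit's start.sh change that runs tailscaled in kernel TUN mode instead of userspace networking, a mode in which tailscaled manages its own iptables rules, but a reader of the Dockerfile alone cannot see that link. A one-line comment above the RUN, `# iptables/ip6tables: needed by tailscaled in kernel (TUN) mode, which manages its own netfilter rules`, records the dependency. The stage's FROM line is outside the hunk.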
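Review bot: Dropping `--tun=userspace-networking` makes tailscaled depend on a `/dev/net/tun` device that the script never checks for, and because the daemon is backgrounded under `set -e`, an immediate exit goes unnoticed until `tailscale up` fails later with an unrelated-looking error. A guard before the launch makes the new requirement explicit: `[ -c /dev/net/tun ] || { echo "no /dev/net/tun; tailscaled needs TUN (or --tun=userspace-networking)" >&2; exit 1; }`. The fixed `sleep 2` can likewise be replaced by waiting for the daemon's control socket, which by default lives in the directory the Dockerfile creates: `until [ -S /var/run/tailscale/tailscaled.sock ]; do sleep 1; done`. The script continues past the hunk; `tailscale up` comes after it.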
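Review bot: `proxy_ssl_server_name on` makes nginx send SNI for docs.tail8d86e.ts.net, but the line above still has `proxy_ssl_verify off`, so the certificate the upstream presents is never checked; the hop runs over the tailnet, where WireGuard authenticates the peer, which bounds the risk but is a property of the transport rather than of this config. If the upstream serves a publicly trusted certificate (as ones issued via `tailscale cert` are), verification is three directives: `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;`, `proxy_ssl_name docs.tail8d86e.ts.net;` — assuming the image carries a CA bundle at that path, which is not visible here. If verification is deliberately off, a comment saying so, `# upstream is reached only over the tailnet; peer identity comes from WireGuard, not from this TLS hop`, keeps the next reader from treating it as an oversight. The enclosing server block starts and ends outside the hunk.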
@@ -228,16 +229,19 @@ http {
 add_header X-Cache-Status $upstream_cache_status;
 }
+ }
+
+ # Catch-all: reject unknown hosts, but serve health check
+ server {
+ listen 8080 default_server;
 location /healthz {
 return 200 "ok\n";
 }
- }
- # Catch-all: reject unknown hosts
- server {
- listen 8080 default_server;
- return 444;
+ location / {
+ return 444;
+ }
 }
 }
 ```
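Review bot: The health check that now lives in the catch-all server uses a prefix match, `location /healthz`, so any path beginning with /healthz is answered 200 for any Host while everything else falls to `location / { return 444; }`; an exact match, `location = /healthz { return 200 "ok\n"; }`, limits the catch-all's only open path to that single URL. Before this change /healthz sat inside the site's own server block (the removed closing brace shows it), so a health checker that sends the site's Host header now receives the site's response rather than "ok" — confirm which Host the platform checks use. The closing `}` of the http block is the last context line; the block itself starts outside the hunk.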