From 716f1f0cfa3e9d3c9c656c10cee0f0980a61ba62 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Sun, 8 Feb 2026 21:46:09 -0800
Subject: [PATCH] Keep Alloy on direct Tailscale Ingress endpoints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Revert the Caddy endpoint change — flyio-proxy ACLs only allow
tag:flyio-target, so Alloy can't reach Caddy on indri (tag:homelab).
The direct Tailscale Ingress endpoints (loki/prometheus.tail8d86e.ts.net)
are tagged tag:flyio-target specifically for this purpose.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 fly/alloy.river | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/fly/alloy.river b/fly/alloy.river
index d599358..213d8c5 100644
--- a/fly/alloy.river
+++ b/fly/alloy.river
@@ -94,10 +94,12 @@ loki.relabel "instance" {
   }
 }
 
-// Write logs to Loki via Caddy reverse proxy
+// Write logs to Loki via Tailscale Ingress (direct, bypasses Caddy)
+// Uses direct Tailscale endpoint because flyio-proxy ACLs only allow
+// tag:flyio-target — Caddy on indri (tag:homelab) is not reachable.
 loki.write "loki" {
   endpoint {
-    url = "https://loki.ops.eblu.me/loki/api/v1/push"
+    url = "https://loki.tail8d86e.ts.net/loki/api/v1/push"
   }
 }
 
@@ -134,9 +136,11 @@ prometheus.relabel "instance" {
   }
 }
 
-// Push metrics to Prometheus via Caddy reverse proxy
+// Push metrics to Prometheus via Tailscale Ingress (direct, bypasses Caddy)
+// Uses direct Tailscale endpoint because flyio-proxy ACLs only allow
+// tag:flyio-target — Caddy on indri (tag:homelab) is not reachable.
 prometheus.remote_write "prometheus" {
   endpoint {
-    url = "https://prometheus.ops.eblu.me/api/v1/write"
+    url = "https://prometheus.tail8d86e.ts.net/api/v1/write"
   }
 }