From 863dd59f3b6b00a722e96538f15b9e4117be05ab Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sun, 8 Feb 2026 00:16:19 -0800 Subject: [PATCH] Editorial cleanup and non-k8s service note - Add frontmatter aliases and id fields - Wrap long lines for readability - Note that non-k8s services (forgejo, zot) work via tailscale serve - Clarify that private *.ops.eblu.me access continues in parallel Co-Authored-By: Claude Opus 4.6 --- docs/how-to/expose-service-publicly.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/how-to/expose-service-publicly.md b/docs/how-to/expose-service-publicly.md index e64e61c..bd12304 100644 --- a/docs/how-to/expose-service-publicly.md +++ b/docs/how-to/expose-service-publicly.md @@ -5,13 +5,19 @@ tags: - fly-io - tailscale - networking +aliases: [] +id: expose-service-publicly --- # Expose a Service Publicly via Fly.io + Tailscale > **Status:** Plan — not yet implemented. First target: `docs.eblu.me`. -This guide describes how to expose a BlumeOps service to the public internet using a reverse proxy container on [Fly.io](https://fly.io) that tunnels back to [[indri]] over [[tailscale]]. The approach keeps the home IP hidden, requires no changes to existing infrastructure (`*.ops.eblu.me`, [[caddy]], DNS), and is reusable for multiple services. +This guide describes how to expose a BlumeOps service to the public internet +using a reverse proxy container on [Fly.io](https://fly.io) that tunnels back +to [[indri]] over [[tailscale]]. The approach keeps the home IP hidden, +requires no changes to existing infrastructure (`*.ops.eblu.me`, [[caddy]], +DNS), and is reusable for multiple services. ## Architecture 
@@ -28,10 +34,17 @@ Internet → .eblu.me │ k8s Service → pod ``` +(The approach works similarly for non-k8s services via `tailscale serve` +service definitions, eg. [[forgejo]] and [[zot]]) -A single Fly.io container serves as the public-facing proxy for all exposed services. Each service gets a `server` block in the nginx config and a DNS CNAME. The container joins the tailnet via an ephemeral auth key and reaches backend services through Tailscale ingress endpoints. +A single Fly.io container serves as the public-facing proxy for all exposed +services. Each service gets a `server` block in the nginx config and a DNS +CNAME. The container joins the tailnet via an ephemeral auth key and reaches +backend services through Tailscale ingress endpoints. -Existing `*.ops.eblu.me` services remain private behind Tailscale — this approach does not touch [[caddy]], [[gandi]] DNS-01, or any other existing infrastructure. +Existing `*.ops.eblu.me` services remain private behind Tailscale — this +approach does not touch [[caddy]], [[gandi]] DNS-01, or any other existing +infrastructure. They can continue to operate in parallel for private access. ## Key decisions
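Review bot: in the first hunk (the frontmatter change), `aliases: []` is an empty placeholder and `id: expose-service-publicly` simply repeats the file name; if the site tooling requires both keys to be present even when empty or redundant, say so in the commit message or in a short frontmatter comment, otherwise the empty `aliases` list can be dropped until an alias actually exists. The prose rewrap itself is content-neutral (the wrapped paragraph reads identically to the removed single line), and the `> **Status:** Plan — not yet implemented.` marker is correctly left in place, so nothing in this hunk changes what the guide claims.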
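Review bot: in the second hunk, the added parenthetical "(The approach works similarly for non-k8s services via `tailscale serve` service definitions, eg. [[forgejo]] and [[zot]])" should read "e.g." and end with a period, and it would help to state which endpoint the nginx `server` block's upstream targets in that case, since the surrounding text only says backends are reached "through Tailscale ingress endpoints" and the diagram shows the `k8s Service → pod` path; a one-line note such as "for these, the upstream is the hostname published by `tailscale serve`" would close that gap without changing the plan. The closing sentence "They can continue to operate in parallel for private access." has an ambiguous subject (the `*.ops.eblu.me` services, or [[caddy]]/[[gandi]] DNS-01?); suggest "The private `*.ops.eblu.me` endpoints continue to operate in parallel with the public ones." so the parallel-access point of the commit message is explicit.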