From aa0b7d3a6cea04cac6203d0cddd92baef85e1d13 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sun, 15 Feb 2026 07:33:15 -0800 Subject: [PATCH] Review deploy-k8s-service doc: fix repoURL, Caddy keys, add tag docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: - repoURL: indri.tail8d86e.ts.net:2200 → forge.ops.eblu.me:2222 - Caddy config: upstream → backend, add missing host field - Homepage group: "Apps" → "Services" (matches real ingresses) Adds documentation for tailscale.com/tags annotation: - ProxyGroup default tag:k8s is inherited, no per-ingress annotation needed - tag:flyio-target must be added explicitly for public access - Setting tags overrides ProxyGroup defaults, so both must be specified Co-Authored-By: Claude Opus 4.6 --- docs/how-to/deploy-k8s-service.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/how-to/deploy-k8s-service.md b/docs/how-to/deploy-k8s-service.md index ed42912..e54fd7a 100644 --- a/docs/how-to/deploy-k8s-service.md +++ b/docs/how-to/deploy-k8s-service.md @@ -1,6 +1,7 @@ --- title: Deploy K8s Service -modified: 2026-02-11 +modified: 2026-02-15 +last-reviewed: 2026-02-15 tags: - how-to - kubernetes @@ -34,7 +35,7 @@ metadata: spec: project: default source: - repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git + repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git targetRevision: main path: argocd/manifests/ destination: @@ -60,7 +61,7 @@ metadata: tailscale.com/proxy-group: "ingress" gethomepage.dev/enabled: "true" gethomepage.dev/name: "Service Name" - gethomepage.dev/group: "Apps" + gethomepage.dev/group: "Services" gethomepage.dev/icon: ".png" gethomepage.dev/href: "https://.ops.eblu.me" gethomepage.dev/pod-selector: "app=" 
@@ -80,6 +81,12 @@ Key points: - **`proxy-group: "ingress"`** routes through the shared ProxyGroup instead of spawning a per-ingress proxy - **Do not use `rules:` with `host:`** — the ProxyGroup proxy receives the FQDN as Host header (e.g. `.tail8d86e.ts.net`), so a short `host: ` won't match. Use `defaultBackend` instead. - **`tls.hosts`** sets the MagicDNS hostname (becomes `.tail8d86e.ts.net`) +- **`gethomepage.dev/group`** — use one of the existing groups: "Services", "Content", or "Infrastructure" +- **`tailscale.com/tags`** is not needed in the default case — the ProxyGroup already applies `tag:k8s`. Only add this annotation when the service needs public internet access via the [[flyio-proxy]]. When you do, you must include both tags (setting tags overrides the ProxyGroup default): + ```yaml + tailscale.com/tags: "tag:k8s,tag:flyio-target" + ``` + Then add a Caddy route and Fly.io proxy config per [[expose-service-publicly]]. ## Add Caddy Route (if needed) @@ -88,7 +95,8 @@ If other pods need to access the service, add to `ansible/roles/caddy/defaults/m ```yaml caddy_services: - name: - upstream: "https://.tail8d86e.ts.net" + host: ".{{ caddy_domain }}" + backend: "https://.tail8d86e.ts.net" ``` Then: `mise run provision-indri -- --tags caddy`
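Review bot: the `repoURL` change in the Application `source:` block swaps both host and port (`indri.tail8d86e.ts.net:2200` to `forge.ops.eblu.me:2222`), yet the diffstat shows only this one doc touched. If the old endpoint was wrong here, it is worth searching the rest of the repo (other how-tos and the manifests under `argocd/`) for `indri.tail8d86e.ts.net:2200` in the same commit, so the docs and the real Application definitions do not disagree about where the Git remote lives.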
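Review bot: in the new `tailscale.com/tags` bullet under Key points, "you must include both tags" does not say what goes wrong when only `tag:flyio-target` is set. The bullet already states that setting tags overrides the ProxyGroup default, so spell out the consequence (the ingress no longer carries `tag:k8s`) so a reader can recognise that misconfiguration when they see it. Since this annotation is the switch that opts a service into public exposure, consider moving the pointer to [[expose-service-publicly]] ahead of the YAML snippet so the reader sees the full procedure before copying the line. Also check that the fenced `yaml` block stays indented under the bullet so it renders as part of the list item.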
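Review bot: in the Caddy hunk, the unchanged lead sentence still reads "If other pods need to access the service", but the Key points section now sends readers here for the public-access case as well ("Then add a Caddy route and Fly.io proxy config"). Update the lead sentence to cover both reasons for adding a route. The new `host: ".{{ caddy_domain }}"` line also introduces `caddy_domain` without saying where it is defined or what it resolves to, while the ingress example above hard-codes `.ops.eblu.me` in `gethomepage.dev/href`. A short note naming the variable's source, or using the same form in both places, would keep the two examples consistent.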