line length

docs/how-to/expose-service-publicly.md

@@ -63,11 +63,18 @@ infrastructure. They can continue to operate in parallel for private access.
 
 There are three independent TLS segments — none involve Caddy:
 
-1. **Browser → Fly.io edge**: Fly.io auto-provisions a Let's Encrypt certificate for each custom domain (e.g., `docs.eblu.me`). Validated via TLS-ALPN challenge — no DNS API needed.
+1. **Browser → Fly.io edge**: Fly.io auto-provisions a Let's Encrypt
-2. **nginx → Tailscale ingress**: nginx proxies to `https://<service>.tail8d86e.ts.net`. The Tailscale ingress serves a Tailscale-issued cert. nginx uses `proxy_ssl_verify off` since the underlying tunnel is already encrypted.
+   certificate for each custom domain (e.g., `docs.eblu.me`). Validated via
-3. **WireGuard tunnel**: All Tailscale traffic is encrypted at the network layer regardless of application-level TLS.
+   TLS-ALPN challenge — no DNS API needed.
+2. **nginx → Tailscale ingress**: nginx proxies to
+   `https://<service>.tail8d86e.ts.net`. The Tailscale ingress serves a
+   Tailscale-issued cert. nginx uses `proxy_ssl_verify off` since the
+   underlying tunnel is already encrypted.
+3. **WireGuard tunnel**: All Tailscale traffic is encrypted at the network
+   layer regardless of application-level TLS.
 
-Caddy continues to serve `*.ops.eblu.me` with its existing Gandi DNS-01 certificates. The two TLS domains are completely independent.
+Caddy continues to serve `*.ops.eblu.me` with its existing Gandi DNS-01
+certificates. The two TLS domains are completely independent.
 
 ## External references