Expose CV publicly at cv.eblu.me (#173)

## Summary - Add nginx server block for `cv.eblu.me` (static site, same pattern as docs) - Add DNS CNAME record in Pulumi (`cv.eblu.me` → `blumeops-proxy.fly.dev`) - Add `cv.eblu.me` cert to `fly-setup` mise task - Tag CV Tailscale ingress with `tag:flyio-target` for ACL access - Remove `/_error` test endpoint from docs proxy ## Deployment and Testing - [ ] `argocd app set cv --revision cv/public-cv-eblu-me && argocd app sync cv` - [ ] `fly certs add cv.eblu.me -a blumeops-proxy` - [ ] `mise run fly-deploy` - [ ] Verify proxy: `curl -I -H "Host: cv.eblu.me" https://blumeops-proxy.fly.dev/` - [ ] `mise run dns-preview` then `mise run dns-up` - [ ] Verify live: `curl -I https://cv.eblu.me` - [ ] Merge, then `argocd app set cv --revision main && argocd app sync cv` Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/173
2026-02-12 14:05:00 -08:00 · 2026-02-12 14:05:00 -08:00 · df372fccb6
commit df372fccb6
parent a68542a602
8 changed files with 309 additions and 7 deletions
--- a/fly/nginx.conf
+++ b/fly/nginx.conf
@ -54,11 +54,6 @@ http {
            root /usr/share/nginx/html;
            internal;
        }
-        location = /_error {
-            root /usr/share/nginx/html;
-            try_files /error.html =404;
-        }
-
        location / {
            set $upstream_docs https://docs.tail8d86e.ts.net;
            proxy_pass $upstream_docs$request_uri;
@ -85,6 +80,38 @@ http {

    }

+    # --- cv.eblu.me (static site) ---
+    server {
+        listen 8080;
+        server_name cv.eblu.me;
+
+        limit_req zone=general burst=20 nodelay;
+
+        error_page 502 503 504 /error.html;
+        location = /error.html {
+            root /usr/share/nginx/html;
+            internal;
+        }
+
+        location / {
+            set $upstream_cv https://cv.tail8d86e.ts.net;
+            proxy_pass $upstream_cv$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+            proxy_intercept_errors on;
+
+            proxy_cache services;
+            proxy_cache_valid 200 1d;
+            proxy_cache_valid 404 1m;
+            proxy_cache_use_stale error timeout updating;
+            proxy_cache_lock on;
+            proxy_cache_key $host$uri;
+            proxy_ignore_headers Cache-Control Set-Cookie;
+
+            add_header X-Cache-Status $upstream_cache_status;
+        }
+    }
+
    # Catch-all: reject unknown hosts, but serve health check
    server {
        listen 8080 default_server;