Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126)

## Summary
- Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy
- Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test
- Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses
- Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress)
- Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly

## Manual step (not in PR)
Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes.

## Deployment order
1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up`
2. **OAuth client** — Manual update in Tailscale admin console
3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus`
4. **Fly.io proxy** — `mise run fly-deploy`
5. **Verify** — `mise run services-check`, check Grafana dashboards

## Test plan
- [ ] `mise run tailnet-preview` shows clean diff
- [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions
- [ ] After deploy: Grafana dashboards show continued log/metric flow
- [ ] `curl -sf https://docs.eblu.me` returns 200
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126

docs/explanation/architecture.md

@@ -42,15 +42,17 @@ Two always-on devices form the infrastructure backbone:
 - All devices on tailnet `tail8d86e.ts.net`
 - ACLs control access between devices and services
 - MagicDNS provides `*.tail8d86e.ts.net` hostnames
-- No port forwarding or public IPs needed
+- No port forwarding or public IPs on homelab devices
+- Selected services exposed publicly via [[flyio-proxy]] (Fly.io → Tailscale tunnel)
 
 ## Service Routing
 
-Two DNS domains route to services:
+Three DNS domains route to services:
 
 | Domain | Mechanism | Reachable from |
 |--------|-----------|----------------|
-| `*.ops.eblu.me` | Caddy reverse proxy on indri | Everywhere (k8s pods, containers, tailnet) |
+| `*.eblu.me` | [[flyio-proxy]] (Fly.io → Tailscale tunnel) | Public internet |
+| `*.ops.eblu.me` | Caddy reverse proxy on indri | k8s pods, containers, tailnet clients |
 | `*.tail8d86e.ts.net` | Tailscale MagicDNS | Tailnet clients only |
 
 See [[routing]] for details on when to use which.

docs/explanation/security-model.md

@@ -17,18 +17,22 @@ The foundational security decision is using [[tailscale]] as the network layer.
 
 ### Zero Trust Networking
 
-BlumeOps has no public IP addresses or port forwarding. All services are only accessible via Tailscale:
+BlumeOps infrastructure has no public IP addresses or port forwarding. Most services are only accessible via Tailscale:
 
-- **No attack surface** from the public internet
 - **Encrypted by default** - WireGuard encryption for all traffic
 - **Identity-based access** - ACLs based on user/device identity, not IP addresses
+- **Minimal public surface** - only selected services are exposed via [[flyio-proxy]]
+
+### Public Access via Fly.io
+
+A small number of services are exposed to the internet through a reverse proxy on Fly.io that tunnels back to the homelab over Tailscale. The proxy uses restricted ACLs (`tag:flyio-target`) so it can only reach explicitly tagged endpoints — a compromised proxy cannot route to arbitrary services on the tailnet. See [[flyio-proxy]] for details and [[expose-service-publicly]] for the security considerations.
 
 ### Defense in Depth
 
 Even within the tailnet, access is restricted:
 
 ```
-Internet ──X──▶ Services (no public access)
+Internet ──▶ Fly.io proxy ──▶ tag:flyio-target only (docs, observability)
 
 Tailnet:
   Admin ────────▶ All services