docs/expose-service-publicly pt2 - fly.io #119

Merged
eblume merged 4 commits from docs/expose-service-publicly into main 2026-02-08 00:38:28 -08:00
No description provided.
Documents the full plan for exposing docs.eblu.me to the public internet
using Cloudflare as CDN/DDoS shield with a Cloudflare Tunnel from k8s.
Covers DNS migration, Caddy TLS changes, Pulumi IaC, and verification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace the Cloudflare Tunnel plan with a Fly.io reverse proxy
architecture that tunnels back to indri over Tailscale. Covers:
- Full architecture with nginx proxy cache + rate limiting
- One-time setup vs per-service steps
- Fly.io container (Dockerfile, fly.toml, nginx.conf, start.sh)
- Pulumi IaC for Tailscale auth key + DNS CNAMEs
- Forgejo CI workflow for automated deploys
- Security model, DDoS considerations, break-glass shutoff
- Mise tasks: fly-deploy, fly-setup, fly-shutoff

Also fix docs-check-links to handle in-page anchor links
([[#Heading]]) and cross-file anchors ([[file#Heading]]).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add frontmatter aliases and id fields
- Wrap long lines for readability
- Note that non-k8s services (forgejo, zot) work via tailscale serve
- Clarify that private *.ops.eblu.me access continues in parallel

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The guide was static-site-specific. Update to cover dynamic,
authenticated services (e.g., Forgejo):

- Add dynamic service nginx example with no blanket cache, proxy
  headers, WebSocket support, selective static asset caching
- Expand DDoS section: explain why dynamic services are more vulnerable
  (no cache absorbing traffic) and what mitigations exist
- Rewrite fail2ban section: irrelevant for static, essential for
  dynamic services; runs on indri watching service logs, needs
  forwarded IP headers
- Add comparison table: static vs dynamic across caching, sessions,
  rate limits, proxy headers, fail2ban, DDoS exposure
- Add pre-exposure checklist for dynamic services
- Note Tailscale ACL differences for non-k8s services (e.g., Forgejo
  on indri needs tag:homelab grant, not tag:k8s)
- Add inline comments in nginx.conf marking static-only directives

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
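An nginx server block for the dynamic-service case described in the commit above (no blanket cache, forwarded-IP headers for the app and fail2ban, WebSocket support, caching only for static assets, per-client rate limiting), written here as an added example and not taken from the PR's own nginx.conf. The public host git.example.com is a placeholder; the Tailscale name indri:3000, the fdaa::/16 Fly proxy range, the Fly-Client-IP header and TLS termination at Fly's edge are assumptions.

```nginx
# Added example, not the PR's nginx.conf. Assumed: Forgejo on "indri" via Tailscale
# (port 3000), placeholder host git.example.com, Fly edge at fdaa::/16 setting Fly-Client-IP.
# Recover the real client IP so limits and logs key on it, not on Fly's proxy address.
set_real_ip_from fdaa::/16;
real_ip_header   Fly-Client-IP;
# Per-client rate limit: 10 req/s sustained; burst handling is set per location.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
# Cache storage used only by the static-asset location below.
proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static:10m inactive=1d;
# WebSocket support: forward "upgrade" only when the client actually asked for it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
upstream forgejo_backend {
    server indri:3000;   # Tailscale MagicDNS name of the homelab host (assumed)
}

server {
    listen 8080;
    server_name git.example.com;
    # Dynamic, authenticated routes: no proxy_cache at all, since any response
    # may be user-specific and a shared cache would hand it to the next visitor.
    location / {
        limit_req zone=perip burst=20 nodelay;
        proxy_pass http://forgejo_backend;
        proxy_http_version 1.1;
        # Forwarded headers the app (and fail2ban reading its logs on indri) needs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_read_timeout 300s;   # long-lived WebSocket and git smart-HTTP transfers
    }

    # Selective caching: only the fingerprinted, session-independent asset path.
    # proxy_set_header is not inherited once a location sets any, so repeat Host.
    location /assets/ {
        proxy_pass http://forgejo_backend;
        proxy_set_header Host $host;
        proxy_cache static;
        proxy_cache_valid 200 1d;
        proxy_ignore_headers Set-Cookie;   # never cache a response that sets a session
        proxy_hide_header   Set-Cookie;
    }
}
```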
eblume force-pushed docs/expose-service-publicly from dd3be25956 to c15d09dc76 2026-02-08 00:37:50 -08:00
eblume merged commit fbedaf2833 into main 2026-02-08 00:38:28 -08:00
Reference
eblume/blumeops!119