Extends the forgejo_actions_secrets role to sync the Fly.io deploy
token from 1Password, enabling CI auto-deploy on push to fly/.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Replace docs.ops.eblu.me with docs.eblu.me across all references
- Add Fly.io proxy reference card and operations how-to
- Move shutoff escalation levels to manage-flyio-proxy how-to
- Update index, Caddy, and docs reference cards with Fly.io context
- Update homepage link in docs ingress annotation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Remove status line, update code examples to reflect lessons learned:
TUN networking (not userspace), iptables, healthz on default_server,
proxy_ssl_server_name, and preauthorized auth key.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Resolves multiple issues found during first deploy:

- Drop --tun=userspace-networking: Fly.io Firecracker VMs support TUN
  natively; userspace mode broke MagicDNS and Tailscale IP routing
- Add preauthorized=True to TailnetKey: required when tailnet has
  device approval enabled, otherwise containers hang on restart
- Move /healthz to default_server: Fly health checks send no Host
  header, so healthz must be on the catch-all server block
- Change region from sea (deprecated) to sjc
- Add iptables/ip6tables for TUN device support
- Add proxy_ssl_server_name for proper TLS SNI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
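
Added example, not taken from the repository: an nginx sketch of the two nginx fixes listed in the commit message above, /healthz on the default_server block and proxy_ssl_server_name for the TLS upstream. The listen port 8080 and the upstream name upstream.example.ts.net are placeholder assumptions.

```nginx
# Catch-all server: nginx routes any request whose Host header is
# missing or matches no server_name to the default_server block.
# Fly health checks send no Host header, so /healthz must live here.
server {
    listen 8080 default_server;        # port is an assumption
    listen [::]:8080 default_server;
    server_name _;

    location = /healthz {
        access_log off;
        default_type text/plain;
        return 200 "ok\n";
    }

    # Anything else without a recognised Host is dropped, so the
    # catch-all exposes only the health endpoint.
    location / {
        return 444;
    }
}

# Named server for the proxied site.
server {
    listen 8080;
    listen [::]:8080;
    server_name docs.eblu.me;

    location / {
        # Placeholder upstream name (assumption), reached over the tailnet.
        proxy_pass https://upstream.example.ts.net;

        # nginx sends no SNI to a TLS upstream by default. With this on,
        # the ClientHello carries the proxy_pass host name, so an upstream
        # that picks its certificate or route by SNI sees the right name.
        proxy_ssl_server_name on;
    }
}
```
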

fly-setup now allocates shared IPv4 + IPv6 (both free for HTTP/HTTPS),
stages secrets with --stage to avoid unnecessary redeployments, and
selects the Pulumi stack explicitly. Updated docs with cost note for
dedicated IPv4.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Re-enabled devpi cache and regenerated lock files against it. Removed
uv.lock from tailscale .gitignore so locks are tracked. Mise tasks now
run uv sync before Pulumi and suggest 'devpi off' if sync fails (e.g.
during a power outage or devpi cache clear).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Prevents "no stack selected" errors when running from a fresh
environment or after stack state is cleared.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Introduces the fly/ directory with nginx + Tailscale container config,
Pulumi changes for Tailscale ACLs and auth key, DNS CNAME for
docs.eblu.me (staged but not yet deployed), mise tasks for
deploy/setup/shutoff, and Forgejo CI workflow for auto-deploy on push.

First target service: docs.eblu.me

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>