Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints #126

Merged
eblume merged 7 commits from restrict-flyio-proxy-acl into main 2026-02-08 21:54:19 -08:00
Showing only changes of commit 716f1f0cfa

Keep Alloy on direct Tailscale Ingress endpoints

Revert the Caddy endpoint change — flyio-proxy ACLs only allow
tag:flyio-target, so Alloy can't reach Caddy on indri (tag:homelab).
The direct Tailscale Ingress endpoints (loki/prometheus.tail8d86e.ts.net)
are tagged tag:flyio-target specifically for this purpose.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-08 21:46:09 -08:00


@ -94,10 +94,12 @@ loki.relabel "instance" {
}
}
// Write logs to Loki via Caddy reverse proxy
// Write logs to Loki via Tailscale Ingress (direct, bypasses Caddy)
// Uses direct Tailscale endpoint because flyio-proxy ACLs only allow
// tag:flyio-target — Caddy on indri (tag:homelab) is not reachable.
loki.write "loki" {
endpoint {
url = "https://loki.ops.eblu.me/loki/api/v1/push"
url = "https://loki.tail8d86e.ts.net/loki/api/v1/push"
}
}
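Review bot: Switching the `loki.write` endpoint from `https://loki.ops.eblu.me/...` to `https://loki.tail8d86e.ts.net/...` drops Caddy from the path, so any access control or request handling Caddy applied to the `ops.eblu.me` hostname no longer covers this push; the hunk shows no replacement such as a `basic_auth` or `tls_config` stanza in the `endpoint` block, so confirm that reachability of the Tailscale Ingress node is gated by the `tag:flyio-target` ACL alone and that this is the intended trust boundary. The two added comment lines repeat the commit message nearly verbatim; a shorter pointer (for example `// Direct Tailscale Ingress: flyio-proxy ACLs only permit tag:flyio-target`) keeps the rationale without duplicating it in every writer block.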
@ -134,9 +136,11 @@ prometheus.relabel "instance" {
}
}
// Push metrics to Prometheus via Caddy reverse proxy
// Push metrics to Prometheus via Tailscale Ingress (direct, bypasses Caddy)
// Uses direct Tailscale endpoint because flyio-proxy ACLs only allow
// tag:flyio-target — Caddy on indri (tag:homelab) is not reachable.
prometheus.remote_write "prometheus" {
endpoint {
url = "https://prometheus.ops.eblu.me/api/v1/write"
url = "https://prometheus.tail8d86e.ts.net/api/v1/write"
}
}
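Review bot: The tailnet hostname suffix `tail8d86e.ts.net` is now hard-coded in both this `prometheus.remote_write` block and the `loki.write` block above, and the explanatory comment is duplicated word for word; consider pulling the suffix (or the two full URLs) into a single documented declaration so a future tailnet rename or re-tagging is a one-line change. As with the Loki endpoint, `prometheus.tail8d86e.ts.net` bypasses Caddy, so the same check applies: the `endpoint` block carries no auth or TLS settings, and the only stated control is the `tag:flyio-target` ACL, which should be verified to be attached to the Prometheus ingress node as well as the Loki one.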