Upstream blocks resolve DNS at config load. If MagicDNS isn't ready yet (Tailscale just connected), nginx gets empty resolution and returns 502. Poll nslookup until resolution works before launching nginx. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
#!/bin/sh
|
|
set -e
|
|
|
|
# Connect to tailnet first — nginx needs MagicDNS for upstream resolution.
|
|
# With bluegreen deploys, the old machine serves traffic until this one is
|
|
# fully ready. Fly.io runs Firecracker microVMs that support TUN devices
|
|
# natively — no need for --tun=userspace-networking.
|
|
tailscaled --statedir=/var/lib/tailscale &
|
|
sleep 2
|
|
tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
|
|
until tailscale status > /dev/null 2>&1; do sleep 1; done
|
|
echo "Tailscale connected"
|
|
|
|
# Wait for MagicDNS to be ready — upstream blocks resolve DNS at config
|
|
# load, so nginx will fail to start if MagicDNS can't resolve yet.
|
|
echo "Waiting for MagicDNS..."
|
|
until nslookup forge.tail8d86e.ts.net 100.100.100.100 > /dev/null 2>&1; do
|
|
sleep 1
|
|
done
|
|
echo "MagicDNS ready"
|
|
|
|
# Ensure fail2ban deny file exists before nginx starts
|
|
touch /etc/nginx/forge-deny.conf
|
|
|
|
# Start nginx — MagicDNS is available, upstreams resolved.
|
|
nginx -g "daemon off;" &
|
|
NGINX_PID=$!
|
|
echo "Nginx started"
|
|
|
|
# Start fail2ban for login brute-force protection.
|
|
# Non-fatal — nginx rate limiting is the primary defense; fail2ban is additive.
|
|
if fail2ban-server -b; then
|
|
echo "fail2ban started"
|
|
else
|
|
echo "WARNING: fail2ban failed to start (nginx rate limiting still active)"
|
|
fi
|
|
|
|
# Start Alloy for observability (logs → Loki, metrics → Prometheus)
|
|
alloy run /etc/alloy/config.alloy \
|
|
--server.http.listen-addr=127.0.0.1:12345 \
|
|
--storage.path=/tmp/alloy-data &
|
|
echo "Alloy started"
|
|
|
|
# Block on nginx — container exits if nginx stops
|
|
wait $NGINX_PID
|
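Review bot: The readiness loop at `until nslookup forge.tail8d86e.ts.net 100.100.100.100 ...` never gives up and does not exercise the resolver nginx will actually use. nginx resolves upstream hostnames through libc at config load, so what matters is that the system resolver (/etc/resolv.conf, which tailscaled rewrites for MagicDNS) can answer, and querying 100.100.100.100 directly does not verify that; `getent hosts forge.tail8d86e.ts.net` follows the same path nginx does (busybox-based images may need getent installed). Without a bound on the loop, a tailnet that never becomes ready leaves the VM polling silently instead of failing the bluegreen deploy, so a retry cap (the 60 below is an illustrative value) with a non-zero exit is preferable. Separately, `--authkey="${TS_AUTHKEY}"` puts the key on the command line where it is visible to `ps` inside the VM; recent tailscale releases accept `--auth-key=file:/path` so the key can be read from a mounted file instead.
```shell
# Poll the libc resolver (the same path nginx uses at config load), bounded.
echo "Waiting for MagicDNS..."
tries=0
until getent hosts forge.tail8d86e.ts.net > /dev/null 2>&1; do
  tries=$((tries + 1))
  if [ "$tries" -ge 60 ]; then
    echo "MagicDNS not ready after ${tries}s; aborting" >&2
    exit 1
  fi
  sleep 1
done
echo "MagicDNS ready"
# … unchanged: fail2ban deny file, nginx, fail2ban, alloy, wait …
```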