Deploy Fly.io Proxy / deploy (push) Successful in 1m28s

Details

Expose Forgejo publicly at forge.eblu.me (#278 )

## Summary

Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.

- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)

## Deployment Order

1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync

## Verification Checklist

- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes

Reviewed-on: #278

2026-03-03 08:40:41 -08:00

2.6 KiB

Raw Permalink Blame History

Tailscale Kubernetes Operator

Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD.

Source

operator.yaml - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
Secret block removed from operator.yaml - managed separately via secret.yaml.tpl
Image reference changed to fully-qualified docker.io/tailscale/k8s-operator:stable

Prerequisites

OAuth client in Tailscale admin console with:
- Devices: Core (Read & Write) - tag: tag:k8s-operator
- Auth Keys: Read & Write
- Services: Write
ACL with tag:k8s-operator owning tag:k8s (so operator can tag resources it creates)

Manual Bootstrap (Before ArgoCD)

Tailscale operator must be deployed before ArgoCD since ArgoCD uses Tailscale for ingress.

# 1. Create namespace
kubectl create namespace tailscale

# 2. Apply OAuth secret (uses 1Password)
op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply -f -

# 3. Apply manifests via kustomize
kubectl apply -k argocd/manifests/tailscale-operator/

Ongoing Management (After ArgoCD)

Once ArgoCD is running, the operator is managed by the tailscale-operator ArgoCD Application. ArgoCD pulls manifests from forge and applies them automatically.

ArgoCD CLI Commands

# Check application status
argocd app get tailscale-operator

# Trigger a sync (pull latest from forge and apply)
argocd app sync tailscale-operator

# Preview what would change without applying
argocd app diff tailscale-operator

# View deployment history
argocd app history tailscale-operator

# Hard refresh (clear cache and re-fetch from git)
argocd app get tailscale-operator --hard-refresh

Verification

# Check operator pod is running
kubectl get pods -n tailscale

# Check operator logs
kubectl logs -n tailscale -l app.kubernetes.io/name=operator

Files

File	Description
`kustomization.yaml`	Kustomize configuration for all manifests
`operator.yaml`	Operator deployment, CRDs, RBAC (secret removed)
`proxyclass.yaml`	ProxyClass with fully-qualified images
`dnsconfig.yaml`	DNSConfig for cluster-to-tailnet name resolution
`secret.yaml.tpl`	1Password template for OAuth credentials (manual)
`README.md`	This file

Notes

TODO: The OAuth secret (operator-oauth) is not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).
Services using the Tailscale LoadBalancer should reference the ProxyClass:
```
annotations:
  tailscale.com/proxy-class: "default"
```

2.6 KiB Raw Permalink Blame History