Deploy Fly.io Proxy / deploy (push) Failing after 9s

Details

Add Fly.io public reverse proxy for docs.eblu.me (#120 )

## Summary

- Adds a Fly.io reverse proxy (`blumeops-proxy`) that tunnels public traffic to homelab services over Tailscale
- First service exposed: `docs.eblu.me` — the Quartz static docs site
- Includes Pulumi IaC for Tailscale auth key/ACLs and Gandi DNS CNAME
- Adds mise tasks (`fly-deploy`, `fly-setup`, `fly-shutoff`) and Forgejo CI workflow

## Key details

- Fly.io Firecracker VMs support TUN devices natively — no userspace networking needed
- Tailscale auth key is `preauthorized=True` to avoid device approval hangs on container restarts
- nginx caches aggressively for the static site; health check is on the default_server block
- ACLs restrict `tag:flyio-proxy` to `tag:k8s` on port 443 only
- DNS CNAME deployed and verified: `docs.eblu.me` → `blumeops-proxy.fly.dev`

## Test plan

- [x] `curl -sf https://blumeops-proxy.fly.dev/healthz` returns `ok`
- [x] `curl -I -H "Host: docs.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 with `X-Cache-Status`
- [x] `curl -I https://docs.eblu.me/` returns 200 with valid Let's Encrypt cert
- [x] `dig forge.ops.eblu.me` still resolves to 100.98.163.89 (private services unaffected)
- [x] Set `FLY_DEPLOY_TOKEN` Forgejo Actions secret for CI auto-deploy

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/120

2026-02-08 02:36:19 -08:00

2.4 KiB

Raw Blame History

title

Reference

Technical specifications, inventories, and configuration details for BlumeOps infrastructure.

Services

Individual service reference cards with URLs and configuration details.

Service	Description	Location
[[alloy	Alloy]]	Observability collector (metrics & logs)
argocd	GitOps continuous delivery	k8s
borgmatic	Backup system	indri
caddy	Reverse proxy & TLS termination	indri
1password	Secrets management	cloud + k8s
forgejo	Git forge & CI/CD	indri
grafana	Dashboards & visualization	k8s
immich	Photo management	k8s
jellyfin	Media server	indri
kiwix	Offline Wikipedia & ZIM archives	k8s
loki	Log aggregation	k8s
miniflux	RSS feed reader	k8s
navidrome	Music streaming	k8s
postgresql	Database cluster	k8s
prometheus	Metrics collection	k8s
teslamate	Tesla data logger	k8s
transmission	BitTorrent daemon	k8s
zot	Container registry	indri
devpi	PyPI caching proxy	k8s
docs	Documentation site (Quartz)	k8s
flyio-proxy	Public reverse proxy (Fly.io + Tailscale)	Fly.io
automounter	SMB share automounter	indri

Infrastructure

Host inventory and network configuration.

hosts - Device inventory
indri - Primary server
gilbert - Development workstation
tailscale - ACLs, groups, tags
gandi - DNS hosting for eblu.me
routing - DNS domains, port mappings

Kubernetes

Cluster configuration and application registry.

cluster - Minikube specs, storage, networking
apps - ArgoCD application registry
tailscale-operator - Tailscale ingress for k8s services
external-secrets - Secrets management

Ansible

Configuration management for indri-hosted services.

roles - Available ansible roles

Storage

Network storage and backup configuration.

sifaka - Synology NAS configuration
postgresql-storage - Database cluster
backups - Backup policy and schedule

Operations

Operational concerns and their components.

observability - Metrics, logs, dashboards
backup - Data protection
disaster-recovery - Recovery procedures (TBD)

2.4 KiB Raw Blame History