Erich Blume
64a78422b1
Some checks failed
Deploy Fly.io Proxy / deploy (push) Failing after 9s
## Summary - Adds a Fly.io reverse proxy (`blumeops-proxy`) that tunnels public traffic to homelab services over Tailscale - First service exposed: `docs.eblu.me` — the Quartz static docs site - Includes Pulumi IaC for Tailscale auth key/ACLs and Gandi DNS CNAME - Adds mise tasks (`fly-deploy`, `fly-setup`, `fly-shutoff`) and Forgejo CI workflow ## Key details - Fly.io Firecracker VMs support TUN devices natively — no userspace networking needed - Tailscale auth key is `preauthorized=True` to avoid device approval hangs on container restarts - nginx caches aggressively for the static site; health check is on the default_server block - ACLs restrict `tag:flyio-proxy` to `tag:k8s` on port 443 only - DNS CNAME deployed and verified: `docs.eblu.me` → `blumeops-proxy.fly.dev` ## Test plan - [x] `curl -sf https://blumeops-proxy.fly.dev/healthz` returns `ok` - [x] `curl -I -H "Host: docs.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 with `X-Cache-Status` - [x] `curl -I https://docs.eblu.me/` returns 200 with valid Let's Encrypt cert - [x] `dig forge.ops.eblu.me` still resolves to 100.98.163.89 (private services unaffected) - [x] Set `FLY_DEPLOY_TOKEN` Forgejo Actions secret for CI auto-deploy 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/120
64 lines
2.2 KiB
Markdown
64 lines
2.2 KiB
Markdown
---
|
|
title: Fly.io Proxy
|
|
tags:
|
|
- service
|
|
- networking
|
|
- fly-io
|
|
---
|
|
|
|
# Fly.io Proxy
|
|
|
|
Public reverse proxy on [Fly.io](https://fly.io) that exposes selected BlumeOps services to the internet via a Tailscale tunnel back to the homelab.
|
|
|
|
## Quick Reference
|
|
|
|
| Property | Value |
|
|
|----------|-------|
|
|
| **App** | `blumeops-proxy` |
|
|
| **Region** | `sjc` (San Jose) |
|
|
| **Fly.io URL** | `blumeops-proxy.fly.dev` |
|
|
| **Config** | `fly/` directory in repo |
|
|
| **IaC** | `fly/fly.toml` (app), Pulumi (DNS + auth key) |
|
|
|
|
## Exposed Services
|
|
|
|
| Public domain | Backend | Service |
|
|
|---------------|---------|---------|
|
|
| `docs.eblu.me` | `docs.tail8d86e.ts.net` | [[docs]] |
|
|
|
|
## Architecture
|
|
|
|
Internet traffic hits Fly.io's Anycast edge, terminates TLS with a Let's Encrypt certificate, and is proxied by nginx to the backend service over a Tailscale WireGuard tunnel. See [[expose-service-publicly]] for the full architecture diagram.
|
|
|
|
## Key Files
|
|
|
|
| File | Purpose |
|
|
|------|---------|
|
|
| `fly/fly.toml` | App configuration |
|
|
| `fly/Dockerfile` | nginx + Tailscale container |
|
|
| `fly/nginx.conf` | Reverse proxy, caching, rate limiting |
|
|
| `fly/start.sh` | Entrypoint: start Tailscale, then nginx |
|
|
| `pulumi/tailscale/__main__.py` | Auth key (`tag:flyio-proxy`) |
|
|
| `pulumi/tailscale/policy.hujson` | ACL grants for proxy |
|
|
| `pulumi/gandi/__main__.py` | DNS CNAMEs |
|
|
|
|
## Networking
|
|
|
|
Fly.io runs Firecracker microVMs which support TUN devices natively. Tailscale runs with a real TUN interface (not userspace networking), so MagicDNS and direct Tailscale IP routing work normally.
|
|
|
|
The Tailscale auth key is `preauthorized=True` to avoid device approval hangs on container restarts.
|
|
|
|
## Secrets
|
|
|
|
| Secret | Source | Description |
|
|
|--------|--------|-------------|
|
|
| `TS_AUTHKEY` | Pulumi state → `fly secrets` | Tailscale auth key for joining tailnet |
|
|
| `FLY_DEPLOY_TOKEN` | Fly.io → 1Password | Deploy token for CI |
|
|
|
|
## Related
|
|
|
|
- [[expose-service-publicly]] - Setup guide for adding new public services
|
|
- [[manage-flyio-proxy]] - Operational tasks (deploy, shutoff, troubleshoot)
|
|
- [[caddy]] - Private reverse proxy for `*.ops.eblu.me` (separate system)
|
|
- [[tailscale]] - WireGuard mesh network
|
|
- [[gandi]] - DNS hosting
|