eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/infrastructure/routing.md
Erich Blume e6cf7e47e0
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m8s
Details
Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126) 
## Summary
- Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy
- Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test
- Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses
- Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress)
- Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly

## Manual step (not in PR)
Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes.

## Deployment order
1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up`
2. **OAuth client** — Manual update in Tailscale admin console
3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus`
4. **Fly.io proxy** — `mise run fly-deploy`
5. **Verify** — `mise run services-check`, check Grafana dashboards

## Test plan
- [ ] `mise run tailnet-preview` shows clean diff
- [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions
- [ ] After deploy: Grafana dashboards show continued log/metric flow
- [ ] `curl -sf https://docs.eblu.me` returns 200
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126
2026-02-08 21:54:18 -08:00

3 KiB
Raw Blame History

title tags
Routing
infrastructure
networking

Service Routing

Services are accessible via three DNS domains with different reachability.

DNS Domains

Domain Proxy Reachable From
*.eblu.me flyio-proxy (Fly.io → Tailscale tunnel) Public internet
*.ops.eblu.me Caddy on indri k8s pods, docker containers, tailnet clients
*.tail8d86e.ts.net Tailscale MagicDNS Tailnet clients only

Use *.ops.eblu.me for services that need pod-to-service communication. Use *.eblu.me for services exposed publicly via Fly.io.

Caddy Services (*.ops.eblu.me)

DNS points to indri's Tailscale IP. TLS via Let's Encrypt (ACME DNS-01 with Gandi).

Service URL Description
Homepage https://go.ops.eblu.me Service dashboard
forgejo https://forge.ops.eblu.me Git hosting (SSH: 2222)
zot https://registry.ops.eblu.me Container registry
grafana https://grafana.ops.eblu.me Dashboards
argocd https://argocd.ops.eblu.me GitOps CD
prometheus https://prometheus.ops.eblu.me Metrics
loki https://loki.ops.eblu.me Logs
miniflux https://feed.ops.eblu.me RSS reader
kiwix https://kiwix.ops.eblu.me Offline Wikipedia
transmission https://torrent.ops.eblu.me BitTorrent
teslamate https://tesla.ops.eblu.me Tesla logger
navidrome https://dj.ops.eblu.me Music streaming
jellyfin https://jellyfin.ops.eblu.me Media server
postgresql pg.ops.eblu.me:5432 Database
[[sifaka Sifaka]] https://nas.ops.eblu.me

Public Services (*.eblu.me)

DNS CNAMEs point to blumeops-proxy.fly.dev. TLS via Fly.io-managed Let's Encrypt. Traffic tunnels back to the homelab over Tailscale. Only services tagged tag:flyio-target are reachable by the proxy — see flyio-proxy for details.

Service URL Description
docs https://docs.eblu.me Documentation site

Tailscale-Only Services

Service URL Description
Kubernetes https://k8s.tail8d86e.ts.net Minikube API

Port Map (Indri)

Port Service Protocol Binding Notes
443 Caddy HTTPS 0.0.0.0 Reverse proxy
2222 Caddy L4 TCP 0.0.0.0 SSH proxy to Forgejo
5432 Caddy L4 TCP 0.0.0.0 PostgreSQL proxy
2200 Forgejo SSH TCP localhost Built-in SSH server
3001 Forgejo HTTP localhost Web UI
5050 Zot HTTP localhost Registry API
8096 Jellyfin HTTP localhost Media server
44491 K8s API HTTPS 0.0.0.0 Minikube API server

Related