fly.io knot deployment notes

the actual issue

fly.io's shared IPv4 does not support raw TCP services like SSH. connections get closed immediately at key exchange.

the fix: allocate a dedicated IPv4 ($2/mo):

fly ips allocate-v4 --yes

then release the shared IP to avoid DNS confusion:

fly ips release <shared-ip>

other learnings

  1. the tngl/knot:latest docker image uses s6-overlay which requires PID 1 - doesn't work on fly.io. bypass with custom entrypoint.

  2. knot server has built-in SSH that binds to FLY_PRIVATE_IP:22. fly's proxy expects 0.0.0.0:22. run your own sshd on 0.0.0.0:22 instead.

  3. fly's hallpass process runs on every machine for fly ssh console. it binds to the fly private IPv6 address on port 22. doesn't conflict with sshd on 0.0.0.0:22.

  4. fly proxy (wireguard tunnel) works even when edge TCP routing doesn't - useful for debugging.

working config

  • sshd listening on 0.0.0.0:22
  • fly.toml: [[services]] with internal_port = 22, external port = 2222
  • dedicated IPv4 allocated
  • ~/.ssh/config entry pointing to dedicated IP until DNS propagates
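
one way to check that an endpoint really speaks SSH, as an added example (not part of the original notes). it assumes the "closed at key exchange" symptom shows up as the peer closing the TCP stream before sending an SSH identification line; `probe_ssh`, `local_listener` and the sample banners are names and data constructed for this example.

```python
import socket
import threading

def probe_ssh(host, port, timeout=5.0):
    """Classify how host:port answers an SSH client's first message."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect-failed"            # nothing listening or routed there
    data = b""
    with sock:
        try:
            # Real clients send their identification line right away (RFC 4253, 4.2).
            sock.sendall(b"SSH-2.0-probe_0.1\r\n")
            while b"\n" not in data and len(data) < 255:   # banner is at most 255 bytes
                chunk = sock.recv(255 - len(data))
                if not chunk:
                    break                  # peer closed the stream
                data += chunk
        except socket.timeout:
            return "timeout"
        except OSError:
            data = b""                     # a reset mid-exchange counts as closed
    if not data:
        return "closed-before-banner"      # assumed form of the shared-IPv4 symptom
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if line.startswith(b"SSH-"):
        return "ssh-banner:" + line.decode("ascii", "replace")
    return "non-ssh-data"

def local_listener(reply):
    """Constructed loopback stand-in: reads the probe's line, sends `reply`, closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(255)                 # drain the probe's line so close is clean
            if reply:
                conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":                 # offline demo against constructed listeners
    print(probe_ssh("127.0.0.1", local_listener(b"")))
    print(probe_ssh("127.0.0.1", local_listener(b"SSH-2.0-OpenSSH_9.6\r\n")))
```

for a real deployment, call `probe_ssh` with the dedicated IPv4 and port 2222; running the same probe through a fly proxy tunnel helps separate an sshd problem from an edge routing problem.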