# fly.io knot deployment notes

## the actual issue

fly.io's **shared IPv4** does not support raw TCP services like SSH. connections get closed immediately at key exchange.

the fix: allocate a **dedicated IPv4** ($2/mo):

```bash
fly ips allocate-v4 --yes
```

then release the shared IP to avoid DNS confusion:

```bash
# the command takes the address to release; placeholder below, see `fly ips list`
fly ips release <shared-ipv4-address>
```

## other learnings

1. the `tngl/knot:latest` docker image uses s6-overlay, which requires PID 1 - doesn't work on fly.io. bypass with a custom entrypoint.
2. knot server has built-in SSH that binds to `FLY_PRIVATE_IP:22`. fly's proxy expects `0.0.0.0:22`. run your own sshd on `0.0.0.0:22` instead.
3. fly's `hallpass` process runs on every machine for `fly ssh console`. it binds to the fly private IPv6 address on port 22. doesn't conflict with sshd on `0.0.0.0:22`.
4. `fly proxy` (wireguard tunnel) works even when edge TCP routing doesn't - useful for debugging.

## working config

- sshd listening on `0.0.0.0:22`
- fly.toml: `[[services]]` with `internal_port = 22`, external `port = 2222`
- dedicated IPv4 allocated
- `~/.ssh/config` entry pointing to dedicated IP until DNS propagates
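
a pre-deploy check for the fly.toml part of the working config, as an added example (not from the original notes or from fly/knot tooling). `check_raw_tcp_service` is a hypothetical helper and the sample fly.toml is constructed; the requirement that the port carries no `handlers` (such as `"tls"` or `"http"`) and that `protocol = "tcp"` is set explicitly are assumptions of this check, not something the notes state.

```shell
# usage: check_raw_tcp_service FLY_TOML INTERNAL_PORT EXTERNAL_PORT
# Returns 0 if a [[services]] block forwards EXTERNAL_PORT to INTERNAL_PORT as
# plain TCP: protocol = "tcp" set explicitly and no handlers on that port.
# Single-line keys and arrays only; this is not a full TOML parser.
check_raw_tcp_service() {
  awk -v want_int="$2" -v want_ext="$3" '
    function end_port() {
      if (t == "p" && port == want_ext && handlers == "") ext_ok = 1
    }
    function end_service() {
      end_port()
      if (in_svc && int_port == want_int && proto == "tcp" && ext_ok) found = 1
      in_svc = 0; t = ""
    }
    { sub(/#.*/, ""); gsub(/[ \t"]/, "") }   # drop comments, blanks, quotes
    $0 == "" { next }
    $0 == "[[services]]" {
      end_service(); in_svc = 1; t = "s"; int_port = proto = ""; ext_ok = 0; next
    }
    in_svc && $0 == "[[services.ports]]" {
      end_port(); t = "p"; port = handlers = ""; next
    }
    /^\[/ {   # any other table: sub-tables stay in the service, the rest end it
      if ($0 ~ /^\[+services\./) { end_port(); t = "" } else end_service()
      next
    }
    { split($0, kv, "=") }
    t == "s" && kv[1] == "internal_port" { int_port = kv[2] }
    t == "s" && kv[1] == "protocol"      { proto = kv[2] }
    t == "p" && kv[1] == "port"          { port = kv[2] }
    t == "p" && kv[1] == "handlers"      { handlers = kv[2]; gsub(/\[|\]/, "", handlers) }
    END { end_service(); exit(found ? 0 : 1) }
  ' "$1"
}

# Constructed sample fly.toml matching the working config in the notes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
app = "example-knot"   # constructed app name
[[services]]
  internal_port = 22
  protocol = "tcp"
  [[services.ports]]
    port = 2222
EOF
check_raw_tcp_service "$sample" 22 2222 && echo "ok: 2222 -> 22 is raw TCP" || echo "fail: no raw TCP service"
rm -f "$sample"
```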