mesh: add lime (DO backend node, 10.9.0.5); remove dead strawberry phone

The DigitalOcean backend droplet (was bare ssh alias lilith-store-backend, 209.38.51.98) joins wg1 at 10.9.0.5 as a first-class cloud-class member — runs quinn.api INTERNAL, the MCP gateways, DO Managed PG access, and private workers (general backend node, not MCP-only). The .5 slot was held by strawberry (Quinn's iPhone), which never worked reliably and is now off the mesh; re-enrollable later via wg-phone-add. public=null so host-apply renders the wg path (private node, no public app ports; reached via ProxyJump yuzu). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 09:51:43 -04:00 · 2026-06-28 09:51:43 -04:00 · 7c345ceba5
commit 7c345ceba5
parent 6e6512abf6
1 changed files with 11 additions and 10 deletions
--- a/data/mesh-hosts.json
+++ b/data/mesh-hosts.json
@ -1,5 +1,5 @@
 {
-  "_purpose": "Single source of truth for the wg1 mesh + LAN: the four hosts, their addresses on each path, the MAC + L7 identity probe the smart-lan-router daemon uses, and the DNS records apricot's dnsmasq serves. Everything that needs a host address derives from here — never hardcode mesh IPs, MACs, or identity URLs elsewhere.",
+  "_purpose": "Single source of truth for the wg1 mesh + LAN: the four hosts, their addresses on each path, MAC-based DHCP discovery, L7 health probes for `net doctor`, and the DNS records apricot's dnsmasq serves. Everything that needs a host address derives from here — never hardcode mesh IPs, MACs, or identity URLs elsewhere.",
  "_schema": {
    "hosts[].name": "Canonical name = fruit family encodes machine class (gpu=stone fruit, cpu=pome, cloud=citrus, laptop=vegetable, phone=berry).",
    "fleet.enforce_hostname": "true => every agent converges its node's OS hostname to its canonical name (scutil on darwin, hostnamectl on linux). The FLEET renames hosts — never run hostnamectl by hand.",
@ -8,10 +8,10 @@
    "hosts[].class": "gpu | cpu | cloud | laptop.",
    "hosts[].wg/lan/public": "wg = mesh IP (10.9.0.0/24); lan = home LAN IP (10.0.0.0/24, null if roaming/no LAN leg); public = internet IP (null if none).",
    "hosts[].mac": "LAN interface MAC — the stable key the daemon uses to DISCOVER the host's current DHCP IP via ARP (name-sync). null = not discoverable.",
-    "hosts[].identity": "L7 identity probe so the daemon never routes to a stranger at the same RFC1918 IP. {url ('{ip}' substituted), markers (all must appear)}. null = not a routing target.",
+    "hosts[].identity": "L7 health probe for `net doctor` only (url with '{ip}' substituted, markers all required). null = skip service check. Routing uses subnet /24 + gateway-MAC fingerprint, not per-host identity.",
    "services": "{host: [fqdn, ...]} — service vhost names that live ON a host and must resolve to that host's CURRENT LAN IP. Rendered by mesh-hosts-render with the discovered overlay, so they track DHCP drift. Add names here, never hand-edit /etc/hosts.",
    "naming": "'<host>.wg' = mesh IP (explicit tunnel path); '<host>.lan' + BARE '<host>' = current LAN IP (direct at home; via tunnel when away, since the daemon routes the LAN /24 through wg then). Hosts without a LAN IP get bare name → wg IP. ('.local' is retired — platform uses .com, infra .lan.)",
-    "daemon_targets": "smart-lan-router.py routes hosts where lan AND identity are both set, excluding the host it runs on."
+    "routing": "smart-lan-router.py (laptop role) routes the entire LAN /24 direct when HOME (gateway MAC match) or via wg when AWAY. No per-host /32 pins."
  },
  "_consumers": ["bin/wg-dns-sync", "bin/mesh-hosts-render", "smart-lan-router/smart-lan-router.py"],
  "fleet": {
@ -74,17 +74,18 @@
      "identity": null
    },
    {
-      "name": "strawberry",
-      "aliases": ["phone-quinn"],
-      "class": "phone",
-      "role": "Quinn's iPhone — wg mesh client via WireGuard app (DNS=10.9.0.2); no agent, no sshd",
-      "os": "ios",
-      "ssh_user": null,
+      "name": "lime",
+      "aliases": ["lilith-store-backend"],
+      "class": "cloud",
+      "role": "DigitalOcean backend node (nyc3, public IP 209.38.51.98 reached via ProxyJump yuzu / wg — no public app ports) — quinn.api INTERNAL (:3030), MCP gateways (:3910-3914), DO Managed PG (VPC), LISTEN/NOTIFY + private workers. Joins wg1 via phase-b-mesh-join.sh. IaC: uvlava/terraform/do.",
+      "os": "linux",
+      "ssh_user": "root",
+      "ssh_identity": "~/.ssh/id_ed25519_1984",
      "wg": "10.9.0.5",
      "lan": null,
      "public": null,
      "mac": null,
-      "identity": null
+      "identity": { "url": "http://{ip}:3030/healthz", "markers": ["ok"] }
    },
    {
      "name": "yuzu",