diff --git a/data/mesh-hosts.json b/data/mesh-hosts.json
index c31f8c1..b00ac78 100644
--- a/data/mesh-hosts.json
+++ b/data/mesh-hosts.json
@@ -1,5 +1,5 @@
 {
- "_purpose": "Single source of truth for the wg1 mesh + LAN: the four hosts, their addresses on each path, the MAC + L7 identity probe the smart-lan-router daemon uses, and the DNS records apricot's dnsmasq serves. Everything that needs a host address derives from here — never hardcode mesh IPs, MACs, or identity URLs elsewhere.",
+ "_purpose": "Single source of truth for the wg1 mesh + LAN: the four hosts, their addresses on each path, MAC-based DHCP discovery, L7 health probes for `net doctor`, and the DNS records apricot's dnsmasq serves. Everything that needs a host address derives from here — never hardcode mesh IPs, MACs, or identity URLs elsewhere.",
 "_schema": {
 "hosts[].name": "Canonical name = fruit family encodes machine class (gpu=stone fruit, cpu=pome, cloud=citrus, laptop=vegetable, phone=berry).",
 "fleet.enforce_hostname": "true => every agent converges its node's OS hostname to its canonical name (scutil on darwin, hostnamectl on linux). The FLEET renames hosts — never run hostnamectl by hand.",
@@ -8,10 +8,10 @@
 "hosts[].class": "gpu | cpu | cloud | laptop.",
 "hosts[].wg/lan/public": "wg = mesh IP (10.9.0.0/24); lan = home LAN IP (10.0.0.0/24, null if roaming/no LAN leg); public = internet IP (null if none).",
 "hosts[].mac": "LAN interface MAC — the stable key the daemon uses to DISCOVER the host's current DHCP IP via ARP (name-sync). null = not discoverable.",
- "hosts[].identity": "L7 identity probe so the daemon never routes to a stranger at the same RFC1918 IP. {url ('{ip}' substituted), markers (all must appear)}. null = not a routing target.",
+ "hosts[].identity": "L7 health probe for `net doctor` only (url with '{ip}' substituted, markers all required). null = skip service check. Routing uses subnet /24 + gateway-MAC fingerprint, not per-host identity.",
 "services": "{host: [fqdn, ...]} — service vhost names that live ON a host and must resolve to that host's CURRENT LAN IP. Rendered by mesh-hosts-render with the discovered overlay, so they track DHCP drift. Add names here, never hand-edit /etc/hosts.",
 "naming": "'.wg' = mesh IP (explicit tunnel path); '.lan' + BARE '' = current LAN IP (direct at home; via tunnel when away, since the daemon routes the LAN /24 through wg then). Hosts without a LAN IP get bare name → wg IP. ('.local' is retired — platform uses .com, infra .lan.)",
- "daemon_targets": "smart-lan-router.py routes hosts where lan AND identity are both set, excluding the host it runs on."
+ "routing": "smart-lan-router.py (laptop role) routes the entire LAN /24 direct when HOME (gateway MAC match) or via wg when AWAY. No per-host /32 pins."
 },
 "_consumers": ["bin/wg-dns-sync", "bin/mesh-hosts-render", "smart-lan-router/smart-lan-router.py"],
 "fleet": {
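Review bot: The new `routing` entry makes a gateway-MAC match the only signal that decides HOME, and therefore whether the whole LAN /24 is sent outside the wg tunnel, while the removed `hosts[].identity` text that explained the probe existed so the daemon "never routes to a stranger at the same RFC1918 IP" gets no replacement statement of what now covers that case. A gateway MAC is an unauthenticated, observable value, so the schema should say plainly that it is a location hint rather than a network authentication, and what the daemon does when the gateway MAC is unreadable or unmatched (presumably it stays AWAY and keeps the tunnel — confirm against smart-lan-router.py). Suggested sentence appended to `routing`: `Gateway MAC is a location hint, not authentication: a network presenting the home gateway MAC is treated as HOME and LAN traffic bypasses wg there; unreadable/unmatched gateway => <document the fallback>.` The `_schema` object continues outside this hunk.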
@@ -74,17 +74,18 @@
 "identity": null
 },
 {
- "name": "strawberry",
- "aliases": ["phone-quinn"],
- "class": "phone",
- "role": "Quinn's iPhone — wg mesh client via WireGuard app (DNS=10.9.0.2); no agent, no sshd",
- "os": "ios",
- "ssh_user": null,
+ "name": "lime",
+ "aliases": ["lilith-store-backend"],
+ "class": "cloud",
+ "role": "DigitalOcean backend node (nyc3, public IP 209.38.51.98 reached via ProxyJump yuzu / wg — no public app ports) — quinn.api INTERNAL (:3030), MCP gateways (:3910-3914), DO Managed PG (VPC), LISTEN/NOTIFY + private workers. Joins wg1 via phase-b-mesh-join.sh. IaC: uvlava/terraform/do.",
+ "os": "linux",
+ "ssh_user": "root",
+ "ssh_identity": "~/.ssh/id_ed25519_1984",
 "wg": "10.9.0.5",
 "lan": null,
 "public": null,
 "mac": null,
- "identity": null
+ "identity": { "url": "http://{ip}:3030/healthz", "markers": ["ok"] }
 },
 {
 "name": "yuzu",
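Review bot: The lime entry carries the node's internet address only inside the free-text `role` ("public IP 209.38.51.98") while the structured `public` field is `null`, which contradicts the `_schema` rule `public = internet IP (null if none)` and leaves consumers that read `public` unaware the host is internet-reachable; either set `"public": "209.38.51.98"` or remove the literal from `role` so there is one place for the value. `ssh_identity` is a new per-host key that no visible `_schema` line describes, and its value is a user-home path (`~/.ssh/id_ed25519_1984`) whose meaning depends on which account each consumer runs as — a `hosts[].ssh_identity` schema entry should state who expands the tilde and that the key material itself never lives in this file. The `identity` probe is set on a host whose `lan` is `null`, and the updated schema does not say which address `{ip}` takes in that case (presumably `wg`, i.e. 10.9.0.5 — confirm in `net doctor`), so that rule is worth adding to `hosts[].identity`. The `hosts` array continues outside this hunk.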