From 9ae26e3772d5e4183edf73c8e7d01468d1cd08c8 Mon Sep 17 00:00:00 2001
From: Natalie
Date: Tue, 30 Jun 2026 12:17:36 -0400
Subject: [PATCH] data(mesh): add ct.prod host entry (hardened public prod / DMZ)

ct.prod (com.uvlava.ct.prod), nyc3 store-vpc spoke, wg 10.9.0.10: the hardened public Prospector app + Caddy edge host (apps.ftw.pw, 80/443 -> 127.0.0.1:3210, /internal 403'd). DB + people/macsync over VPC/mesh; lime stays internal. wg_pubkey + public IP are post-boot/post-apply placeholders. IaC: uvlava/terraform/do/ct_prod.tf.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 data/mesh-hosts.json | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/data/mesh-hosts.json b/data/mesh-hosts.json
index 0b77c97..0928acc 100644
--- a/data/mesh-hosts.json
+++ b/data/mesh-hosts.json
@@ -195,6 +195,29 @@
 "public": "134.199.243.61",
 "mac": null,
 "identity": null
+ },
+ {
+ "name": "ct.prod",
+ "aliases": [
+ "com.uvlava.ct.prod"
+ ],
+ "class": "cloud",
+ "role": "DigitalOcean hardened PUBLIC prod host (nyc3, store vpc) for the Prospector app + Caddy edge (the DMZ). The ONLY ct host with public app ports: Caddy terminates 80/443 for apps.ftw.pw and reverse-proxies the same-origin NestJS app on 127.0.0.1:3210 (/prospector/* + static console); /internal/* is 403'd at the edge. DB (DO Managed PG) + mesh deps (people/mac-sync/mr-number) reached privately over the store VPC + wg1; lime stays internal. wg leg 10.9.0.10. Reserved public IP set after terraform apply (A record apps.ftw.pw at the ftw.pw registrar). Joins wg1 via phase-b-mesh-join.sh (nyc3 hub = citron). IaC: uvlava/terraform/do/ct_prod.tf.",
+ "os": "linux",
+ "ssh_user": "root",
+ "ssh_identity": "~/.ssh/id_ed25519_1984",
+ "segment": "nyc3",
+ "wg_pubkey": "__SET_AFTER_BOOT__",
+ "wg": "10.9.0.10",
+ "lan": null,
+ "public": "__SET_AFTER_APPLY__",
+ "mac": null,
+ "identity": {
+ "url": "http://{ip}:3210/",
+ "markers": [
+ "ok"
+ ]
+ }
 }
 ],
 "services": {
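Review bot: The `identity.url` of `http://{ip}:3210/` contradicts the entry's own `role` text, which says the NestJS app binds 127.0.0.1:3210 and only Caddy's 80/443 are reachable, so a probe that substitutes the wg (10.9.0.10) or public address for `{ip}` presumably cannot connect and the host will never be identified. If the probe is meant to run on-host over loopback, say so in `role`; otherwise point it at the edge listener and use a marker more distinctive than `"ok"`, which any unrelated service on that port could match. Separately, `wg_pubkey` and `public` carry string sentinels (`"__SET_AFTER_BOOT__"`, `"__SET_AFTER_APPLY__"`) where the sibling entry in the context lines uses `null` for unknown values; a consumer such as the wg join script that copies `wg_pubkey` into a peer config would emit an invalid key instead of skipping the peer, so `null` (with the commit message's placeholder intent kept in `role`) or an explicit consumer-side rejection of the sentinel is safer. `ssh_user` being `root` on the one host that exposes public ports is also worth checking against the convention of the other entries, which lie outside this hunk.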