Commit graph

11 commits

Author SHA1 Message Date
Natalie
9ae26e3772 data(mesh): add ct.prod host entry (hardened public prod / DMZ)
ct.prod (com.uvlava.ct.prod), nyc3 store-vpc spoke, wg 10.9.0.10: the hardened
public Prospector app + Caddy edge host (apps.ftw.pw, 80/443 -> 127.0.0.1:3210,
/internal 403'd). DB + people/macsync over VPC/mesh; lime stays internal.
wg_pubkey + public IP are post-boot/post-apply placeholders. IaC:
uvlava/terraform/do/ct_prod.tf.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 12:17:36 -04:00
Natalie
4ed56dee8c net-tools: register redroid as the 4th nyc3 spoke
redroid (10.9.0.6) recovered (power-cycle) + bootstrapped; wg_pubkey added,
segment=nyc3. Verified live: handshake with citron, ping hub + artifacts spoke
(via hub forwarding) 0% loss. nyc3 segment now citron(hub)+lime+artifacts+redroid.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 23:54:44 -04:00
Natalie
9bd6483f33 net-tools: keygen before self-detection; register artifacts as nyc3 spoke
- wg-render: handle --keygen/--pubkey before self-detection. They are host-local
  and must run BEFORE a host is in mesh-hosts.json (bootstrap order: keygen ->
  paste pubkey -> apply); previously they aborted for an unregistered host.
- Register artifacts (com.uvlava.quinn.artifacts) as nyc3 spoke, wg 10.9.0.8.

Verified live: artifacts<->citron handshake, artifacts->lime spoke-to-spoke via
hub forwarding (0% loss). nyc3 segment = citron(hub) + lime + artifacts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 22:23:53 -04:00
Natalie
53a79d3494 net-tools: fix wg-render apply (set -e abort + dash syncconf), nyc3 endpoint
Two bugs found bringing the nyc3 segment live (citron hub + lime spoke):
- Hub render ended in `[ -n "$miss" ] && echo`, which returns 1 when no spokes
  are unkeyed; under `set -e` that silently aborted `render_conf > tmp` on the
  apply path (spokes were fine — they end in printf). Use an if-block.
- `wg syncconf <(wg-quick strip)` used bash process substitution but the script
  runs under /bin/sh (dash) — replaced with a POSIX temp file.

Also: nyc3 endpoint -> citron's bound public IP (104.248.9.88), not the reserved
IP (143.244.223.5) — DO routes the reserved IP in but WG replies from the
primary, so the reserved IP can't be a WG endpoint without anchor source-routing.

Verified live: lime<->citron handshake, ping 10.9.0.7 0% loss, citron dnsmasq
resolving *.wg on 10.9.0.7.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 21:50:52 -04:00
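The `set -e` abort and the dash `syncconf` fix described in the commit above, as an added example that is not the repository's own wg-render code: the two renderers, the interface address and the spoke names are constructed, and `cat` stands in for `wg syncconf`.

```shell
#!/bin/sh
# Constructed demo of the two wg-render apply bugs; not the repo's own code.
# Portable: runs under dash (/bin/sh) as well as bash.
set -e

# BUGGY hub render: the last command is an AND list. With no unkeyed spokes,
# `[ -n "$miss" ]` fails, the list's status (1) becomes the function's exit
# status, and `render_buggy > tmp` in a caller running under set -e aborts.
render_buggy() {
    miss=$1
    printf '[Interface]\nAddress = 10.9.0.1/24\n'   # made-up address
    [ -n "$miss" ] && echo "# WARNING unkeyed spokes: $miss"
}

# FIXED: an if-block whose condition is false (and has no else) exits 0.
render_fixed() {
    miss=$1
    printf '[Interface]\nAddress = 10.9.0.1/24\n'
    if [ -n "$miss" ]; then
        echo "# WARNING unkeyed spokes: $miss"
    fi
}

# Exit status of renderer $1 for unkeyed-spoke list $2 (output discarded).
# An if-condition is a context where set -e is ignored, so this never aborts.
render_status() {
    if "$1" "$2" > /dev/null; then echo 0; else echo $?; fi
}

# POSIX replacement for `wg syncconf wg1 <(wg-quick strip wg1)`: process
# substitution is a syntax error under dash, so stage the config in a temp
# file instead. `cat` stands in for `wg syncconf wg1 "$tmp"`.
apply_posix() {
    tmp=$(mktemp) || return 1
    "$1" "$2" > "$tmp"      # with render_buggy and no unkeyed spokes: aborts here
    cat "$tmp"
    rm -f "$tmp"
}

main() {
    echo "buggy render, no unkeyed spokes: exit $(render_status render_buggy '')"      # 1
    echo "fixed render, no unkeyed spokes: exit $(render_status render_fixed '')"      # 0
    echo "buggy render, spoke unkeyed:     exit $(render_status render_buggy redroid)" # 0
    apply_posix render_fixed ''
}
main
```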
Natalie
de1f7f2dec net-tools: multi-segment WireGuard hub model + bin/wg-render
Adds the missing reconciler piece: render each host's /etc/wireguard/wg1.conf
from data/mesh-hosts.json (WG config was previously hand-built).

- mesh.segments maps <segment> -> {hub, endpoint, dns_host, dns_listen}; hosts
  carry `segment` + `wg_pubkey` (public key only). iceland(yuzu) and nyc3(citron)
  are independent stars. Legacy single-hub (mesh.hub) still works as fallback.
- bin/wg-render: --keygen/--pubkey bootstrap, --dry-run/--whoami inspect,
  --apply installs + `wg syncconf` (idempotent, rollback). Hub gets a [Peer] per
  spoke + ip_forward/MASQUERADE; spoke gets one [Peer] = its hub. WG_RENDER_SELF
  override for tests/ops.
- bin/wg-dns-sync: segment-aware listen — a segment's dns_host binds its own
  dns_listen (citron serves nyc3 on 10.9.0.7; apricot unchanged on 10.9.0.2).
- Registers citron (com.uvlava.quinn.infra, nyc3 hub) + nyc3 keys for lime;
  carries the com.uvlava.ct.* DO-name aliases. Tests cover hub/spoke/dns.

(data/mesh-hosts.json also carries pre-existing working-tree normalization:
 literal em-dash -> — escapes and expanded alias arrays.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 21:38:25 -04:00
Natalie
ec3d75ab2a hosts: add 'redroid' (cloud DO) with alias for previous bad 'lilith-store-redroid' name
Canonical entry for the Android redroid host used by mrnumber/whatsapp screening automation (and future CT mrnumbers execution). Public IP, firewalled. ssh via the 1984 key from plum.
2026-06-28 10:53:58 -04:00
Natalie
c3d788e20a feat(dx): add dx.hide_homelan to hide homelan config while DO-only
- data/mesh-hosts.json: "dx": {"hide_homelan": true} (with note). Data for apricot/pear/fennel/lan/services fully preserved for recovery.
- bin/mesh-hosts-render + bin/host-apply: respect the flag — filter to .class=="cloud" hosts only (yuzu, lime), emit dx mode note in headers, services filtered too.
- When true: generated /etc/hosts mesh-block and ~/.ssh/config net-tools fleet block only contain DO/cloud (homelan names like apricot.lan, bare fennel etc. hidden). dx-forges (ctforge/mcforge) unaffected at bottom.
- `net sync` (and direct renderers) now produce clean DO-only configs.
- README updated. To recover: set false + net sync.

Fulfills "hide the homelan config... now only use DO... may try to recover homelan so dont delete it".
2026-06-28 10:50:51 -04:00
Natalie
7c345ceba5 mesh: add lime (DO backend node, 10.9.0.5); remove dead strawberry phone
The DigitalOcean backend droplet (was bare ssh alias lilith-store-backend,
209.38.51.98) joins wg1 at 10.9.0.5 as a first-class cloud-class member —
runs quinn.api INTERNAL, the MCP gateways, DO Managed PG access, and private
workers (general backend node, not MCP-only). The .5 slot was held by
strawberry (Quinn's iPhone), which never worked reliably and is now off the
mesh; re-enrollable later via wg-phone-add. public=null so host-apply renders
the wg path (private node, no public app ports; reached via ProxyJump yuzu).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 09:51:43 -04:00
Natalie
68c848dc56 feat(@tools/net-tools): add tray icon system
Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
2026-06-10 02:20:23 -07:00
Natalie
b8d41a9509 feat(@tools/net-tools): add dynamic lan host ip discovery
Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
2026-06-09 19:59:24 -07:00
Natalie
03e47fc4df feat(@tools/net-tools): add mesh/lan tooling with host renderers
Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
2026-06-09 19:53:08 -07:00