uvlava/README.md

# uvlava

**uvlava.com — the shared infranet.** The infrastructure layer beneath both
product lines, replacing the dead homelan hosts `black` + `apricot` (died
2026-06-27). Not a product; the substrate the products run on.

- **lilith (v2)** — `~/Code/@projects/@lilith/lilith-platform.live`
- **cocotte (v4)** — `~/Code/@projects/@cocottetech`

Both consume uvlava; neither owns it. Infra config lives here so it isn't
buried in a product repo.

## Topology

```
   PUBLIC INTERNET ─► serve tier (NOT uvlava): 1984.is / vps-0 (Iceland)
                       nginx · SPAs · edge cache · mail · adult content
                                     │ private (WireGuard mesh)
   uvlava ───────────► store/infra tier: DigitalOcean (ct:prod, nyc3)
                       Forgejo · Verdaccio · Managed PG · Spaces · workers
```

uvlava is **store/infra only** — it never serves adult content to the public
(provider-AUP + the serve tier stays on content-tolerant 1984.is).

## What's live

| Service | Host | Endpoint |
|---|---|---|
| Forgejo (git canonical) | ct-forge droplet | `https://forge.ct.uvlava.com` (live, Caddy + LE) |
| Verdaccio (`@lilith/*` npm) | same droplet | `https://npm.ct.uvlava.com` |

DO account `ct` / project `ct:prod` / region `nyc3`. `uvlava.com` is registered
(joker.com) and **delegated to DigitalOcean** — joker.com publishes
`ns1/ns2/ns3.digitalocean.com` at the `.com` registry (verified 2026-06-30).
DNS resolves publicly and Caddy auto-provisions Let's Encrypt certs per
hostname: `forge.ct.uvlava.com` serves `HTTP/2 200` with a valid LE cert
(`CN=forge.ct.uvlava.com`). Only hostnames explicitly in the zone resolve —
there is **no wildcard**, so each new subdomain needs its own A record.

## Layout

- `terraform/do/` — DO store tier IaC (Managed PG + Spaces + backend droplet +
  WG peer + optional GPU). `init`/`validate`/`plan` verified against the live
  account (13 resources, no GPU); **not yet applied**. See
  [`terraform/do/README.md`](terraform/do/README.md) for the apply guide.

## Secrets

None in-tree. All under `~/.vault/` (`0600`): `do-pat-ct.token`,
`forge-admin-quinn.*`. `.gitignore` blocks `*.tfstate` / `*.tfvars`.
infra(uvlava): seed shared infranet repo with DO store-tier IaC Dedicated home for uvlava.com infra (forge, registry, DB, mesh) serving lilith v2 + cocotte v4. Terraform init/validate/plan verified against live DO (13 resources). Migrated out of the v2 product tree per the v2/v4 boundary. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-27 09:43:44 -04:00			`# uvlava`

			`uvlava.com — the shared infranet. The infrastructure layer beneath both`
			product lines, replacing the dead homelan hosts `black` + `apricot` (died
			`2026-06-27). Not a product; the substrate the products run on.`

			- lilith (v2) — `~/Code/@projects/@lilith/lilith-platform.live`
			- cocotte (v4) — `~/Code/@projects/@cocottetech`

			`Both consume uvlava; neither owns it. Infra config lives here so it isn't`
			`buried in a product repo.`

			`## Topology`

			```
			`PUBLIC INTERNET ─► serve tier (NOT uvlava): 1984.is / vps-0 (Iceland)`
			`nginx · SPAs · edge cache · mail · adult content`
			`│ private (WireGuard mesh)`
			`uvlava ───────────► store/infra tier: DigitalOcean (ct:prod, nyc3)`
			`Forgejo · Verdaccio · Managed PG · Spaces · workers`
			```

			`uvlava is store/infra only — it never serves adult content to the public`
			`(provider-AUP + the serve tier stays on content-tolerant 1984.is).`

			`## What's live`

docs: mark uvlava.com DO delegation live (forge.ct serving HTTPS) joker.com now publishes ns1/ns2/ns3.digitalocean.com at the .com registry (verified 2026-06-30). DNS resolves publicly; forge.ct.uvlava.com serves HTTP/2 200 with a valid Let's Encrypt cert via Caddy. Update README "What's live" and the dns.tf delegation header to reflect the live state (was "registered but not yet pointed" / "INERT until delegated"). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-30 01:15:41 -04:00			`\| Service \| Host \| Endpoint \|`
infra(uvlava): seed shared infranet repo with DO store-tier IaC Dedicated home for uvlava.com infra (forge, registry, DB, mesh) serving lilith v2 + cocotte v4. Terraform init/validate/plan verified against live DO (13 resources). Migrated out of the v2 product tree per the v2/v4 boundary. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-27 09:43:44 -04:00			`\|---\|---\|---\|`
docs: mark uvlava.com DO delegation live (forge.ct serving HTTPS) joker.com now publishes ns1/ns2/ns3.digitalocean.com at the .com registry (verified 2026-06-30). DNS resolves publicly; forge.ct.uvlava.com serves HTTP/2 200 with a valid Let's Encrypt cert via Caddy. Update README "What's live" and the dns.tf delegation header to reflect the live state (was "registered but not yet pointed" / "INERT until delegated"). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-30 01:15:41 -04:00			\| Forgejo (git canonical) \| ct-forge droplet \| `https://forge.ct.uvlava.com` (live, Caddy + LE) \|
			\| Verdaccio (`@lilith/*` npm) \| same droplet \| `https://npm.ct.uvlava.com` \|
infra(uvlava): seed shared infranet repo with DO store-tier IaC Dedicated home for uvlava.com infra (forge, registry, DB, mesh) serving lilith v2 + cocotte v4. Terraform init/validate/plan verified against live DO (13 resources). Migrated out of the v2 product tree per the v2/v4 boundary. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-27 09:43:44 -04:00
			DO account `ct` / project `ct:prod` / region `nyc3`. `uvlava.com` is registered
docs: mark uvlava.com DO delegation live (forge.ct serving HTTPS) joker.com now publishes ns1/ns2/ns3.digitalocean.com at the .com registry (verified 2026-06-30). DNS resolves publicly; forge.ct.uvlava.com serves HTTP/2 200 with a valid Let's Encrypt cert via Caddy. Update README "What's live" and the dns.tf delegation header to reflect the live state (was "registered but not yet pointed" / "INERT until delegated"). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-30 01:15:41 -04:00			`(joker.com) and delegated to DigitalOcean — joker.com publishes`
			`ns1/ns2/ns3.digitalocean.com` at the `.com` registry (verified 2026-06-30).
			`DNS resolves publicly and Caddy auto-provisions Let's Encrypt certs per`
			hostname: `forge.ct.uvlava.com` serves `HTTP/2 200` with a valid LE cert
			(`CN=forge.ct.uvlava.com`). Only hostnames explicitly in the zone resolve —
			`there is no wildcard, so each new subdomain needs its own A record.`
infra(uvlava): seed shared infranet repo with DO store-tier IaC Dedicated home for uvlava.com infra (forge, registry, DB, mesh) serving lilith v2 + cocotte v4. Terraform init/validate/plan verified against live DO (13 resources). Migrated out of the v2 product tree per the v2/v4 boundary. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-27 09:43:44 -04:00
			`## Layout`

			- `terraform/do/` — DO store tier IaC (Managed PG + Spaces + backend droplet +
			WG peer + optional GPU). `init`/`validate`/`plan` verified against the live
			`account (13 resources, no GPU); not yet applied. See`
			[`terraform/do/README.md`](terraform/do/README.md) for the apply guide.

			`## Secrets`

			None in-tree. All under `~/.vault/` (`0600`): `do-pat-ct.token`,
			`forge-admin-quinn.`. `.gitignore` blocks `.tfstate` / `*.tfvars`.