docs(infra): update README, outputs for new pypi/swift services on ct-forge DO droplet

- Document pypi.ct, swift.ct in ct_infra_hosts output. - Update README table and follow-ups for the new publish registries (verdaccio, pypi via pypiserver, swift via forgejo) on the forge droplet. - All under TF IaC (cloud-init compose, dns, firewall).
2026-06-28 17:46:07 -04:00 · 2026-06-28 17:46:07 -04:00 · a379326caa
commit a379326caa
parent 1a2603c113
2 changed files with 44 additions and 13 deletions
--- a/terraform/do/README.md
+++ b/terraform/do/README.md
@ -16,18 +16,32 @@ and [`../../../docs/EDGE_ISLAND_MODE.md`](../../../docs/EDGE_ISLAND_MODE.md).
 - **Region:** `nyc3` (operator NYC-local). GDPR residency caveat for EU-subject
  PII is open — see the plan.

-## Live now (provisioned 2026-06-27, NOT yet under Terraform state)
+## Live now (ct-forge / cocotte-forge droplet — now under Terraform)

-`lilith-forge` was stood up directly via the DO API to immediately replace the
-two dead `forge.black.lan` services. It can be `terraform import`ed later.
+The `cocotte-forge` droplet (aliased lilith-forge) that hosts Forgejo (the new git `origin`) + Verdaccio (the private `@lilith/*` npm registry, required for publishing updated versions of things like `@lilith/mac-sync-client` with phone/call support) is now a managed `digitalocean_droplet.forge` resource.
+
+DNS (forge.ct.uvlava.com, npm.ct.uvlava.com, apex) is driven from its IPv4 address.
+
+If the droplet already exists from the out-of-band provisioning, import it (and optionally the matching cloud firewall):
+
+```sh
+terraform import digitalocean_droplet.forge <id-from-do-console-or-state>  # e.g. 580675125
+# Optional: terraform import digitalocean_firewall.forge lilith-forge-fw
+```
+
+After import + apply, the DNS records (forge.ct, npm.ct, apex) will be driven from the resource IP, and the firewall resource will manage the rules. The existing cloud fw (if not imported) may need manual cleanup or rename to avoid conflicts.
+
+(See the "Live now" table in the previous version of this README for the id 580675125 and current IP if you need to cross-reference before import.)

 | Thing | Value |
 |---|---|
-| Droplet | `lilith-forge` id `580675125`, `s-1vcpu-2gb`, nyc3, ubuntu-24.04 ($12/mo) |
-| Public IP (reserved) | `134.199.243.61` |
-| Forgejo (git, new `origin`) | `http://134.199.243.61:3000` · git-ssh on `:2222` |
-| Verdaccio (`@lilith/*` npm) | `http://134.199.243.61:4873` |
-| Cloud firewall | `lilith-forge-fw` — inbound 22/2222/3000/4873 from **plum + vps-0 only** |
+| Droplet (TF resource) | `cocotte-forge` (`digitalocean_droplet.forge`), s-1vcpu-2gb, nyc3 |
+| Public IP | `digitalocean_droplet.forge.ipv4_address` (was 134.199.243.61) |
+| Forgejo (git, new `origin`) | http://<ip>:3000 (or forge.ct.uvlava.com once Caddy) · git-ssh :2222 |
+| Verdaccio (`@lilith/*` npm) | http://<ip>:4873 (or https://npm.ct.uvlava.com once TLS) |
+| PyPI (Python packages, new service) | http://<ip>:8080 (or https://pypi.ct.uvlava.com once TLS) — pypiserver |
+| Swift (Swift packages via Forgejo registry, new) | https://forge.ct.uvlava.com/api/packages/<owner>/swift (or https://swift.ct.uvlava.com once TLS) |
+| Cloud firewall | `digitalocean_firewall.forge` (lilith-forge-fw) — inbound 22/2222/3000/4873/8080/8081 from admin_ips + vps-0/plum |
 | Forgejo admin | user `quinn` — password at `~/.vault/forge-admin-quinn.password` |
 | Forgejo API token | `~/.vault/forge-admin-quinn.api-token` |
 | Repo | `quinn/lilith-platform.live` (private) |
@ -37,13 +51,16 @@ Git remote on plum: `forge` →
 `GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ed25519_1984"`).

 Cloud-init that builds this box: [`cloud-init/forge.yaml`](cloud-init/forge.yaml)
-(keep it pure-ASCII — em-dashes break cloud-init's early YAML parse).
+(keep it pure-ASCII — em-dashes break cloud-init's early YAML parse). The
+droplet resource now uses it directly.

 ### Follow-ups for the forge box
- TLS (Caddy) in front of Forgejo/Verdaccio; then move git to HTTPS or keep SSH.
- Join it to the wg1 mesh and drop the public 3000/4873 exposure.
- Repoint repo `origin` + the 9 `forge.black.lan` registry refs + `@lilith`
-  `.npmrc` to this Verdaccio (Phase 3 of the plan).
+- TLS (Caddy) in front of Forgejo/Verdaccio/PyPI (see the yaml comment); then move git to HTTPS or keep SSH. swift.ct proxies to Forgejo.
+- Join it to the wg1 mesh (update cloud-init or post-provision) and drop the public 3000/4873/8080 exposure (use the backend mesh + firewall).
+- Repoint repo `origin` + registry refs + `@lilith` `.npmrc` / PyPI config to the ct-forge services (Verdaccio for npm, pypiserver for PyPI, Forgejo for Swift). Update consumers and publish flows (from ct-forge CI runners on DO).
+- Bring the `lilith-forge-fw` under TF as `digitalocean_firewall.forge` (inbound rules for 22/2222/3000/4873/8080/8081 from admin IPs + vps-0 + plum).
+- (Optional) make the forge droplet join the same VPC as backend for private paths.
+- Add `forge:setup-registries` or post-up hook in cocottetech scripts if needed for service bootstrap (compose now includes them via TF cloud-init).

 ## Terraform (store tier — written, NOT yet applied)

@ -77,6 +94,8 @@ terraform plan
 behind an access request. `gpu_enabled=false` until granted (hybrid inference
 12b/12c). Serverless inference (12a) is unaffected.

+**Forge/Verdaccio/PyPI/Swift (ct-forge) transition (2026-06-28):** The cocotte-forge droplet (now `digitalocean_droplet.forge` in this TF) hosts Forgejo + Verdaccio + pypiserver (new PyPI service) + Swift registry support (via Forgejo packages) live at the bare IP. uvlava.com DNS (forge.ct.uvlava.com, npm.ct.uvlava.com, pypi.ct.uvlava.com, swift.ct.uvlava.com) + A records are in dns.tf (and the forge droplet + firewall resources added), but the domains are NOT LIVE YET (registrar joker.com NS delegation for uvlava.com to DO nameservers is pending). Old forge.black.lan / npm.black.lan are dead. Use the IP for git pushes, publishing to the new services (Verdaccio 4873 for npm @lilith/*, pypiserver 8080 for PyPI, Forgejo API for Swift), until delegation + Caddy/LE TLS is live on the ct domains (see cloud-init/forge.yaml which now includes pypiserver and updated Caddy). Update scripts/.npmrc/pypirc etc once live. The push scripts and platform infra handle the current IP. New services on the forge droplet for publishing packages (no more black).
+
 ## Secrets

 None live in this tree. All under `~/.vault/` (0600). `.gitignore` blocks
--- a/terraform/do/outputs.tf
+++ b/terraform/do/outputs.tf
@ -52,6 +52,16 @@ output "gpu_droplet_ip" {
  value       = var.gpu_enabled ? digitalocean_droplet.gpu[0].ipv4_address_private : null
 }

+output "forge_public_ip" {
+  description = "Public IP of the cocotte-forge / ct-forge droplet (Forgejo + Verdaccio host)."
+  value       = digitalocean_droplet.forge.ipv4_address
+}
+
+output "forge_private_ip" {
+  description = "Private (VPC) IP of the forge droplet if it joins a VPC in future."
+  value       = digitalocean_droplet.forge.ipv4_address_private
+}
+
 ###############################################################################
 # uvlava.com infranet DNS (dns.tf)
 ###############################################################################
@ -66,6 +76,8 @@ output "ct_infra_hosts" {
  value = {
    forge   = "forge.ct.uvlava.com"
    npm     = "npm.ct.uvlava.com"
+    pypi    = "pypi.ct.uvlava.com"
+    swift   = "swift.ct.uvlava.com"
    backend = "backend.ct.uvlava.com"
    db      = "db.ct.uvlava.com"
    apex    = "uvlava.com"