The always-on region-mobile surface is publicly "sales" (the node is still the
Prospector PWA internally). DNS host becomes sales.ct.uvlava.com; the joker.com
CNAME is sales.transquinnftw.com -> sales.ct.uvlava.com. Updated terraform
record, env grant, client examples, README, and tests (8 pass).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reusable dyndns client for always-on, region-mobile nodes (the Prospector PWA
on lime): install-client.sh drops dyndns-update.sh + a systemd oneshot/timer
that self-reports the node public IP to dns.ct.uvlava.com on boot and every
5 min, so prospector.ct.uvlava.com tracks the node across region moves while
the node stays up. Token + host in /etc/dyndns-updater (0600).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
dns.ct.uvlava.com — Bun+Hono service backed by the DO DNS API that lets
region-mobile nodes repoint their own A record on relocation:
- live.ct.uvlava.com (per-show broadcast relay, ephemeral)
- prospector.ct.uvlava.com (always-on Prospector PWA, follows operator)
Token -> hostname allowlist auth (a node can only update its own record;
cannot touch forge.ct/npm.ct). dyndns2 /nic/update (Bearer or Basic) +
/healthz. Runs behind the ct-forge Caddy on a shared "edge" network.
- terraform: dns.ct A -> forge; live.ct/prospector.ct seeded with
ignore_changes=[value] (service owns the value at runtime)
- forge cloud-init: edge network + dns.ct vhost (declarative)
- deploy.sh: rsync/build/start + idempotent live Caddy vhost wiring
- 8 smoke tests pass (auth, allowlist, IP validation, good/nochg, basic-auth)
The transquinnftw.com pretty-names become static CNAMEs onto these at
joker.com (one-time, manual) so only the DO-controlled zone ever moves.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
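The token -> hostname allowlist, IP validation and good/nochg behaviour described in this commit, as an added example that is not the dns.ct.uvlava.com service's own code: the decision logic of a dyndns2-style /nic/update handler written framework-free, so a Hono route would only parse the request and call handleUpdate(). Tokens, hostnames and addresses are constructed placeholders; the in-memory allowlist and records map stand in for the token store and the DO DNS API.

```typescript
type Allowlist = Map<string, Set<string>>; // token -> hostnames it may update
type Records = Map<string, string>;        // hostname -> current A value
interface UpdateResult { status: number; body: string }

// Constructed placeholder tokens and hostnames, not real credentials.
const allowlist: Allowlist = new Map([
  ["TOKEN-LIVE-EXAMPLE", new Set(["live.ct.example.com"])],
  ["TOKEN-PROSPECTOR-EXAMPLE", new Set(["prospector.ct.example.com"])],
]);

// Accept "Bearer <token>" or "Basic base64(user:token)"; the username is
// ignored because the token alone identifies the node.
function tokenFromAuth(header: string | undefined): string | null {
  if (!header) return null;
  const space = header.indexOf(" ");
  if (space < 0) return null;
  const scheme = header.slice(0, space);
  const value = header.slice(space + 1).trim();
  if (scheme === "Bearer") return value || null;
  if (scheme !== "Basic") return null;
  try {
    const decoded = atob(value);
    const colon = decoded.indexOf(":");
    return colon >= 0 && colon + 1 < decoded.length ? decoded.slice(colon + 1) : null;
  } catch {
    return null; // malformed base64
  }
}

// Strict dotted-quad IPv4 (four octets 0-255, no leading zeros) so values
// like "1.2.3" or "10.0.0.01" never reach the DNS API.
function isValidIPv4(ip: string): boolean {
  const parts = ip.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// dyndns2 replies used: badauth, nohost, good <ip>, nochg <ip>; 400 "badip" is a local choice.
function handleUpdate(auth: string | undefined, hostname: string,
                      myip: string, records: Records): UpdateResult {
  const token = tokenFromAuth(auth);
  const allowed = token === null ? undefined : allowlist.get(token);
  if (!allowed) return { status: 401, body: "badauth" };
  // A token valid for live.ct cannot repoint forge.ct or npm.ct.
  if (!allowed.has(hostname)) return { status: 403, body: "nohost" };
  if (!isValidIPv4(myip)) return { status: 400, body: "badip" };
  if (records.get(hostname) === myip) return { status: 200, body: `nochg ${myip}` };
  records.set(hostname, myip); // the real service would call the DO DNS API here
  return { status: 200, body: `good ${myip}` };
}
```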
Per-service DBs move to each service's own project infra declaration, not the
catch-all uvlava store cluster module (uvlava itself may be superseded by
per-project infra). Cluster + quinn/quinn_admin unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Declares the two standalone-service logical DBs on the managed PG cluster
(own-DB-per-service) plus dedicated roles for credential separation, with
sensitive password outputs the backend droplet's service .envs consume.
terraform validate + fmt clean. Apply with the usual TF_VAR_do_token.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Document pypi.ct, swift.ct in ct_infra_hosts output.
- Update README table and follow-ups for the new publish registries (verdaccio, pypi via pypiserver, swift via forgejo) on the forge droplet.
- All under TF IaC (cloud-init compose, dns, firewall).
- Updated cloud-init/forge.yaml compose to include pypiserver (pypi :8080), swift via forgejo package registry.
- Updated Caddyfile for pypi.ct, swift.ct.
- Added DNS records in dns.tf for pypi.ct, swift.ct.
- Updated firewall in droplet.tf for 8080/8081.
- Ports in comments updated.
- Verdaccio already present; now full set: verdaccio (npm), pypi, swift on the forge droplet.
- Matches 'publish packages to new services in the forge droplet for verdaccio, pypi, and swift'.
- No more black; ct-forge on DO.
- Droplet: 'redroid'
- Firewall: 'redroid-fw'
- Volume: 'redroid-data'
- Container inside: 'redroid'
- Updated top comments, usage, volume mount refs.
- Note in IaC about previous bad name during store-vpc addition.
- This redroid is the shared execution backend for screening tools (mrnumber primarily); will be orchestrated by CT app post-subsumption of LP mrnumbers.
Account-namespaced infranet DNS, DO-managed:
- uvlava.com zone + forge.ct / npm.ct / backend.ct / db.ct / apex records
- forge.ct + npm.ct -> cocotte-forge (134.199.243.61); become HTTPS endpoints
once Caddy/LE is up, replacing the interim bare-IP plaintext npm registry
- outputs: uvlava_nameservers (for joker.com NS delegation) + ct_infra_hosts
Inert until uvlava.com NS is delegated to DO at the registrar.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dedicated home for uvlava.com infra (forge, registry, DB, mesh) serving
lilith v2 + cocotte v4. Terraform init/validate/plan verified against live DO
(13 resources). Migrated out of the v2 product tree per the v2/v4 boundary.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>