The backend droplet rebuild wiped the manually-deployed macsync server because backend.yaml only installed pgbouncer. Install the macsync RUNTIME at boot (unzip, redis, bun -> /root/.bun, caddy) + open ufw 80/443, so a rebuilt droplet is ready for a one-command `macsync/deploy/deploy-server.sh`. RUNTIME ONLY — no secrets, no app code (secrets are metadata-readable in user-data, so they are pushed over SSH by the deploy script; the gpu.sh credential finding applied). Note: backend.yaml is shared with the gpu droplet template (droplet.tf), so a gpu rebuild also gets these idle packages — harmless. The DO cloud firewall (network.tf) must also allow 80/443 for the edge to be reachable post-rebuild. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Repository contents:

- .project
- services/dns-updater
- terraform/do
- .gitignore
- README.md
- run
# uvlava
uvlava.com — the shared infranet. The infrastructure layer beneath both
product lines, replacing the dead homelan hosts black + apricot (died
2026-06-27). Not a product; the substrate the products run on.
- lilith (v2) — ~/Code/@projects/@lilith/lilith-platform.live
- cocotte (v4) — ~/Code/@projects/@cocottetech
Both consume uvlava; neither owns it. Infra config lives here so it isn't buried in a product repo.
## Topology

```text
PUBLIC INTERNET ─► serve tier (NOT uvlava): 1984.is / vps-0 (Iceland)
                   nginx · SPAs · edge cache · mail · adult content
                       │ private (WireGuard mesh)
uvlava ───────────► store/infra tier: DigitalOcean (ct:prod, nyc3)
                   Forgejo · Verdaccio · Managed PG · Spaces · workers
```

uvlava is store/infra only — it never serves adult content to the public (provider-AUP + the serve tier stays on content-tolerant 1984.is).
## What's live

| Service | Host | Endpoint |
|---|---|---|
| Forgejo (git canonical) | ct-forge droplet | https://forge.ct.uvlava.com (live, Caddy + LE) |
| Verdaccio (@lilith/* npm) | same droplet | https://npm.ct.uvlava.com |
DO account ct / project ct:prod / region nyc3. uvlava.com is registered
(joker.com) and delegated to DigitalOcean — joker.com publishes
ns1/ns2/ns3.digitalocean.com at the .com registry (verified 2026-06-30).
DNS resolves publicly and Caddy auto-provisions Let's Encrypt certs per
hostname: forge.ct.uvlava.com serves HTTP/2 200 with a valid LE cert
(CN=forge.ct.uvlava.com). Only hostnames explicitly in the zone resolve —
there is no wildcard, so each new subdomain needs its own A record.
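Because the zone has no wildcard, a hostname added to Caddy without a matching A record will fail Let's Encrypt issuance on the next reload. The following pre-deploy check is an added example, not a script from the uvlava repo: it lists the site hostnames in a Caddyfile and reports any that have no A record in a zone listing. The Caddyfile, the zone export format (`name type value`, `@` for the apex), the `edge.ct.uvlava.com` hostname and the 203.0.113.x addresses are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the uvlava repo): find Caddy site hostnames
# that the uvlava.com zone does not resolve, since there is no wildcard.
set -eu

# Constructed sample Caddyfile. Site blocks open with "hostname {" at column 0;
# edge.ct.uvlava.com is a made-up host with no A record yet.
SAMPLE_CADDYFILE="forge.ct.uvlava.com {
    reverse_proxy localhost:3000
}
npm.ct.uvlava.com {
    reverse_proxy localhost:4873
}
edge.ct.uvlava.com {
    reverse_proxy localhost:8080
}"

# Constructed sample zone listing, "name type value" with "@" for the apex.
# The exact export format of your DNS tooling is an assumption here.
SAMPLE_ZONE="@ NS ns1.digitalocean.com.
@ NS ns2.digitalocean.com.
@ NS ns3.digitalocean.com.
forge.ct A 203.0.113.10
npm.ct A 203.0.113.10"

# caddy_hosts: read a Caddyfile on stdin, print one site hostname per line.
# Only the first address of a multi-host site line ("a.com, b.com {") is taken.
caddy_hosts() {
    awk '/^[^ \t].*\{[ \t]*$/ { sub(/[ \t]*\{[ \t]*$/, ""); print $1 }'
}

# zone_a_names APEX: read a zone listing on stdin, print the FQDN of every
# A record, expanding "@" and relative names against APEX.
zone_a_names() {
    apex="$1"
    awk -v apex="$apex" '$2 == "A" { if ($1 == "@") print apex; else print $1 "." apex }'
}

# missing_a_records APEX ZONE_LISTING: read a Caddyfile on stdin and print
# every site hostname that has no A record in ZONE_LISTING.
missing_a_records() {
    apex="$1"
    zone_listing="$2"
    caddy_hosts | while IFS= read -r host; do
        if ! printf '%s\n' "$zone_listing" | zone_a_names "$apex" | grep -qxF -- "$host"; then
            printf '%s\n' "$host"
        fi
    done
}

# Demo run over the constructed inputs: prints edge.ct.uvlava.com.
printf '%s\n' "$SAMPLE_CADDYFILE" | missing_a_records uvlava.com "$SAMPLE_ZONE"
```

In practice you would feed the real Caddyfile on stdin and the zone listing from whatever exports the DigitalOcean zone; any hostname the check prints needs its A record before Caddy is reloaded with the new site.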
## Layout

- `terraform/do/` — DO store tier IaC (Managed PG + Spaces + backend droplet + WG peer + optional GPU). `init`/`validate`/`plan` verified against the live account (13 resources, no GPU); not yet applied. See `terraform/do/README.md` for the apply guide.
## Secrets
None in-tree. All under ~/.vault/ (0600): do-pat-ct.token,
forge-admin-quinn.*. .gitignore blocks *.tfstate / *.tfvars.
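The rules above and the commit message at the top of the page amount to three checks worth running before `terraform apply`: vault files are 0600, `.gitignore` still blocks state and tfvars, and the rendered user-data is runtime-only, since droplet metadata is readable from inside the instance and anything secret has to go over SSH instead. The script below is an added example, not part of the uvlava repo; the fixture files, the `dop_v1_…` placeholder token and the package list in the sample user-data are constructed for the demo, and the credential pattern is a heuristic, not a complete secret scanner.

```shell
#!/bin/sh
# Added example (not part of the uvlava repo): pre-apply checks for the
# secrets rules in this README and the "RUNTIME ONLY" user-data rule.
set -eu

# vault_perms_ok DIR: every regular file in DIR has mode 0600.
vault_perms_ok() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD/macOS stat as the fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        [ "$mode" = "600" ] || return 1
    done
    return 0
}

# gitignore_covers FILE PATTERN...: every PATTERN is present as a whole line.
gitignore_covers() {
    file="$1"
    shift
    for pat in "$@"; do
        grep -qxF -- "$pat" "$file" || return 1
    done
    return 0
}

# userdata_clean FILE: succeeds only if nothing in FILE looks like a
# credential assignment or a private key. User-data is metadata-readable,
# so a hit here means the value must be pushed over SSH by the deploy script.
userdata_clean() {
    ! grep -Eiq '(password|secret|token|api[_-]?key|private[_-]?key)[[:space:]]*[:=]|BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY' "$1"
}

# preflight ROOT: run all three checks against ROOT/vault, ROOT/.gitignore
# and ROOT/user-data.ok, print one line per check, return non-zero on any failure.
preflight() {
    root="$1"
    rc=0
    vault_perms_ok "$root/vault" && echo "ok   vault files are 0600" || { echo "FAIL vault perms"; rc=1; }
    gitignore_covers "$root/.gitignore" '*.tfstate' '*.tfvars' && echo "ok   .gitignore blocks state/tfvars" || { echo "FAIL .gitignore"; rc=1; }
    userdata_clean "$root/user-data.ok" && echo "ok   user-data carries no secrets" || { echo "FAIL secret-looking content in user-data"; rc=1; }
    return $rc
}

# Constructed fixture in a temp dir so the demo runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/vault"
printf 'dop_v1_placeholder_not_a_real_token\n' > "$demo_dir/vault/do-pat-ct.token"
chmod 600 "$demo_dir/vault/do-pat-ct.token"
printf '*.tfstate\n*.tfvars\n' > "$demo_dir/.gitignore"
# Runtime-only user-data in the spirit of the commit: packages and firewall
# ports, no credentials. Package names are assumptions for the demo.
printf '#!/bin/bash\napt-get install -y unzip redis-server caddy\nufw allow 80,443/tcp\n' > "$demo_dir/user-data.ok"
# A user-data that would leak a credential through instance metadata.
printf '#!/bin/bash\nexport DO_TOKEN=dop_v1_leaked_placeholder\n' > "$demo_dir/user-data.bad"

preflight "$demo_dir"
```

Point `preflight` at the real tree (with `~/.vault` in place of `ROOT/vault` and the rendered cloud-init script in place of `user-data.ok`) and wire it in front of `terraform apply`; a non-zero exit stops the apply.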