uvlava/README.md

# uvlava

**uvlava.com — the shared infranet.** The infrastructure layer beneath both
product lines, replacing the dead homelan hosts `black` + `apricot` (died
2026-06-27). Not a product; the substrate the products run on.

- **lilith (v2)** — `~/Code/@projects/@lilith/lilith-platform.live`
- **cocotte (v4)** — `~/Code/@projects/@cocottetech`

Both consume uvlava; neither owns it. Infra config lives here so it isn't
buried in a product repo.

## Topology

```
   PUBLIC INTERNET ─► serve tier (NOT uvlava): 1984.is / vps-0 (Iceland)
                       nginx · SPAs · edge cache · mail · adult content
                                     │ private (WireGuard mesh)
   uvlava ───────────► store/infra tier: DigitalOcean (ct:prod, nyc3)
                       Forgejo · Verdaccio · Managed PG · Spaces · workers
```

uvlava is **store/infra only** — it never serves adult content to the public
(provider-AUP + the serve tier stays on content-tolerant 1984.is).

## What's live

| Service | Host | Endpoint (bare for now; named later) |
|---|---|---|
| Forgejo (git canonical) | `lilith-forge` droplet | `134.199.243.61:3000` → `forge.uvlava.com` (planned) |
| Verdaccio (`@lilith/*` npm) | same droplet | `134.199.243.61:4873` → `npm.uvlava.com` (planned) |

DO account `ct` / project `ct:prod` / region `nyc3`. `uvlava.com` is registered
(joker.com) but not yet pointed — DNS + TLS deferred until the store tier lands.

## Layout

- `terraform/do/` — DO store tier IaC (Managed PG + Spaces + backend droplet +
  WG peer + optional GPU). `init`/`validate`/`plan` verified against the live
  account (13 resources, no GPU); **not yet applied**. See
  [`terraform/do/README.md`](terraform/do/README.md) for the apply guide.

## Secrets

None in-tree. All under `~/.vault/` (`0600`): `do-pat-ct.token`,
`forge-admin-quinn.*`. `.gitignore` blocks `*.tfstate` / `*.tfvars`.