data(mesh): add ct.prod host entry (hardened public prod / DMZ)

ct.prod (com.uvlava.ct.prod), nyc3 store-vpc spoke, wg 10.9.0.10: the hardened public Prospector app + Caddy edge host (apps.ftw.pw, 80/443 -> 127.0.0.1:3210, /internal 403'd). DB + people/macsync over VPC/mesh; lime stays internal. wg_pubkey + public IP are post-boot/post-apply placeholders. IaC: uvlava/terraform/do/ct_prod.tf. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 12:17:36 -04:00 · 2026-06-30 12:17:36 -04:00 · 9ae26e3772
commit 9ae26e3772
parent 4ed56dee8c
1 changed files with 23 additions and 0 deletions
--- a/data/mesh-hosts.json
+++ b/data/mesh-hosts.json
@ -195,6 +195,29 @@
      "public": "134.199.243.61",
      "mac": null,
      "identity": null
+    },
+    {
+      "name": "ct.prod",
+      "aliases": [
+        "com.uvlava.ct.prod"
+      ],
+      "class": "cloud",
+      "role": "DigitalOcean hardened PUBLIC prod host (nyc3, store vpc) for the Prospector app + Caddy edge (the DMZ). The ONLY ct host with public app ports: Caddy terminates 80/443 for apps.ftw.pw and reverse-proxies the same-origin NestJS app on 127.0.0.1:3210 (/prospector/* + static console); /internal/* is 403'd at the edge. DB (DO Managed PG) + mesh deps (people/mac-sync/mr-number) reached privately over the store VPC + wg1; lime stays internal. wg leg 10.9.0.10. Reserved public IP set after terraform apply (A record apps.ftw.pw at the ftw.pw registrar). Joins wg1 via phase-b-mesh-join.sh (nyc3 hub = citron). IaC: uvlava/terraform/do/ct_prod.tf.",
+      "os": "linux",
+      "ssh_user": "root",
+      "ssh_identity": "~/.ssh/id_ed25519_1984",
+      "segment": "nyc3",
+      "wg_pubkey": "__SET_AFTER_BOOT__",
+      "wg": "10.9.0.10",
+      "lan": null,
+      "public": "__SET_AFTER_APPLY__",
+      "mac": null,
+      "identity": {
+        "url": "http://{ip}:3210/",
+        "markers": [
+          "ok"
+        ]
+      }
    }
  ],
  "services": {