From 9fbff79df4dc4e97750f426097441fc643ebcc5e Mon Sep 17 00:00:00 2001
From: Egutierrez
Date: Sun, 7 Jun 2026 18:56:28 +0200
Subject: [PATCH] chore(deploy): fill cluster nodes.env with the real 3-node topology

Set magnus's public IP (135.125.201.30) and switch ROUTE_NETWORK to "public": the three nodes have no WireGuard mesh (homer/datardos do not even have wg installed), so server-to-server routes go over the public IPs, still protected by the separate cluster route CA (mutual TLS). KV_REPLICAS is raised to 3 now that the cluster runs at R3.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 deploy/cluster/nodes.env | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/deploy/cluster/nodes.env b/deploy/cluster/nodes.env
index 4cdb8e0..3a0886d 100644
--- a/deploy/cluster/nodes.env
+++ b/deploy/cluster/nodes.env
@@ -2,10 +2,10 @@
 #
 # This file is SOURCED by generate-cluster-certs.sh and deploy-cluster.sh.
 #
-# HUMAN: fill in every with the real value before running the
+# HUMAN: fill in every placeholder with the real value before running the
 # scripts. The public IPs known at authoring time are pre-filled; the WireGuard
 # mesh IPs and magnus's public IP must be supplied. The scripts refuse to run
-# while any remains.
+# while any unfilled placeholder remains.
 
 # Cluster identity (must be identical on every node).
 CLUSTER_NAME="unibus"
@@ -16,7 +16,7 @@ CLUSTER_USER="unibus-cluster"
 # KV/nonce replication factor. START AT 1 for the initial 1->3 rollout, then raise
 # to 3 IN PLACE (see README "Scale to R3") once all three nodes have joined. Only
 # set this to 3 here after the third node is up and you re-run the KV update.
-KV_REPLICAS=1
+KV_REPLICAS=3
 
 # Ports (same on every node; the route port is server-to-server only).
 NATS_CLIENT_PORT=4250
@@ -30,15 +30,28 @@ SSH_USER="root"
 # Which address family the inter-node routes use. "wg" builds --routes from the
 # WireGuard mesh IPs (private server-to-server links, preferred); "public" uses
 # the public IPs. The route layer is always mutual-TLS regardless.
-ROUTE_NETWORK="wg"
+#
+# DEPLOY DECISION (2026-06-07): set to "public". No WireGuard mesh exists between
+# the three cluster nodes — homer and datardos do not even have the `wg` binary
+# installed, and om's only WG peers are the operator's personal PCs, not the VPS.
+# Rather than stand up a fresh mesh blindly, the routes go over the public IPs,
+# still protected by the separate cluster route CA (mutual-TLS). On magnus (the
+# only node with ufw active) the route port 6250 is restricted to the homer and
+# datardos public IPs; homer/datardos run ufw inactive (Docker hosts) and rely on
+# the route mutual-TLS for 6250.
+ROUTE_NETWORK="public"
 
 # One row per node: NAME SSH_HOST PUBLIC_IP WG_IP
 # NAME -> --server-name and the per-node cert filenames (unique).
-# SSH_HOST -> the `ssh ` alias (see ~/.ssh/config).
+# SSH_HOST -> the `ssh ALIAS` alias (see ~/.ssh/config).
 # PUBLIC_IP -> public address; goes in the cert SANs (client-facing data plane).
 # WG_IP -> WireGuard mesh address; cert SAN + route target when ROUTE_NETWORK=wg.
+# NOTE: with ROUTE_NETWORK=public and no WireGuard mesh, the WG_IP column is set to
+# each node's public IP so the cert SAN covers the address actually used by the
+# public routes and no unfilled placeholder remains (scripts refuse to run otherwise).
+# magnus == organic-machine.com == om (135.125.201.30); SSH alias `magnus` enters as root.
 CLUSTER_NODES=(
- "magnus magnus "
- "homer homer 141.94.69.66 "
- "datardos dd 51.91.100.142 "
+ "magnus magnus 135.125.201.30 135.125.201.30"
+ "homer homer 141.94.69.66 141.94.69.66"
+ "datardos dd 51.91.100.142 51.91.100.142"
 )
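Review bot: Setting `KV_REPLICAS=3` in the same commit that first fills magnus's placeholder contradicts the three comment lines directly above it, which say the value starts at 1 for the initial 1->3 rollout and is raised only after the third node has joined, while the first hunk says the scripts refuse to run while any placeholder is unfilled. If the cluster reached R3 by some path other than these scripts, the staged-rollout comment is now stale; if it did not, the next run of `deploy-cluster.sh` against this file would be a first-time deploy at R3, which the comment warns against. Either keep `KV_REPLICAS=1` until the join is confirmed, or replace the staged-rollout instruction with a line such as `# R3 has been live since 2026-06-07; the 1->3 staging no longer applies to this file.` so the file and the commit message agree.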
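Review bot: The `WG_IP` column now holds each node's public IP while the description line `# WG_IP -> WireGuard mesh address; cert SAN + route target when ROUTE_NETWORK=wg.` is left as is, so an operator who later flips `ROUTE_NETWORK` back to `"wg"` gets routes that silently stay on the public addresses with no mesh behind them. Amend that line to record the overload, e.g. `# WG_IP -> WireGuard mesh address once a mesh exists; TODAY it duplicates PUBLIC_IP (no mesh) — replace before ROUTE_NETWORK=wg is ever used.`, and update the first hunk's `# mesh IPs and magnus's public IP must be supplied` sentence, which is stale for the same reason. The DEPLOY DECISION block also records that homer and datardos accept route port 6250 from anywhere with host firewalling inactive and mutual TLS as the only control; that is defensible as an interim posture only if the route TLS block on every node requires and verifies a client certificate issued by the route CA, which this file cannot show, so a one-line pointer to where that is enforced would let a reader check it. Consider wording the `ufw inactive (Docker hosts)` sentence as a known gap to be closed (Docker-compatible filtering on 6250 for the two peer IPs) rather than a settled design choice.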