net-tools: keygen before self-detection; register artifacts as nyc3 spoke

- wg-render: handle --keygen/--pubkey before self-detection. They are host-local and must run BEFORE a host is in mesh-hosts.json (bootstrap order: keygen -> paste pubkey -> apply); previously they aborted for an unregistered host. - Register artifacts (com.uvlava.quinn.artifacts) as nyc3 spoke, wg 10.9.0.8. Verified live: artifacts<->citron handshake, artifacts->lime spoke-to-spoke via hub forwarding (0% loss). nyc3 segment = citron(hub) + lime + artifacts. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 22:23:53 -04:00 · 2026-06-29 22:23:53 -04:00 · 9bd6483f33
commit 9bd6483f33
parent 46e25d3e77
2 changed files with 25 additions and 3 deletions
--- a/bin/wg-render
+++ b/bin/wg-render
@ -91,6 +91,13 @@ need_root() {
    echo "wg-render: need root to $1 (run with sudo)" >&2; exit 2
 }

+# --keygen/--pubkey are host-local (generate/print this box's key) and must work
+# BEFORE the host is registered in mesh-hosts.json — that's the bootstrap order
+# (keygen -> paste pubkey into mesh-hosts -> apply). So handle them before the
+# self-detection below, which would otherwise fail for an unregistered host.
+if [ "$mode" = "keygen" ]; then ensure_key; pubkey_of_self; exit 0; fi
+if [ "$mode" = "pubkey" ]; then pubkey_of_self; exit 0; fi
+
 # --- identify self (name/alias or any local IPv4 incl. wg) ---------------------
 short=$(hostname 2>/dev/null | cut -d. -f1); [ -n "$short" ] || short=$(uname -n | cut -d. -f1)
 if command -v ip >/dev/null 2>&1; then
@ -135,9 +142,6 @@ if [ "$mode" = "whoami" ]; then
        "$self" "${self_seg:-<legacy>}" "$role" "$seg_hub" "${seg_ep:-?}"
    exit 0
 fi
-if [ "$mode" = "keygen" ]; then ensure_key; pubkey_of_self; exit 0; fi
-if [ "$mode" = "pubkey" ]; then pubkey_of_self; exit 0; fi
-
 # --- render wg1.conf -----------------------------------------------------------
 # The private key is substituted from $KEY_FILE at install time, not embedded in
 # dry-run output (which prints a placeholder so logs never leak it).
--- a/data/mesh-hosts.json
+++ b/data/mesh-hosts.json
@ -175,6 +175,24 @@
      "public": "143.244.223.5",
      "mac": null,
      "identity": null
+    },
+    {
+      "name": "artifacts",
+      "aliases": [
+        "com.uvlava.quinn.artifacts"
+      ],
+      "class": "cloud",
+      "role": "DigitalOcean shared CI + artifact host (quinn-owned): Forgejo + verdaccio/pypi/swift registries for ct/mc/quinn. nyc3, default vpc. Reserved IP 134.199.243.61 (public forge/registry endpoints). Mesh spoke for private/internal access. IaC: provisioned out-of-band (not in uvlava terraform state).",
+      "os": "linux",
+      "ssh_user": "root",
+      "ssh_identity": "~/.ssh/id_ed25519_1984",
+      "segment": "nyc3",
+      "wg_pubkey": "IJ/nH04KmRSbSoeYSEV1zlHPu1/KbXl4cS1sOj70TU4=",
+      "wg": "10.9.0.8",
+      "lan": null,
+      "public": "134.199.243.61",
+      "mac": null,
+      "identity": null
    }
  ],
  "services": {