every-channel/every.channel
1
0
Fork 0
Code Releases Activity Actions 2

Advance forge rollout, Ethereum rails, and NBC sources

Browse source
This commit is contained in:
every.channel 2026-04-01 15:58:49 -07:00
parent be26313225
commit 7d84510eac
No known key found for this signature in database
88 changed files with 11230 additions and 302 deletions
Download patch file Download diff file Expand all files Collapse all files

35
evolution/proposals/ECP-0084-sovereign-ecp-forge-host-deploy.md Normal file
View file

@ -0,0 +1,35 @@
# ECP-0084: Sovereign `ecp-forge` Host Deploy from every.channel
Status: Implemented
## Context
`git.every.channel` (Hetzner 300TB host) has been operated from external infra repos. That creates coupling and weakens operational independence for every.channel infrastructure changes, especially netboot/PXE and archive workflows.
The constitutional direction is explicit repository ownership over its infrastructure path. every.channel should be able to deploy its own forge host from this repository, with age/agenix material stored here.
## Decision
1. Add a sovereign `nixosConfigurations.ecp-forge` target to this repository.
2. Keep the forge role (`services.forgejo`, `services.caddy`) and archive role (`services.every-channel.ec-node`) in that host target.
3. Enable persistent netboot from this repository using `services.every-channel.netboot`, with local sovereign tarball staging as the default source path.
4. Keep UniFi-only mode as default (`proxyDhcp.enable = false`) to avoid cross-domain DHCP coupling.
5. Store host-consumed runtime secrets in this repository (`secrets/*.age`) and decrypt on-host via `agenix`.
6. Deploy directly from this repository to `git.every.channel`.
## Alternatives considered
- Continue deploying `git.every.channel` from shared infra repos. Rejected due ownership/coupling drift.
- Keep runtime-only netboot scripts on host. Rejected because boot resilience should survive reboot and config rebuilds.
- Move to ProxyDHCP-first by default. Rejected for now to keep DHCP authority in UniFi.
## Rollout / teardown plan
- Rollout:
- build/evaluate `.#nixosConfigurations.ecp-forge`,
- deploy from every.channel to `git.every.channel`,
- verify `every-channel-netboot-stage` and `every-channel-netboot`.
- Teardown:
- disable `services.every-channel.netboot.enable` in `nix/nixos/ecp-forge.nix`,
- redeploy,
- fall back to manual script flow (`docs/NUC_UNIFI_NETBOOT.md`) if required.