Advance forge rollout, Ethereum rails, and NBC sources

evolution/proposals/ECP-0088-ecp-forge-public-rpc-hardening.md

@@ -0,0 +1,30 @@
+# ECP-0088: Public RPC/NFS Hardening for `ecp-forge`
+
+Status: Implemented
+
+## Context
+
+`ecp-forge` exports `/tank` over NFS for private consumers, but the host firewall also exposed `rpcbind` (`111/tcp,udp`) and NFS (`2049/tcp,udp`) on the public Hetzner address. CERT-Bund flagged the host because public `rpcbind` allowed internet enumeration of registered RPC services.
+
+The current exports already constrain clients to private address space, so the exposure is a firewall boundary issue rather than a requirement for public access.
+
+## Decision
+
+1. Remove public firewall allowances for `111/tcp,udp` and `2049/tcp,udp` on `ecp-forge`.
+2. Keep NFS enabled for trusted/private paths, including the existing `tailscale0` trusted interface and private-source exports.
+3. Treat public RPC/NFS exposure on forge hosts as an anti-pattern unless a later ECP explicitly justifies it.
+
+## Alternatives considered
+
+- Disable NFS entirely. Rejected because `/tank` export remains useful for private consumers.
+- Keep public ports open and rely only on `/etc/exports` CIDR restrictions. Rejected because `rpcbind` enumeration is itself enough to trigger abuse notifications and increases attack surface.
+- Add bespoke public-interface firewall exceptions per private CIDR. Rejected because `ecp-forge` already has a trusted overlay path and does not need public-interface exposure for NFS.
+
+## Rollout / teardown plan
+
+- Rollout:
+  - evaluate `.#nixosConfigurations.ecp-forge`,
+  - deploy `ecp-forge`,
+  - verify `rpcbind`/NFS are no longer reachable on the public IP.
+- Teardown:
+  - restore the public firewall allowances only with a replacement ECP that documents the requirement and compensating controls.