# ECP-0084: Sovereign `ecp-forge` Host Deploy from every.channel
Status: Implemented
## Context
`git.every.channel` (Hetzner 300TB host) has been operated from external infra repos. That creates coupling and weakens operational independence for every.channel infrastructure changes, especially netboot/PXE and archive workflows.
The constitutional direction is explicit repository ownership over its infrastructure path. every.channel should be able to deploy its own forge host from this repository, with age/agenix material stored here.
## Decision
1. Add a sovereign `nixosConfigurations.ecp-forge` target to this repository.
2. Keep the forge role (`services.forgejo`, `services.caddy`) and archive role (`services.every-channel.ec-node`) in that host target.
3. Enable persistent netboot from this repository using `services.every-channel.netboot`, with local sovereign tarball staging as the default source path.
4. Keep UniFi-only mode as default (`proxyDhcp.enable = false`) to avoid cross-domain DHCP coupling.
5. Store host-consumed runtime secrets in this repository (`secrets/*.age`) and decrypt on-host via `agenix`.
6. Deploy directly from this repository to `git.every.channel`.
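As an added illustration, not the repository's own `nix/nixos/ecp-forge.nix`, the shape of a host module that realises the decisions above. `services.forgejo`, `services.caddy` and `age.*` are standard nixpkgs/agenix options; `services.every-channel.ec-node`, `services.every-channel.netboot`, `.enable` and `proxyDhcp.enable` are the option names cited in this proposal; the tarball-staging option, secret names, service user and file layout are assumptions.

```nix
# nix/nixos/ecp-forge.nix (illustrative, not the repo's actual file).
# Wired in from flake.nix roughly as:
#   nixosConfigurations.ecp-forge = nixpkgs.lib.nixosSystem {
#     modules = [ agenix.nixosModules.default ./nix/nixos/ecp-forge.nix ... ];
#   };
{ ... }:
{
  networking.hostName = "ecp-forge";

  # Forge role: Forgejo bound to loopback, exposed only through Caddy.
  services.forgejo = {
    enable = true;
    settings.server = {
      DOMAIN = "git.every.channel";
      ROOT_URL = "https://git.every.channel/";
      HTTP_ADDR = "127.0.0.1";
      HTTP_PORT = 3000;
    };
  };
  services.caddy = {
    enable = true;
    virtualHosts."git.every.channel".extraConfig = ''
      reverse_proxy 127.0.0.1:3000
    '';
  };

  # Archive role (project module; option name taken from the proposal).
  services.every-channel.ec-node.enable = true;

  # Persistent netboot: declared here so it survives reboots and rebuilds.
  # Only `enable` and `proxyDhcp.enable` are named in the proposal; the
  # staging-path option is an assumed name.
  services.every-channel.netboot = {
    enable = true;
    proxyDhcp.enable = false;   # UniFi-only mode: DHCP authority stays with UniFi
    tarballSource = "/var/lib/every-channel/netboot/staging";  # assumed option
  };

  # Host-consumed runtime secrets: encrypted secrets/*.age committed here,
  # decrypted on-host by agenix with the host SSH key (secret name assumed).
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  age.secrets.ec-node-token = {
    file = ../../secrets/ec-node-token.age;
    owner = "ec-node";   # assumed service user
    mode = "0400";
  };
}
```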
## Alternatives considered
- Continue deploying `git.every.channel` from shared infra repos. Rejected due to ownership/coupling drift.
- Keep runtime-only netboot scripts on host. Rejected because boot resilience should survive reboot and config rebuilds.
- Move to ProxyDHCP-first by default. Rejected for now to keep DHCP authority in UniFi.
## Rollout / teardown plan
- Rollout:
  - build/evaluate `.#nixosConfigurations.ecp-forge`,
  - deploy from every.channel to `git.every.channel`,
  - verify `every-channel-netboot-stage` and `every-channel-netboot`.
- Teardown:
  - disable `services.every-channel.netboot.enable` in `nix/nixos/ecp-forge.nix`,
  - redeploy,
  - fall back to manual script flow (`docs/NUC_UNIFI_NETBOOT.md`) if required.