every.channel/evolution/proposals/ECP-0084-sovereign-ecp-forge-host-deploy.md


ECP-0084: Sovereign ecp-forge Host Deploy from every.channel

Status: Implemented

Context

git.every.channel (Hetzner 300TB host) has been operated from external infra repos. That creates coupling and weakens operational independence for every.channel infrastructure changes, especially netboot/PXE and archive workflows.

The constitutional direction is explicit: each repository owns its own infrastructure path. every.channel should be able to deploy its own forge host from this repository, with age/agenix material stored here.

Decision

  1. Add a sovereign nixosConfigurations.ecp-forge target to this repository.
  2. Keep the forge role (services.forgejo, services.caddy) and archive role (services.every-channel.ec-node) in that host target.
  3. Enable persistent netboot from this repository using services.every-channel.netboot, with local sovereign tarball staging as the default source path.
  4. Keep UniFi-only mode as default (proxyDhcp.enable = false) to avoid cross-domain DHCP coupling.
  5. Store host-consumed runtime secrets in this repository (secrets/*.age) and decrypt on-host via agenix.
  6. Deploy directly from this repository to git.every.channel.
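The decisions above, expressed as a flake-level host target. This is an added illustration, not code from the every.channel repository: `age.*` (agenix) and `services.forgejo`/`services.caddy` (nixpkgs) are real options, while the every-channel module path, the `ec-node.enable` sub-option, the Caddy reverse-proxy target and the `forgejo-env` secret name are assumptions.

```nix
{
  description = "every.channel: sovereign ecp-forge host target (added example)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    agenix.url = "github:ryantm/agenix";
  };

  outputs = { self, nixpkgs, agenix, ... }: {
    nixosConfigurations.ecp-forge = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        agenix.nixosModules.default    # real agenix module: age.secrets.*, on-host decryption
        ./nix/nixos/every-channel.nix  # assumed path of the module defining services.every-channel.*
        ({ config, ... }: {
          networking.hostName = "ecp-forge";

          # Forge role: Forgejo behind Caddy. The reverse_proxy target assumes
          # Forgejo's default HTTP port (3000).
          services.forgejo.enable = true;
          services.caddy.enable = true;
          services.caddy.virtualHosts."git.every.channel".extraConfig = ''
            reverse_proxy 127.0.0.1:3000
          '';

          # Archive role (the `.enable` sub-option is assumed).
          services.every-channel.ec-node.enable = true;

          # Persistent netboot declared in config so it survives reboots and
          # rebuilds; UniFi keeps DHCP authority, so ProxyDHCP stays off.
          services.every-channel.netboot = {
            enable = true;
            proxyDhcp.enable = false;
          };

          # Runtime secrets live encrypted in-repo (secrets/*.age) and are
          # decrypted on the host by agenix with the host SSH key; services
          # read the plaintext via config.age.secrets.forgejo-env.path.
          # "forgejo-env" is a hypothetical secret name.
          age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          age.secrets.forgejo-env = {
            file = ./secrets/forgejo-env.age;
            owner = "forgejo";
          };
        })
      ];
    };
  };
}
```

Evaluate with `nix build .#nixosConfigurations.ecp-forge.config.system.build.toplevel` and deploy with `nixos-rebuild switch --flake .#ecp-forge --target-host root@git.every.channel`.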

Alternatives considered

  • Continue deploying git.every.channel from shared infra repos. Rejected due to ownership/coupling drift.
  • Keep runtime-only netboot scripts on host. Rejected because boot resilience should survive reboot and config rebuilds.
  • Move to ProxyDHCP-first by default. Rejected for now to keep DHCP authority in UniFi.

Rollout / teardown plan

  • Rollout:
    • build/evaluate .#nixosConfigurations.ecp-forge,
    • deploy from every.channel to git.every.channel,
    • verify every-channel-netboot-stage and every-channel-netboot.
  • Teardown:
    • disable services.every-channel.netboot.enable in nix/nixos/ecp-forge.nix,
    • redeploy,
    • fall back to manual script flow (docs/NUC_UNIFI_NETBOOT.md) if required.