every.channel/evolution/proposals/ECP-0103-mullvad-philadelphia-egress-for-forge-nbc-philadelphia.md
2026-04-03 02:01:34 -07:00

ECP-0103: Mullvad Philadelphia Egress for Forge NBC Philadelphia

Why

The forge-side NBC worker is currently dependent on a reverse-tunneled proxy for US egress. That is enough to prove the geo-boundary, but it is the wrong long-term operator shape for NBC Sports Philadelphia.

Decision

  1. Enable the Mullvad daemon on ecp-forge.
  2. Keep the Mullvad account number out of committed Nix configuration; log in operationally from founder-provided material.
  3. Use a Philadelphia Mullvad relay for NBC Sports Philadelphia work on forge.
  4. Start the forge NBC publish worker after the Mullvad daemon is available.
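
The decisions above as a NixOS module fragment, added here as an example and not taken from the every.channel repository. It goes one step past decision 4 by also refusing to start the worker until the tunnel reports a connection, since ordering on the daemon unit alone does not show that traffic leaves through the relay. Assumptions: the worker unit name `forge-nbc-publish` is hypothetical, and `mullvad status` is assumed to print a line starting with `Connected` once the tunnel is up.

```nix
{ pkgs, ... }:
{
  # Decision 1: run the Mullvad daemon on forge.
  services.mullvad-vpn.enable = true;

  # Decision 2: no account number appears anywhere in this file. Login and
  # relay selection (decision 3) happen at runtime through the mullvad CLI,
  # so the credential lives in the daemon's own state and never in the
  # world-readable Nix store or the repository history.

  # Decision 4: this attribute set merges with the worker's existing unit
  # definition. "forge-nbc-publish" is a hypothetical name for that unit.
  systemd.services.forge-nbc-publish = {
    after = [ "mullvad-daemon.service" ];
    requires = [ "mullvad-daemon.service" ];

    serviceConfig = {
      # Readiness gate (assumption, see lead-in): poll for up to about
      # 60 seconds and fail the start if the tunnel never connects, so the
      # worker does not publish over the host's default route.
      ExecStartPre = pkgs.writeShellScript "wait-for-mullvad" ''
        for _ in $(seq 1 30); do
          if ${pkgs.mullvad}/bin/mullvad status | grep -q '^Connected'; then
            exit 0
          fi
          sleep 2
        done
        echo "Mullvad tunnel is not connected; refusing to start" >&2
        exit 1
      '';
    };
  };
}
```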

Consequences

  • Forge NBC egress becomes self-contained instead of depending on a local reverse proxy.
  • The account credential stays operational-only rather than being copied into repo config.
  • Relay choice remains runtime-controlled, so it can be swapped if a specific Philadelphia host degrades.

Rejected Alternatives

  • Keep relying on the reverse-tunneled local proxy: rejected because it couples forge origin to a founder workstation.
  • Commit the Mullvad account number into NixOS config: rejected because it expands secret exposure for no benefit.