refactor(entrypoint): use standard .env pattern instead of in-container bw#39
Merged
Merged
Conversation
…er bw Removes the bw CLI from the image and the entrypoint that fetched GUARD_PRIVATE_KEY at container start. The infrastructure repo now provides GUARD_PRIVATE_KEY directly via .env (generated by generate-env.sh from Vaultwarden at deploy time), consistent with how every other secret is wired into this stack. Trade-off: GUARD_PRIVATE_KEY now lives on the host's .env file (chmod 600) between deploys; redeploy is required to rotate it. The added complexity of bw-in-container was not worth the divergence from the established pattern.
2 tasks
- .env.example: document GUARD_ENABLED, GUARD_PRIVATE_KEY,
GUARD_HELPER_ADDRESS, GUARD_WHITELIST_FILE in the same style as the
other sections
- README.md: add Minter Guard to the architecture list
- whitelist.{testnet,mainnet}.json: rewrite stale "_comment". The
service denies bridge proposals too — the previous comment promised
the opposite.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GUARD_PRIVATE_KEYat container startGUARD_PRIVATE_KEYdirectly via.env(generated bygenerate-env.shfrom Vaultwarden at deploy time), consistent with every other secret in this stackTrade-off
GUARD_PRIVATE_KEYnow lives on the host's.envfile (chmod 600) between deploys; redeploy is required to rotate it. The added complexity of bw-in-container was not worth diverging from the established pattern.Companion PR
DFXServer/server PR (coming next) — moves env var to standard form and removes the vault-credentials volume mounts.
Test plan
MinterGuard ENABLEDlog line appears whenGUARD_PRIVATE_KEYis set on the host