Skip to content

refactor(entrypoint): use standard .env pattern instead of in-container bw#39

Merged
TaprootFreak merged 2 commits into
developfrom
refactor/minter-guard-standard-env
May 16, 2026
Merged

refactor(entrypoint): use standard .env pattern instead of in-container bw#39
TaprootFreak merged 2 commits into
developfrom
refactor/minter-guard-standard-env

Conversation

@TaprootFreak

@TaprootFreak TaprootFreak commented May 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Removes the bw CLI from the image and the entrypoint that fetched GUARD_PRIVATE_KEY at container start
  • The infrastructure repo now provides GUARD_PRIVATE_KEY directly via .env (generated by generate-env.sh from Vaultwarden at deploy time), consistent with every other secret in this stack
  • Closes the bw-config crash-loop on dfxdev (was workaround in fix(entrypoint): skip bw config server while logged in #38) by removing the bw call entirely

Trade-off

GUARD_PRIVATE_KEY now lives on the host's .env file (chmod 600) between deploys; redeploy is required to rotate it. The added complexity of bw-in-container was not worth diverging from the established pattern.

Companion PR

DFXServer/server PR (coming next) — moves env var to standard form and removes the vault-credentials volume mounts.

Test plan

  • Build green
  • After deploy: containers start without bw error
  • MinterGuard ENABLED log line appears when GUARD_PRIVATE_KEY is set on the host

@TaprootFreak
refactor(entrypoint): use standard .env pattern instead of in-contain…
8f7cdc2 
…er bw

Removes the bw CLI from the image and the entrypoint that fetched
GUARD_PRIVATE_KEY at container start. The infrastructure repo now
provides GUARD_PRIVATE_KEY directly via .env (generated by
generate-env.sh from Vaultwarden at deploy time), consistent with how
every other secret is wired into this stack.

Trade-off: GUARD_PRIVATE_KEY now lives on the host's .env file (chmod
600) between deploys; redeploy is required to rotate it. The added
complexity of bw-in-container was not worth the divergence from the
established pattern.
@TaprootFreak TaprootFreak mentioned this pull request May 16, 2026
Closed
2 tasks
@TaprootFreak
docs(minter-guard): document env vars + fix stale whitelist comment
84c2e6d 
- .env.example: document GUARD_ENABLED, GUARD_PRIVATE_KEY,
  GUARD_HELPER_ADDRESS, GUARD_WHITELIST_FILE in the same style as the
  other sections
- README.md: add Minter Guard to the architecture list
- whitelist.{testnet,mainnet}.json: rewrite stale "_comment". The
  service denies bridge proposals too — the previous comment promised
  the opposite.
@TaprootFreak TaprootFreak marked this pull request as ready for review May 16, 2026 18:44
@TaprootFreak TaprootFreak merged commit fee7995 into develop May 16, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TaprootFreak