Files
Sankofa/docs/proxmox/dotenv-review.md
defiQUG 33d50fb91e
Some checks failed
API CI / API Lint (push) Successful in 47s
API CI / API Type Check (push) Failing after 47s
API CI / API Test (push) Successful in 1m0s
API CI / API Build (push) Failing after 50s
API CI / Build Docker Image (push) Has been skipped
Build Crossplane Provider / build (push) Failing after 5m51s
CD Pipeline / Deploy to Staging (push) Failing after 29s
CI Pipeline / Lint and Type Check (push) Failing after 36s
CI Pipeline / Build (push) Has been skipped
CI Pipeline / Test Backend (push) Failing after 1m33s
CI Pipeline / Test Frontend (push) Failing after 30s
CI Pipeline / Security Scan (push) Failing after 1m16s
Crossplane Provider CI / Go Test (push) Failing after 3m23s
Crossplane Provider CI / Go Lint (push) Failing after 7m27s
Crossplane Provider CI / Go Build (push) Failing after 3m27s
Deploy to Staging / Deploy to Staging (push) Failing after 30s
Portal CI / Portal Lint (push) Failing after 21s
Portal CI / Portal Type Check (push) Failing after 21s
Portal CI / Portal Test (push) Failing after 21s
Portal CI / Portal Build (push) Failing after 22s
Test Suite / frontend-tests (push) Failing after 30s
Test Suite / api-tests (push) Failing after 49s
Test Suite / blockchain-tests (push) Failing after 30s
Type Check / type-check (map[directory:. name:root]) (push) Failing after 23s
Type Check / type-check (map[directory:api name:api]) (push) Failing after 21s
Type Check / type-check (map[directory:portal name:portal]) (push) Failing after 19s
Validate Configuration Files / validate (push) Failing after 1m52s
CD Pipeline / Deploy to Production (push) Has been skipped
chore: consolidate local WIP (repo cleanup 20260707)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-07 09:41:34 -07:00

6.6 KiB
Raw Blame History

.env File Review and Recommendations

Review Date: 2024-12-19
File: .env (49 lines)

Current Configuration Summary

Cloudflare Configuration

  1. Global API Key + Email (Lines 4-6)

    • Configured: CLOUDFLARE_API_KEY and CLOUDFLARE_EMAIL
    • ⚠️ Security Risk: Global API Key provides full account access
    • 📝 Recommendation: Prefer API tokens with limited scope
  2. Origin CA Key (Line 9)

    • Configured: CLOUDFLARE_ORIGIN_CA_KEY
    • 📝 Used for Cloudflare Origin Certificates
    • Not needed for ACME DNS-01 setup
  3. API Token (Line 12)

    • Missing: CLOUDFLARE_API_TOKEN is commented out
    • 🔴 Critical for ACME: Required for Proxmox ACME DNS-01 plugin
    • 📝 Action Required: Uncomment and add token
  4. Zone and Account IDs (Lines 26-28)

    • Configured: CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_ZONE_ID
    • Domain: DOMAIN=sankofa.nexus
    • Values appear correct

Proxmox Configuration

  1. Instance 1 (ML110-01) (Lines 35-36)

    • Username: root@pam
    • API Token: Configured with proper format
    • Well-structured
  2. Instance 2 (R630-01) (Lines 39-40)

    • Username: root@pam
    • API Token: Configured with proper format
    • Well-structured
  3. Root Password (Line 44)

    • ⚠️ Security Risk: Plain text password stored
    • 📝 Recommendation: Consider using password manager or secrets management

Critical Issues

🔴 Missing: CLOUDFLARE_API_TOKEN for ACME

Location: Line 12 (currently commented)

Impact:

  • Proxmox ACME DNS-01 plugin requires this token
  • Without it, automatic certificate issuance/renewal will fail

Action Required:

# Uncomment and add your ACME-specific token
CLOUDFLARE_API_TOKEN=your-acme-dns01-token-here

Token Requirements:

⚠️ Security: Global API Key Exposure

Issue: Global API Key provides full account access if compromised

Recommendation:

  1. Use API tokens with limited scope instead
  2. If Global API Key is needed, ensure:
    • File has proper permissions (600)
    • Not committed to version control
    • Consider rotating periodically

⚠️ Security: Plain Text Password

Issue: PROXMOX_ROOT_PASS stored in plain text

Recommendation:

  1. Use API tokens instead (already configured )
  2. If password must be stored:
    • Use secrets management (Vault, Kubernetes Secrets)
    • Encrypt the .env file
    • Restrict file permissions (chmod 600 .env)

Recommendations

1. Add Missing ACME Token

Add this after line 12:

# Cloudflare API Token for ACME DNS-01 (Proxmox certificate setup)
# Create token with Zone DNS Edit permissions for sankofa.nexus
CLOUDFLARE_API_TOKEN=your-acme-dns01-token-here

2. File Permissions

Ensure .env file has restrictive permissions:

chmod 600 .env

3. Verify .gitignore

Ensure .env is in .gitignore:

grep -q "^\.env$" .gitignore && echo "✅ .env in .gitignore" || echo "❌ Add .env to .gitignore"

4. Token Naming Convention

Consider using descriptive names in comments:

# Cloudflare API Token for ACME DNS-01 (Proxmox Let's Encrypt)
# Token Name: proxmox-acme-dns01
# Scope: sankofa.nexus zone, DNS Edit only
CLOUDFLARE_API_TOKEN=your-token-here

5. Environment-Specific Files

Consider using:

  • .env.local for local development
  • .env.production for production
  • .env.example as template (without secrets)

Configuration Completeness Check

For ACME Setup

  • CLOUDFLARE_ACCOUNT_ID - Configured
  • CLOUDFLARE_ZONE_ID - Configured
  • DOMAIN - Configured (sankofa.nexus)
  • CLOUDFLARE_API_TOKEN - Missing (commented out, needs value)

For Proxmox Integration

  • PROXMOX_TOKEN_ML110_01 - Configured
  • PROXMOX_TOKEN_R630_01 - Configured
  • PROXMOX_USERNAME_ML110_01 - Configured
  • PROXMOX_USERNAME_R630_01 - Configured

Suggested .env Structure

# =============================================================================
# Cloudflare Configuration
# =============================================================================

# Cloudflare Global API Key (legacy - prefer API tokens)
CLOUDFLARE_API_KEY=e5153f7f2dcf64fec7f25ede78c15482bc950
CLOUDFLARE_EMAIL=pandoramannli@gmail.com

# Cloudflare API Token for ACME DNS-01 (Proxmox Let's Encrypt certificates)
# Token Name: proxmox-acme-dns01
# Permissions: Zone DNS Edit (sankofa.nexus only)
# Create at: https://dash.cloudflare.com/profile/api-tokens
CLOUDFLARE_API_TOKEN=your-acme-dns01-token-here

# Cloudflare Account and Zone IDs
CLOUDFLARE_ACCOUNT_ID=52ad57a71671c5fc009edf0744658196
CLOUDFLARE_ZONE_ID=13e2c26acc5eda15eafa7c8735b00239
DOMAIN=sankofa.nexus

# Cloudflare Origin CA Key (for Origin Certificates)
CLOUDFLARE_ORIGIN_CA_KEY=v1.0-40220c19a24f6e2980fb37b0-...

# =============================================================================
# Proxmox Configuration
# =============================================================================

# Instance 1 (ML110-01) - Admin Node
PROXMOX_USERNAME_ML110_01=root@pam
PROXMOX_TOKEN_ML110_01=root@pam!sankofa-instance-1-api-token=73c7e1a2-...

# Instance 2 (R630-01) - VM/Compute Node
PROXMOX_USERNAME_R630_01=root@pam
PROXMOX_TOKEN_R630_01=root@pam!sankofa-instance-2-api-token=d0d45212-...

# Root Password (consider using secrets management instead)
PROXMOX_ROOT_PASS=L@KERS2010

# Proxmox Endpoints (optional - defaults to FQDNs)
# PROXMOX_ENDPOINT_ML110_01=https://ml110-01.sankofa.nexus:8006
# PROXMOX_ENDPOINT_R630_01=https://r630-01.sankofa.nexus:8006

Security Checklist

  • .env file permissions set to 600
  • .env in .gitignore
  • No secrets committed to version control
  • API tokens use minimal required permissions
  • Consider rotating Global API Key periodically
  • Use API tokens instead of Global API Key where possible
  • Consider using secrets management for sensitive values

Next Steps

  1. Immediate: Add CLOUDFLARE_API_TOKEN for ACME setup
  2. Security: Review and rotate Global API Key if possible
  3. Best Practice: Use API tokens with limited scope
  4. Documentation: Document token purposes in comments
  5. Monitoring: Set up alerts for token expiration/rotation