**Status:** Plan / Runbook. **Automated setup completed 2026-02-08:** see [verification-evidence/DEV_CODESPACES_SETUP_COMPLETE_20260208.md](verification-evidence/DEV_CODESPACES_SETUP_COMPLETE_20260208.md).
**Public IP:** 76.53.10.40
**Fourth NPMplus:** 192.168.11.170 (VMID TBD when deployed)
**Purpose:** Codespaces-like environment for Cursor; all access via 76.53.10.40; Cloudflare tunnel dedicated to this stack; fourth NPMplus; Proxmox VE admin panels; dotenv inventory.
| **8006** | Proxmox VE (x3) | .10, .11, .12 | Proxied via NPMplus 4 (pve.ml110, pve.r630-01, pve.r630-02) |

---
## 3. Cloudflare Tunnel (Dedicated for This VM / Fourth NPMplus)
- **Tunnel name:** e.g. `dev-codespaces` or `npmplus-fourth`.
- **Connector:** Run `cloudflared` on the host that can reach 192.168.11.170 (e.g. on the fourth NPMplus LXC, or a small VM on the same LAN). Origin = `https://127.0.0.1:443` if cloudflared runs on the same box as NPMplus, or `https://192.168.11.170:443` if cloudflared runs elsewhere.
**Script:** `scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` — sets tunnel ingress and DNS CNAMEs (requires `CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES` in `.env`).
**Script:** `scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` — adds/updates these proxy hosts via NPM API (NPM_URL=https://192.168.11.170:81, credentials in `.env`).
**Proxmox admin panels:** After tunnel and NPMplus are up, open:
- **ml110:** https://pve.ml110.d-bis.org (or https://76.53.10.40 with host header / separate port if you add a catch-all)
- **r630-01:** https://pve.r630-01.d-bis.org
- **r630-02:** https://pve.r630-02.d-bis.org
Use **HTTPS** and allow self-signed certs (or add Let’s Encrypt for these hostnames in NPMplus). WebSocket support must be enabled for the Proxmox console.
| Dev VM SSH (optional) | 76.53.10.40 | 22 | 192.168.11.60 | 22 | TCP |
**Note:** 76.53.10.40 must be assigned/available on the UDM Pro (or the interface that receives this traffic). Restrict admin port 81 to VPN or IP allowlist.
See also: [UDM_PRO_DEV_CODESPACES_PORT_FORWARD.md](UDM_PRO_DEV_CODESPACES_PORT_FORWARD.md).

---
## 6. Dotenv Files (Include in Dev VM / Accessibility)
These `.env` (and related) files should be present in the dev VM or in a secure store so that all projects and Cursor have the environment variables they require:
| `the-order/services/legal-documents/.env.example` | Order |
| `unifi-api/.env`, `.env.example` | Unifi API |
| `rpc-translator-138/.env` | RPC translator |
| `miracles_in_motion/.env.*` | MIM |
| `ProxmoxVE/api/.env.example` | Proxmox API |
| `omada-api/.env` | Omada API |
**Action:** When syncing `/home/intlc/projects` to the dev VM (`/srv/projects`), include these files (or use a secrets manager and symlink). Do not commit real `.env` with secrets to Git; use `.env.example` as templates and document which vars are required in [REQUIRED_SECRETS_SUMMARY.md](REQUIRED_SECRETS_SUMMARY.md).
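One way to enforce the "no real `.env` in Git" rule before or after a sync, as an added example that is not one of this repo's scripts. The function names, the `check-dotenv.sh` file name and the extra `.env.*.example` template pattern are assumptions; the sample paths are constructed from the inventory rows above.

```bash
#!/usr/bin/env bash
# Added example (hypothetical check-dotenv.sh): flag real dotenv files in Git.

# Read paths on stdin, one per line; print those that are real dotenv files.
filter_real_dotenv() {
  local path base
  while IFS= read -r path; do
    base=${path##*/}                         # file name without directories
    case "$base" in
      .env.example|.env.*.example) ;;        # templates, safe to commit
      .env|.env.*) printf '%s\n' "$path" ;;  # real env file, flag it
    esac
  done
}

# Return 1 if the index of the repo at $1 contains any real dotenv file.
# `git ls-files` lists the index, so it covers tracked and staged paths.
check_repo() {
  local repo=$1 hits
  hits=$(git -C "$repo" ls-files | filter_real_dotenv)
  if [ -n "$hits" ]; then
    printf 'real dotenv files in Git (%s):\n%s\n' "$repo" "$hits" >&2
    return 1
  fi
}

# Constructed sample paths modelled on the inventory rows above.
sample_paths() {
  cat <<'EOF'
the-order/services/legal-documents/.env.example
unifi-api/.env
unifi-api/.env.example
miracles_in_motion/.env.production
docs/dotenv-notes.md
EOF
}

# Stand-alone use: ./check-dotenv.sh /srv/projects/<repo>
if [ "$#" -gt 0 ]; then
  check_repo "$1"
fi
```

Calling `check_repo` from a pre-commit hook blocks the commit when a real dotenv file is staged, since its non-zero return fails the hook.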
| ml110 | 192.168.11.10 | https://pve.ml110.d-bis.org | Proxmox web UI port 8006 |
| r630-01 | 192.168.11.11 | https://pve.r630-01.d-bis.org | Proxmox web UI port 8006 |
| r630-02 | 192.168.11.12 | https://pve.r630-02.d-bis.org | Proxmox web UI port 8006 |
The fourth NPMplus instance **directs** these hostnames to the three Proxmox hosts’ admin panels (HTTPS, port 8006, WebSocket enabled for console).

---
## 8. Implementation Order
1. **Create fourth NPMplus** LXC (VMID e.g. 10236) at 192.168.11.170 if not already deployed; install NPMplus and cloudflared (tunnel connector).
2. **Create dev VM** (5700) at 192.168.11.60: `scripts/create-dev-vm-5700.sh`; then `scripts/setup-dev-vm-users-and-gitea.sh`.
3. **UDM Pro:** Add port forward rules for 76.53.10.40 → 192.168.11.170 (80/81/443) and optionally 22 → 192.168.11.60.
4. **Cloudflare:** Create tunnel (Zero Trust → Networks → Tunnels), install connector on fourth NPMplus (or host that can reach 192.168.11.170). Set `CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES` in `.env`.
5. **Run:** `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` — tunnel ingress + DNS CNAMEs.