proxmox/docs/04-configuration/MIFOS_REMAINING_STEPS.md
# Mifos — Remaining Steps (after automated setup)
**Last Updated:** 2026-02-09

**Status:** Checklist for operator

**Context:** LXC 5800 created; Mifos X 24.04.30 (Docker) running on 192.168.11.85:80; DNS mifos.d-bis.org → 76.53.10.41 (A, Proxied).

---
## Done automatically
- [x] LXC 5800 created on r630-02 (192.168.11.85)
- [x] Nesting + keyctl + AppArmor unconfined set on 5800
- [x] Docker + Mifos 24.04.30 (Docker Compose) installed and running in 5800
- [x] Cloudflare DNS: mifos.d-bis.org → **76.53.10.41** (A record, Proxied) via `MIFOS_DNS_MODE=direct ./scripts/cloudflare/configure-mifos-dns.sh`
---
## Remaining (manual or with secrets)
### 1. UDM Pro port forward (for direct access via 76.53.10.41)
- In **UniFi Network** → **Settings** → **Firewall & Security** → **Port Forwarding** add:
  - **76.53.10.41:80** → **192.168.11.85:80** (TCP)
  - **76.53.10.41:443** → **192.168.11.85:443** (TCP) if you add TLS later
- Ensure 76.53.10.41 is assigned on the UDM Pro.
- See [UDM_PRO_MIFOS_76_53_10_41_PORT_FORWARD.md](UDM_PRO_MIFOS_76_53_10_41_PORT_FORWARD.md).
### 2. Optional: Cloudflare Tunnel + UK egress (no port forward)
If you want traffic via Tunnel instead of direct IP:
1. **Zero Trust** → **Networks** → **Tunnels** → **Create a tunnel** → name `mifos-r630-02` → copy the **tunnel token**.
2. In `.env` set:
   - `CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02='<token>'`
   - `CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02='<tunnel-uuid>'` (from dashboard or `cloudflared tunnel list` after install)
3. Run: `./scripts/install-tunnel-mifos-r630-02.sh`
4. In Zero Trust → **mifos-r630-02** → **Published application routes**: add **mifos.d-bis.org** with **Service** set to either `http://192.168.11.85:80` (no SSL on origin) or `https://192.168.11.85:443` (run `./scripts/mifos/install-nginx-https-5800.sh` first, then add Origin config **No TLS Verify**).
5. **Switch DNS to use the tunnel:** In `.env` set `CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=<tunnel-uuid>`, then run:
```bash
MIFOS_DNS_MODE=tunnel ./scripts/cloudflare/configure-mifos-dns.sh
```
(mifos.d-bis.org becomes CNAME to `<tunnel-id>.cfargotunnel.com`; no UDM port forward needed for this hostname.)
6. **Regional Services (UK):** Zero Trust / Data Localization → **Regional Services** → attach **mifos.d-bis.org** → select UK (or EU) region.
### 3. Change default password
- Log in at https://mifos.d-bis.org (after port forward or tunnel) with **mifos** / **password** and change the password.
### 4. Verification
- **Direct (76.53.10.41):** After UDM port forward: `curl -I https://mifos.d-bis.org`
- **Tunnel:** After tunnel + DNS switch: same URL; tunnel status in Zero Trust should be Healthy.
- **UK egress:** Check `Cf-Ray` header or Cloudflare analytics for UK colo.
### 5. Troubleshooting HTTP 530 (tunnel)
Cloudflare returns **530** when the tunnel can't reach the origin. Check:
1. **Run from project root:** `./scripts/verify/verify-mifos-tunnel-530.sh`
   Confirms: cloudflared is active in LXC 5800, and `http://127.0.0.1:80` responds inside the container.
2. **Zero Trust → Networks → Tunnels** → **mifos-r630-02** → **Published application routes**
   - For **HTTP to origin:** Service `http://192.168.11.85:80`.
   - For **HTTPS to origin:** Service `https://192.168.11.85:443`; run `./scripts/mifos/install-nginx-https-5800.sh` first, then add an **Origin configuration** for this route with **No TLS Verify** (required for self-signed cert).
3. **Tunnel status** in the dashboard should be **Healthy**. If not, restart in 5800:
   `ssh root@<r630-02> 'pct exec 5800 -- systemctl restart cloudflared'`
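An added example (not one of this repo's scripts) that combines the checks from sections 4 and 5: it parses the `curl -I` header block for the HTTP status and the `Cf-Ray` colo code, flags a 530 as "tunnel cannot reach origin", and reports whether the serving colo is a UK one. The helpers take the header text as an argument so they can be exercised offline on the constructed sample; `check_mifos` does the live request. The UK colo codes (LHR, MAN, EDI) are an assumption, not from the original page.

```bash
#!/usr/bin/env sh
# Example verification helper for https://mifos.d-bis.org (added here, not a project script).

HOST="mifos.d-bis.org"

# First HTTP status code in a header block, e.g. "HTTP/2 530" -> 530 (CRLF tolerated).
http_status() {
  printf '%s\n' "$1" | awk 'toupper($1) ~ /^HTTP\// { sub(/\r$/, "", $2); print $2; exit }'
}

# Colo code from the cf-ray header: "cf-ray: 9abc0123def45678-LHR" -> LHR; empty if absent.
cf_colo() {
  printf '%s\n' "$1" | awk -F': *' 'tolower($1) == "cf-ray" { sub(/\r$/, "", $2); n = split($2, a, "-"); print a[n]; exit }'
}

# Operator-facing verdict for a header block (printed on stdout).
verdict() {
  status=$(http_status "$1")
  colo=$(cf_colo "$1")
  case "$status" in
    530)
      echo "530: tunnel cannot reach origin; run ./scripts/verify/verify-mifos-tunnel-530.sh" ;;
    2??|3??)
      # Assumed UK colo codes: LHR (London), MAN (Manchester), EDI (Edinburgh).
      case "$colo" in
        LHR|MAN|EDI) echo "ok: served via UK colo $colo" ;;
        *)           echo "ok: served via colo ${colo:-unknown} (not a UK colo)" ;;
      esac ;;
    *)
      echo "unexpected status ${status:-none}" ;;
  esac
}

# Live check (needs network): fetch headers as in section 4, then classify.
check_mifos() {
  verdict "$(curl -sI "https://$HOST")"
}

# Constructed sample of what curl -I returns during a 530 (not real captured output).
SAMPLE_530=$(printf 'HTTP/2 530\r\ndate: Mon, 09 Feb 2026 10:00:00 GMT\r\ncf-ray: 9abc0123def45678-LHR\r\nserver: cloudflare\r\n')

verdict "$SAMPLE_530"
```

Run `check_mifos` from a shell that has sourced the script once the port forward or tunnel is in place.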