proxmox/docs/04-configuration/MIFOS_NPMPLUS_TUNNEL.md

# Mifos: Tunnel via NPMplus (Option — dedicated NPMplus for mifos.d-bis.org)
**Last Updated:** 2026-02-09
**Status:** Optional architecture
**Context:** Use a dedicated NPMplus VM (10237) as the tunnel origin; NPMplus proxies to VMID 5800 (Mifos). SSL and proxy managed in NPMplus UI (e.g. Let's Encrypt).
---
## Yes, we run NPMplus
Existing instances:
| VMID | Host | IP | Role / Public IP |
|-------|---------|----------------|----------------------|
| 10233 | r630-01 | 192.168.11.167 | Main NPMplus (76.53.10.36) |
| 10234 | r630-02 | 192.168.11.168 | Secondary |
| 10235 | r630-01 | 192.168.11.169 | Alltra/HYBX (76.53.10.42) |
| 10236 | r630-01 | 192.168.11.170 | Fourth dev/Codespaces (76.53.10.40) |
| **10237** | **r630-02** | **192.168.11.171** | **NPMplus Mifos** tunnel origin → 5800 |
---
## Flow: Tunnel → NPMplus (10237) → VMID 5800
1. **Cloudflare** terminates HTTPS for `mifos.d-bis.org` and sends traffic through the tunnel.
2. **Tunnel connector** runs either:
- **In 10237 (NPMplus Mifos):** cloudflared in 10237; Service = `https://127.0.0.1:443` or `https://192.168.11.171:443`.
- **In 5800 (current):** cloudflared in 5800; Service = `https://192.168.11.171:443` (origin = NPMplus).
3. **NPMplus (10237)** has a proxy host: **mifos.d-bis.org** → **http://192.168.11.85:80** (Mifos in 5800). SSL for mifos.d-bis.org can be Let's Encrypt in NPMplus.
4. **5800** serves Mifos on port 80 only; no Nginx/SSL on 5800 if you use this path. That port is then plain HTTP on the LAN, so restrict it (Proxmox or guest firewall) to connections from 192.168.11.171 only.
---
## 1. Create NPMplus Mifos container (10237)
From project root:
```bash
./scripts/npmplus/create-npmplus-mifos-container.sh
```
- **VMID:** 10237
- **Host:** r630-02 (192.168.11.12)
- **IP:** 192.168.11.171
- **Overrides:** `STORAGE_R630_02_NPMPLUS_MIFOS`, `TEMPLATE`
---
## 2. Install NPMplus in 10237
Inside 10237 (same pattern as other NPMplus containers):
- Install Docker, then Nginx Proxy Manager: `./scripts/npmplus/install-npmplus-mifos.sh`.
- **Credentials:** All five NPMplus instances use the **same** `NPM_EMAIL` and `NPM_PASSWORD` (in `.env`). Use them to log in at **https://192.168.11.171:81**. For a newly created instance, first log in with the auto-generated password (`ssh root@<host> 'pct exec 10237 -- cat /opt/.npm_pwd'`), then change the admin password in the UI to match `NPM_PASSWORD` so it stays in sync with the others. One shared admin credential means a leak from any instance is admin on all five, so keep port 81 reachable only from the management network and rotate `NPM_PASSWORD` on all instances at once.
- Add **Proxy Host:**
- **Domain:** `mifos.d-bis.org`
- **Forward hostname / IP:** `192.168.11.85`
- **Forward port:** `80`
- **SSL:** Request Let's Encrypt for `mifos.d-bis.org` (or use existing cert).
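Creating the proxy host through the NPM REST API instead of clicking through the UI makes step 2 repeatable across all five instances. The following is an added example written for this page, not one of the project's `scripts/npmplus/` scripts. It assumes NPMplus still exposes Nginx Proxy Manager's API on the admin port (`POST /api/tokens`, `GET`/`POST /api/nginx/proxy-hosts`, with the field names the NPM web UI itself sends), reads `NPM_EMAIL`/`NPM_PASSWORD` from the environment like the project's `.env`, and that the self-signed certificate on port 81 is either pinned through the hypothetical `NPM_CA_FILE` variable or explicitly skipped with `NPM_INSECURE=1`.

```python
"""Idempotently create the mifos.d-bis.org proxy host on NPMplus 10237 via the NPM API.

Added example for this page, not project code. Assumed: NPMplus keeps NPM's REST API
on :81; NPM_EMAIL/NPM_PASSWORD in the environment; NPM_CA_FILE / NPM_INSECURE are
names chosen for this example.
"""
import json
import os
import ssl
import urllib.request

DOMAIN = "mifos.d-bis.org"
NPM_ADMIN = "https://192.168.11.171:81"   # NPMplus Mifos (10237) admin UI/API
MIFOS_ORIGIN = ("192.168.11.85", 80)       # Mifos in 5800, plain HTTP


def proxy_host_payload(domain, forward_host, forward_port, le_email):
    """Body for POST /api/nginx/proxy-hosts: plain HTTP to the origin, a new
    Let's Encrypt cert for the public name, HTTPS forced at the proxy."""
    return {
        "domain_names": [domain],
        "forward_scheme": "http",
        "forward_host": forward_host,
        "forward_port": forward_port,
        "certificate_id": "new",            # "new" + meta below = request LE cert
        "ssl_forced": True,
        "hsts_enabled": True,
        "http2_support": True,
        "block_exploits": True,
        "allow_websocket_upgrade": True,
        "caching_enabled": False,
        "access_list_id": 0,
        "advanced_config": "",
        "locations": [],
        "meta": {"letsencrypt_agree": True, "letsencrypt_email": le_email,
                 "dns_challenge": False},
    }


def find_existing(hosts, domain):
    """Return the proxy host already serving `domain`, if any (idempotency check)."""
    for host in hosts:
        if domain in host.get("domain_names", []):
            return host
    return None


def _ssl_context():
    """Port 81 serves NPMplus's own self-signed cert: pin a CA file when given,
    otherwise demand an explicit opt-out instead of silently skipping verification."""
    cafile = os.environ.get("NPM_CA_FILE")          # assumed variable name
    if cafile:
        return ssl.create_default_context(cafile=cafile)
    if os.environ.get("NPM_INSECURE") == "1":        # assumed variable name
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise SystemExit("set NPM_CA_FILE (preferred) or NPM_INSECURE=1 for the :81 admin API")


def api(base, path, token=None, body=None):
    """Single JSON round-trip to the NPM API; POST when a body is given, else GET."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, context=_ssl_context(), timeout=30) as resp:
        return json.load(resp)


def ensure_proxy_host(base=NPM_ADMIN, domain=DOMAIN, origin=MIFOS_ORIGIN):
    """Log in, reuse an existing host for `domain`, otherwise create it."""
    email, password = os.environ["NPM_EMAIL"], os.environ["NPM_PASSWORD"]
    token = api(base, "/api/tokens", body={"identity": email, "secret": password})["token"]
    existing = find_existing(api(base, "/api/nginx/proxy-hosts", token), domain)
    if existing:
        return existing
    return api(base, "/api/nginx/proxy-hosts", token,
               proxy_host_payload(domain, origin[0], origin[1], email))


if __name__ == "__main__":
    host = ensure_proxy_host()
    print(f"proxy host id={host['id']} {DOMAIN} -> http://{host['forward_host']}:{host['forward_port']}")
```

Run it once per instance with `NPM_EMAIL`, `NPM_PASSWORD` and `NPM_CA_FILE` exported; rerunning is safe because an existing host for the domain is returned rather than duplicated.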
---
## 3. Point the tunnel at NPMplus
**Option A — Tunnel connector in 10237 (recommended for this design)**
- Install cloudflared in 10237 with the same tunnel token (or a dedicated tunnel for Mifos). With the same token, the connectors in 10237 and 5800 become replicas of one tunnel and share its routes, so `https://127.0.0.1:443` only reaches NPMplus from a connector running in 10237: stop the connector in 5800 or use the `192.168.11.171` form.
- **Zero Trust** → **Published application routes:**
- **Domain:** `mifos.d-bis.org`
- **Service:** `https://127.0.0.1:443` (NPMplus in same container) or `https://192.168.11.171:443`
- In the route's TLS settings, set **Origin Server Name** to `mifos.d-bis.org`: the Service URL names an IP (or `127.0.0.1`) while the Let's Encrypt certificate NPMplus serves only covers the hostname, so without it cloudflared's verification fails even though the cert is valid. Enable **No TLS Verify** only if NPMplus still presents its default self-signed certificate for the origin; if the proxy host has a Let's Encrypt cert for mifos.d-bis.org, leave verification on.
**Option B — Tunnel connector stays in 5800**
- **Published application routes:** Service = `https://192.168.11.171:443`.
- cloudflared in 5800 connects to NPMplus at 192.168.11.171:443; NPMplus proxies to 192.168.11.85:80.
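Before deciding between verified origin TLS and **No TLS Verify**, it helps to see exactly what the connector sees. This added example (not project code) performs the handshake the way cloudflared does with Origin Server Name set: connect to the IP from the Service URL, send `mifos.d-bis.org` as SNI, verify against the system CA store, and then report whether the Service URL's host itself is on the certificate (it never is for `127.0.0.1` or `192.168.11.171`, which is why Origin Server Name is required). The function names are mine; it applies to both Option A and Option B.

```python
"""Probe the tunnel origin (NPMplus 10237) the way cloudflared verifies it.

Added example for this page, not project code. Assumes the proxy host from
section 2 exists and NPMplus answers on 192.168.11.171:443.
"""
import socket
import ssl

ORIGIN_IP = "192.168.11.171"      # host in the tunnel Service URL
PUBLIC_NAME = "mifos.d-bis.org"   # name on the cert NPMplus serves (Origin Server Name)


def san_names(cert):
    """DNS subjectAltName entries from an ssl getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(names, hostname):
    """RFC 6125-style check: exact match, or one wildcard in the left-most label only."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def needs_origin_server_name(service_host, names):
    """True when the Service URL host (127.0.0.1 / 192.168.11.171) is not on the cert:
    cloudflared must then be told the expected name via Origin Server Name, or its
    verification fails even with a valid Let's Encrypt cert."""
    return not hostname_matches(names, service_host)


def origin_settings(sni, probe):
    """Tunnel origin settings implied by a probe result: verification stays on whenever
    the chain and name check out; No TLS Verify only for a self-signed/mismatched cert."""
    if probe["verified"]:
        return {"originServerName": sni, "noTLSVerify": False}
    return {"originServerName": sni, "noTLSVerify": True, "warning": probe["error"]}


def probe_origin(ip, sni, port=443):
    """TLS handshake to ip:port with SNI=sni, chain + hostname verified against system CAs."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((ip, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                return {"verified": True, "names": san_names(cert), "issuer": cert.get("issuer")}
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False, "error": exc.verify_message or str(exc)}


if __name__ == "__main__":
    result = probe_origin(ORIGIN_IP, PUBLIC_NAME)
    print("probe:", result)
    print("tunnel origin settings:", origin_settings(PUBLIC_NAME, result))
    if result["verified"]:
        print("Origin Server Name required:",
              needs_origin_server_name(ORIGIN_IP, result["names"]))
```

A `verified: False` result with `self-signed certificate` in the message means the proxy host has no Let's Encrypt cert yet (NPMplus is serving its default cert); fix that in NPMplus rather than turning verification off permanently.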
---
## 4. DNS
Unchanged: **mifos.d-bis.org** → **CNAME** `<tunnel-id>.cfargotunnel.com` (Proxied).
Script: `MIFOS_DNS_MODE=tunnel ./scripts/cloudflare/configure-mifos-dns.sh`
---
## 5. Summary
| Step | Action |
|------|--------|
| 1 | Create 10237: `./scripts/npmplus/create-npmplus-mifos-container.sh` |
| 2 | Install NPM in 10237 (Docker + NPM); add proxy mifos.d-bis.org → http://192.168.11.85:80; SSL in NPM (Let's Encrypt) |
| 3 | Install cloudflared in 10237 (or keep in 5800); set tunnel Service to https://192.168.11.171:443 (or https://127.0.0.1:443 if connector in 10237) |
| 4 | DNS: CNAME mifos → tunnel (already done if using tunnel) |
**Config:** `IP_NPMPLUS_MIFOS`, `NPMPLUS_MIFOS_VMID` in `config/ip-addresses.conf`; VMID 10237 → r630-02 in `scripts/lib/load-project-env.sh`.
**Credentials:** All five NPMplus instances (10233, 10234, 10235, 10236, 10237) use the same `NPM_EMAIL` and `NPM_PASSWORD` in `.env`.