docs/04-configuration/VMID2400_ENV_SECRETS_CHECKLIST.md

# VMID 2400 Cloudflare Tunnel - Environment Secrets Checklist

**Last Updated:** 2026-01-31  
**Document Version:** 1.0  
**Status:** Active Documentation

---

**Date**: 2025-01-23  
**Purpose**: Complete list of all secrets and environment variables needed for VMID 2400 ThirdWeb RPC Cloudflare tunnel setup

---

## Summary

This document lists all required secrets and environment variables for setting up the Cloudflare tunnel for VMID 2400 (ThirdWeb RPC node) on the `defi-oracle.io` domain.

---

## Required Secrets for Cloudflare Tunnel Setup

### 1. Cloudflare Tunnel Token 🔴 **CRITICAL**

**Variable Name**: `TUNNEL_TOKEN_VMID2400` (or pass directly to script)

**Description**: Token for the new Cloudflare tunnel to be created for VMID 2400

**Status**: ⚠️ **NEEDS TO BE CREATED**

**How to Obtain**:
1. Go to: https://one.dash.cloudflare.com/
2. Navigate to: **Zero Trust** → **Networks** → **Tunnels**
3. Click: **Create a tunnel**
4. Select: **Cloudflared**
5. Name: `thirdweb-rpc-2400`
6. Copy the token (starts with `eyJ...`)

**Format**:
```bash
TUNNEL_TOKEN_VMID2400="eyJhIjoi..."
```

**Usage**:
- Passed directly to script: `./scripts/setup-cloudflared-vmid2400.sh <TOKEN>`
- Or set in environment: `export TUNNEL_TOKEN_VMID2400="eyJ..."`

---

### 2. Cloudflare API Token (Optional - for automated DNS/tunnel config)

**Variable Name**: `CLOUDFLARE_API_TOKEN`

**Description**: API token for programmatic Cloudflare API access (to configure DNS records and tunnel routes automatically)

**Status**: ⚠️ **OPTIONAL** (can configure manually in dashboard)

**How to Obtain**:
1. Go to: https://dash.cloudflare.com/profile/api-tokens
2. Click: **Create Token**
3. Use **Edit zone DNS** template OR create custom token with:
   - **Zone** → **DNS** → **Edit**
   - **Account** → **Cloudflare Tunnel** → **Edit**
4. Copy the token

**Format**:
```bash
CLOUDFLARE_API_TOKEN="your-api-token-here"
```

**Alternative (Legacy)**:
```bash
CLOUDFLARE_EMAIL="your-email@example.com"
CLOUDFLARE_API_KEY="your-global-api-key"
```

**Usage**:
- For automated DNS record creation
- For automated tunnel route configuration
- Not strictly required - can be done manually in dashboard

---

### 3. Cloudflare Zone ID (Optional - auto-detected if not set)

**Variable Name**: `CLOUDFLARE_ZONE_ID_DEFI_ORACLE`

**Description**: Zone ID for `defi-oracle.io` domain (can be auto-detected if API token is provided)

**Status**: ⚠️ **OPTIONAL**

**How to Obtain**:
1. Go to Cloudflare Dashboard
2. Select domain: `defi-oracle.io`
3. Scroll down in Overview page - Zone ID is shown in right sidebar
4. Or use API: `curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/zones?name=defi-oracle.io`

**Format**:
```bash
CLOUDFLARE_ZONE_ID_DEFI_ORACLE="your-zone-id-here"
```

---

### 4. Cloudflare Account ID (Optional - auto-detected if not set)

**Variable Name**: `CLOUDFLARE_ACCOUNT_ID`

**Description**: Cloudflare Account ID (can be auto-detected if API token is provided)

**Status**: ⚠️ **OPTIONAL**

**How to Obtain**:
1. Go to Cloudflare Dashboard
2. Right sidebar shows Account ID
3. Or use API: `curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/accounts`

**Format**:
```bash
CLOUDFLARE_ACCOUNT_ID="your-account-id-here"
```

---

## Optional: ThirdWeb API Key (for chain configuration)

### 5. ThirdWeb API Key (Optional - for RPC URL configuration)

**Variable Name**: `THIRDWEB_API_KEY`

**Description**: API key for ThirdWeb RPC endpoints (used in chain configuration JSON)

**Status**: ⚠️ **OPTIONAL** (for RPC URL configuration in chainlist)

**How to Obtain**:
1. Go to: https://thirdweb.com
2. Sign up or log in
3. Navigate to Dashboard → Settings → API Keys
4. Generate API key

**Format**:
```bash
THIRDWEB_API_KEY="your-api-key-here"
```

**Usage**:
- Used in chain configuration: `pr-workspace/chains/_data/chains/eip155-138.json`
- URLs: `https://defi-oracle-meta.rpc.thirdweb.com/${THIRDWEB_API_KEY}`
- Not required for tunnel setup itself

---

## Complete .env File Template

### For VMID 2400 Tunnel Setup Only

**File**: `.env` (in project root: `/home/intlc/projects/proxmox/.env`)

```bash
# ============================================
# Cloudflare Configuration for VMID 2400
# ============================================

# Cloudflare Tunnel Token (REQUIRED for VMID 2400 setup)
# Get from: Zero Trust → Networks → Tunnels → Create tunnel
TUNNEL_TOKEN_VMID2400="eyJhIjoi..."

# Cloudflare API Token (OPTIONAL - for automated DNS/tunnel config)
# Get from: https://dash.cloudflare.com/profile/api-tokens
CLOUDFLARE_API_TOKEN="your-api-token-here"

# Cloudflare Zone ID for defi-oracle.io (OPTIONAL - auto-detected)
CLOUDFLARE_ZONE_ID_DEFI_ORACLE="your-zone-id-here"

# Cloudflare Account ID (OPTIONAL - auto-detected)
CLOUDFLARE_ACCOUNT_ID="your-account-id-here"

# Domain for VMID 2400
DOMAIN_DEFI_ORACLE="defi-oracle.io"

# ============================================
# ThirdWeb Configuration (OPTIONAL)
# ============================================

# ThirdWeb API Key (for RPC URL configuration)
THIRDWEB_API_KEY="your-api-key-here"

# ============================================
# Existing Cloudflare Config (if already present)
# ============================================

# Existing domain (d-bis.org)
DOMAIN="d-bis.org"
CLOUDFLARE_ZONE_ID="existing-zone-id"
CLOUDFLARE_ACCOUNT_ID="existing-account-id"

# Existing tunnel token (for pve2 tunnel)
TUNNEL_TOKEN="eyJhIjoi..."
```

---

## Minimum Required Secrets

For **basic tunnel setup** (manual DNS/tunnel config in dashboard), you only need:

1. ✅ **TUNNEL_TOKEN_VMID2400** - To install cloudflared service on VMID 2400

For **automated setup** (script configures DNS/tunnel routes), you need:

1. ✅ **TUNNEL_TOKEN_VMID2400** - To install cloudflared service
2. ✅ **CLOUDFLARE_API_TOKEN** - To configure DNS records and tunnel routes via API

---

## Step-by-Step Setup

### Option 1: Manual Setup (Minimum Secrets)

1. **Create Tunnel Token**:
   - Go to Cloudflare Dashboard → Zero Trust → Networks → Tunnels
   - Create tunnel: `thirdweb-rpc-2400`
   - Copy token

2. **Run Installation Script**:
   ```bash
   ./scripts/setup-cloudflared-vmid2400.sh <TUNNEL_TOKEN>
   ```

3. **Configure Manually in Dashboard**:
   - Configure tunnel route (rpc.public-0138.defi-oracle.io → http://127.0.0.1:8545)
   - Create DNS CNAME record (rpc.public-0138 → <tunnel-id>.cfargotunnel.com)

**Required**: Only `TUNNEL_TOKEN_VMID2400`

---

### Option 2: Automated Setup (More Secrets)

1. **Create Tunnel Token** (same as above)

2. **Get API Token**:
   - Go to: https://dash.cloudflare.com/profile/api-tokens
   - Create token with Zone DNS Edit and Tunnel Edit permissions

3. **Add to .env**:
   ```bash
   TUNNEL_TOKEN_VMID2400="eyJ..."
   CLOUDFLARE_API_TOKEN="your-token"
   DOMAIN_DEFI_ORACLE="defi-oracle.io"
   ```

4. **Run Scripts** (future automation scripts can use these)

**Required**: `TUNNEL_TOKEN_VMID2400` + `CLOUDFLARE_API_TOKEN`

---

## Security Notes

### File Permissions

```bash
# Ensure .env file has restrictive permissions
chmod 600 .env
```

### Gitignore

Ensure `.env` is in `.gitignore`:
```bash
echo ".env" >> .gitignore
```

### Secrets Management

- ✅ Never commit `.env` file to git
- ✅ Use `.env.example` for templates (without actual secrets)
- ✅ Rotate API tokens regularly
- ✅ Use different tokens for different purposes
- ✅ Keep tunnel tokens secure (they provide full tunnel access)

---

## Verification Checklist

After setup, verify:

- [ ] Tunnel token created and copied
- [ ] Cloudflared installed on VMID 2400
- [ ] Tunnel service running on VMID 2400
- [ ] Tunnel route configured in Cloudflare Dashboard
- [ ] DNS CNAME record created
- [ ] DNS record resolves correctly
- [ ] RPC endpoint accessible: `https://rpc.public-0138.defi-oracle.io`

---

## Quick Reference

| Secret | Required | How to Get | Used For |
|--------|----------|------------|----------|
| `TUNNEL_TOKEN_VMID2400` | ✅ YES | Zero Trust → Tunnels → Create | Install cloudflared service |
| `CLOUDFLARE_API_TOKEN` | ⚠️ Optional | Profile → API Tokens | Automated DNS/tunnel config |
| `CLOUDFLARE_ZONE_ID_DEFI_ORACLE` | ⚠️ Optional | Dashboard → Domain → Overview | Auto-detected if token provided |
| `CLOUDFLARE_ACCOUNT_ID` | ⚠️ Optional | Dashboard → Right sidebar | Auto-detected if token provided |
| `THIRDWEB_API_KEY` | ⚠️ Optional | ThirdWeb Dashboard → API Keys | Chain configuration JSON |

---

## Next Steps

1. ✅ **Create tunnel token** in Cloudflare Dashboard
2. ✅ **Run installation script** with token
3. ✅ **Configure tunnel route** (manual or automated)
4. ✅ **Create DNS record** (manual or automated)
5. ✅ **Verify setup** and test endpoint

---

**Last Updated**: 2025-01-23  
**Status**: ✅ **Documentation Complete** - Ready for Setup
Complete markdown files cleanup and organization - Organized 252 files across project - Root directory: 187 → 2 files (98.9% reduction) - Moved configuration guides to docs/04-configuration/ - Moved troubleshooting guides to docs/09-troubleshooting/ - Moved quick start guides to docs/01-getting-started/ - Moved reports to reports/ directory - Archived temporary files - Generated comprehensive reports and documentation - Created maintenance scripts and guides All files organized according to established standards. 2026-01-06 01:46:25 -08:00			`# VMID 2400 Cloudflare Tunnel - Environment Secrets Checklist`

docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates - ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-12 15:46:57 -08:00			`Last Updated: 2026-01-31`
			`Document Version: 1.0`
			`Status: Active Documentation`

			`---`

Complete markdown files cleanup and organization - Organized 252 files across project - Root directory: 187 → 2 files (98.9% reduction) - Moved configuration guides to docs/04-configuration/ - Moved troubleshooting guides to docs/09-troubleshooting/ - Moved quick start guides to docs/01-getting-started/ - Moved reports to reports/ directory - Archived temporary files - Generated comprehensive reports and documentation - Created maintenance scripts and guides All files organized according to established standards. 2026-01-06 01:46:25 -08:00			`Date: 2025-01-23`
			`Purpose: Complete list of all secrets and environment variables needed for VMID 2400 ThirdWeb RPC Cloudflare tunnel setup`

			`---`

			`## Summary`

			This document lists all required secrets and environment variables for setting up the Cloudflare tunnel for VMID 2400 (ThirdWeb RPC node) on the `defi-oracle.io` domain.

			`---`

			`## Required Secrets for Cloudflare Tunnel Setup`

			`### 1. Cloudflare Tunnel Token 🔴 CRITICAL`

			Variable Name: `TUNNEL_TOKEN_VMID2400` (or pass directly to script)

			`Description: Token for the new Cloudflare tunnel to be created for VMID 2400`

			`Status: ⚠️ NEEDS TO BE CREATED`

			`How to Obtain:`
			`1. Go to: https://one.dash.cloudflare.com/`
			`2. Navigate to: Zero Trust → Networks → Tunnels`
			`3. Click: Create a tunnel`
			`4. Select: Cloudflared`
			5. Name: `thirdweb-rpc-2400`
			6. Copy the token (starts with `eyJ...`)

			`Format:`
			```bash
			`TUNNEL_TOKEN_VMID2400="eyJhIjoi..."`
			```

			`Usage:`
			- Passed directly to script: `./scripts/setup-cloudflared-vmid2400.sh <TOKEN>`
			- Or set in environment: `export TUNNEL_TOKEN_VMID2400="eyJ..."`

			`---`

			`### 2. Cloudflare API Token (Optional - for automated DNS/tunnel config)`

			Variable Name: `CLOUDFLARE_API_TOKEN`

			`Description: API token for programmatic Cloudflare API access (to configure DNS records and tunnel routes automatically)`

			`Status: ⚠️ OPTIONAL (can configure manually in dashboard)`

			`How to Obtain:`
			`1. Go to: https://dash.cloudflare.com/profile/api-tokens`
			`2. Click: Create Token`
			`3. Use Edit zone DNS template OR create custom token with:`
			`- Zone → DNS → Edit`
			`- Account → Cloudflare Tunnel → Edit`
			`4. Copy the token`

			`Format:`
			```bash
			`CLOUDFLARE_API_TOKEN="your-api-token-here"`
			```

			`Alternative (Legacy):`
			```bash
			`CLOUDFLARE_EMAIL="your-email@example.com"`
			`CLOUDFLARE_API_KEY="your-global-api-key"`
			```

			`Usage:`
			`- For automated DNS record creation`
			`- For automated tunnel route configuration`
			`- Not strictly required - can be done manually in dashboard`

			`---`

			`### 3. Cloudflare Zone ID (Optional - auto-detected if not set)`

			Variable Name: `CLOUDFLARE_ZONE_ID_DEFI_ORACLE`

			Description: Zone ID for `defi-oracle.io` domain (can be auto-detected if API token is provided)

			`Status: ⚠️ OPTIONAL`

			`How to Obtain:`
			`1. Go to Cloudflare Dashboard`
			2. Select domain: `defi-oracle.io`
			`3. Scroll down in Overview page - Zone ID is shown in right sidebar`
			4. Or use API: `curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/zones?name=defi-oracle.io`

			`Format:`
			```bash
			`CLOUDFLARE_ZONE_ID_DEFI_ORACLE="your-zone-id-here"`
			```

			`---`

			`### 4. Cloudflare Account ID (Optional - auto-detected if not set)`

			Variable Name: `CLOUDFLARE_ACCOUNT_ID`

			`Description: Cloudflare Account ID (can be auto-detected if API token is provided)`

			`Status: ⚠️ OPTIONAL`

			`How to Obtain:`
			`1. Go to Cloudflare Dashboard`
			`2. Right sidebar shows Account ID`
			3. Or use API: `curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/accounts`

			`Format:`
			```bash
			`CLOUDFLARE_ACCOUNT_ID="your-account-id-here"`
			```

			`---`

			`## Optional: ThirdWeb API Key (for chain configuration)`

			`### 5. ThirdWeb API Key (Optional - for RPC URL configuration)`

			Variable Name: `THIRDWEB_API_KEY`

			`Description: API key for ThirdWeb RPC endpoints (used in chain configuration JSON)`

			`Status: ⚠️ OPTIONAL (for RPC URL configuration in chainlist)`

			`How to Obtain:`
			`1. Go to: https://thirdweb.com`
			`2. Sign up or log in`
			`3. Navigate to Dashboard → Settings → API Keys`
			`4. Generate API key`

			`Format:`
			```bash
			`THIRDWEB_API_KEY="your-api-key-here"`
			```

			`Usage:`
			- Used in chain configuration: `pr-workspace/chains/_data/chains/eip155-138.json`
			- URLs: `https://defi-oracle-meta.rpc.thirdweb.com/${THIRDWEB_API_KEY}`
			`- Not required for tunnel setup itself`

			`---`

			`## Complete .env File Template`

			`### For VMID 2400 Tunnel Setup Only`

			File: `.env` (in project root: `/home/intlc/projects/proxmox/.env`)

			```bash
			`# ============================================`
			`# Cloudflare Configuration for VMID 2400`
			`# ============================================`

			`# Cloudflare Tunnel Token (REQUIRED for VMID 2400 setup)`
			`# Get from: Zero Trust → Networks → Tunnels → Create tunnel`
			`TUNNEL_TOKEN_VMID2400="eyJhIjoi..."`

			`# Cloudflare API Token (OPTIONAL - for automated DNS/tunnel config)`
			`# Get from: https://dash.cloudflare.com/profile/api-tokens`
			`CLOUDFLARE_API_TOKEN="your-api-token-here"`

			`# Cloudflare Zone ID for defi-oracle.io (OPTIONAL - auto-detected)`
			`CLOUDFLARE_ZONE_ID_DEFI_ORACLE="your-zone-id-here"`

			`# Cloudflare Account ID (OPTIONAL - auto-detected)`
			`CLOUDFLARE_ACCOUNT_ID="your-account-id-here"`

			`# Domain for VMID 2400`
			`DOMAIN_DEFI_ORACLE="defi-oracle.io"`

			`# ============================================`
			`# ThirdWeb Configuration (OPTIONAL)`
			`# ============================================`

			`# ThirdWeb API Key (for RPC URL configuration)`
			`THIRDWEB_API_KEY="your-api-key-here"`

			`# ============================================`
			`# Existing Cloudflare Config (if already present)`
			`# ============================================`

			`# Existing domain (d-bis.org)`
			`DOMAIN="d-bis.org"`
			`CLOUDFLARE_ZONE_ID="existing-zone-id"`
			`CLOUDFLARE_ACCOUNT_ID="existing-account-id"`

			`# Existing tunnel token (for pve2 tunnel)`
			`TUNNEL_TOKEN="eyJhIjoi..."`
			```

			`---`

			`## Minimum Required Secrets`

			`For basic tunnel setup (manual DNS/tunnel config in dashboard), you only need:`

			`1. ✅ TUNNEL_TOKEN_VMID2400 - To install cloudflared service on VMID 2400`

			`For automated setup (script configures DNS/tunnel routes), you need:`

			`1. ✅ TUNNEL_TOKEN_VMID2400 - To install cloudflared service`
			`2. ✅ CLOUDFLARE_API_TOKEN - To configure DNS records and tunnel routes via API`

			`---`

			`## Step-by-Step Setup`

			`### Option 1: Manual Setup (Minimum Secrets)`

			`1. Create Tunnel Token:`
			`- Go to Cloudflare Dashboard → Zero Trust → Networks → Tunnels`
			- Create tunnel: `thirdweb-rpc-2400`
			`- Copy token`

			`2. Run Installation Script:`
			```bash
			`./scripts/setup-cloudflared-vmid2400.sh <TUNNEL_TOKEN>`
			```

			`3. Configure Manually in Dashboard:`
			`- Configure tunnel route (rpc.public-0138.defi-oracle.io → http://127.0.0.1:8545)`
			`- Create DNS CNAME record (rpc.public-0138 → <tunnel-id>.cfargotunnel.com)`

			Required: Only `TUNNEL_TOKEN_VMID2400`

			`---`

			`### Option 2: Automated Setup (More Secrets)`

			`1. Create Tunnel Token (same as above)`

			`2. Get API Token:`
			`- Go to: https://dash.cloudflare.com/profile/api-tokens`
			`- Create token with Zone DNS Edit and Tunnel Edit permissions`

			`3. Add to .env:`
			```bash
			`TUNNEL_TOKEN_VMID2400="eyJ..."`
			`CLOUDFLARE_API_TOKEN="your-token"`
			`DOMAIN_DEFI_ORACLE="defi-oracle.io"`
			```

			`4. Run Scripts (future automation scripts can use these)`

			Required: `TUNNEL_TOKEN_VMID2400` + `CLOUDFLARE_API_TOKEN`

			`---`

			`## Security Notes`

			`### File Permissions`

			```bash
			`# Ensure .env file has restrictive permissions`
			`chmod 600 .env`
			```

			`### Gitignore`

			Ensure `.env` is in `.gitignore`:
			```bash
			`echo ".env" >> .gitignore`
			```

			`### Secrets Management`

			- ✅ Never commit `.env` file to git
			- ✅ Use `.env.example` for templates (without actual secrets)
			`- ✅ Rotate API tokens regularly`
			`- ✅ Use different tokens for different purposes`
			`- ✅ Keep tunnel tokens secure (they provide full tunnel access)`

			`---`

			`## Verification Checklist`

			`After setup, verify:`

			`- [ ] Tunnel token created and copied`
			`- [ ] Cloudflared installed on VMID 2400`
			`- [ ] Tunnel service running on VMID 2400`
			`- [ ] Tunnel route configured in Cloudflare Dashboard`
			`- [ ] DNS CNAME record created`
			`- [ ] DNS record resolves correctly`
			- [ ] RPC endpoint accessible: `https://rpc.public-0138.defi-oracle.io`

			`---`

			`## Quick Reference`

			`\| Secret \| Required \| How to Get \| Used For \|`
			`\|--------\|----------\|------------\|----------\|`
			\| `TUNNEL_TOKEN_VMID2400` \| ✅ YES \| Zero Trust → Tunnels → Create \| Install cloudflared service \|
			\| `CLOUDFLARE_API_TOKEN` \| ⚠️ Optional \| Profile → API Tokens \| Automated DNS/tunnel config \|
			\| `CLOUDFLARE_ZONE_ID_DEFI_ORACLE` \| ⚠️ Optional \| Dashboard → Domain → Overview \| Auto-detected if token provided \|
			\| `CLOUDFLARE_ACCOUNT_ID` \| ⚠️ Optional \| Dashboard → Right sidebar \| Auto-detected if token provided \|
			\| `THIRDWEB_API_KEY` \| ⚠️ Optional \| ThirdWeb Dashboard → API Keys \| Chain configuration JSON \|

			`---`

			`## Next Steps`

			`1. ✅ Create tunnel token in Cloudflare Dashboard`
			`2. ✅ Run installation script with token`
			`3. ✅ Configure tunnel route (manual or automated)`
			`4. ✅ Create DNS record (manual or automated)`
			`5. ✅ Verify setup and test endpoint`

			`---`

			`Last Updated: 2025-01-23`
			`Status: ✅ Documentation Complete - Ready for Setup`