# Master Secrets Reference
**Single authoritative list of all secrets** used across the Proxmox workspace and related projects.
**No values are stored here.** Use the root `.env`, service-specific `.env` files, or a secrets store (e.g. Vault); see [.env.master.example](../../.env.master.example) for a single template of all keys.
**Last updated:** 2026-03-29
---
## How to use
- **Reference:** This file lists every secret **name**, **where it is used**, and whether it is **required or optional**.
- **Template:** Copy [.env.master.example](../../.env.master.example) to `.env` (root) or `.env.master` (local only), fill in the values, and never commit the result. Ensure `.env` and `.env.master` are in `.gitignore` (verify with `git check-ignore -v .env .env.master`).
- **Per-project:** Many secrets live in project-specific `.env` files (e.g. `smom-dbis-138/.env`, `dbis_core/.env`). The root `.env` is used by scripts in this repo; subprojects use their own `.env`.
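The steps above (copy the template, fill it in, keep it out of git) are easy to get half-right: a key left at its placeholder, a required key missing, or a signing secret shorter than the section 8 minimum all pass a casual glance. The following check is an added example, not a script from this repo; it assumes the caller supplies the set of required keys (taken from the "Required: Yes" rows of this reference) and that template placeholders look like `""`, `changeme`, `<your-token>`, `xxx` or `your-token-here`. The sample template and `.env` below are constructed for the example and contain no real values.

```python
"""Added example, not a script from this repo: check a local .env against .env.master.example.

Assumed conventions (not documented on this page):
- `required` is the set of keys this reference marks "Required: Yes", supplied by the caller.
- Values such as "", "changeme", "<your-token>", "xxx", "your-token-here" are template placeholders.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
QUOTED_RE = re.compile(r"""^(["'])(.*?)\1""")
PLACEHOLDER_RE = re.compile(r"^(|changeme|x{3,}|<[^>]*>|your[-_][\w-]+|replace[-_]?me|\.\.\.)$", re.I)
# Section 8 rule: JWT/session signing secrets must be at least 32 characters.
STRENGTH_KEY_RE = re.compile(r"^(JWT_.*SECRET|SESSION_SECRET)$")
MIN_SECRET_LEN = 32


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; quoted values are kept verbatim, unquoted ones lose a trailing ' # comment'."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        q = QUOTED_RE.match(val)
        values[key] = q.group(2) if q else val.split(" #", 1)[0].rstrip()
    return values


def is_placeholder(value: str) -> bool:
    return PLACEHOLDER_RE.match(value) is not None


def check_env(template_text: str, env_text: str, required: set[str]) -> dict[str, list[str]]:
    """Compare a filled .env against the template; returns sorted key lists per finding type."""
    template = parse_dotenv(template_text)
    env = parse_dotenv(env_text)
    return {
        # required keys absent from the local .env
        "missing": sorted(k for k in required if k not in env),
        # required keys present but still holding a template placeholder
        "unfilled": sorted(k for k in required if k in env and is_placeholder(env[k])),
        # signing secrets that are filled in but shorter than the 32-char minimum
        "weak": sorted(k for k, v in env.items()
                       if STRENGTH_KEY_RE.match(k) and not is_placeholder(v) and len(v) < MIN_SECRET_LEN),
        # keys in the local .env that the template does not list (template drift)
        "unknown": sorted(k for k in env if k not in template),
    }


def gitignore_covers(gitignore_text: str, path: str) -> bool:
    """Exact-pattern check only (no glob semantics): is `path` listed as-is or with a leading '/'?"""
    patterns = {ln.strip() for ln in gitignore_text.splitlines() if ln.strip() and not ln.strip().startswith("#")}
    return path in patterns or f"/{path}" in patterns


# Constructed sample inputs (not real values); main() reads the real files instead.
SAMPLE_TEMPLATE = """# Proxmox
PROXMOX_HOST=
PROXMOX_TOKEN_NAME=
PROXMOX_TOKEN_VALUE=
CLOUDFLARE_API_TOKEN=
JWT_SECRET=changeme
GITEA_TOKEN=
"""
SAMPLE_ENV = """PROXMOX_HOST=192.0.2.10
PROXMOX_TOKEN_NAME=automation@pve!ci
PROXMOX_TOKEN_VALUE=<your-token>
CLOUDFLARE_API_TOKEN="not-a-real-token-value" # scoped token
JWT_SECRET=tooshort
SLACK_WEBHOOK_URL=https://hooks.example.invalid/abc
"""
SAMPLE_REQUIRED = {"PROXMOX_HOST", "PROXMOX_TOKEN_NAME", "PROXMOX_TOKEN_VALUE",
                   "CLOUDFLARE_API_TOKEN", "JWT_SECRET", "GITEA_TOKEN"}


def main(argv: list[str]) -> int:
    """Usage: python check_env.py [.env.master.example] [.env]; exit 1 on any blocking finding."""
    template = Path(argv[1] if len(argv) > 1 else ".env.master.example").read_text()
    env = Path(argv[2] if len(argv) > 2 else ".env").read_text()
    findings = check_env(template, env, SAMPLE_REQUIRED)
    for kind, keys in findings.items():
        for k in keys:
            print(f"{kind}: {k}")
    return 1 if findings["missing"] or findings["unfilled"] or findings["weak"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample this reports `GITEA_TOKEN` as missing, `PROXMOX_TOKEN_VALUE` as unfilled, `JWT_SECRET` as weak and `SLACK_WEBHOOK_URL` as unknown (a hint that the template has drifted). `gitignore_covers` only recognises literal entries, so the authoritative test remains `git check-ignore -v .env .env.master`, which also resolves globs and nested `.gitignore` files.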
---
## 1. Proxmox & infrastructure
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `PROXMOX_ML110`, `PROXMOX_R630_01`, `PROXMOX_R630_02` | Root `.env`, config | Yes | Host IPs (not secret in themselves) |
| `PROXMOX_HOST`, `PROXMOX_PORT`, `PROXMOX_USER` | Root `.env`, scripts | Yes | API target |
| `PROXMOX_TOKEN_NAME`, `PROXMOX_TOKEN_VALUE` | Root `.env` | Yes (for API) | API token; preferred over per-host passwords |
| `PROXMOX_PASS_ML110`, `PROXMOX_PASS_R630_01`, `PROXMOX_PASS_R630_02` | Scripts (if no token) | If no token | SSH/API password fallback, one per host |
---
## 2. Cloudflare
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `CLOUDFLARE_API_TOKEN` | Root `.env` | Yes (preferred) | Scoped API token; prefer over the Global API Key |
| `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_KEY` | Root `.env` | If no token | Legacy Global API Key; it carries the full permissions of the account, so avoid it where a scoped token will do |
| `CLOUDFLARE_ZONE_ID`, `CLOUDFLARE_ZONE_ID_*` | Root `.env` | Yes | Per zone |
| `CLOUDFLARE_ACCOUNT_ID` | Root `.env` | Yes | Tunnels / account API |
| `CLOUDFLARE_TUNNEL_TOKEN` | Root `.env` | Yes (tunnels) | cloudflared |
| `CLOUDFLARE_TUNNEL_ID`, `CLOUDFLARE_TUNNEL_ID_*` | Root `.env` | If using tunnel DNS | Tunnel UUIDs |
| `CLOUDFLARE_ORIGIN_CA_KEY` | Root `.env` | Optional | Origin cert |
| `CLOUDFLARE_TURNSTILE_SECRET_KEY` | `dbis_core` API `.env` (or merged operator env / xotenv → API process) | Optional | **Turnstile widget secret**, not a DNS API credential. When set, enforces `cfTurnstileResponse` on `POST /api/v1/iru/marketplace/inquiries` (unless `IRU_MARKETPLACE_TURNSTILE_DISABLED=1`). Aliases: `TURNSTILE_SECRET_KEY`, `CF_TURNSTILE_SECRET_KEY`. |
| `VITE_CLOUDFLARE_TURNSTILE_SITE_KEY` | `dbis_core/frontend` build `.env` | Optional (required if the API secret is set) | Public Turnstile site key for the marketplace inquiry widget. See [SANKOFA_MARKETPLACE_SURFACES.md](../03-deployment/SANKOFA_MARKETPLACE_SURFACES.md). |
| `NEXT_PUBLIC_CLOUDFLARE_TURNSTILE_SITE_KEY` | `Sankofa/portal` Next.js build (`.env.local`) | Optional | Same Cloudflare Turnstile **site** key for the portal Sign In gate (home + partner unauthenticated). Rebuild the portal after changing it. |
---
## 3. NPM / NPMplus
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `NPM_URL`, `NPM_EMAIL`, `NPM_PASSWORD` | Root `.env` | Yes (NPM scripts) | All NPMplus instances |
| `NPM_HOST`, `NPM_VMID`, `NPMPLUS_HOST`, `NPMPLUS_VMID` | Root `.env` | Yes | Config |
| `NPM_URL_MIFOS`, `NPMPLUS_ALLTRA_HYBX_VMID`, `IP_NPMPLUS_ALLTRA_HYBX` | Root `.env` | Per setup | Optional |
---
## 4. DNS / TLS (ClouDNS, etc.)
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | Root `.env` | If Certbot ClouDNS | NPMplus TLS |
---
## 5. Network / UniFi / Omada
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `UNIFI_UDM_URL`, `UNIFI_API_KEY`, `UNIFI_SITE_ID` | Root `.env`, unifi-api | Yes (if automating) | UDM Pro API |
| `OMADA_API_KEY`, `OMADA_CLIENT_SECRET` | `omada-api/.env` | If using Omada | Omada Controller |
---
## 6. Gitea
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `GITEA_URL`, `GITEA_TOKEN` | Root `.env` | Yes (push/create repos) | `push-to-gitea.sh`, `push-all-projects-to-gitea.sh` |
| `GITEA_ORG` | Optional override for the Gitea scripts | No | Default `d-bis` |
---
## 7. Blockchain / SMOM-DBIS-138
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `PRIVATE_KEY` | `smom-dbis-138/.env` | Yes (deploy/bridge) | Deployer key; move to an HSM and never commit it |
| `RPC_URL_138`, `RPC_URL_138_PUBLIC` | Root / `smom-dbis-138` `.env`, config | Yes | Chain 138 RPC |
| `ETHEREUM_MAINNET_RPC`, `CHAIN_651940_RPC_URL`, etc. | `smom-dbis-138/.env` | Per use | Other chains |
| `ETHERSCAN_API_KEY` | Root, `smom-dbis-138` | Yes (verification) | Etherscan/Blockscan |
| Contract addresses (e.g. `CCIP_ROUTER`, `LINK_TOKEN`) | `smom-dbis-138/.env`, config | Yes | See `config/contract-addresses.conf` |
---
## 8. Database & app auth
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `DATABASE_URL` | Root, dbis_core, OMNIS, explorer, token-aggregation | Yes (per app) | PostgreSQL connection string (embeds the DB password, so treat it as a secret) |
| `JWT_SECRET`, `JWT_REFRESH_SECRET` | OMNIS/backend, explorer, dbis_core | Yes (per service) | Min 32 chars; generate randomly, use a distinct value per service and for access vs. refresh tokens |
| `SESSION_SECRET` | Explorer, OMNIS | If sessions | Session signing |
| `ADMIN_CENTRAL_API_KEY` | dbis_core, orchestration, token-aggregation | Yes (central API) | Service-to-service |
| `DBIS_CENTRAL_URL` | Callers of dbis_core | Yes | API base URL |
---
## 9. Storage (AWS / Azure)
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_S3_BUCKET` | Root, OMNIS, the-order | If S3 | Storage |
| `AZURE_STORAGE_CONNECTION_STRING`, `AZURE_STORAGE_CONTAINER` | Root, OMNIS | If Azure | Blob storage |
---
## 10. Third-party APIs (price, ramps, exchanges)
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `COINGECKO_API_KEY` | Root, token-aggregation, oracle | Recommended | Price feeds |
| `COINDESK_API_KEY` | Root | Optional | Market data |
| `MOONPAY_API_KEY`, `MOONPAY_SECRET_KEY` | Root, metamask-integration | Optional | On/off ramp |
| `RAMP_NETWORK_API_KEY`, `ONRAMPER_API_KEY` | Root, metamask-integration | Optional | Ramps |
| `CRYPTO_COM_API_KEY`, `CRYPTO_COM_API_SECRET` | dbis_core | If OTC | Exchange OTC |
| `BINANCE_API_KEY`, `BINANCE_API_SECRET` | dbis_core | Optional | Ticker/private |
| `KRAKEN_API_KEY`, `KRAKEN_PRIVATE_KEY` | dbis_core | Optional | Same |
| `OANDA_API_KEY`, `OANDA_ACCOUNT_ID` | dbis_core | Optional | Forex |
| `FXCM_API_TOKEN` | dbis_core | Optional | Forex |
| `ONEINCH_API_KEY`, `PARASWAP_API_KEY`, `ZEROX_API_KEY` | alltra-lifi-settlement | Optional | DeFi rate limits |
---
## 11. Frontend / MetaMask / Explorer
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `VITE_WALLETCONNECT_PROJECT_ID`, `VITE_THIRDWEB_CLIENT_ID` | `smom-dbis-138/frontend-dapp` | Yes (WalletConnect) | Reown/Thirdweb |
| `VITE_ETHERSCAN_API_KEY`, `VITE_SENTRY_DSN` | Frontends | Optional | Build-time |
| `NEXT_PUBLIC_*` | explorer-monorepo/frontend | Per feature | Next.js public env |
| `METAMASK_API_KEY`, `THIRDWEB_SECRET_KEY` | metamask-integration | If integrated | Backend |
---
## 12. Alerts & monitoring
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `SLACK_WEBHOOK_URL` | Root, dbis_core | Optional | Alerts |
| `PAGERDUTY_INTEGRATION_KEY` | Root, dbis_core | Optional | |
| `EMAIL_ALERT_API_URL` , `EMAIL_ALERT_RECIPIENTS` | Root, dbis_core | Optional | |
| `SENTRY_DSN` | Various | Optional | Error tracking |
---
## 13. Legal / e-signature / e-filing
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `E_SIGNATURE_BASE_URL` | Root, the-order/legal-documents | Optional | E-signature API |
| E-filing / court API keys | the-order/legal-documents | If enabled | Per integration |
---
## 14. Mifos / Fineract / OMNL
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `MIFOS_BASE_URL`, `MIFOS_TENANT`, `MIFOS_USER`, `MIFOS_PASSWORD` | Root `.env` | If central-bank scripts | Fineract API |
| `OMNL_FINERACT_BASE_URL`, `OMNL_FINERACT_TENANT`, `OMNL_FINERACT_USER`, `OMNL_FINERACT_PASSWORD` | Root `.env`, omnl-fineract | If OMNL | OMNL tenant |
---
## 15. Phoenix / Sankofa / OMNIS backend
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `SANKOFA_PHOENIX_API_URL`, `SANKOFA_PHOENIX_CLIENT_ID`, `SANKOFA_PHOENIX_CLIENT_SECRET`, `SANKOFA_PHOENIX_TENANT_ID` | OMNIS/backend | If Phoenix OAuth | OAuth client |
| Phoenix/Vault AppRole credentials | `.secure/` or Vault | If Phoenix deploy | Phoenix deploy API |
---
## 16. Tezos / Etherlink / Jumper
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `TEZOS_RELAY_ORACLE_KEY`, `ETHERLINK_RELAY_BRIDGE`, `ETHERLINK_RELAY_PRIVATE_KEY` | Root, smom-dbis-138 | If Tezos bridge | Relay |
| `JUMPER_API_KEY` | Root | Optional | Jumper bridge |
---
## 17. Fastly / other CDN
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `FASTLY_API_TOKEN` | Root `.env` | If using Fastly API | Purge/config |
---
## 18. Proxmox VE API subproject
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `MONGO_USER`, `MONGO_PASSWORD`, `MONGO_IP`, `MONGO_PORT`, `MONGO_DATABASE` | `ProxmoxVE/api/.env` | If MongoDB | ProxmoxVE API |
---
## Security
- **Never commit** `.env`, `.env.master`, or any file containing real secrets.
- **Private keys:** Prefer HSM/Vault; do not store them in the repo or in committed files.
- **Rotation:** Rotate API tokens and passwords periodically, and immediately on suspected exposure; document rotations in this repo.
- **Scopes:** Use least-privilege tokens (e.g. Gitea: `write:organization`, `write:repository`; Cloudflare: scoped API tokens rather than the Global API Key; Proxmox: API tokens with their own ACLs rather than user passwords).
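The first two rules above are the ones most often broken by accident: a `.env` gets staged along with a config change, or a deployer key is pasted into a script "just for now". The following pre-commit guard is an added example, not a hook from this repo. It assumes that any file whose basename starts with `.env` and does not end in `.example` is a local secrets file (so `.env`, `.env.master`, `dbis_core/.env` and `Sankofa/portal/.env.local` are blocked while the committed templates pass), and that placeholder values of the shape `<your-token>` or `changeme` are not secrets. The diff it scans is constructed for the example; the hex key is a repeated byte and the AWS access key id is the documented example id, neither is real.

```python
"""Added example, not a hook from this repo: a pre-commit guard for the rules in the Security section.

Assumptions (not documented on this page):
- Any file whose basename starts with ".env" and does not end in ".example" is a local secrets file.
- Placeholder values ("", "changeme", "<your-token>", "xxx", ...) are not secrets.
"""
from __future__ import annotations

import re
import subprocess
import sys

PLACEHOLDER_RE = re.compile(r"^(|changeme|x{3,}|<[^>]*>|your[-_][\w-]+|replace[-_]?me|\.\.\.)$", re.I)

# Named patterns for values that are secrets by shape, regardless of the variable name.
RULES = [
    # 32-byte hex EVM key, the shape of PRIVATE_KEY in section 7
    ("evm-private-key", re.compile(r"PRIVATE_KEY\s*=\s*[\"']?0x[0-9a-fA-F]{64}\b")),
    # AWS access key id (section 9)
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # a literal JWT pasted into a file
    ("jwt-literal", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+")),
]
# Any SECRET/TOKEN/PASSWORD/API_KEY/PRIVATE_KEY assignment with a long, non-placeholder value.
GENERIC_RE = re.compile(
    r"^\s*(?:export\s+)?[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE_KEY)\s*=\s*[\"']?([^\"'#\s]+)")
MIN_GENERIC_LEN = 16


def is_forbidden_path(path: str) -> bool:
    """True for .env, .env.master, dbis_core/.env, Sankofa/portal/.env.local; False for *.example templates."""
    name = path.rsplit("/", 1)[-1]
    return name.startswith(".env") and not name.endswith(".example")


def classify_line(text: str) -> str | None:
    """Return the name of the first rule the line trips, or None if it looks harmless."""
    for name, rx in RULES:
        if rx.search(text):
            return name
    m = GENERIC_RE.match(text)
    if m and len(m.group(1)) >= MIN_GENERIC_LEN and not PLACEHOLDER_RE.match(m.group(1)):
        return "generic-secret-assignment"
    return None


def scan_diff(diff_text: str) -> list[tuple[str, str, str]]:
    """Walk a unified diff and return (path, rule, line) for every added line that looks like a secret."""
    findings = []
    path = "?"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and not line.startswith("+++"):
            hit = classify_line(line[1:])
            if hit:
                findings.append((path, hit, line[1:]))
    return findings


def check_commit(paths: list[str], diff_text: str) -> list[str]:
    """Combine both checks into readable problems; an empty list means the commit may proceed."""
    problems = [f"forbidden file staged: {p}" for p in paths if is_forbidden_path(p)]
    problems += [f"{path}: {rule}: {line[:40]}..." for path, rule, line in scan_diff(diff_text)]
    return problems


# Constructed sample diff (no real values): one config file with leaked values, one harmless template.
SAMPLE_DIFF = (
    "diff --git a/config/app.conf b/config/app.conf\n"
    "--- a/config/app.conf\n+++ b/config/app.conf\n@@ -1,2 +1,5 @@\n"
    " LOG_LEVEL=info\n"
    f"+PRIVATE_KEY=0x{'ab' * 32}\n"
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "+NPM_PASSWORD=correct-horse-battery-staple-99\n"
    "+GITEA_TOKEN=\n"
    "diff --git a/.env.example b/.env.example\n"
    "--- a/.env.example\n+++ b/.env.example\n@@ -1 +1,2 @@\n"
    " GITEA_URL=\n"
    "+GITEA_TOKEN=<your-gitea-token>\n"
)
SAMPLE_PATHS = ["config/app.conf", ".env.example", "dbis_core/.env"]


def main() -> int:
    """Run as .git/hooks/pre-commit: exit 1 (blocking the commit) when anything is found."""
    staged = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR"],
                            capture_output=True, text=True, check=True).stdout.split()
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    problems = check_commit(staged, diff)
    print("\n".join(problems))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed input the guard flags the staged `dbis_core/.env`, the hex deployer key, the AWS key id and the long `NPM_PASSWORD` value, and lets the empty `GITEA_TOKEN=` and the `<your-gitea-token>` placeholder in `.env.example` through. The pattern list is deliberately short and tied to the secret types in this reference; for broad coverage of other token formats run a dedicated scanner such as gitleaks alongside it, and treat anything this hook catches as already exposed if it was ever pushed (rotate, do not just amend).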
---
## Related docs
- [.env.master.example](../../.env.master.example) — Single template with all keys (placeholders).
- [.env.example](../../.env.example) — Root `.env` template with comments.
- [MASTER_SECRETS_INVENTORY.md](MASTER_SECRETS_INVENTORY.md) — Detailed inventory and HSM migration plan.
- [REQUIRED_SECRETS_INVENTORY.md](REQUIRED_SECRETS_INVENTORY.md) — Required secrets checklist.
- [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md](REMAINING_ITEMS_DOTENV_AND_ACTIONS.md) — Where to store secrets and which scripts use them.