Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers.

- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains
- Omit embedded publish git dirs and empty placeholders from index

Made-with: Cursor
This commit is contained in:
defiQUG
2026-04-12 06:12:20 -07:00
parent 6fb6bd3993
commit dbd517b279
2935 changed files with 327972 additions and 5533 deletions


@@ -155,6 +155,33 @@ validate_canonical_https_redirect() {
return 0
}
ADVANCED_CONFIG_CLEAR_SENTINEL="__CLEAR_ADVANCED_CONFIG__"
default_advanced_config_for_domain() {
local domain="${1,,}"
case "$domain" in
explorer.d-bis.org|dbis-admin.d-bis.org|secure.d-bis.org|relay-mainnet-cw.d-bis.org|mim4u.org|www.mim4u.org|secure.mim4u.org|training.mim4u.org|rpc-ws-pub.d-bis.org|rpc-http-prv.d-bis.org|rpc-ws-prv.d-bis.org|rpc.public-0138.defi-oracle.io)
# NPMplus already synthesizes the shared security headers in hsts.conf. For
# these hosts we only keep a single referrer policy at the edge and avoid
# stacking a second CSP / XFO / XCTO / XXSS block from per-host advanced_config.
cat <<'EOF'
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
EOF
return 0
;;
sankofa.nexus|phoenix.sankofa.nexus|the-order.sankofa.nexus|dbis-api.d-bis.org|dbis-api-2.d-bis.org|studio.sankofa.nexus)
# These origins already emit their own CSP / referrer policy. Send an empty
# advanced_config on PUT so stale per-host header blocks are actively cleared.
# Studio now owns its / -> /studio/ redirect in the app layer, not at NPMplus.
printf '%s\n' "$ADVANCED_CONFIG_CLEAR_SENTINEL"
return 0
;;
esac
return 1
}
# Function to add proxy host (POST) when domain does not exist
# Optional 6th arg: canonical HTTPS apex for www-style hosts (sets advanced_config 301 → apex$request_uri)
add_proxy_host() {
@@ -165,11 +192,20 @@ add_proxy_host() {
local block_exploits=${5:-false}
local canonical_https="${6:-}"
local adv_line=""
local manage_adv="false"
if [ -n "$canonical_https" ] && ! validate_canonical_https_redirect "$canonical_https" "add_proxy_host($domain)"; then
return 1
fi
if [ -n "$canonical_https" ]; then
adv_line="return 301 ${canonical_https}\$request_uri;"
manage_adv="true"
elif adv_line="$(default_advanced_config_for_domain "$domain" 2>/dev/null)"; then
manage_adv="true"
if [ "$adv_line" = "$ADVANCED_CONFIG_CLEAR_SENTINEL" ]; then
adv_line=""
fi
else
adv_line=""
fi
local payload
payload=$(jq -n \
@@ -179,6 +215,7 @@ add_proxy_host() {
--argjson ws "$websocket" \
--argjson block_exploits "$([ "$block_exploits" = "true" ] && echo true || echo false)" \
--arg adv "$adv_line" \
--argjson manage_adv "$manage_adv" \
'{
domain_names: [$domain],
forward_scheme: "http",
@@ -188,7 +225,7 @@ add_proxy_host() {
block_exploits: $block_exploits,
certificate_id: null,
ssl_forced: false
} + (if $adv != "" then {advanced_config: $adv} else {} end)' 2>/dev/null)
} + (if $manage_adv then {advanced_config: $adv} else {} end)' 2>/dev/null)
if [ -z "$payload" ]; then
echo " ❌ Failed to build payload for $domain"
return 1
@@ -280,8 +317,17 @@ update_proxy_host() {
local be_json="false"
[ "$block_exploits" = "true" ] && be_json="true"
local adv_line=""
local manage_adv="false"
if [ -n "$canonical_https" ]; then
adv_line="return 301 ${canonical_https}\$request_uri;"
manage_adv="true"
elif adv_line="$(default_advanced_config_for_domain "$domain" 2>/dev/null)"; then
manage_adv="true"
if [ "$adv_line" = "$ADVANCED_CONFIG_CLEAR_SENTINEL" ]; then
adv_line=""
fi
else
adv_line=""
fi
UPDATE_PAYLOAD=$(jq -n \
--arg scheme "$scheme" \
@@ -290,13 +336,14 @@ update_proxy_host() {
--argjson websocket "$websocket" \
--argjson block_exploits "$be_json" \
--arg adv "$adv_line" \
--argjson manage_adv "$manage_adv" \
'{
forward_scheme: $scheme,
forward_host: $hostname,
forward_port: $port,
allow_websocket_upgrade: $websocket,
block_exploits: $block_exploits
} + (if $adv != "" then {advanced_config: $adv} else {} end)' 2>/dev/null || echo "")
} + (if $manage_adv then {advanced_config: $adv} else {} end)' 2>/dev/null || echo "")
UPDATE_RESPONSE=$(curl_npm -X PUT "$NPM_URL/api/nginx/proxy-hosts/$HOST_ID" \
-H "Authorization: Bearer $TOKEN" \
@@ -344,12 +391,27 @@ update_proxy_host "wss.tw-core.d-bis.org" "http://${RPC_THIRDWEB_ADMIN_CORE}:854
# Catch-all for foo.tw-core.d-bis.org → Besu HTTP JSON-RPC :8545 (exact rpc./wss. hosts above take precedence for nginx server_name)
update_proxy_host '*.tw-core.d-bis.org' "http://${RPC_THIRDWEB_ADMIN_CORE}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host '*.tw-core.d-bis.org' "${RPC_THIRDWEB_ADMIN_CORE}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
# RPC Core-2 (Nathan) is on the THIRD NPMplus (192.168.11.169) — use add-rpc-core-2-npmplus-proxy.sh and update-npmplus-alltra-hybx-proxy-hosts.sh
# ThirdWeb / public-0138 edge (VMID 2400 nginx HTTPS) — default IP must match ALL_VMIDS_ENDPOINTS if env is unset
# rpc.public-0138.defi-oracle.io — same Besu JSON-RPC as rpc-http-pub.d-bis.org (VMID 2201). historic: VM 2400 HTTPS edge caused 502 when nginx/tunnel drifted; HTTP upstream avoids HTTPS-to-HTTPS proxy issues for JSON-RPC POST.
RPC_THIRDWEB_PRIMARY="${RPC_THIRDWEB_PRIMARY:-192.168.11.240}"
update_proxy_host "rpc.public-0138.defi-oracle.io" "https://${RPC_THIRDWEB_PRIMARY}:443" true false && updated_count=$((updated_count + 1)) || { sleep 2; echo " ↪ Retry rpc.public-0138.defi-oracle.io after transient NPM/API error..."; update_proxy_host "rpc.public-0138.defi-oracle.io" "https://${RPC_THIRDWEB_PRIMARY}:443" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1)); }
update_proxy_host "rpc.public-0138.defi-oracle.io" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { sleep 2; echo " ↪ Retry rpc.public-0138.defi-oracle.io after transient NPM/API error..."; update_proxy_host "rpc.public-0138.defi-oracle.io" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1)); }
# rpc.defi-oracle.io / wss.defi-oracle.io → same backend as rpc-http-pub / rpc-ws-pub (VMID 2201)
update_proxy_host "rpc.defi-oracle.io" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.defi-oracle.io" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
update_proxy_host "wss.defi-oracle.io" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "wss.defi-oracle.io" "${RPC_PUBLIC_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
# info.defi-oracle.io — Chain 138 info hub SPA on dedicated web LXC (default VMID 2410 / IP_INFO_DEFI_ORACLE_WEB).
# This stays on the primary public edge so publication does not depend on a long-lived Cloudflare tunnel object.
INFO_DEFI_ORACLE_UPSTREAM_IP="${INFO_DEFI_ORACLE_UPSTREAM_IP:-${IP_INFO_DEFI_ORACLE_WEB:-192.168.11.218}}"
INFO_DEFI_ORACLE_UPSTREAM_PORT="${INFO_DEFI_ORACLE_UPSTREAM_PORT:-80}"
update_proxy_host "info.defi-oracle.io" "http://${INFO_DEFI_ORACLE_UPSTREAM_IP}:${INFO_DEFI_ORACLE_UPSTREAM_PORT}" false false && updated_count=$((updated_count + 1)) || { add_proxy_host "info.defi-oracle.io" "${INFO_DEFI_ORACLE_UPSTREAM_IP}" "${INFO_DEFI_ORACLE_UPSTREAM_PORT}" false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
update_proxy_host "www.info.defi-oracle.io" "http://${INFO_DEFI_ORACLE_UPSTREAM_IP}:${INFO_DEFI_ORACLE_UPSTREAM_PORT}" false false "https://info.defi-oracle.io" && updated_count=$((updated_count + 1)) || { add_proxy_host "www.info.defi-oracle.io" "${INFO_DEFI_ORACLE_UPSTREAM_IP}" "${INFO_DEFI_ORACLE_UPSTREAM_PORT}" false false "https://info.defi-oracle.io" && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
# Optional relay health publication for off-LAN monitors like Promod.
# Set CCIP_RELAY_MAINNET_CW_PUBLIC_HOST in .env to publish the mainnet-cw health
# endpoint through NPMplus without exposing a raw UDM Pro port-forward.
CCIP_RELAY_MAINNET_CW_PUBLIC_HOST="${CCIP_RELAY_MAINNET_CW_PUBLIC_HOST:-}"
CCIP_RELAY_MAINNET_CW_UPSTREAM_IP="${CCIP_RELAY_MAINNET_CW_UPSTREAM_IP:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
CCIP_RELAY_MAINNET_CW_UPSTREAM_PORT="${CCIP_RELAY_MAINNET_CW_UPSTREAM_PORT:-9863}"
if [ -n "$CCIP_RELAY_MAINNET_CW_PUBLIC_HOST" ]; then
update_proxy_host "$CCIP_RELAY_MAINNET_CW_PUBLIC_HOST" "http://${CCIP_RELAY_MAINNET_CW_UPSTREAM_IP}:${CCIP_RELAY_MAINNET_CW_UPSTREAM_PORT}" false false && updated_count=$((updated_count + 1)) || { add_proxy_host "$CCIP_RELAY_MAINNET_CW_PUBLIC_HOST" "${CCIP_RELAY_MAINNET_CW_UPSTREAM_IP}" "${CCIP_RELAY_MAINNET_CW_UPSTREAM_PORT}" false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
fi
# rpc.d-bis.org / rpc2.d-bis.org and WS variants → VMID 2201 (besu-rpc-public-1); add if missing to fix 405
update_proxy_host "rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.d-bis.org" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
update_proxy_host "rpc2.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc2.d-bis.org" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
@@ -379,6 +441,10 @@ done
update_proxy_host "data.d-bis.org" "http://${IP_DBIS_API:-192.168.11.155}:3000" false && updated_count=$((updated_count + 1)) || { add_proxy_host "data.d-bis.org" "${IP_DBIS_API:-192.168.11.155}" 3000 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
# DApp (VMID 5801) — frontend-dapp for Chain 138 bridge
update_proxy_host "dapp.d-bis.org" "http://${IP_DAPP_LXC:-192.168.11.58}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "dapp.d-bis.org" "${IP_DAPP_LXC:-192.168.11.58}" 80 false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
# Gitea (VMID 104 default) — aligns primary NPMplus with config/ip-addresses.conf GITEA_PUBLIC_UPSTREAM_*
GITEA_PUBLIC_UPSTREAM_HOST="${GITEA_PUBLIC_UPSTREAM_HOST:-${IP_GITEA_INFRA:-192.168.11.31}}"
GITEA_PUBLIC_UPSTREAM_PORT="${GITEA_PUBLIC_UPSTREAM_PORT:-80}"
update_proxy_host "gitea.d-bis.org" "http://${GITEA_PUBLIC_UPSTREAM_HOST}:${GITEA_PUBLIC_UPSTREAM_PORT}" false && updated_count=$((updated_count + 1)) || { add_proxy_host "gitea.d-bis.org" "${GITEA_PUBLIC_UPSTREAM_HOST}" "${GITEA_PUBLIC_UPSTREAM_PORT}" false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
# MIM4U - VMID 7810 (mim-web-1) @ ${IP_MIM_WEB:-192.168.11.37} - Web Frontend serves main site and proxies /api/* to 7811
update_proxy_host "mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "mim4u.org" "${IP_MIM_WEB:-192.168.11.37}" 80 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
update_proxy_host "www.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "www.mim4u.org" "${IP_MIM_WEB:-192.168.11.37}" 80 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
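Review bot: In update_proxy_host (hunk `@@ -280,8 +317,17 @@`), `canonical_https` is interpolated straight into `adv_line="return 301 ${canonical_https}\$request_uri;"`, whereas the parallel branch in add_proxy_host first runs `validate_canonical_https_redirect "$canonical_https" "add_proxy_host($domain)"` and returns 1 on failure. Unless that check already happens earlier in update_proxy_host (the function starts outside the hunk), the PUT path sends an unvalidated string into nginx advanced_config, where a stray `;` or newline becomes an additional directive. I would mirror the guard: `if [ -n "$canonical_https" ] && ! validate_canonical_https_redirect "$canonical_https" "update_proxy_host($domain)"; then return 1; fi` placed before the `if [ -n "$canonical_https" ]; then` line. Separately, the new `$manage_adv` switch in both jq payloads means hosts outside the case list in default_advanced_config_for_domain keep whatever advanced_config NPMplus already holds, just as the old `$adv != ""` form did; a one-line comment above `local manage_adv="false"` stating that only listed hosts and canonical redirects manage advanced_config would save the next reader from reading it as a missing clear.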