docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates

- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
defiQUG
2026-02-12 15:46:57 -08:00
parent cc8dcaf356
commit fbda1b4beb
5114 changed files with 498901 additions and 4567 deletions

.env.example Normal file

@@ -0,0 +1,304 @@
# ============================================================================
# Proxmox Workspace - Root Environment Variables
# ============================================================================
# Copy to .env in repo root and/or ~/.env (scripts use repo root .env when
# run from repo; setup.sh and load-env.sh use ~/.env for PROXMOX_*).
# DO NOT commit actual .env files to version control
# ============================================================================
# ----------------------------------------------------------------------------
# Proxmox Configuration
# ----------------------------------------------------------------------------
PROXMOX_ML110=192.168.11.10
PROXMOX_R630_01=192.168.11.11
PROXMOX_R630_02=192.168.11.12
PROXMOX_HOST=192.168.11.11
PROXMOX_PORT=8006
PROXMOX_USER=root@pam
PROXMOX_TOKEN_NAME=your-token-name
PROXMOX_TOKEN_VALUE=your-token-secret-value
PROXMOX_ALLOW_ELEVATED=false
# ----------------------------------------------------------------------------
# Cloudflare Configuration (both methods supported)
# ----------------------------------------------------------------------------
# Scripts (DNS, NPMplus, tunnel): use CLOUDFLARE_API_TOKEN first, else CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY.
# Certbot (dns-cloudflare): use ONE method per credentials file (token-only OR email+key-only).
# See: docs/04-configuration/CLOUDFLARE_CREDENTIALS_BOTH_METHODS.md
CLOUDFLARE_API_TOKEN=your-cloudflare-api-token
CLOUDFLARE_EMAIL=your-email@example.com
CLOUDFLARE_API_KEY=your-cloudflare-api-key
CLOUDFLARE_ZONE_ID_D_BIS_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_MIM4U_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=your-zone-id
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=your-zone-id
# Optional fallback for d-bis.org (create-dns-record-rpc-core, update-all-dns-to-public-ip)
# CLOUDFLARE_ZONE_ID=your-d-bis-org-zone-id
# Required for Chain 138 RPC DNS: rpc.defi-oracle.io, wss.defi-oracle.io, rpc.public-0138.defi-oracle.io
CLOUDFLARE_TUNNEL_TOKEN=your-tunnel-token
CLOUDFLARE_ORIGIN_CA_KEY=your-origin-ca-key
CLOUDFLARE_ACCOUNT_ID=your-account-id
# Tunnel ID for Option B RPC DNS (set-rpc-dns-to-tunnel.sh): from Zero Trust → Tunnels → tunnel UUID
# CLOUDFLARE_TUNNEL_ID=10ab22da-8ea3-4e2e-a896-27ece2211a05
# Alltra/HYBX tunnel (configure-alltra-hybx-tunnel-and-dns.sh)
# CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX=892bd3fe-c6fa-4ddf-8b60-a8ed2b849c3d
# Mifos on r630-02 (configure-mifos-dns.sh tunnel mode; install-tunnel-mifos-r630-02.sh)
# CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=your-tunnel-uuid
# CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02=your-tunnel-token
# Fineract API (central-bank-config scripts). Use full API path e.g. https://mifos.d-bis.org/fineract-provider/api/v1
# MIFOS_BASE_URL=https://mifos.d-bis.org/fineract-provider/api/v1
# MIFOS_TENANT=default
# MIFOS_USER=mifos
# MIFOS_PASSWORD=your-fineract-password
# MIFOS_INSECURE=0
# OMNL tenancy (https://omnl.hybxfinance.io/) same scripts, different vars if needed
# OMNL_FINERACT_BASE_URL=https://omnl.hybxfinance.io/fineract-provider/api/v1
# OMNL_FINERACT_TENANT=omnl
# OMNL_FINERACT_USER=app.omnl
# OMNL_FINERACT_PASSWORD=your-omnl-fineract-password
# Certbot dns_cloudflare (optional): in the file certbot reads, use ONE of:
# dns_cloudflare_email=your-email@example.com + dns_cloudflare_api_key=your-api-key
# OR dns_cloudflare_api_token=your-api-token
# ----------------------------------------------------------------------------
# ClouDNS (Certbot dns-cloudns) NPMplus Certbot DNS challenge
# ----------------------------------------------------------------------------
# For NPMplus TLS: Add TLS Certificate → DNS Challenge → ClouDNS → paste output of:
# ./scripts/certbot/print-cloudns-credentials-from-env.sh
# See: https://www.cloudns.net/api-settings/
CLOUDNS_AUTH_ID=1234
CLOUDNS_AUTH_PASSWORD=your-cloudns-api-password
# Optional: use sub-account (one of the two below, not both)
# CLOUDNS_SUB_AUTH_ID=1234
# CLOUDNS_SUB_AUTH_USER=foobar
# ----------------------------------------------------------------------------
# NPM (Nginx Proxy Manager) / NPMplus Configuration
# ----------------------------------------------------------------------------
# Required for: update-npmplus-proxy-hosts-api.sh, configure-npmplus-domains.js,
# scripts/fix-rpc-chain138-npmplus.sh (RPC ChainID 138 + Ledger)
# scripts/complete-chain138-rpc-setup.sh (full Chain 138 RPC from .env)
# See: docs/04-configuration/NEXT_STEPS_CHAIN138_RPC.md for complete .env → script mapping
# NPMplus (VMID 10233) is reachable on 192.168.11.167:81 (eth1). All five NPMplus instances (10233, 10234, 10235, 10236, 10237) use the same NPM_EMAIL and NPM_PASSWORD.
NPM_URL=https://192.168.11.167:81
NPM_EMAIL=admin@example.org
NPM_PASSWORD=your-npm-password
# NPM_HOST = NPMplus container IP (for split-DNS, LAN tests, verify-ws)
NPM_HOST=192.168.11.167
# NPM_PROXMOX_HOST / NPMPLUS_HOST = Proxmox host where NPMplus runs (SSH for pct exec, backup)
NPM_PROXMOX_HOST=192.168.11.11
NPMPLUS_HOST=192.168.11.11
NPM_VMID=10233
# NPMPLUS_VMID = same as NPM_VMID (used by list-npmplus-certificates-status, install-certbot-dns-cloudflare-in-npm, backup-npmplus, etc.)
NPMPLUS_VMID=10233
# NPMplus Mifos (VMID 10237, 192.168.11.171) — tunnel origin for mifos.d-bis.org → 5800. Same NPM_EMAIL/NPM_PASSWORD as above.
# NPM_URL_MIFOS=https://192.168.11.171:81
# NPMplus Alltra/HYBX (dedicated instance for Alltra + HYBX Sentries, RPC, Cacti, Firefly, Fabric, Indy)
# See: docs/04-configuration/NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md
NPMPLUS_ALLTRA_HYBX_VMID=10235
IP_NPMPLUS_ALLTRA_HYBX=192.168.11.169
# ----------------------------------------------------------------------------
# Fastly (edge CDN / origin)
# ----------------------------------------------------------------------------
# For Fastly API (purge, service config, health). See docs/05-network/CLOUDFLARE_ROUTING_MASTER.md
FASTLY_API_TOKEN=your-fastly-api-token
# ----------------------------------------------------------------------------
# Network Configuration
# ----------------------------------------------------------------------------
# PUBLIC_IP: used by update-all-dns-to-public-ip.sh for all Cloudflare A records (Chain 138 RPC)
PUBLIC_IP=76.53.10.36
PROXMOX_HOST_FOR_TEST=192.168.11.11
# ----------------------------------------------------------------------------
# UniFi (UDM Pro) API Official Network API (X-API-KEY)
# ----------------------------------------------------------------------------
# Used by: create-firewall-rules.sh, UNIFI_API_SETUP.md, unifi:cli
# Get API key: UniFi Network UI → Settings → System → API (or Developer / API Access)
UNIFI_UDM_URL=https://192.168.0.1
UNIFI_API_KEY=your-unifi-api-key
UNIFI_API_MODE=official
UNIFI_SITE_ID=default
UNIFI_VERIFY_SSL=false
# ----------------------------------------------------------------------------
# OMNIS Backend Configuration
# ----------------------------------------------------------------------------
# Database
DATABASE_URL=postgresql://user:password@localhost:5432/omnis
# JWT Authentication (REQUIRED - no defaults for security)
JWT_SECRET=your-strong-random-jwt-secret-min-32-chars
JWT_REFRESH_SECRET=your-strong-random-refresh-secret-min-32-chars
JWT_EXPIRES_IN=7d
JWT_REFRESH_EXPIRES_IN=30d
# File Storage
STORAGE_TYPE=local
STORAGE_PATH=./uploads
# AWS S3 (if using S3 storage)
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=your-aws-access-key
AWS_SECRET_ACCESS_KEY=your-aws-secret-key
AWS_S3_BUCKET=omnis-uploads
# Azure Blob Storage (if using Azure storage)
AZURE_STORAGE_CONNECTION_STRING=your-azure-connection-string
AZURE_STORAGE_CONTAINER=omnis-uploads
# ----------------------------------------------------------------------------
# The Order Configuration
# ----------------------------------------------------------------------------
# See the-order/packages/shared/src/env.ts for complete schema
# Database
# DATABASE_URL=postgresql://user:password@localhost:5432/theorder
# Storage
# STORAGE_TYPE=s3
# STORAGE_BUCKET=the-order-documents
# STORAGE_REGION=us-east-1
# AWS_ACCESS_KEY_ID=your-aws-key
# AWS_SECRET_ACCESS_KEY=your-aws-secret
# KMS
# KMS_TYPE=aws
# KMS_KEY_ID=your-kms-key-id
# KMS_REGION=us-east-1
# Authentication
# JWT_SECRET=your-jwt-secret-min-32-chars
# OIDC_ISSUER=https://your-oidc-issuer.com
# OIDC_CLIENT_ID=your-client-id
# OIDC_CLIENT_SECRET=your-client-secret
# ----------------------------------------------------------------------------
# dbis_core AS4 Settlement (optional - enables real API calls)
# ----------------------------------------------------------------------------
# SANCTIONS_API_URL=https://... # OFAC/EU/UN sanctions screening
# AML_SERVICE_URL=https://... # AML/CTF checks
# LEDGER_SERVICE_URL=https://... # Ledger balance queries for liquidity
# dbis_core IRU (optional)
# AWS_SES_REGION=us-east-1
# AWS_ACCESS_KEY_ID=...
# AWS_SECRET_ACCESS_KEY=...
# SANCTIONS_OFAC_API_URL=...
# SANCTIONS_EU_API_URL=...
# SANCTIONS_UN_API_URL=...
# ----------------------------------------------------------------------------
# Verification Scripts (scripts/verify/)
# ----------------------------------------------------------------------------
# See docs/04-configuration/VERIFICATION_GAPS_AND_TODOS.md
# FABRIC_CHAIN_ID=999 # Fabric chain ID for quote-service (when integrated)
# BRIDGE_REGISTRY_ADDRESS= # For bridge quote service
# ----------------------------------------------------------------------------
# SMOM-DBIS-138 Blockchain Configuration
# ----------------------------------------------------------------------------
# Deployment Account (MOVE TO HSM - DO NOT STORE IN FILES)
# PRIVATE_KEY=0x... # ⚠️ CRITICAL: Move to HSM/Key Vault immediately
# RPC Endpoints (see docs/04-configuration/RPC_ENDPOINTS_MASTER.md for Infura/Alchemy/public options)
ETHEREUM_MAINNET_RPC=https://eth.llamarpc.com
RPC_URL_138=https://rpc.d-bis.org
# Tezos / Etherlink / Jumper (see docs/07-ccip/TEZOS_NETWORK_CONFIG_ENV_MATRIX.md)
CHAIN_651940_RPC_URL=https://mainnet-rpc.alltra.global
ETHERLINK_RPC_URL=https://node.mainnet.etherlink.com
TEZOS_RPC_URL=https://api.tzkt.io
ETHERLINK_CCIP_SELECTOR=
TEZOS_BRIDGE_ENABLED=false
ETHERLINK_BRIDGE_ENABLED=false
TEZOS_RELAY_ORACLE_KEY=
ETHERLINK_RELAY_BRIDGE=
ETHERLINK_RELAY_PRIVATE_KEY=
JUMPER_API_KEY=
# Contract Verification (Etherscan / Blockscan — same key for both)
ETHERSCAN_API_KEY=your-etherscan-api-key
# Optional: Infura RPC/Gas — set ETHEREUM_MAINNET_RPC to https://mainnet.infura.io/v3/<PROJECT_ID>, INFURA_GAS_API, etc. in smom-dbis-138/.env
# External Integrations (see reports/API_KEYS_REQUIRED.md)
ONEINCH_API_KEY=
MOONPAY_API_KEY=
MOONPAY_SECRET_KEY=
RAMP_NETWORK_API_KEY=
ONRAMPER_API_KEY=
# ----------------------------------------------------------------------------
# Alerts & Monitoring (dbis_core alert.service)
# ----------------------------------------------------------------------------
# See: reports/API_KEYS_REQUIRED.md
SLACK_WEBHOOK_URL=
PAGERDUTY_INTEGRATION_KEY=
EMAIL_ALERT_API_URL=
EMAIL_ALERT_RECIPIENTS=
# ----------------------------------------------------------------------------
# Legal / E-Signature (the-order legal-documents)
# ----------------------------------------------------------------------------
E_SIGNATURE_BASE_URL=
# ----------------------------------------------------------------------------
# OTC (dbis_core)
# ----------------------------------------------------------------------------
CRYPTO_COM_API_KEY=
CRYPTO_COM_API_SECRET=
# ----------------------------------------------------------------------------
# Bridge (optional: LayerZero, Wormhole)
# ----------------------------------------------------------------------------
# LAYERZERO_*=
# WORMHOLE_*=
# ----------------------------------------------------------------------------
# Price Feed & Market Data APIs
# ----------------------------------------------------------------------------
# CoinGecko API Key (for Oracle Publisher and Token Aggregation services)
# Get free key at: https://www.coingecko.com/en/api/pricing
COINGECKO_API_KEY=your-coingecko-api-key
# CoinDesk API Key (price/market data)
COINDESK_API_KEY=your-coindesk-api-key
# ----------------------------------------------------------------------------
# Explorer Configuration
# ----------------------------------------------------------------------------
# See explorer-monorepo/deployment/ENVIRONMENT_TEMPLATE.env
# ----------------------------------------------------------------------------
# MetaMask Integration
# ----------------------------------------------------------------------------
# See metamask-integration/.env.example
# ----------------------------------------------------------------------------
# Gitea (Dev VM / d-bis org)
# ----------------------------------------------------------------------------
# For push-to-gitea.sh and gitea-create-orgs-and-repos.sh. Create token at:
# https://gitea.d-bis.org/user/settings/applications (scopes: write:organization, write:repository)
# GITEA_URL=https://gitea.d-bis.org
# GITEA_TOKEN=
# ----------------------------------------------------------------------------
# Security Notes
# ----------------------------------------------------------------------------
# 1. NEVER commit .env files to version control
# 2. Use strong, randomly generated secrets (min 32 characters for JWT)
# 3. Rotate secrets regularly
# 4. Use HSM/Key Vault for private keys (never store in files)
# 5. Limit access to .env files (chmod 600)
# 6. Use different secrets for development, staging, and production
# ----------------------------------------------------------------------------
# Environment-Specific Overrides
# ----------------------------------------------------------------------------
# For development: NODE_ENV=development
# For staging: NODE_ENV=staging
# For production: NODE_ENV=production
NODE_ENV=development
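Review bot: Several variable names are defined more than once in this single root template, which a root `.env` cannot represent: `DATABASE_URL` is set under "OMNIS Backend Configuration" and again (commented) under "The Order Configuration", `JWT_SECRET` appears in both of those sections, and `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` appear three times (OMNIS, The Order, dbis_core IRU). Uncommenting the second block silently overrides or is overridden by the first depending on the loader, so either prefix the per-app names (for example `ORDER_DATABASE_URL`) or state in the section headers that those blocks belong in each package's own `.env` rather than the repo root. Two smaller points in the same hunk: `UNIFI_VERIFY_SSL=false` ships as the active default for the UDM Pro API rather than a commented opt-out, so TLS verification is off for everyone who copies the template; and while the header warns not to commit real `.env` files, the template itself carries what read as live infrastructure identifiers (`PUBLIC_IP=76.53.10.36`, the two commented `CLOUDFLARE_TUNNEL_ID*` UUIDs, the 192.168.11.x host addresses and VMIDs) alongside `your-…` placeholders; consider replacing them with placeholders or noting explicitly that they are non-secret and intentionally published.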