# VMID 2400 Cloudflare Tunnel - Environment Secrets Checklist

**Last Updated:** 2026-01-31

**Document Version:** 1.0

**Status:** Active Documentation

---

**Date**: 2025-01-23

**Purpose**: Complete list of all secrets and environment variables needed for VMID 2400 ThirdWeb RPC Cloudflare tunnel setup

---

## Summary

This document lists all required secrets and environment variables for setting up the Cloudflare tunnel for VMID 2400 (ThirdWeb RPC node) on the `defi-oracle.io` domain.

---

## Required Secrets for Cloudflare Tunnel Setup

### 1. Cloudflare Tunnel Token 🔴 **CRITICAL**

**Variable Name**: `TUNNEL_TOKEN_VMID2400` (or pass directly to script)

**Description**: Token for the new Cloudflare tunnel to be created for VMID 2400

**Status**: ⚠️ **NEEDS TO BE CREATED**

**How to Obtain**:

1. Go to: https://one.dash.cloudflare.com/
2. Navigate to: **Zero Trust** → **Networks** → **Tunnels**
3. Click: **Create a tunnel**
4. Select: **Cloudflared**
5. Name: `thirdweb-rpc-2400`
6. Copy the token (starts with `eyJ...`)

**Format**:

```bash
TUNNEL_TOKEN_VMID2400="eyJhIjoi..."
```

**Usage**:

- Passed directly to script: `./scripts/setup-cloudflared-vmid2400.sh `
- Or set in environment: `export TUNNEL_TOKEN_VMID2400="eyJ..."`

---

### 2. Cloudflare API Token (Optional - for automated DNS/tunnel config)

**Variable Name**: `CLOUDFLARE_API_TOKEN`

**Description**: API token for programmatic Cloudflare API access (to configure DNS records and tunnel routes automatically)

**Status**: ⚠️ **OPTIONAL** (can configure manually in dashboard)

**How to Obtain**:

1. Go to: https://dash.cloudflare.com/profile/api-tokens
2. Click: **Create Token**
3. Use **Edit zone DNS** template OR create custom token with:
   - **Zone** → **DNS** → **Edit**
   - **Account** → **Cloudflare Tunnel** → **Edit**
4. Copy the token

**Format**:

```bash
CLOUDFLARE_API_TOKEN="your-api-token-here"
```

**Alternative (Legacy)**:

```bash
CLOUDFLARE_EMAIL="your-email@example.com"
CLOUDFLARE_API_KEY="your-global-api-key"
```

**Usage**:

- For automated DNS record creation
- For automated tunnel route configuration
- Not strictly required - can be done manually in dashboard

---

### 3. Cloudflare Zone ID (Optional - auto-detected if not set)

**Variable Name**: `CLOUDFLARE_ZONE_ID_DEFI_ORACLE`

**Description**: Zone ID for `defi-oracle.io` domain (can be auto-detected if API token is provided)

**Status**: ⚠️ **OPTIONAL**

**How to Obtain**:

1. Go to Cloudflare Dashboard
2. Select domain: `defi-oracle.io`
3. Scroll down in Overview page - Zone ID is shown in right sidebar
4. Or use API: `curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/zones?name=defi-oracle.io`

**Format**:

```bash
CLOUDFLARE_ZONE_ID_DEFI_ORACLE="your-zone-id-here"
```

---

### 4. Cloudflare Account ID (Optional - auto-detected if not set)

**Variable Name**: `CLOUDFLARE_ACCOUNT_ID`

**Description**: Cloudflare Account ID (can be auto-detected if API token is provided)

**Status**: ⚠️ **OPTIONAL**

**How to Obtain**:

1. Go to Cloudflare Dashboard
2. Right sidebar shows Account ID
3. Or use API: `curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/accounts`

**Format**:

```bash
CLOUDFLARE_ACCOUNT_ID="your-account-id-here"
```

---

## Optional: ThirdWeb API Key (for chain configuration)

### 5. ThirdWeb API Key (Optional - for RPC URL configuration)

**Variable Name**: `THIRDWEB_API_KEY`

**Description**: API key for ThirdWeb RPC endpoints (used in chain configuration JSON)

**Status**: ⚠️ **OPTIONAL** (for RPC URL configuration in chainlist)

**How to Obtain**:

1. Go to: https://thirdweb.com
2. Sign up or log in
3. Navigate to Dashboard → Settings → API Keys
4. Generate API key

**Format**:

```bash
THIRDWEB_API_KEY="your-api-key-here"
```

**Usage**:

- Used in chain configuration: `pr-workspace/chains/_data/chains/eip155-138.json`
- URLs: `https://defi-oracle-meta.rpc.thirdweb.com/${THIRDWEB_API_KEY}`
- Not required for tunnel setup itself

---

## Complete .env File Template

### For VMID 2400 Tunnel Setup Only

**File**: `.env` (in project root: `/home/intlc/projects/proxmox/.env`)

```bash
# ============================================
# Cloudflare Configuration for VMID 2400
# ============================================

# Cloudflare Tunnel Token (REQUIRED for VMID 2400 setup)
# Get from: Zero Trust → Networks → Tunnels → Create tunnel
TUNNEL_TOKEN_VMID2400="eyJhIjoi..."

# Cloudflare API Token (OPTIONAL - for automated DNS/tunnel config)
# Get from: https://dash.cloudflare.com/profile/api-tokens
CLOUDFLARE_API_TOKEN="your-api-token-here"

# Cloudflare Zone ID for defi-oracle.io (OPTIONAL - auto-detected)
CLOUDFLARE_ZONE_ID_DEFI_ORACLE="your-zone-id-here"

# Cloudflare Account ID (OPTIONAL - auto-detected)
CLOUDFLARE_ACCOUNT_ID="your-account-id-here"

# Domain for VMID 2400
DOMAIN_DEFI_ORACLE="defi-oracle.io"

# ============================================
# ThirdWeb Configuration (OPTIONAL)
# ============================================

# ThirdWeb API Key (for RPC URL configuration)
THIRDWEB_API_KEY="your-api-key-here"

# ============================================
# Existing Cloudflare Config (if already present)
# ============================================

# Existing domain (d-bis.org)
DOMAIN="d-bis.org"
CLOUDFLARE_ZONE_ID="existing-zone-id"
CLOUDFLARE_ACCOUNT_ID="existing-account-id"

# Existing tunnel token (for pve2 tunnel)
TUNNEL_TOKEN="eyJhIjoi..."
```

---

## Minimum Required Secrets

For **basic tunnel setup** (manual DNS/tunnel config in dashboard), you only need:

1. ✅ **TUNNEL_TOKEN_VMID2400** - To install cloudflared service on VMID 2400

For **automated setup** (script configures DNS/tunnel routes), you need:

1. ✅ **TUNNEL_TOKEN_VMID2400** - To install cloudflared service
2. ✅ **CLOUDFLARE_API_TOKEN** - To configure DNS records and tunnel routes via API

---

## Step-by-Step Setup

### Option 1: Manual Setup (Minimum Secrets)

1. **Create Tunnel Token**:
   - Go to Cloudflare Dashboard → Zero Trust → Networks → Tunnels
   - Create tunnel: `thirdweb-rpc-2400`
   - Copy token

2. **Run Installation Script**:

   ```bash
   ./scripts/setup-cloudflared-vmid2400.sh
   ```

3. **Configure Manually in Dashboard**:
   - Configure tunnel route (rpc.public-0138.defi-oracle.io → http://127.0.0.1:8545)
   - Create DNS CNAME record (rpc.public-0138 → .cfargotunnel.com)

**Required**: Only `TUNNEL_TOKEN_VMID2400`

---

### Option 2: Automated Setup (More Secrets)

1. **Create Tunnel Token** (same as above)

2. **Get API Token**:
   - Go to: https://dash.cloudflare.com/profile/api-tokens
   - Create token with Zone DNS Edit and Tunnel Edit permissions

3. **Add to .env**:

   ```bash
   TUNNEL_TOKEN_VMID2400="eyJ..."
   CLOUDFLARE_API_TOKEN="your-token"
   DOMAIN_DEFI_ORACLE="defi-oracle.io"
   ```

4. **Run Scripts** (future automation scripts can use these)

**Required**: `TUNNEL_TOKEN_VMID2400` + `CLOUDFLARE_API_TOKEN`

---

## Security Notes

### File Permissions

```bash
# Ensure .env file has restrictive permissions
chmod 600 .env
```

### Gitignore

Ensure `.env` is in `.gitignore`:

```bash
echo ".env" >> .gitignore
```

### Secrets Management

- ✅ Never commit `.env` file to git
- ✅ Use `.env.example` for templates (without actual secrets)
- ✅ Rotate API tokens regularly
- ✅ Use different tokens for different purposes
- ✅ Keep tunnel tokens secure (they provide full tunnel access)

---

## Verification Checklist

After setup, verify:

- [ ] Tunnel token created and copied
- [ ] Cloudflared installed on VMID 2400
- [ ] Tunnel service running on VMID 2400
- [ ] Tunnel route configured in Cloudflare Dashboard
- [ ] DNS CNAME record created
- [ ] DNS record resolves correctly
- [ ] RPC endpoint accessible: `https://rpc.public-0138.defi-oracle.io`

---

## Quick Reference

| Secret | Required | How to Get | Used For |
|--------|----------|------------|----------|
| `TUNNEL_TOKEN_VMID2400` | ✅ YES | Zero Trust → Tunnels → Create | Install cloudflared service |
| `CLOUDFLARE_API_TOKEN` | ⚠️ Optional | Profile → API Tokens | Automated DNS/tunnel config |
| `CLOUDFLARE_ZONE_ID_DEFI_ORACLE` | ⚠️ Optional | Dashboard → Domain → Overview | Auto-detected if token provided |
| `CLOUDFLARE_ACCOUNT_ID` | ⚠️ Optional | Dashboard → Right sidebar | Auto-detected if token provided |
| `THIRDWEB_API_KEY` | ⚠️ Optional | ThirdWeb Dashboard → API Keys | Chain configuration JSON |

---

## Next Steps

1. ✅ **Create tunnel token** in Cloudflare Dashboard
2. ✅ **Run installation script** with token
3. ✅ **Configure tunnel route** (manual or automated)
4. ✅ **Create DNS record** (manual or automated)
5. ✅ **Verify setup** and test endpoint

---

**Last Updated**: 2025-01-23

**Status**: ✅ **Documentation Complete** - Ready for Setup
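
---

A pre-flight check for the Security Notes and Minimum Required Secrets sections above, added here as an example (it is not one of the project's scripts). `audit_env`, `env_value` and `file_mode` are hypothetical helpers; they assume the page's conventions: `.env` at mode 600, a literal `.env` line in `.gitignore`, and a tunnel token that starts with `eyJ`.

```shell
#!/usr/bin/env bash
# Added example: audit the .env file before running the setup script.
# The file is read as text (never sourced) and secret values are never printed.

# Octal mode of a file: GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# env_value FILE KEY: last KEY="value" assignment in FILE (a later line
# overrides an earlier one, as with the duplicated CLOUDFLARE_ACCOUNT_ID).
env_value() {
  sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# audit_env DIR: return status is the number of failed checks (0 = ready).
# The body runs in a subshell, so variables stay local and exit sets the status.
audit_env() (
  dir="$1"; env="$dir/.env"; fails=0
  [ -f "$env" ] || { echo "FAIL: $env not found"; exit 1; }
  mode="$(file_mode "$env")"
  if [ "$mode" != "600" ]; then
    echo "FAIL: .env mode is $mode, expected 600"; fails=$((fails + 1))
  fi
  if ! grep -qxF '.env' "$dir/.gitignore" 2>/dev/null; then
    echo "FAIL: .env is not listed in .gitignore"; fails=$((fails + 1))
  fi
  token="$(env_value "$env" TUNNEL_TOKEN_VMID2400)"
  case "$token" in
    "")    echo "FAIL: TUNNEL_TOKEN_VMID2400 is not set"; fails=$((fails + 1)) ;;
    *...*) echo "FAIL: TUNNEL_TOKEN_VMID2400 is still the template placeholder"
           fails=$((fails + 1)) ;;
    eyJ*)  echo "OK: TUNNEL_TOKEN_VMID2400 present (${#token} chars, not shown)" ;;
    *)     echo "FAIL: TUNNEL_TOKEN_VMID2400 does not start with eyJ"
           fails=$((fails + 1)) ;;
  esac
  # Optional secrets: warn when the template text was never replaced.
  for var in CLOUDFLARE_API_TOKEN THIRDWEB_API_KEY; do
    case "$(env_value "$env" "$var")" in
      your-*-here) echo "WARN: $var is still the template placeholder" ;;
    esac
  done
  exit "$fails"
)

# Stand-alone use: pass the project root as the first argument.
if [ "$#" -gt 0 ]; then audit_env "$1"; fi
```

Run it against the project root before the installation script; a non-zero exit status is the count of failed checks.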