# Complete Deployment Guide - Direct Public IP Routing

**Last Updated:** 2026-01-31

**Document Version:** 1.0

**Status:** Active Documentation

---

**Date**: 2026-01-09

**Architecture**: Cloudflare DNS (DNS Only) → Public IP → ER605 NAT → Nginx → Backend Services

**Status**: ✅ All Scripts Ready

---

## Overview

This guide provides step-by-step instructions to deploy the complete direct public IP routing solution, replacing Cloudflare tunnels with stable NAT-based routing.

---

## Prerequisites

1. **Cloudflare Account Access**
   - API Token OR Email + API Key
   - Access to zones: sankofa.nexus, d-bis.org, mim4u.org, defi-oracle.io
2. **ER605 Router Access**
   - Omada Controller access OR direct ER605 GUI access
   - Ability to configure NAT rules
3. **Proxmox Access**
   - SSH access to Proxmox host (192.168.11.10)
   - Access to VMID 105 (Nginx)
4. **Public IP**
   - Single public IP: 76.53.10.35 (from Block #1)

---

## Quick Start (Automated)

### Option 1: Run Complete Deployment Script

```bash
cd /home/intlc/projects/proxmox
./scripts/deploy-complete-solution.sh
```

This script orchestrates all steps automatically.

### Option 2: Manual Step-by-Step

Follow the steps below for manual execution.
---

## Step-by-Step Deployment

### Step 1: Get Cloudflare Zone IDs

**Purpose**: Identify the Zone IDs needed for DNS updates

```bash
./scripts/get-cloudflare-zone-ids.sh
```

**Output**: Zone IDs for each domain

**Action**: Add the Zone IDs to the `.env` file:

```bash
CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=your-zone-id
CLOUDFLARE_ZONE_ID_D_BIS_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_MIM4U_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=your-zone-id
```

---

### Step 2: Update Cloudflare DNS Records

**Purpose**: Point all domains to the public IP (76.53.10.35) in DNS only mode

```bash
./scripts/update-all-dns-to-public-ip.sh
```

**What it does**:
- Updates 19 DNS records across 4 zones
- Sets all records to DNS only (gray cloud)
- Points all of them to 76.53.10.35

**Expected output**: Success indicators for each record

---

### Step 3: Verify DNS Resolution

**Purpose**: Confirm the DNS records are resolving correctly

```bash
./scripts/verify-dns-resolution.sh
```

**What it does**:
- Tests all 19 domains
- Verifies that they resolve to 76.53.10.35
- Reports any issues

**Note**: Wait 1-5 minutes after the DNS update for propagation

---

### Step 4: Configure ER605 NAT Rules

**Purpose**: Forward public IP traffic to Nginx

```bash
./scripts/configure-er605-nat-rules.sh
```

**Output**: NAT rule configuration details

**Action**: Manually configure the rules in the Omada Controller or the ER605 GUI:

#### Rule 1: HTTPS (All Services)

```
Rule Name: Web Services (All Domains)
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35
External Port: 443
Internal IP: 192.168.11.26
Internal Port: 443
Protocol: TCP
Source IP: 0.0.0.0/0
```

#### Rule 2: HTTP (Let's Encrypt)

```
Rule Name: HTTP (Let's Encrypt)
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35
External Port: 80
Internal IP: 192.168.11.26
Internal Port: 80
Protocol: TCP
Source IP: 0.0.0.0/0
```

**Also configure firewall rules**:
- Allow HTTPS (443) from WAN to 192.168.11.26
- Allow HTTP (80) from WAN to 192.168.11.26

---

### Step 5: Deploy Nginx Configuration

**Purpose**: Configure Nginx on VMID 105 to route all domains

```bash
./scripts/deploy-complete-nginx-config.sh
```

**What it does**:
- Creates the complete Nginx configuration
- Deploys it to VMID 105
- Tests the configuration
- Reloads Nginx

**Note**: Update the placeholder IPs for the Phoenix and The Order services

---

### Step 6: Obtain SSL Certificates

**Purpose**: Get Let's Encrypt certificates for all domains

```bash
# Set email for Let's Encrypt
export SSL_EMAIL=your-email@example.com
./scripts/obtain-all-ssl-certificates.sh
```

**What it does**:
- Installs certbot if needed
- Obtains certificates for all 19 domains
- Configures Nginx with the certificates

**Requirements**:
- DNS records must resolve to 76.53.10.35
- ER605 NAT rules must be configured
- Port 80 must be accessible from the internet

---

## Verification

### Test DNS Resolution

```bash
./scripts/verify-dns-resolution.sh
```

### Test RPC Endpoints

```bash
# Test RPC Public
curl -X POST https://rpc-http-pub.d-bis.org \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
# Expected: {"jsonrpc":"2.0","result":"0x8a","id":1}

# Test ThirdWeb RPC
curl -X POST https://rpc.public-0138.defi-oracle.io \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

### Test Web Services

```bash
# Test Sankofa
curl -I https://sankofa.nexus

# Test DBIS Secure Portal
curl -I https://secure.d-bis.org

# Test MIM4U
curl -I https://mim4u.org
```

---

## Troubleshooting

### DNS Not Resolving

**Symptoms**: `dig domain.com +short` returns nothing or the wrong IP

**Solutions**:
1. Wait 1-5 minutes for DNS propagation
2. Check the Cloudflare DNS dashboard and verify the records exist
3. Verify the Zone IDs in `.env` are correct
4. Check the DNS update script output for errors

### ER605 NAT Not Working

**Symptoms**: Services cannot be reached from the internet

**Solutions**:
1. Verify the NAT rules are enabled
2. Check that the firewall rules allow the traffic
3. Test from the internal network: `curl -I http://192.168.11.26`
4. Verify the public IP is correct (76.53.10.35)

### Nginx Not Routing Correctly

**Symptoms**: 502 Bad Gateway or the wrong service is served

**Solutions**:
1. Check the Nginx configuration: `pct exec 105 -- nginx -t`
2. Check the Nginx logs: `pct exec 105 -- tail -f /var/log/nginx/error.log`
3. Verify the backend services are running
4. Test a backend directly: `curl http://192.168.11.130:80`

### SSL Certificate Issues

**Symptoms**: Certificate errors or Let's Encrypt validation fails

**Solutions**:
1. Verify DNS resolves to 76.53.10.35
2. Verify port 80 is accessible (required for validation)
3. Check the ER605 NAT rule for port 80
4. Retry certificate acquisition: `./scripts/obtain-all-ssl-certificates.sh`

---

## Architecture Summary

```
Internet
    ↓
Cloudflare DNS (DNS Only - Gray Cloud)
    ↓
76.53.10.35 (Single Public IP)
    ↓
ER605 NAT (Port 443 → 192.168.11.26:443)
    ↓
Nginx on VMID 105 (Hostname-based routing via SNI)
    ↓
Backend Services:
  - RPC Nodes (192.168.11.240, 250, 251, 252)
  - Explorer (192.168.11.140)
  - DBIS (192.168.11.130, 155, 156)
  - MIM4U (192.168.11.19)
  - Sankofa/Phoenix (10.160.0.10, 10.160.0.11)
```

---

## Complete Domain List

### All 19 Domains (Single IP: 76.53.10.35)

1. `sankofa.nexus` + `www.sankofa.nexus`
2. `phoenix.sankofa.nexus` + `www.phoenix.sankofa.nexus`
3. `the-order.sankofa.nexus`
4. `rpc.public-0138.defi-oracle.io`
5. `rpc-http-pub.d-bis.org`
6. `rpc-ws-pub.d-bis.org`
7. `rpc-http-prv.d-bis.org`
8. `rpc-ws-prv.d-bis.org`
9. `explorer.d-bis.org`
10. `dbis-admin.d-bis.org`
11. `dbis-api.d-bis.org`
12. `dbis-api-2.d-bis.org`
13. `secure.d-bis.org`
14. `mim4u.org` + `www.mim4u.org`
15. `secure.mim4u.org`
16. `training.mim4u.org`

---

## Scripts Created

1. **`update-all-dns-to-public-ip.sh`** - Updates Cloudflare DNS
2. **`get-cloudflare-zone-ids.sh`** - Gets Zone IDs
3. **`verify-dns-resolution.sh`** - Verifies DNS
4. **`configure-er605-nat-rules.sh`** - Generates NAT config
5. **`deploy-complete-nginx-config.sh`** - Deploys Nginx config
6. **`obtain-all-ssl-certificates.sh`** - Gets SSL certificates
7. **`deploy-complete-solution.sh`** - Orchestrates all steps

---

## Related Documentation

- DNS Update Script Guide: `docs/04-configuration/DNS_UPDATE_SCRIPT_GUIDE.md`
- ER605 Router Config: `docs/04-configuration/ER605_ROUTER_CONFIGURATION.md`
- Nginx Configurations: `docs/04-configuration/NGINX_CONFIGURATIONS_VMIDS_2400-2508.md`
- Network Architecture: `docs/02-architecture/NETWORK_ARCHITECTURE.md`

---

**Status**: ✅ **All Scripts Ready - Ready to Deploy**
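Steps 2 and 3 above rewrite the 19 records and then check that each name resolves to the public IP. The Python below is an example added to this guide, not one of the repository's scripts: it computes which Cloudflare A records drift from the desired state (wrong address, or proxy still on) and builds the `PATCH` calls for only those, so re-running it is safe, and it flags any host whose answers are not exactly 76.53.10.35, which is what a still-proxied (orange cloud) record looks like from outside. The zone id, record ids, API token and sample records are constructed placeholders.

```python
"""Idempotent Cloudflare DNS reconciliation for the direct-public-IP cutover.
Every managed A record must point at the public IP with the proxy turned off.
Example code added to this guide; it is not one of the repository scripts."""
import json
from urllib import request

PUBLIC_IP = "76.53.10.35"                       # single public IP from the guide
API = "https://api.cloudflare.com/client/v4"

def plan_dns_updates(zone_id, records, target_ip=PUBLIC_IP):
    """Return (method, url, body) tuples for records that drift from the desired
    state. `records` is the `result` list from GET /zones/{zone_id}/dns_records
    (a constructed sample in the test). Non-A records (TXT, MX, ...) are skipped."""
    changes = []
    for rec in records:
        if rec["type"] != "A":
            continue
        drift = rec["content"] != target_ip or rec.get("proxied", False)
        if not drift:
            continue                            # already correct and DNS-only (gray cloud)
        body = {"type": "A", "name": rec["name"], "content": target_ip,
                "proxied": False, "ttl": rec.get("ttl", 1)}   # ttl 1 = automatic
        url = f"{API}/zones/{zone_id}/dns_records/{rec['id']}"
        changes.append(("PATCH", url, body))
    return changes

def apply_change(token, method, url, body):
    """Send one planned change using a scoped API token (not called in the test)."""
    req = request.Request(url, data=json.dumps(body).encode(), method=method,
                          headers={"Authorization": f"Bearer {token}",
                                   "Content-Type": "application/json"})
    with request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["success"]

def verify_resolution(resolved, target_ip=PUBLIC_IP):
    """Given {hostname: [answers]} (e.g. parsed from `dig +short`), return the
    hosts that do not resolve to exactly the public IP. Cloudflare edge
    addresses here mean a record is still proxied; an empty list means no
    record. Either case would make the certbot step in Step 6 fail."""
    return sorted(h for h, answers in resolved.items() if answers != [target_ip])
```

Run `plan_dns_updates` against each of the four zones and review the returned list before calling `apply_change`, then run `verify_resolution` on fresh `dig` output before starting Step 6.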