# Mifos: Tunnel via NPMplus (Option — dedicated NPMplus for mifos.d-bis.org)

**Last Updated:** 2026-02-09  
**Status:** Optional architecture  
**Context:** Use a dedicated NPMplus VM (10237) as the tunnel origin; NPMplus proxies to VMID 5800 (Mifos). SSL and proxy managed in NPMplus UI (e.g. Let's Encrypt).

---

## Yes, we run NPMplus

Existing instances:

| VMID  | Host    | IP             | Role / Public        |
|-------|---------|----------------|----------------------|
| 10233 | r630-01 | 192.168.11.167 | Main NPMplus (76.53.10.36) |
| 10234 | r630-02 | 192.168.11.168 | Secondary |
| 10235 | r630-01 | 192.168.11.169 | Alltra/HYBX (76.53.10.42) |
| 10236 | r630-01 | 192.168.11.170 | Fourth – dev/Codespaces (76.53.10.40) |
| **10237** | **r630-02** | **192.168.11.171** | **NPMplus Mifos** – tunnel origin → 5800 |

---

## Flow: Tunnel → NPMplus (10237) → VMID 5800

1. **Cloudflare** terminates HTTPS for `mifos.d-bis.org` and sends traffic through the tunnel.
2. **Tunnel connector** runs either:
   - **In 10237 (NPMplus Mifos):** cloudflared in 10237; Service = `https://127.0.0.1:443` or `https://192.168.11.171:443`.
   - **In 5800 (current):** cloudflared in 5800; Service = `https://192.168.11.171:443` (origin = NPMplus).
3. **NPMplus (10237)** has a proxy host: **mifos.d-bis.org** → **http://192.168.11.85:80** (Mifos in 5800). SSL for mifos.d-bis.org can be Let's Encrypt in NPMplus.
4. **5800** serves Mifos on port 80 only; no Nginx/SSL on 5800 if you use this path.

---

## 1. Create NPMplus Mifos container (10237)

From project root:

```bash
./scripts/npmplus/create-npmplus-mifos-container.sh
```

- **VMID:** 10237
- **Host:** r630-02 (192.168.11.12)
- **IP:** 192.168.11.171
- **Overrides:** `STORAGE_R630_02_NPMPLUS_MIFOS`, `TEMPLATE`

---

## 2. Install NPMplus in 10237

Inside 10237 (same pattern as other NPMplus containers):

- Install Docker, then Nginx Proxy Manager: `./scripts/npmplus/install-npmplus-mifos.sh`.
- **Credentials:** All five NPMplus instances use the **same** `NPM_EMAIL` and `NPM_PASSWORD` (in `.env`). Use them to log in at **https://192.168.11.171:81**. For a newly created instance, first log in with the auto-generated password (`ssh root@ 'pct exec 10237 -- cat /opt/.npm_pwd'`), then change the admin password in the UI to match `NPM_PASSWORD` so it stays in sync with the others.
- Add **Proxy Host:**
  - **Domain:** `mifos.d-bis.org`
  - **Forward hostname / IP:** `192.168.11.85`
  - **Forward port:** `80`
  - **SSL:** Request Let's Encrypt for `mifos.d-bis.org` (or use existing cert).

---

## 3. Point the tunnel at NPMplus

**Option A — Tunnel connector in 10237 (recommended for this design)**

- Install cloudflared in 10237 with the same tunnel token (or a dedicated tunnel for Mifos).
- **Zero Trust** → **Published application routes:**
  - **Domain:** `mifos.d-bis.org`
  - **Service:** `https://127.0.0.1:443` (NPMplus in same container) or `https://192.168.11.171:443`
- Add **Origin configuration** → **No TLS Verify** only if NPMplus uses a self-signed cert for the origin; if NPM has Let's Encrypt for mifos.d-bis.org, verification can stay on.

**Option B — Tunnel connector stays in 5800**

- **Published application routes:** Service = `https://192.168.11.171:443`.
- cloudflared in 5800 connects to NPMplus at 192.168.11.171:443; NPMplus proxies to 192.168.11.85:80.

---

## 4. DNS

Unchanged: **mifos.d-bis.org** → **CNAME** to `.cfargotunnel.com` (Proxied).

Script: `MIFOS_DNS_MODE=tunnel ./scripts/cloudflare/configure-mifos-dns.sh`

---

## 5. Summary

| Step | Action |
|------|--------|
| 1 | Create 10237: `./scripts/npmplus/create-npmplus-mifos-container.sh` |
| 2 | Install NPM in 10237 (Docker + NPM); add proxy mifos.d-bis.org → http://192.168.11.85:80; SSL in NPM (Let's Encrypt) |
| 3 | Install cloudflared in 10237 (or keep in 5800); set tunnel Service to https://192.168.11.171:443 (or https://127.0.0.1:443 if connector in 10237) |
| 4 | DNS: CNAME mifos → tunnel (already done if using tunnel) |

**Config:** `IP_NPMPLUS_MIFOS`, `NPMPLUS_MIFOS_VMID` in `config/ip-addresses.conf`; VMID 10237 → r630-02 in `scripts/lib/load-project-env.sh`.

**Credentials:** All five NPMplus instances (10233, 10234, 10235, 10236, 10237) use the same `NPM_EMAIL` and `NPM_PASSWORD` in `.env`.
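
---

Added example (not part of the project's scripts): a check for the **No TLS Verify** decision in step 3. It connects to the NPMplus origin by IP, sends `mifos.d-bis.org` as SNI, and reports whether the certificate validates; the verdict names and the use of the local system trust store are assumptions of this example.

```python
import socket
import ssl

# Values from the page: NPMplus Mifos origin and the proxied hostname.
NPMPLUS_ORIGIN = ("192.168.11.171", 443)
SNI_NAME = "mifos.d-bis.org"

# OpenSSL X509 verify codes mapped to verdicts (verdict names are this example's own).
VERDICTS = {
    18: "untrusted-cert",  # self-signed leaf certificate
    19: "untrusted-cert",  # self-signed certificate in the chain
    20: "untrusted-cert",  # issuer not found in the local trust store
    21: "untrusted-cert",  # leaf signature cannot be verified
    10: "expired-cert",    # certificate has expired (renewal failed?)
    62: "wrong-cert",      # hostname mismatch: cert is not for SNI_NAME
}


def classify(exc):
    """Map a connection/TLS failure to what it implies for the tunnel origin."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return VERDICTS.get(getattr(exc, "verify_code", None), "verify-failed")
    if isinstance(exc, ssl.SSLError):
        return "tls-error"       # handshake failed before verification
    return "unreachable"         # refused, timed out, no route


def probe_origin(addr=NPMPLUS_ORIGIN, name=SNI_NAME, timeout=3.0):
    """Verify chain and hostname for `name` while connecting to the origin IP."""
    ctx = ssl.create_default_context()  # system CAs, hostname check enabled
    try:
        with socket.create_connection(addr, timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return "verified", tls.getpeercert().get("notAfter", "")
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc), str(exc)


if __name__ == "__main__":
    verdict, detail = probe_origin()
    print(f"{NPMPLUS_ORIGIN[0]}:{NPMPLUS_ORIGIN[1]} as {SNI_NAME}: {verdict} ({detail})")
```

Run it from the container that hosts cloudflared (10237 or 5800). `verified` matches the case where verification can stay on; `untrusted-cert` is the self-signed case the page describes, while `wrong-cert` or `expired-cert` point at the NPMplus proxy host or certificate rather than at the tunnel setting.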