proxmox/docs/04-configuration/PROXMOX_API_SECRETS_DOTENV.md
defiQUG bea1903ac9
Sync all local changes: docs, config, scripts, submodule refs, verification evidence
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-21 15:46:06 -08:00


# Proxmox API Secrets and Dotenv
**Purpose:** How Proxmox API tokens and related secrets are stored for automation (dotenv).

---
## Where secrets live
- **Repo root:** `/.env` — used by scripts run from the repo (validation, mcp-proxmox, maintenance). **Do not commit** (`.env` is in `.gitignore`).
- **Template:** `/.env.example` — placeholders only; copy to `.env` and fill, or run the token script below.
---
## Proxmox API token (for API automations)
Scripts that call the Proxmox REST API (e.g. `scripts/lib/proxmox-api.sh`, `scripts/validation/validate-config-files.sh`, mcp-proxmox) expect:
| Variable | Example | Description |
|----------|---------|-------------|
| `PROXMOX_HOST` | `192.168.11.11` | Proxmox host (primary; e.g. r630-01). |
| `PROXMOX_PORT` | `8006` | API port. |
| `PROXMOX_USER` | `root@pam` | User for the token. |
| `PROXMOX_TOKEN_NAME` | `proxmox-workspace-api` | Token ID (name). |
| `PROXMOX_TOKEN_VALUE` | `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` | Token secret (UUID). |

**Authorization header:** `PVEAPIToken=${PROXMOX_USER}!${PROXMOX_TOKEN_NAME}=${PROXMOX_TOKEN_VALUE}`

---
## Obtain token and store in .env
**Option A — Script (recommended):** From repo root, with SSH to the Proxmox host:
```bash
./scripts/proxmox/create-and-store-proxmox-api-token.sh
```
This creates a new API token on the host, parses the secret from the one-time output, and updates `/.env` with `PROXMOX_HOST`, `PROXMOX_USER`, `PROXMOX_TOKEN_NAME`, `PROXMOX_TOKEN_VALUE`. Use `--no-update-env` to only print the values.

**Option B — Manual:** In Proxmox UI: **Datacenter → Permissions → API Tokens → Add**. Create the token, copy the secret (it is shown only once), then set it in `.env`:
```bash
PROXMOX_HOST=192.168.11.11
PROXMOX_PORT=8006
PROXMOX_USER=root@pam
PROXMOX_TOKEN_NAME=your-token-name
PROXMOX_TOKEN_VALUE=<paste-secret-here>
```
---
## Other API secrets (dotenv)
Other automation secrets are also stored in the repo root `.env` (see `/.env.example`):
- **NPMplus:** `NPM_EMAIL`, `NPM_PASSWORD`, `NPM_URL`, etc.
- **Cloudflare:** `CLOUDFLARE_API_TOKEN` or `CLOUDFLARE_EMAIL` + `CLOUDFLARE_API_KEY`, zone IDs, tunnel tokens.
- **Gitea:** `GITEA_TOKEN`, `GITEA_URL`.
- **Fastly:** `FASTLY_API_TOKEN`.
- **CoinGecko / CMC:** `COINGECKO_API_KEY`, etc.

Keep `.env` out of version control and restrict access to the file (e.g. `chmod 600 .env`).

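
A pre-flight check for the rules above, as an added example that is not part of this repo's scripts: it confirms `.env` is mode 600, that the four token variables are set and the secret is UUID-shaped, and only then builds the `PVEAPIToken` header described earlier. The function names and the sample token value are assumptions made for illustration.

```bash
# Added example (not from the repo). Function names are hypothetical;
# variable names and the header format are the ones documented above.

# Read KEY from a dotenv file without sourcing it, so nothing in it executes.
dotenv_get() {  # usage: dotenv_get FILE KEY
  local line val
  line=$(grep -E "^$2=" "$1" | tail -n 1 | tr -d '\r')
  [ -n "$line" ] || return 1
  val=${line#*=}
  val=${val#\"}; val=${val%\"}   # strip optional double quotes
  printf '%s' "$val"
}

# Octal permission bits (GNU stat first, BSD stat as fallback).
env_file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Return 0 only if FILE is mode 600, has every required variable, and the
# token secret is UUID-shaped (the .env.example placeholder is rejected).
check_proxmox_env() {  # usage: check_proxmox_env FILE
  local f="$1" key rc=0
  local uuid='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  [ "$(env_file_mode "$f")" = "600" ] || { echo "$f: mode is not 600" >&2; rc=1; }
  for key in PROXMOX_HOST PROXMOX_USER PROXMOX_TOKEN_NAME PROXMOX_TOKEN_VALUE; do
    [ -n "$(dotenv_get "$f" "$key")" ] || { echo "$f: $key is unset" >&2; rc=1; }
  done
  dotenv_get "$f" PROXMOX_TOKEN_VALUE | grep -Eq "$uuid" \
    || { echo "$f: PROXMOX_TOKEN_VALUE is not a UUID" >&2; rc=1; }
  return "$rc"
}

# Print the Authorization header value, refusing to build it from a bad file.
pve_auth_header() {  # usage: pve_auth_header FILE
  check_proxmox_env "$1" || return 1
  printf 'PVEAPIToken=%s!%s=%s' "$(dotenv_get "$1" PROXMOX_USER)" \
    "$(dotenv_get "$1" PROXMOX_TOKEN_NAME)" "$(dotenv_get "$1" PROXMOX_TOKEN_VALUE)"
}

# Demo on a constructed .env (the token value is made up, not a real secret).
demo() {
  local f; f=$(mktemp)   # mktemp creates the file with mode 600
  printf '%s\n' 'PROXMOX_HOST=192.168.11.11' 'PROXMOX_USER=root@pam' \
    'PROXMOX_TOKEN_NAME=proxmox-workspace-api' \
    'PROXMOX_TOKEN_VALUE=0a1b2c3d-1111-2222-3333-0123456789ab' > "$f"
  pve_auth_header "$f"; echo; rm -f "$f"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```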
---
**Refs:** `.env.example` (root) | [SCRIPT_ENV_VARS_REFERENCE](../11-references/SCRIPT_ENV_VARS_REFERENCE.md) | [MASTER_SECRETS_INVENTORY](MASTER_SECRETS_INVENTORY.md)