proxmox/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md

# Complete VMID and Endpoints Reference

**Last Updated:** 2026-03-30  
**Document Version:** 1.2  
**Status:** Active Documentation — **Master (source of truth)** for VMID, IP, port, and domain mapping. See [MASTER_DOCUMENTATION_INDEX.md](../00-meta/MASTER_DOCUMENTATION_INDEX.md).

**Operational template (hosts, peering, deployment gates, JSON):** [../03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](../03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](../../config/proxmox-operational-template.json)

---

**Date**: 2026-01-20  
**Status**: Current Active Configuration (Verified)  
**Last Updated**: 2026-01-20  
**Verification Status**: ✅ Complete - All VMIDs verified across 3 hosts

---

## Quick Summary

- **Total VMIDs**: 50+ (excluding deprecated Cloudflared)
- **Running**: 45+
- **Stopped**: 5
- **Infrastructure Services**: 10
- **Blockchain Nodes**: 22 (Validators: 5, Sentries: 4, RPC: 13)
- **Application Services**: 22

---

## Infrastructure Services

### Proxmox Infrastructure (r630-01)

**Host note (verified 2026-03-30):** CTs **100–105** run on **r630-01** (`192.168.11.11`), not r630-02. Older notes may say r630-02; use `pct list` on each node to confirm if you move guests.

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 100 | 192.168.11.32 | proxmox-mail-gateway | ✅ Running | SMTP: 25, 587, 465 | **Proxmox Mail Proxy** / email gateway (LAN SMTP relay); **587/465 enabled** on Postfix (`master.cf` append 2026-03-30) |
| 101 | 192.168.11.33 | proxmox-datacenter-manager | ✅ Running | Web: 8006 | Datacenter management |
| 103 | 192.168.11.30 | omada | ✅ Running | Web: 8043 | Omada controller |
| 104 | 192.168.11.31 | gitea | ✅ Running | Web: 80, 443 | Git repository |
| 105 | 192.168.11.26 | nginxproxymanager | ✅ Running | Web: 80, 81, 443 | Nginx Proxy Manager (legacy) |
| 130 | 192.168.11.27 | monitoring-1 | ✅ Running | Web: 80, 443 | Monitoring services — **Proxmox node not re-verified 2026-03-30** (confirm with `pct list` if needed). |

**Proxmox Mail Proxy (VMID 100):** On Proxmox VE this CT is the **mail proxy / gateway** for the lab (`proxmox-mail-gateway`, `192.168.11.32`). **Postfix listens on 25, 587 (STARTTLS, `smtpd_tls_security_level=may`), and 465 (SMTPS wrapper)** for `192.168.11.0/24` without SMTP AUTH; the server cert is **self-signed** (`CN=proxmox-mail-gateway`, `/etc/pmg/pmg-api.pem`). Apps should set **`SMTP_TLS_REJECT_UNAUTHORIZED=false`** on LAN (see `dbis_core/.env.example`) or install a trust anchor. Plain **25** remains available for trusted networks. Public SaaS (SES, SendGrid) is optional if you prefer not to relay internally.

### NPMplus (r630-01 / r630-02)

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 10233 | 192.168.11.167 | npmplus | ✅ Running | Web: 80, 81, 443 | NPMplus reverse proxy |
| 10234 | 192.168.11.168 | npmplus-secondary | ✅ Running | Web: 80, 81, 443 | NPMplus secondary (HA); restarted 2026-02-03 |

**Note**: NPMplus primary is on VLAN 11 (192.168.11.167). Secondary NPMplus instance on r630-02 for HA configuration.

**Operational note (2026-03-26):** if `192.168.11.167:81` accepts TCP but hangs without returning HTTP, CT `10233` may be wedged even when networking looks healthy. Rebooting it from `r630-01` with `pct reboot 10233` restored the expected `301` on port `81` and unblocked the API updater.

---

## RPC Translator Supporting Services

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 106 | 192.168.11.110 | redis-rpc-translator | ✅ Running | Redis: 6379 | Distributed nonce management |
| 107 | 192.168.11.111 | web3signer-rpc-translator | ✅ Running | Web3Signer: 9000 | Transaction signing |
| 108 | 192.168.11.112 | vault-rpc-translator | ✅ Running | Vault: 8200 | Secrets management |

---

## Blockchain Nodes - Validators (ChainID 138)

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 1000 | 192.168.11.100 | besu-validator-1 | ✅ Running | P2P: 30303, Metrics: 9545 | Validator node 1 |
| 1001 | 192.168.11.101 | besu-validator-2 | ✅ Running | P2P: 30303, Metrics: 9545 | Validator node 2 |
| 1002 | 192.168.11.102 | besu-validator-3 | ✅ Running | P2P: 30303, Metrics: 9545 | Validator node 3 |
| 1003 | 192.168.11.103 | besu-validator-4 | ✅ Running | P2P: 30303, Metrics: 9545 | Validator node 4 |
| 1004 | 192.168.11.104 | besu-validator-5 | ✅ Running | P2P: 30303, Metrics: 9545 | Validator node 5 |

---

## Blockchain Nodes - Sentries (ChainID 138)

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 1500 | 192.168.11.150 | besu-sentry-1 | ✅ Running | P2P: 30303, Metrics: 9545 | Sentry node 1 |
| 1501 | 192.168.11.151 | besu-sentry-2 | ✅ Running | P2P: 30303, Metrics: 9545 | Sentry node 2 |
| 1502 | 192.168.11.152 | besu-sentry-3 | ✅ Running | P2P: 30303, Metrics: 9545 | Sentry node 3 |
| 1503 | 192.168.11.153 | besu-sentry-4 | ✅ Running | P2P: 30303, Metrics: 9545 | Sentry node 4 |
| 1504 | 192.168.11.154 | besu-sentry-ali | ✅ Running | P2P: 30303, Metrics: 9545 | Sentry node (Ali) |
| 1505 | 192.168.11.213 | besu-sentry-alltra-1 | ✅ Running | P2P: 30303, Metrics: 9545 | Sentry (Alltra 1) |
| 1506 | 192.168.11.214 | besu-sentry-alltra-2 | ✅ Running | P2P: 30303, Metrics: 9545 | Sentry (Alltra 2) |

**Note:** 1505-1506 moved from .170/.171 to .213/.214 (2026-02-01) to free CCIP Ops interim range.

---

## RPC Nodes - NEW VMID Structure (ChainID 138)

**Migration Status**: ✅ Complete (2026-01-18)

All RPC nodes have been migrated to a new VMID structure for better organization.

### Core RPC Nodes

| VMID | IP Address | Hostname | Status | Block | Peers | Endpoints | Purpose |
|------|------------|----------|--------|-------|-------|-----------|---------|
| 2101 | 192.168.11.211 | besu-rpc-core-1 | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Core RPC node |
| **2201** | **192.168.11.221** | besu-rpc-public-1 | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Public RPC node **(FIXED PERMANENT)** |
| 2301 | 192.168.11.232 | besu-rpc-private-1 | ⏸️ Stopped | - | - | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Private RPC node (startup error) |

### Named RPC Nodes (Ali/Luis/Putu)

| VMID | IP Address | Hostname | Status | Block | Peers | Endpoints | Purpose |
|------|------------|----------|--------|-------|-------|-----------|---------|
| 2303 | 192.168.11.233 | besu-rpc-ali-0x8a | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Ali RPC (0x8a identity) |
| 2304 | 192.168.11.234 | besu-rpc-ali-0x1 | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Ali RPC (0x1 identity) |
| 2305 | 192.168.11.235 | besu-rpc-luis-0x8a | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Luis RPC (0x8a identity) |
| 2306 | 192.168.11.236 | besu-rpc-luis-0x1 | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Luis RPC (0x1 identity) |
| 2307 | 192.168.11.237 | besu-rpc-putu-0x8a | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Putu RPC (0x8a identity) |
| 2308 | 192.168.11.238 | besu-rpc-putu-0x1 | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Putu RPC (0x1 identity) |

### ThirdWeb RPC Nodes

| VMID | IP Address | Hostname | Status | Block | Peers | Endpoints | Purpose |
|------|------------|----------|--------|-------|-------|-----------|---------|
| 2400 | 192.168.11.240 | thirdweb-rpc-1 | ✅ Running | 1,149,992 | 2 | **Nginx: 443**, Besu: 8545/8546, P2P: 30303, Metrics: 9545, Translator: 9645/9646 | ThirdWeb RPC with translator (primary) |
| 2401 | 192.168.11.241 | besu-rpc-thirdweb-0x8a-1 | ✅ Running | 1,149,992 | 2 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | ThirdWeb RPC instance 1 |
| 2402 | 192.168.11.242 | besu-rpc-thirdweb-0x8a-2 | ✅ Running | 1,149,992 | 2 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | ThirdWeb RPC instance 2 |
| 2403 | 192.168.11.243 | besu-rpc-thirdweb-0x8a-3 | ✅ Running | 600,172 | 0 | Besu: 8545/8546, P2P: 30303 | ThirdWeb RPC instance 3 (syncing) |

**Note**: VMID 2400 is the primary ThirdWeb RPC with Nginx and RPC Translator. VMID 2403 metrics disabled due to port conflict, node is syncing.

**Public Domain**: `rpc.public-0138.defi-oracle.io` → Routes to VMID 2400:443

---

## OLD RPC Nodes (Decommissioned)

**Status**: ✅ **DECOMMISSIONED** (2026-01-18)

The following VMIDs have been permanently removed:

| VMID | Old IP Address | Old Hostname | Status | Replaced By |
|------|----------------|--------------|--------|-------------|
| 2500 | 192.168.11.250 | besu-rpc-1 | 🗑️ Destroyed | VMID 2101 |
| 2501 | 192.168.11.251 | besu-rpc-2 | 🗑️ Destroyed | VMID 2201 |
| 2502 | 192.168.11.252 | besu-rpc-3 | 🗑️ Destroyed | VMID 2301 |
| 2503 | 192.168.11.253 | besu-rpc-ali-0x8a | 🗑️ Destroyed | VMID 2303 |
| 2504 | 192.168.11.254 | besu-rpc-ali-0x1 | 🗑️ Destroyed | VMID 2304 |
| 2505 | 192.168.11.201 | besu-rpc-luis-0x8a | 🗑️ Destroyed | VMID 2305 |
| 2506 | 192.168.11.202 | besu-rpc-luis-0x1 | 🗑️ Destroyed | VMID 2306 |
| 2507 | 192.168.11.203 | besu-rpc-putu-0x8a | 🗑️ Destroyed | VMID 2307 |
| 2508 | 192.168.11.204 | besu-rpc-putu-0x1 | 🗑️ Destroyed | VMID 2308 |

**Public Domains** (need updating to new IPs):
- `rpc-http-prv.d-bis.org` → Should route to new RPC nodes
- `rpc-ws-prv.d-bis.org` → Should route to new RPC nodes
- `rpc-http-pub.d-bis.org` → Should route to new RPC nodes
- `rpc-ws-pub.d-bis.org` → Should route to new RPC nodes
- `rpc.public-0138.defi-oracle.io` → Should route to 2401-2403

---

## Application Services

### Blockchain Explorer

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 5000 | 192.168.11.140 | blockscout-1 | ✅ Running | Web: 80, 443; API: 4000 | Blockchain explorer |

**Public Domain**: `explorer.d-bis.org` → Routes to VMID 5000:80 (nginx serves web UI, proxies /api/* to port 4000)

---

### Firefly

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 6200 | 192.168.11.35 | firefly-1 | ✅ Running | Web: 80, 443, API: 5000 | Firefly DLT platform |
| 6201 | 192.168.11.57 | firefly-ali-1 | ✅ Running | Web: 80, 443, API: 5000 | Firefly (Ali instance) |

**Note:** Firefly instances run on r630-02. VMID 6200 also on r630-02.

---

### DBIS RTGS first-slice sidecars

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 5802 | 192.168.11.89 | rtgs-scsm-1 | ✅ Running | App: 8080, Redis: 6379 | DBIS RTGS `mifos-fineract-sidecar` / SCSM |
| 5803 | 192.168.11.90 | rtgs-funds-1 | ✅ Running | App: 8080, Redis: 6379 | DBIS RTGS `server-funds-sidecar` |
| 5804 | 192.168.11.92 | rtgs-xau-1 | ✅ Running | App: 8080, Redis: 6379 | DBIS RTGS `off-ledger-2-on-ledger-sidecar` |

**Operational note (2026-03-28/29):**
- These three sidecars are deployed internally on `r630-02` and return local actuator health.
- They can reach the live Mifos / Fineract surface on VMID `5800` at the HTTP layer.
- Canonical authenticated RTGS flow is still pending final Fineract tenant/auth freeze, so these should currently be treated as `runtime deployed, functionally partial`.

---

### Hyperledger Fabric

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 6000 | 192.168.11.65 | fabric-1 | ✅ Running | Peer: 7051, Orderer: 7050 | Hyperledger Fabric network |

---

### Hyperledger Indy

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 6400 | 192.168.11.64 | indy-1 | ✅ Running | Indy: 9701-9708 | Hyperledger Indy network |

---

### Hyperledger Aries / AnonCreds

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 6500 | 192.168.11.88 | aries-1 | ✅ Running | ACA-Py DIDComm: 8030, Admin API: 8031 | Hyperledger Aries / AnonCreds agent runtime |

---

### Hyperledger Caliper

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 6600 | 192.168.11.93 | caliper-1 | ✅ Running | Local CLI workspace, outbound RPC to 192.168.11.211:8545 / 8546 | Hyperledger Caliper benchmark harness |

---

### DBIS Core Services

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 10100 | 192.168.11.105 | dbis-postgres-primary | ✅ Running | PostgreSQL: 5432 | Primary database |
| 10101 | 192.168.11.106 | dbis-postgres-replica-1 | ✅ Running | PostgreSQL: 5432 | Database replica |
| 10120 | 192.168.11.125 | dbis-redis | ✅ Running | Redis: 6379 | Cache layer |
| 10130 | 192.168.11.130 | dbis-frontend | ✅ Running | Web: 80, 443 | Admin + secure **web** shell (see canonical hostnames below) |
| 10150 | 192.168.11.155 | dbis-api-primary | ✅ Running | TCP **3000** | **Placeholder:** `python3 -m http.server 3000` (not dbis_core Node API). **Host:** r630-01. **SMTP template:** `/tmp/smtp.env.example` (via `pct push` / operator; copy into `/opt/dbis-core/.env` when the real API is deployed). |
| 10151 | 192.168.11.156 | dbis-api-secondary | ✅ Running | TCP **3000** | Same as 10150 (placeholder static server). |

**Canonical public hostnames (operator intent)**

| Hostname | Role | Typical NPM upstream (today) |
|----------|------|------------------------------|
| **d-bis.org** | Public institutional web | TBD — Gov Portals **DBIS** Next app or static export when cut over |
| **admin.d-bis.org** | Admin console | VMID **10130** `:80` |
| **secure.d-bis.org** | Member secure portal | VMID **10130** `:80` (path-based routing; see below) |
| **core.d-bis.org** | **DBIS Core** banking — **client** portal (`dbis_core`) | **TBD** — wire when UI/API for core banking clients is exposed (often **10150**/10151 or dedicated LXC) |

**Legacy:** `dbis-admin.d-bis.org` → same upstream as **admin.d-bis.org** if still in DNS.

**Public Domains (inventory)**:
- `admin.d-bis.org` → VMID 10130:80 (canonical admin)
- `dbis-admin.d-bis.org` → VMID 10130:80 (legacy alias, if configured)
- `secure.d-bis.org` → VMID 10130:80
- `dbis-api.d-bis.org` → NPM target VMID 10150:3000 (**currently static placeholder**, not production API)
- `dbis-api-2.d-bis.org` → NPM target VMID 10151:3000 (**placeholder**)

**No other LAN host** in this inventory currently exposes the compiled **dbis_core** integration API; `192.168.11.150` / `.151` from older deployment notes were **unreachable** from the operator LAN (2026-03-30). Deploy Node + systemd on 10150/10151 (or update NPM to a new upstream) when the API is ready.

---

### Miracles In Motion (MIM4U)

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 7810 | 192.168.11.37 | mim-web-1 | ✅ Running | Web: 80, 443 | MIM4U web frontend |
| 7811 | 192.168.11.36 | mim-api-1 | ✅ Running | Web: 80, 443, API: Various | MIM4U service (web + API) |

**Public Domains** (NPMplus config):
- `mim4u.org` → Routes to `http://192.168.11.37:80` (VMID 7810 mim-web-1)
- `www.mim4u.org` → Routes to `http://192.168.11.37:80` (VMID 7810; optional NPMplus redirect www → apex)
- `secure.mim4u.org` → Routes to `http://192.168.11.37:80` (VMID 7810)
- `training.mim4u.org` → Routes to `http://192.168.11.37:80` (VMID 7810)

**Note**: All MIM4U domains route to VMID 7810 (mim-web-1) at 192.168.11.37. nginx on 7810 proxies `/api/` to VMID 7811 (192.168.11.36:3001).

---

### Sankofa Phoenix Services

**Status**: ✅ **DEPLOYED AND OPERATIONAL** (2026-01-20)

**Verified Deployed Services:**

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 7800 | 192.168.11.50 | sankofa-api-1 | ✅ Running | GraphQL: 4000, Health: /health | Phoenix API (Cloud Platform Portal) |
| 7801 | 192.168.11.51 | sankofa-portal-1 | ✅ Running | Web: 3000 | Hybrid cloud **client portal** (`portal.sankofa.nexus` / `admin.sankofa.nexus` when NPM routes); not the long-term corporate apex app — see `IP_SANKOFA_PUBLIC_WEB` / `sync-sankofa-public-web-to-ct.sh` |
| 7802 | 192.168.11.52 | sankofa-keycloak-1 | ✅ Running | Keycloak: 8080, Admin: /admin | Identity and Access Management |
| 7803 | 192.168.11.53 | sankofa-postgres-1 | ✅ Running | PostgreSQL: 5432 | Database Service |
| 7804 | 192.168.11.54 | (Gov Portals dev) | ✅ Running | Web: 80 | Gov Portals — DBIS, ICCC, OMNL, XOM (*.xom-dev.phoenix.sankofa.nexus) |
| 7805 | 192.168.11.72 | sankofa-studio | — | API: 8000 | Sankofa Studio (FusionAI Creator) — studio.sankofa.nexus (IP .72; .55 = VMID 10230 order-vault) |
| 7806 | 192.168.11.63 | sankofa-public-web | ✅ Running | Web: 3000 | Corporate / marketing Next.js (Sankofa **repo root**); provision: `scripts/deployment/provision-sankofa-public-web-lxc-7806.sh`; deploy: `scripts/deployment/sync-sankofa-public-web-to-ct.sh`; NPM apex via **`IP_SANKOFA_PUBLIC_WEB`** (`.env` or override) |

**Public Domains** (NPMplus routing):
- `sankofa.nexus` / `www.sankofa.nexus` → **`IP_SANKOFA_PUBLIC_WEB`:`SANKOFA_PUBLIC_WEB_PORT** (typical: **7806** `192.168.11.63:3000` when `.env` sets `IP_SANKOFA_PUBLIC_WEB`; else defaults to portal **7801**); fleet script: `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`. **`www`** → **301** → apex `https://sankofa.nexus` (`$request_uri`). ✅
- `portal.sankofa.nexus` / `admin.sankofa.nexus` → **`IP_SANKOFA_CLIENT_SSO`:`SANKOFA_CLIENT_SSO_PORT** (typical: 7801 `:3000`). NextAuth / OIDC public URL: **`https://portal.sankofa.nexus`**. ✅ when NPM proxy rows exist (fleet script creates/updates them).
- `dash.sankofa.nexus` → Set **`IP_SANKOFA_DASH`** (+ `SANKOFA_DASH_PORT`) in `config/ip-addresses.conf` to enable upstream in the fleet script; IP allowlist at NPM is operator policy. 🔶 until dash app + env are set.
- `phoenix.sankofa.nexus` → Routes to `http://192.168.11.50:4000` (Phoenix API/VMID 7800) ✅
- `www.phoenix.sankofa.nexus` → Same upstream; **301** to **`https://phoenix.sankofa.nexus`**. ✅
- `the-order.sankofa.nexus` / `www.the-order.sankofa.nexus` → OSJ management portal (secure auth). App source: **the_order** at `~/projects/the_order`. NPMplus default upstream: **order-haproxy** `http://192.168.11.39:80` (VMID **10210**), which proxies to Sankofa portal `http://192.168.11.51:3000` (7801). Fallback: set `THE_ORDER_UPSTREAM_IP` / `THE_ORDER_UPSTREAM_PORT` to `.51` / `3000` if HAProxy is offline. **`www.the-order.sankofa.nexus`** → **301** **`https://the-order.sankofa.nexus`** (same as `www.sankofa` / `www.phoenix`).
- `studio.sankofa.nexus` → Routes to `http://192.168.11.72:8000` (Sankofa Studio / VMID 7805)

**Public verification evidence (2026-03-26):** `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` passed with `Failed: 0`; Sankofa root, Phoenix, Studio, and The Order returned `200`. See [verification_report.md](verification-evidence/e2e-verification-20260326_100057/verification_report.md).

**Service Details:**
- **Host:** r630-01 (192.168.11.11)
- **Network:** VLAN 11 (192.168.11.0/24)
- **Gateway:** 192.168.11.1
- **All services verified and operational**

**Note:** Sankofa services are deployed on VLAN 11 (192.168.11.x) as intended. All services are running and accessible.

---

### The Order — microservices (r630-01)

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 10030 | 192.168.11.40 | order-identity | ✅ Running | API | Identity |
| 10040 | 192.168.11.41 | order-intake | ✅ Running | API | Intake |
| 10050 | 192.168.11.49 | order-finance | ✅ Running | API | Finance |
| 10060 | 192.168.11.42 | order-dataroom | ✅ Running | Web: 80 | Dataroom |
| 10070 | **192.168.11.87** | order-legal | ✅ Running | API | Legal — **use `IP_ORDER_LEGAL` (.87); not .54** |
| 10080 | 192.168.11.43 | order-eresidency | ✅ Running | API | eResidency |
| 10090 | 192.168.11.36 | order-portal-public | ✅ Running | Web | Public portal |
| 10091 | 192.168.11.35 | order-portal-internal | ✅ Running | Web | Internal portal |
| 10092 | 192.168.11.94 | order-mcp-legal | ✅ Running | API | MCP legal — moved off `.37` on 2026-03-29 to avoid MIM4U ARP conflict |
| 10200 | 192.168.11.46 | order-prometheus | ✅ Running | 9090 | Metrics (`IP_ORDER_PROMETHEUS`; not Order Redis) |
| 10201 | 192.168.11.47 | order-grafana | ✅ Running | 3000 | Dashboards |
| 10202 | 192.168.11.48 | order-opensearch | ✅ Running | 9200 | Search |
| 10210 | 192.168.11.39 | order-haproxy | ✅ Running | 80 (HAProxy → portal :3000) | Edge for **the-order.sankofa.nexus**; HAProxy config via `config/haproxy/order-haproxy-10210.cfg.template` + `scripts/deployment/provision-order-haproxy-10210.sh` |

**Gov portals vs Order:** VMID **7804** alone uses **192.168.11.54** (`IP_GOV_PORTALS_DEV`). Order-legal must not use .54.

**MIM4U vs order-mcp-legal:** VMID **7810** alone uses **192.168.11.37** (`IP_MIM_WEB`). VMID **10092** now uses **192.168.11.94** (`IP_ORDER_MCP_LEGAL`) after the 2026-03-29 ARP conflict fix.

---

### Phoenix Vault Cluster (8640-8642)

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 8640 | 192.168.11.200 | vault-phoenix-1 | ✅ Running | Vault: 8200 | Phoenix Vault node 1 |
| 8641 | 192.168.11.215 | vault-phoenix-2 | ✅ Running | Vault: 8200 | Phoenix Vault node 2 |
| 8642 | 192.168.11.202 | vault-phoenix-3 | ✅ Running | Vault: 8200 | Phoenix Vault node 3 |

**Note:** 8641 moved from .201 to .215 (2026-02-01) to free CCIP Execute interim range. See [IP_CONFLICTS_CCIP_RANGE_RESOLVED_20260201.md](../../reports/status/IP_CONFLICTS_CCIP_RANGE_RESOLVED_20260201.md).

---

### Other Services

| VMID | IP Address | Hostname | Status | Endpoints | Purpose | Notes |
|------|------------|----------|--------|-----------|---------|-------|
| 5800 | 192.168.11.85 | (Mifos) | ✅ Running | Web: 80 | Mifos X + Fineract (OMNL) | LXC on r630-02; mifos.d-bis.org; see [MIFOS_R630_02_DEPLOYMENT.md](MIFOS_R630_02_DEPLOYMENT.md) |
| 5801 | 192.168.11.58 | dapp-smom | — | Web: 80 | DApp (frontend-dapp) for Chain 138 bridge | LXC; see [DAPP_LXC_DEPLOYMENT.md](../03-deployment/DAPP_LXC_DEPLOYMENT.md); NPMplus/tunnel dapp.d-bis.org |
| 10232 | 192.168.11.56 | CT10232 | ✅ Running | Various | Container service | ✅ **IP CONFLICT RESOLVED** |
| 10234 | 192.168.11.168 | npmplus-secondary | ⏸️ Stopped | Web: 80, 81, 443 | NPMplus secondary (HA) | On r630-02 |

---

### Oracle & Monitoring

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 3500 | 192.168.11.29 | oracle-publisher-1 | ✅ Running (verify on-chain) | Oracle: Various | **r630-02** `thin5`. Reprovisioned 2026-03-28 via `scripts/deployment/provision-oracle-publisher-lxc-3500.sh` (systemd `oracle-publisher`). If `updateAnswer` txs revert, set `PRIVATE_KEY` in `/opt/oracle-publisher/.env` to an EOA **authorized on the aggregator** (may differ from deployer). Metrics: `:8000/metrics`. |
| 3501 | 192.168.11.28 | ccip-monitor-1 | ✅ Running | Monitor: Various | CCIP monitoring; **migrated 2026-03-28** to **r630-02** `thin5` (`pvesh` … `/migrate --target-storage thin5`). |
| 5200 | 192.168.11.80 | cacti-1 | ✅ Running | Web: 80, 443 | Network monitoring (Cacti); **host r630-02** (migrated 2026-02-15) |

---

### Machine Learning Nodes

| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
|------|------------|----------|--------|-----------|---------|
| 3000 | 192.168.11.60 | ml110 | ✅ Running | ML Services: Various | ML node 1 |
| 3001 | 192.168.11.61 | ml110 | ✅ Running | ML Services: Various | ML node 2 |
| 3002 | 192.168.11.62 | ml110 | ✅ Running | ML Services: Various | ML node 3 |
| 3003 | 192.168.11.63 | ml110 | ✅ Running | ML Services: Various | ML node 4 |

---

## Port Reference

### Standard Besu Ports
- **8545**: HTTP JSON-RPC
- **8546**: WebSocket JSON-RPC
- **30303**: P2P networking (TCP/UDP)
- **9545**: Prometheus metrics

### Standard Application Ports
- **80**: HTTP
- **443**: HTTPS
- **3000**: Node.js API
- **5432**: PostgreSQL
- **6379**: Redis
- **9000**: Web3Signer
- **8200**: Vault

---

## Network Architecture

### Public Internet Access Flow

```
Internet
  ↓
Cloudflare (DNS + DDoS Protection)
  ↓
NPMplus (VMID 10233: 192.168.0.166:443)
  ↓
VM Nginx (443) → Backend Services
```

### Internal RPC Access

```
Internal Network (192.168.11.0/24)
  ↓
Direct to RPC Nodes:
  - VMID 2101: 192.168.11.211:8545 (HTTP) / 8546 (WS) - Core RPC
  - VMID 2201: 192.168.11.221:8545 (HTTP) / 8546 (WS) - Public RPC
  - VMID 2303: 192.168.11.233:8545 (HTTP) / 8546 (WS) - Ali 0x8a
  - VMID 2304: 192.168.11.234:8545 (HTTP) / 8546 (WS) - Ali 0x1
  - VMID 2305: 192.168.11.235:8545 (HTTP) / 8546 (WS) - Luis 0x8a
  - VMID 2306: 192.168.11.236:8545 (HTTP) / 8546 (WS) - Luis 0x1
  - VMID 2307: 192.168.11.237:8545 (HTTP) / 8546 (WS) - Putu 0x8a
  - VMID 2308: 192.168.11.238:8545 (HTTP) / 8546 (WS) - Putu 0x1
  - VMID 2400: 192.168.11.240:8545 (HTTP) / 8546 (WS) - ThirdWeb Primary
  - VMID 2401: 192.168.11.241:8545 (HTTP) / 8546 (WS) - ThirdWeb 1
  - VMID 2402: 192.168.11.242:8545 (HTTP) / 8546 (WS) - ThirdWeb 2
  - VMID 2403: 192.168.11.243:8545 (HTTP) / 8546 (WS) - ThirdWeb 3
```

---

## Known Issues & Notes

### ✅ IP Address Conflicts - **RESOLVED**

**Status:** ✅ **RESOLVED** - All conflicts fixed (2026-01-20)

1. **192.168.11.50**: ✅ **RESOLVED**
   - VMID 7800 (sankofa-api-1): 192.168.11.50 ✅ **UNIQUE**
   - VMID 10070 (order-legal): **192.168.11.87** (`IP_ORDER_LEGAL`) — moved off .54 2026-03-25 (ARP conflict with VMID 7804 gov-portals) ✅

2. **192.168.11.51**: ✅ **RESOLVED**
   - VMID 7801 (sankofa-portal-1): 192.168.11.51 ✅ **UNIQUE**
   - VMID 10230 (order-vault): Reassigned to 192.168.11.55 ✅

3. **192.168.11.52**: ✅ **RESOLVED**
   - VMID 7802 (sankofa-keycloak-1): 192.168.11.52 ✅ **UNIQUE**
   - VMID 10232 (CT10232): Reassigned to 192.168.11.56 ✅

4. **192.168.11.55**: ✅ **IN USE** — VMID 10230 (order-vault) only. Sankofa Studio (VMID 7805) uses **192.168.11.72** to avoid conflict.

**Resolution:** All IP conflicts resolved using `scripts/resolve-ip-conflicts.sh`

**Verification:** ✅ All IPs verified unique, all services operational

**IP conflicts (canonical):** [reports/status/IP_CONFLICTS_RESOLUTION_COMPLETE.md](../../reports/status/IP_CONFLICTS_RESOLUTION_COMPLETE.md); CCIP range move: [reports/status/IP_CONFLICTS_CCIP_RANGE_RESOLVED_20260201.md](../../reports/status/IP_CONFLICTS_CCIP_RANGE_RESOLVED_20260201.md). **Script:** `scripts/resolve-ip-conflicts.sh` (uses `config/ip-addresses.conf`).

---

### Port Conflicts

1. **VMID 2400**: Port conflict resolved ✅
   - **Previous**: Besu metrics (9545) conflicted with RPC Translator HTTP (9545)
   - **Resolution**: Translator moved to 9645/9646 (completed)
   - **Current**: Nginx routes to translator on 9645/9646

### NPMplus Routing Issues

1. **`rpc.public-0138.defi-oracle.io`**: Currently routes to wrong VMID
   - **Current**: `https://192.168.11.252:443` (VMID 2502 - decommissioned)
   - **Should be**: `https://192.168.11.240:443` (VMID 2400)
   - **Fix**: Update NPMplus proxy host configuration

---

## Quick Access Commands

### Test RPC Endpoints

```bash
# Public RPC (HTTP)
curl -X POST https://rpc-http-pub.d-bis.org \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

# Private RPC (HTTP) - requires JWT
curl -X POST https://rpc-http-prv.d-bis.org \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <JWT_TOKEN>' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

# ThirdWeb RPC
curl -X POST https://rpc.public-0138.defi-oracle.io \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

### Check Container Status

```bash
# From Proxmox host
pct status <VMID>
qm status <VMID>

# Check specific service
pct exec <VMID> -- systemctl status <service-name>
```

---

## Related Documentation

- **VMID IP List**: `reports/VMID_IP_ADDRESS_LIST.md`
- **NPMplus Setup**: `docs/04-configuration/NPMPLUS_COMPLETE_SETUP_SUMMARY.md`
- **Nginx Configurations**: `docs/04-configuration/NGINX_CONFIGURATIONS_VMIDS_2400-2508.md`
- **RPC Translator**: `rpc-translator-138/VMID_ALLOCATION.md`

---

---

## NPMplus Endpoint Configuration Reference

This section lists all endpoints that should be configured in NPMplus, extracted from NPM (VMID 105) configuration files.

### Complete NPMplus Domain Mapping

| Domain | Target | Scheme | Port | WebSocket | Notes |
|--------|--------|--------|------|-----------|-------|
| **RPC Services** |
| `rpc.public-0138.defi-oracle.io` | `192.168.11.240` | `https` | `443` | ✅ Yes | ThirdWeb RPC (VMID 2400) |
| `rpc-http-pub.d-bis.org` | `192.168.11.221` | `https` | `443` | ✅ Yes | Public RPC (VMID 2201) |
| `rpc-ws-pub.d-bis.org` | `192.168.11.221` | `https` | `443` | ✅ Yes | Public WebSocket RPC (VMID 2201) |
| `rpc-http-prv.d-bis.org` | `192.168.11.211` | `https` | `443` | ✅ Yes | Private RPC with JWT (VMID 2101) |
| `rpc-ws-prv.d-bis.org` | `192.168.11.211` | `https` | `443` | ✅ Yes | Private WebSocket RPC with JWT (VMID 2101) |
| **Explorer** |
| `explorer.d-bis.org` | `192.168.11.140` | `http` | `4000` | ❌ No | Blockchain Explorer (VMID 5000 - Direct Route) |
| **DBIS Services** |
| `d-bis.org` | `192.168.11.54` | `http` | `3001` | ❌ No | Public apex — Gov Portals DBIS on **7804** (override `IP_DBIS_PUBLIC_APEX` / `DBIS_PUBLIC_APEX_PORT`) |
| `www.d-bis.org` | `192.168.11.54` | `http` | `3001` | ❌ No | Same upstream as apex; NPM **301** → `https://d-bis.org` when `advanced_config` set by fleet script |
| `admin.d-bis.org` | `192.168.11.130` | `http` | `80` | ❌ No | DBIS **admin** console (VMID 10130); canonical |
| `dbis-admin.d-bis.org` | `192.168.11.130` | `http` | `80` | ❌ No | Legacy alias — same upstream as **admin.d-bis.org** |
| `core.d-bis.org` | `192.168.11.155` | `http` | `3000` | ❌ No | **DBIS Core** client portal — default **10150** until `IP_DBIS_CORE_CLIENT` / `DBIS_CORE_CLIENT_PORT` repointed |
| `dbis-api.d-bis.org` | `192.168.11.155` | `http` | `3000` | ❌ No | VMID 10150 — **placeholder** static server until Node API deployed |
| `dbis-api-2.d-bis.org` | `192.168.11.156` | `http` | `3000` | ❌ No | VMID 10151 — **placeholder** |
| `secure.d-bis.org` | `192.168.11.130` | `http` | `80` | ❌ No | DBIS Secure Portal (VMID 10130) - Path-based routing |
| **MIM4U Services** |
| `mim4u.org` | `192.168.11.37` | `http` | `80` | ❌ No | MIM4U Main Site (VMID 7810 mim-web-1) |
| `www.mim4u.org` | `192.168.11.37` | `http` | `80` | ❌ No | MIM4U (VMID 7810; optional redirect www → apex) |
| `secure.mim4u.org` | `192.168.11.37` | `http` | `80` | ❌ No | MIM4U Secure Portal (VMID 7810) |
| `training.mim4u.org` | `192.168.11.37` | `http` | `80` | ❌ No | MIM4U Training Portal (VMID 7810) |
| **Sankofa Phoenix Services** |
| `sankofa.nexus` | **`IP_SANKOFA_PUBLIC_WEB`** (default `.51` until public-web CT) | `http` | **`SANKOFA_PUBLIC_WEB_PORT`** (`3000`) | ❌ No | Corporate apex; fleet script `update-npmplus-proxy-hosts-api.sh` |
| `www.sankofa.nexus` | same as apex | `http` | same | ❌ No | **301** → `https://sankofa.nexus` |
| `portal.sankofa.nexus` | **`IP_SANKOFA_CLIENT_SSO`** (typ. `.51` / 7801) | `http` | **`SANKOFA_CLIENT_SSO_PORT`** (`3000`) | ❌ No | Client SSO portal; `NEXTAUTH_URL=https://portal.sankofa.nexus` |
| `admin.sankofa.nexus` | same as portal | `http` | same | ❌ No | Client access admin (same upstream until split) |
| `dash.sankofa.nexus` | **`IP_SANKOFA_DASH`** (set in `ip-addresses.conf`) | `http` | **`SANKOFA_DASH_PORT`** | ❌ No | Operator dash — row omitted from fleet script until `IP_SANKOFA_DASH` set |
| `phoenix.sankofa.nexus` | `192.168.11.50` | `http` | `4000` | ❌ No | Phoenix API - Cloud Platform Portal (VMID 7800) ✅ **Deployed** |
| `www.phoenix.sankofa.nexus` | `192.168.11.50` | `http` | `4000` | ❌ No | Phoenix API (VMID 7800) ✅ **Deployed** |
| `the-order.sankofa.nexus`, `www.the-order.sankofa.nexus` | `192.168.11.39` (10210 HAProxy; default) or `192.168.11.51` (direct portal if env override) | `http` | `80` or `3000` | ❌ No | NPM → **.39:80** by default; HAProxy → **.51:3000** |
| `studio.sankofa.nexus` | `192.168.11.72` | `http` | `8000` | ❌ No | Sankofa Studio (FusionAI Creator) — VMID 7805 |

### Path-Based Routing Notes

Some domains use path-based routing in NPM configs:

**`secure.d-bis.org`**:
- `/admin` → `http://192.168.11.130:80` (DBIS Frontend)
- `/api` → `http://192.168.11.155:3000` (intended DBIS API — **upstream is placeholder** until 10150 runs dbis_core)
- `/graph` → `http://192.168.11.155:3000` (same)
- `/` → `http://192.168.11.130:80` (DBIS Frontend)

**`sankofa.nexus`** (intent): corporate marketing at **`IP_SANKOFA_PUBLIC_WEB`**; **`portal.sankofa.nexus`** serves the authenticated portal at **`IP_SANKOFA_CLIENT_SSO`**. Legacy path-based splits (if any) should be reconciled with [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).

**Note**: NPMplus may need custom location blocks or separate proxy hosts for path-based routing.

### NPMplus routing (authoritative targets)

**Use this document as the source of truth** for domain → VMID:port. Only **explorer.d-bis.org** should point to Blockscout (VMID 5000, 192.168.11.140). All other domains must point to their correct VMID and port:

| Domain | Correct target (VMID, IP:port) | Do NOT point to |
|--------|--------------------------------|-----------------|
| `explorer.d-bis.org` | 5000, 192.168.11.140:80 (web), :4000 (API) | — |
| `sankofa.nexus`, `www.sankofa.nexus` | **Public web:** target **7806** (or `IP_SANKOFA_PUBLIC_WEB`) when split; defaults still **7801**, 192.168.11.51:3000 | 192.168.11.140 (Blockscout) |
| `portal.sankofa.nexus`, `admin.sankofa.nexus` | **7801**, 192.168.11.51:3000 (`IP_SANKOFA_CLIENT_SSO`) | 192.168.11.140 (Blockscout) |
| `dash.sankofa.nexus` | Set **`IP_SANKOFA_DASH`** when operator dash exists | 192.168.11.140 (Blockscout) |
| `phoenix.sankofa.nexus`, `www.phoenix.sankofa.nexus` | 7800, 192.168.11.50:4000 | 192.168.11.140 (Blockscout) |
| `the-order.sankofa.nexus`, `www.the-order.sankofa.nexus` | 10210, 192.168.11.39:80 | 192.168.11.140 (Blockscout) |
| `studio.sankofa.nexus` | 7805, 192.168.11.72:8000 | — |

If NPMplus proxy hosts for sankofa.nexus or phoenix.sankofa.nexus currently point to 192.168.11.140, update them to the correct IP:port above. See [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md) and table "Sankofa Phoenix Services" in this document.

**Note**: All `www.*` subdomains redirect to their parent domains to reduce the number of proxy host configurations needed.

---

**Last Updated**: 2026-03-29  
**Maintained By**: Infrastructure Team

---

## RPC Node Quick Reference

### Active RPC Endpoints (12/13 Running)

| IP Address | VMID | Name | Status |
|------------|------|------|--------|
| 192.168.11.211 | 2101 | besu-rpc-core-1 | ✅ Running |
| 192.168.11.221 | 2201 | besu-rpc-public-1 | ✅ Running |
| 192.168.11.232 | 2301 | besu-rpc-private-1 | ⏸️ Stopped |
| 192.168.11.233 | 2303 | besu-rpc-ali-0x8a | ✅ Running |
| 192.168.11.234 | 2304 | besu-rpc-ali-0x1 | ✅ Running |
| 192.168.11.235 | 2305 | besu-rpc-luis-0x8a | ✅ Running |
| 192.168.11.236 | 2306 | besu-rpc-luis-0x1 | ✅ Running |
| 192.168.11.237 | 2307 | besu-rpc-putu-0x8a | ✅ Running |
| 192.168.11.238 | 2308 | besu-rpc-putu-0x1 | ✅ Running |
| 192.168.11.240 | 2400 | thirdweb-rpc-1 | ✅ Running |
| 192.168.11.241 | 2401 | besu-rpc-thirdweb-0x8a-1 | ✅ Running |
| 192.168.11.242 | 2402 | besu-rpc-thirdweb-0x8a-2 | ✅ Running |
| 192.168.11.243 | 2403 | besu-rpc-thirdweb-0x8a-3 | ✅ Running |

### Test All RPC Nodes

```bash
# Quick test all RPC nodes
for ip in 192.168.11.211 192.168.11.221 192.168.11.233 192.168.11.234 192.168.11.235 192.168.11.236 192.168.11.237 192.168.11.238 192.168.11.240 192.168.11.241 192.168.11.242 192.168.11.243; do
  curl -s -X POST -H "Content-Type: application/json" \
    --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}' \
    http://$ip:8545 | grep -q "result" && echo "✓ $ip" || echo "✗ $ip"
done
```