proxmox/docs/00-meta/NEXT_STEPS_ALL.md
defiQUG 563729aa19
docs(00-meta): refresh task lists, gaps, and operator indexes
Made-with: Cursor
2026-03-27 18:47:08 -07:00

# All Next Steps — Consolidated List
**Last Updated:** 2026-02-08
**Purpose:** Single ordered list of everything left to do (Dev/Codespaces + general operator).
**Run-order:** [NEXT_STEPS_INDEX.md](NEXT_STEPS_INDEX.md) → [OPERATOR_READY_CHECKLIST.md](OPERATOR_READY_CHECKLIST.md); completable first: `./scripts/run-completable-tasks-from-anywhere.sh`, then `./scripts/run-all-operator-tasks-from-lan.sh` from LAN.
**References:** [DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md](../04-configuration/DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md) | [NEXT_STEPS_OPERATOR.md](NEXT_STEPS_OPERATOR.md)
**Completion evidence:** [DEV_CODESPACES_COMPLETION_20260207.md](../04-configuration/verification-evidence/DEV_CODESPACES_COMPLETION_20260207.md)
**Secrets & remaining actions:** [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md](../04-configuration/REMAINING_ITEMS_DOTENV_AND_ACTIONS.md)
---
## Completed 2026-02-07 (automated/scripted)
- **Fourth NPMplus:** Script fixed to use `NPM_URL_FOURTH`; run requires first-time login and `NPM_PASSWORD_FOURTH` in `.env`. Placeholder added in `.env`.
- **SSH keys:** `scripts/dev-vm/add-dev-user-ssh-keys.sh` added — adds one public key to dev1-dev4 on CT 5700 via Proxmox host.
- **Security:** `scripts/security/run-security-on-proxmox-hosts.sh` added — SSH key-only + UFW 8006 on all three Proxmox hosts (default dry-run; `--apply` when ready).
- **Verification:** dev.d-bis.org, gitea.d-bis.org, codespaces.d-bis.org return HTTP 200; pve.* and 76.53.10.40 time out from workspace (verify from LAN if needed).
---
## Already done (no action)
- Fourth NPMplus LXC 10236 at 192.168.11.170; NPMplus + cloudflared installed; tunnel connector running (systemd).
- Dev VM 5700 at 192.168.11.59; users dev1-dev4, Gitea; tunnel + DNS configured.
- UDM Pro port forward 76.53.10.40 → 192.168.11.170 (80/81/443) and → 192.168.11.59 (22, 3000).
---
## 1. Dev/Codespaces — Fourth NPMplus proxy hosts — **DONE (2026-02-08)**
All six proxy hosts added (script + same credentials). Let's Encrypt (Certbot) requested in UI; all six show **Online**, TLS Certbot, Public. No further action.
---
## 2. Dev/Codespaces — SSH keys for dev1-dev4 — **DONE (2026-02-08)**
Keys added via `add-dev-user-ssh-keys.sh` from repo root. Test: `ssh dev1@192.168.11.59`.
---
## 3. Dev/Codespaces — Gitea first-run — **DONE (2026-02-08)**
Installer completed (git user, SQLite, paths under /opt/gitea/data, app.ini writable). Create repos in UI at https://gitea.d-bis.org as needed.
---
## 4. Dev/Codespaces — Rsync projects + dotenv — **DONE (partial; re-run for full sync)**
Initial rsync run from repo root; large tree may need a second run from your terminal:
`cd ~/projects/proxmox && bash scripts/dev-vm/rsync-projects-to-dev-vm.sh`
Ensure dotenv files are under `/srv/projects` (see [DEV_CODESPACES_76_53_10_40.md § 6](../04-configuration/DEV_CODESPACES_76_53_10_40.md#6-dotenv-files-include-in-dev-vm--accessibility)).
---
## 5. Dev/Codespaces — Gitea repos and remotes — **DONE (2026-02-08)**
Org **d-bis** and 18 repos created. **Pushed** to Gitea: proxmox (master), dbis_core (main), smom-dbis-138 (main), miracles_in_motion (main). Future pushes: use `GITEA_TOKEN` with `scripts/dev-vm/push-to-gitea.sh`.
---
## 6. Dev/Codespaces — Verification — **DONE (2026-02-08)**
- **HTTPS:** dev.d-bis.org, gitea.d-bis.org, codespaces.d-bis.org → 200. pve.* and 76.53.10.40: verify from LAN if needed.
- **SSH:** `ssh dev1@192.168.11.59` confirmed; projects visible under `/srv/projects/`. Cursor Remote-SSH → `/srv/projects/proxmox`.
- **Proxmox:** Confirm noVNC/console for pve.ml110, pve.r630-01, pve.r630-02 from browser when on LAN.
---
## 7. General — Bridge (W0-2)
**Secrets:** **PRIVATE_KEY** in **smom-dbis-138/.env**; **same wallet** holds **LINK** for bridge fees.
**Check:** `bash scripts/bridge/run-send-cross-chain.sh 0.01 --dry-run` (already verified).
**To run real:** `bash scripts/bridge/run-send-cross-chain.sh 0.01`
---
## 8. General — Security (W1-1, W1-2)
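**Check:** Ensure SSH key login works to all three hosts before running with `--apply`; the script disables password SSH, so a host without a working key can no longer be reached over SSH.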
**Run from repo root:** `bash scripts/security/run-security-on-proxmox-hosts.sh --apply` (disables password SSH, restricts 8006 to 192.168.11.0/24). No .env secrets needed.
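
A post-apply audit for the two changes above, as an added example (not part of this repo's scripts): it reads captured `sshd -T` and `ufw status verbose` output and fails on the two common gaps, keyboard-interactive logins left enabled and an IPv6 rule still exposing 8006. The function names and sample output are constructed; that the script's rule shows up in `ufw status` as an ALLOW on 8006 is an assumption.

```shell
#!/bin/sh
# Added example: audit helpers that read command output captured on a host, e.g.
#   ssh root@HOST 'sshd -T' | sshd_password_login_disabled

# True only if the effective sshd config accepts keys and rejects both
# password and keyboard-interactive logins (the latter can still prompt via PAM).
sshd_password_login_disabled() {
  awk '
    { k = tolower($1); v = tolower($2) }
    k == "pubkeyauthentication"   { pub = v }
    k == "passwordauthentication" { pw = v }
    k == "kbdinteractiveauthentication" || k == "challengeresponseauthentication" { kbd = v }
    END { exit !(pub == "yes" && pw == "no" && kbd == "no") }'
}

# True only if `ufw status verbose` output shows ufw active, incoming default
# deny/reject, and every ALLOW rule for 8006 sourced from the CIDR given as $1.
ufw_8006_restricted() {
  awk -v lan="$1" '
    /^Status: active/                      { active = 1 }
    /^Default: (deny|reject) \(incoming\)/ { deny = 1 }
    $1 ~ /^8006(\/tcp)?$/ && / ALLOW/ {
      src = $0
      sub(/.* ALLOW( IN)? +/, "", src); sub(/[ \t]+$/, "", src)
      rules++
      if (src != lan) bad++                # "Anywhere", "Anywhere (v6)", other nets
    }
    END { exit !(active && deny && rules > 0 && bad == 0) }'
}

# Constructed sample output (not captured from the hosts named on this page).
sample_sshd() {  # $1 = value of kbdinteractiveauthentication
  printf 'pubkeyauthentication yes\npasswordauthentication no\n'
  printf 'kbdinteractiveauthentication %s\n' "$1"
}
sample_ufw() {   # $1 = ok | v6open
  printf 'Status: active\nDefault: deny (incoming), allow (outgoing), disabled (routed)\n\n'
  printf '8006/tcp                   ALLOW IN    192.168.11.0/24\n'
  [ "$1" = v6open ] && printf '8006/tcp (v6)              ALLOW IN    Anywhere (v6)\n'
  return 0
}

sample_sshd no    | sshd_password_login_disabled && echo "sshd: key-only"
sample_sshd yes   | sshd_password_login_disabled || echo "sshd: kbd-interactive still on"
sample_ufw ok     | ufw_8006_restricted 192.168.11.0/24 && echo "ufw: 8006 LAN-only"
sample_ufw v6open | ufw_8006_restricted 192.168.11.0/24 || echo "ufw: 8006 open over IPv6"
```

Run it against each host after `--apply` by piping the real command output into the two functions in place of the samples.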
---
## 9. General — 2506-2508 (destroyed 2026-02-08)
Containers 2506, 2507, 2508 were **destroyed 2026-02-08** on all Proxmox hosts. Besu RPC range is **2500-2505** only. No JWT/identity action for 2506-2508. See [MISSING_CONTAINERS_LIST.md](../03-deployment/MISSING_CONTAINERS_LIST.md).
---
## 10. General — Explorer SSL
If explorer.d-bis.org shows certificate warning: NPMplus at https://192.168.11.167:81 → SSL Certificates → Let's Encrypt for explorer.d-bis.org → assign to proxy host, Force SSL. See [EXPLORER_TROUBLESHOOTING.md](../04-configuration/EXPLORER_TROUBLESHOOTING.md).
---
## 11. General — NPMplus cert 134 (cross-all.defi-oracle.io)
If verification reports "cert files missing": NPMplus at https://192.168.11.167:81 → SSL Certificates → find cross-all.defi-oracle.io → re-request Let's Encrypt or re-save to restore cert files.
---
## 12. General — Wave 2 & 3
Per [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md): monitoring stack, Grafana + Cloudflare Access, VLAN enablement, CCIP Ops/Admin (5400-5401), DBIS services, NPMplus HA (optional), CCIP Fleet, Phase 4 tenant isolation. (2506-2508 destroyed 2026-02-08.)
---
## 13. General — Smart contracts (deploy and verify)
**Secrets:** PRIVATE_KEY (and RPC_URL_138, LINK_TOKEN_CHAIN138, CCIPWETH9_BRIDGE_CHAIN138) in **smom-dbis-138/.env**. Same wallet for deployment and bridge (holds LINK).
**Remaining:** Deploy any contracts not yet deployed; verify on Blockscout.
- **Deploy (Chain 138):** `cd smom-dbis-138 && source .env && bash scripts/deployment/deploy-all-contracts.sh` (or `deploy-contracts-unified.sh --mode ordered`). WETH bridge: `GAS_PRICE=1000000000 ./scripts/deploy-and-configure-weth9-bridge-chain138.sh` from repo root.
- **Verify:** `source smom-dbis-138/.env && ./scripts/verify/run-contract-verification-with-proxy.sh`
**References:** [CONTRACT_DEPLOYMENT_RUNBOOK.md](../03-deployment/CONTRACT_DEPLOYMENT_RUNBOOK.md), [CONTRACTS_TO_DEPLOY.md](../11-references/CONTRACTS_TO_DEPLOY.md), [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md § 13](../04-configuration/REMAINING_ITEMS_DOTENV_AND_ACTIONS.md#13-smart-contracts--deploy-and-verify).
---
## Quick command index
| Goal | Command |
|------|---------|
| Fourth NPMplus proxy hosts | `NPM_PASSWORD_FOURTH='...' bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` |
| Add dev user SSH keys | `PUBLIC_KEY="$(cat ~/.ssh/id_ed25519.pub)" bash scripts/dev-vm/add-dev-user-ssh-keys.sh` |
| Rsync to dev VM | `bash scripts/dev-vm/rsync-projects-to-dev-vm.sh [--dry-run]` (after SSH keys) |
| Dev/Codespaces tunnel+DNS | `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` |
| Security on Proxmox hosts | `bash scripts/security/run-security-on-proxmox-hosts.sh [--apply]` |
| NPMplus backup | `bash scripts/verify/backup-npmplus.sh` |
| Wave 0 via SSH | `bash scripts/run-via-proxmox-ssh.sh wave0 --host 192.168.11.11` |
| Bridge (real) | `bash scripts/bridge/run-send-cross-chain.sh 0.01` |
| Deploy contracts (Chain 138) | `cd smom-dbis-138 && source .env && bash scripts/deployment/deploy-all-contracts.sh` |
| Verify contracts (Blockscout) | `source smom-dbis-138/.env && ./scripts/verify/run-contract-verification-with-proxy.sh` |
| Push all projects to Gitea | `GITEA_TOKEN=xxx bash scripts/dev-vm/push-all-projects-to-gitea.sh` |
| Add as4-411 submodule to Sankofa (Phoenix) | `bash scripts/dev-vm/add-as4-411-submodule-to-sankofa.sh` |
| SSH key auth | `bash scripts/security/setup-ssh-key-auth.sh --apply` (on each host) |
| Firewall 8006 | `bash scripts/security/firewall-proxmox-8006.sh --apply` |