proxmox/docs/03-deployment/INFRA_DEPLOYMENT_LOCKED_AND_LOADED.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# Infra Deployment: Locked and Loaded Checklist
**Last Updated:** 2026-02-05

**Purpose:** Confirm that everything (including optional tooling) is in place to deploy all necessary infrastructure to Proxmox VE, and what remains to unblock completion tasks.

---
## ✅ Locked and loaded (repo and hosts)
The following are **in place** and ready for deployment. No further repo or template setup is required to *run* the deployment from a suitable host.
### 1. Templates on all Proxmox hosts
| Item | Status | Notes |
|------|--------|--------|
| File templates + scripts on ml110, r630-01, r630-02 | ✅ Done | `scripts/push-templates-to-proxmox.sh` run 2026-02-05 |
| Remote path | `/opt/smom-dbis-138-proxmox/` | templates/, config/, scripts/, lib/, install/ |
| LXC OS templates (Debian 12, Ubuntu 22.04) | ✅ On all hosts | `--download-templates` run; r630-02 had Debian 12 downloaded |

**Run Wave 0 from a machine without LAN:** copy scripts to a Proxmox host and run there (host is on LAN):

`bash scripts/run-via-proxmox-ssh.sh wave0 [--skip-backup] [--host 192.168.11.11]`

Use `--host 192.168.11.11` (r630-01) if NPMplus (VMID 10233) is on that host and the default host cannot reach NPMplus. Ensure `NPM_URL` in `.env` is reachable from the chosen host (e.g. `https://192.168.11.167:81` if .166 is not reachable from the node).

**Re-push or refresh:**

`bash scripts/push-templates-to-proxmox.sh`

`bash scripts/push-templates-to-proxmox.sh --download-templates`

See [PROXMOX_TEMPLATES_REFERENCE.md](PROXMOX_TEMPLATES_REFERENCE.md).
### 2. Dependencies (required + optional)
| Category | Status | Install |
|----------|--------|--------|
| Required (bash, curl, jq, openssl, ssh) | ✅ Checked by scripts | Default or `apt install curl jq openssl openssh-client` |
| Optional (sshpass, rsync, dnsutils, screen, tmux, htop, shellcheck, parallel, sqlite3) | ✅ Documented | `sudo apt install -y sshpass rsync dnsutils iproute2 screen tmux htop shellcheck parallel sqlite3` |

**Check:** `bash scripts/verify/check-dependencies.sh`

**Ref:** [11-references/APT_PACKAGES_CHECKLIST.md](../11-references/APT_PACKAGES_CHECKLIST.md) § Automation / jump host, [01-getting-started/PREREQUISITES.md](../01-getting-started/PREREQUISITES.md).
### 3. Scripts and automation
| Script / area | Purpose |
|---------------|---------|
| `scripts/push-templates-to-proxmox.sh` | Push templates + optional OS template download to all hosts |
| `scripts/run-via-proxmox-ssh.sh` | Copy scripts + .env to a Proxmox host and run Wave 0 / npmplus / backup via SSH (no LAN on your machine) |
| `scripts/run-wave0-from-lan.sh` | W0-1 (NPMplus RPC fix) + W0-3 (NPMplus backup) from LAN |
| `scripts/bridge/run-send-cross-chain.sh` | W0-2 sendCrossChain (real; needs PRIVATE_KEY, omit --dry-run) |
| `scripts/security/setup-ssh-key-auth.sh` | W1-1 SSH key auth |
| `scripts/security/firewall-proxmox-8006.sh` | W1-2 Firewall Proxmox API |
| `scripts/secure-validator-keys.sh` | W1-19 Validator key permissions (run on Proxmox host) |
| `scripts/verify/backup-npmplus.sh` | NPMplus backup |
| `scripts/verify/verify-npmplus-running-and-network.sh` | NPMplus: running, IP, gateway check |
| `scripts/npmplus/fix-npmplus-ip-and-gateway.sh` | NPMplus: set IP .167, gateway .1, start (run on r630-01) |
| `scripts/validation/validate-ips-and-gateways.sh` | Validate key IPs and gateway vs config/ip-addresses.conf |
| `scripts/verify/run-full-connection-and-fastly-tests.sh` | Full connection tests: validations, DNS, SSL, E2E, NPMplus FQDN+SSL, Fastly/origin 76.53.10.36 |
| `scripts/maintenance/schedule-npmplus-backup-cron.sh` | NPMplus backup cron (--show / --install) |
| `scripts/maintenance/schedule-daily-weekly-cron.sh` | Daily/weekly checks cron |
| `scripts/backup/automated-backup.sh` | Full automated backup |
| `scripts/ccip/ccip-deploy-checklist.sh` | CCIP env check + deployment order |
| `scripts/deployment/phase4-sovereign-tenants.sh` | Phase 4 steps (--show-steps / --dry-run) |
| smom-dbis-138-proxmox (on hosts) | deploy-phased.sh, pre-cache-os-template.sh, deploy-besu-nodes.sh, etc. |
### 4. Config and docs
| Item | Location |
|------|----------|
| Host IPs | `config/ip-addresses.conf` (ml110 .10, r630-01 .11, r630-02 .12) |
| Env template | `.env.example` (root and subprojects) |
| Step-by-step remaining work | [00-meta/REMAINING_WORK_DETAILED_STEPS.md](../00-meta/REMAINING_WORK_DETAILED_STEPS.md) |
| E2E task list + blockers | [00-meta/E2E_COMPLETION_TASKS_DETAILED_LIST.md](../00-meta/E2E_COMPLETION_TASKS_DETAILED_LIST.md) |
| Wave 2/3 operator checklist | [00-meta/WAVE2_WAVE3_OPERATOR_CHECKLIST.md](../00-meta/WAVE2_WAVE3_OPERATOR_CHECKLIST.md) |
| Validation commands | run-all-validation, validate-config-files, validate-genesis, verify-end-to-end-routing, run-full-verification |
---
## What still unblocks completion (operator / environment)
Deployment **scripts and templates** are ready. The following are **environment or operator actions** that unblock the actual run of Wave 0 → 2 → 3.
### Run from a host that has
1. **Network:** Access to LAN 192.168.11.x (for W0-1 NPMplus RPC fix, W0-3 backup, and SSH to Proxmox).
2. **SSH:** Key-based or password-based SSH to root@192.168.11.10, .11, .12 (for push, security scripts, and deploy). Optional: `sshpass` if using password auth (see APT checklist).
3. **Secrets (as needed):**
   - **W0-2 (sendCrossChain):** `PRIVATE_KEY`, LINK approved in `.env`.
   - **W0-3 / W1-8 (NPMplus backup):** `NPM_PASSWORD` in `.env`, NPMplus reachable.
   - **Proxmox API (if used):** `PROXMOX_TOKEN_VALUE` or password for API (e.g. MCP, some deploy paths).
   - **CCIP (Wave 2/3):** `CCIP_ETH_ROUTER`, `CCIP_ETH_LINK_TOKEN`, etc. per [ccip-deploy-checklist.sh](../../scripts/ccip/ccip-deploy-checklist.sh).
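
A pre-flight check for the `.env` secrets listed above, as an added example (not one of the repo's scripts): it reads `.env` without sourcing it, reports variable names only, and flags a file that group or other can access. The function names, the step labels (`w0-2`, `w0-3`, `w1-8`, `ccip`) and the owner-only mode policy are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the .env secrets this checklist names.
# Step labels, function names and the "owner-only" mode policy are assumptions.

# Variables each step needs (names taken from this checklist).
required_vars() {
  case "$1" in
    w0-2)      echo "PRIVATE_KEY" ;;
    w0-3|w1-8) echo "NPM_URL NPM_PASSWORD" ;;
    ccip)      echo "CCIP_ETH_ROUTER CCIP_ETH_LINK_TOKEN" ;;
    *)         return 2 ;;
  esac
}

# Read KEY from a .env file by text matching; the file is never sourced,
# so nothing in it is executed. Handles "export KEY=..." and quoted values.
env_value() {  # usage: env_value FILE KEY
  sed -nE "s/^[[:space:]]*(export[[:space:]]+)?$2=//p" "$1" | tail -n 1 |
    sed -E -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\1/"
}

# Print findings (variable names only, never values).
# Returns 0 if clean, 1 if any finding, 2 for an unknown step.
check_env() {  # usage: check_env FILE STEP
  file=$1; step=$2; problems=0
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  vars=$(required_vars "$step") || { echo "unknown step: $step"; return 2; }
  # Characters 5-10 of the ls mode string are the group/other permission bits.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "perm: $file is accessible to group/other; chmod 600"
    problems=$((problems + 1))
  fi
  for v in $vars; do
    if [ -z "$(env_value "$file" "$v")" ]; then
      echo "unset: $v"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Stand-alone use: ./check-env.sh .env w0-3
if [ "$#" -eq 2 ]; then
  check_env "$1" "$2"
fi
```

Because `scripts/run-via-proxmox-ssh.sh` copies `.env` to a Proxmox host, the same check is worth running on the copy there.
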
### Execution order to unblock
1. **Wave 0 (from LAN):**
   `bash scripts/run-wave0-from-lan.sh`
   Then W0-2 when ready: `bash scripts/bridge/run-send-cross-chain.sh <amount> [recipient]` (no --dry-run).
2. **Wave 1 (security/backup/cron):**
   SSH/firewall (W1-1, W1-2), secure-validator-keys (W1-19), backup + cron install (W1-8) from the same host or Proxmox.
3. **Wave 2 / Wave 3:**
   Follow [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](../00-meta/WAVE2_WAVE3_OPERATOR_CHECKLIST.md) and [REMAINING_WORK_DETAILED_STEPS.md](../00-meta/REMAINING_WORK_DETAILED_STEPS.md) from a host with Proxmox/SSH access.
---
## Pre-flight (run anytime)
From project root, on the machine you will use for deployment (or any machine to verify repo side):
```bash
# Dependencies (required + optional report)
bash scripts/verify/check-dependencies.sh
# Config and validation
bash scripts/validation/validate-config-files.sh
bash scripts/verify/run-all-validation.sh
# Optional: dry-run push (requires SSH to hosts)
bash scripts/push-templates-to-proxmox.sh --dry-run
```
If you have LAN + SSH: run `scripts/push-templates-to-proxmox.sh` (and `--download-templates` if needed) once to ensure all three hosts have the latest templates and OS images.

---
## Summary
| Question | Answer |
|----------|--------|
| Are all necessary templates and scripts in the repo and on the Proxmox hosts? | **Yes.** Templates and scripts are pushed to ml110, r630-01, r630-02. OS templates (Debian 12, Ubuntu 22.04) are on all hosts. |
| Are required and optional dependencies documented and installable? | **Yes.** check-dependencies.sh; APT_PACKAGES_CHECKLIST § Automation; PREREQUISITES. |
| Is everything locked and loaded so we can deploy infra and unblock completion tasks? | **Yes, from the repo/host side.** To actually run deployment and unblock W0→W2→W3, run from a host with **LAN access**, **SSH to Proxmox**, and the **credentials** above. |

**Single reference for remaining steps:** [00-meta/REMAINING_WORK_DETAILED_STEPS.md](../00-meta/REMAINING_WORK_DETAILED_STEPS.md).