proxmox/docs/04-configuration/REQUIRED_SECRETS_SUMMARY.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# Required Secrets Summary - Quick Reference
**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation
---
**Date:** 2025-01-20
**Status:** 📋 Quick Reference
**Purpose:** Quick checklist of all required secrets
---
## Critical Secrets (Must Have)
### ✅ Configured
#### Cloudflare (Root .env)
- `CLOUDFLARE_TUNNEL_TOKEN` - Set
- `CLOUDFLARE_API_KEY` - Set (⚠️ Consider migrating to API_TOKEN)
- `CLOUDFLARE_ACCOUNT_ID` - Set
- `CLOUDFLARE_ZONE_ID` - Set (multiple zones)
- `CLOUDFLARE_ORIGIN_CA_KEY` - Set
- `CLOUDFLARE_EMAIL` - Set
#### Blockchain Services
- `PRIVATE_KEY` - Set (🔒 **SECURITY CONCERN** - exposed in files)
- ✅ Multiple contract addresses - Set
- `ETHERSCAN_API_KEY` - Set (Etherscan/Blockscan: verification, explorer API)
- ✅ Infura (optional) - RPC URLs and/or `INFURA_GAS_API` when used
- `METAMASK_API_KEY` / `METAMASK_SECRET` - Set
- `THIRDWEB_SECRET_KEY` - Set
#### Database
- `DATABASE_URL` - Set (contains password)
#### Service APIs
- `OMADA_CLIENT_SECRET` - Set
- `OMADA_API_KEY` - Set
- ✅ Various LINK_TOKEN addresses - Set
---
## ⚠️ Missing or Needs Attention
### High Priority
- ⚠️ `CLOUDFLARE_API_TOKEN` - Not set (using API_KEY instead)
- ⚠️ `OMADA_API_SECRET` - Empty in omada-api/.env
- ⚠️ `OMADA_API_KEY` - Has placeholder value `<your-api-key>`
### Security Concerns
- 🔒 **Private keys in .env files** - Needs secure storage
  - `smom-dbis-138/.env`
  - `explorer-monorepo/.env`
  - Backup files (`.env.backup.*`)
- 🔒 **Backup files with secrets** - Should be removed from repository
  - `explorer-monorepo/.env.backup.*`
  - `smom-dbis-138/.env.backup`
---
## Optional Secrets (If Used)
### Cloudflare Tunnels (per-service)
- `CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02` — Token for mifos-r630-02 tunnel (LXC 5800, mifos.d-bis.org). See [MIFOS_R630_02_DEPLOYMENT.md](MIFOS_R630_02_DEPLOYMENT.md). Do not commit; set in `.env` when using `scripts/install-tunnel-mifos-r630-02.sh`.
### Fineract/Mifos (OMNL Central Bank config — VMID 5800)
Required when running [scripts/mifos/central-bank-config/](../../scripts/mifos/central-bank-config/) (Master Plan 2). Do not commit; set in project root `.env`.
- `MIFOS_BASE_URL` — Full API base URL (e.g. `https://mifos.d-bis.org/fineract-provider/api/v1` or `http://192.168.11.85/fineract-provider/api/v1`).
- `MIFOS_TENANT` — Fineract tenant identifier (e.g. `default`).
- `MIFOS_USER` — API user (e.g. `mifos`).
- `MIFOS_PASSWORD` — API password (change default after first login).
Optional: `MIFOS_INSECURE=1` — Allow self-signed TLS when calling the API (dev/local only). See [mifos-omnl-central-bank/README.md](mifos-omnl-central-bank/README.md).
### Explorer Monorepo
- `DB_REPLICA_PASSWORD` - If using replica database
- `SEARCH_PASSWORD` - If using Elasticsearch
- `ONEINCH_API_KEY` - If using 1inch integration
- `JUMIO_API_KEY/SECRET` - If using Jumio KYC
- `MOONPAY_API_KEY` - If using MoonPay
- `WALLETCONNECT_PROJECT_ID` - If using WalletConnect
### Monitoring/Logging
- `SENTRY_DSN` - If using Sentry
- `DATADOG_API_KEY` - If using Datadog
### Third-Party Services
- Various API keys for optional integrations
---
## Recommendations
### Immediate Actions
1. **Verify .gitignore**
   ```bash
   # Ensure these patterns are in .gitignore:
   .env
   .env.*
   *.env.backup
   ```
2. **Secure Private Keys**
   - Move private keys to secure storage
   - Never commit private keys to repository
   - Use environment variable injection
3. **Clean Up Backup Files**
   - Remove `.env.backup.*` files from repository
   - Store backups securely if needed
4. **Migrate to API Tokens**
   - Replace `CLOUDFLARE_API_KEY` with `CLOUDFLARE_API_TOKEN`
   - More secure and recommended by Cloudflare
### Security Best Practices
- ✅ Use API tokens instead of API keys
- ✅ Store secrets in secure storage (key vault, encrypted)
- ✅ Never commit secrets to version control
- ✅ Use separate secrets for different environments
- ✅ Rotate secrets regularly
- ✅ Limit access to secrets
---
## File Status Summary
| File | Status | Critical Secrets | Action Needed |
|------|--------|------------------|---------------|
| `./.env` | ✅ Good | Cloudflare credentials | Migrate to API_TOKEN |
| `omada-api/.env` | ⚠️ Partial | Omada credentials | Set OMADA_API_SECRET |
| `smom-dbis-138/.env` | 🔒 Secure | Private key | Move to secure storage |
| `dbis_core/.env` | ✅ Good | Database password | Verify secure storage |
| `explorer-monorepo/.env` | 🔒 Secure | Private key | Move to secure storage |
---
## Quick Commands
### Check Secret Status
```bash
./scripts/check-env-secrets.sh
```
### Verify .gitignore
```bash
grep -E "\.env|\.env\." .gitignore
```
### List All .env Files
```bash
find . -name ".env*" -type f | grep -v node_modules | grep -v venv
```
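The recommendations above (verify `.gitignore`, find private keys sitting in plaintext `.env` files, remove `.env.backup.*` files, migrate `CLOUDFLARE_API_KEY` to a token) and the quick commands can be folded into one audit. The script below is an added example for this page; it is not the project's own `scripts/check-env-secrets.sh`, whose contents are not shown here. The demo tree it builds under `mktemp` and every value in it are constructed placeholders, and the placeholder patterns it matches (`<...>`, `changeme`, `TODO`, `xxx`) are an assumption that goes beyond the single `<your-api-key>` value the summary cites.

```shell
#!/usr/bin/env bash
# Added example (not the project's scripts/check-env-secrets.sh): audit .env files for the
# conditions this summary flags. Findings name the file and the variable, never the value,
# so the output is safe to paste into a ticket.

# Print a finding for each of the three .gitignore patterns the summary requires but the file lacks.
check_gitignore() {
  local gitignore="$1" pat
  for pat in '.env' '.env.*' '*.env.backup'; do
    grep -qxF -- "$pat" "$gitignore" 2>/dev/null || echo "WARN $gitignore missing pattern $pat"
  done
}

# Audit one env file: empty values, placeholder values, secrets kept in plaintext, and
# CLOUDFLARE_API_KEY present without CLOUDFLARE_API_TOKEN. One finding per line.
audit_env_file() {
  local file="$1" line key val
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac          # skip blanks and comments
    line="${line#export }"                              # tolerate "export KEY=VALUE"
    case "$line" in *=*) ;; *) continue ;; esac        # skip lines that are not KEY=VALUE
    key="${line%%=*}"
    val="${line#*=}"
    val="${val#\"}"; val="${val%\"}"; val="${val#"'"}"; val="${val%"'"}"   # strip quotes
    case "$val" in
      '')                                  echo "WARN $file $key is empty" ;;
      '<'*'>'|changeme|CHANGEME|TODO|xxx*) echo "WARN $file $key holds a placeholder value" ;;
      *) case "$key" in
           PRIVATE_KEY|*_PRIVATE_KEY|*_SECRET|*_SECRET_KEY|*_PASSWORD)
             echo "CRIT $file $key is a secret in a plaintext .env; move to secure storage" ;;
         esac ;;
    esac
  done < "$file"
  if grep -q '^CLOUDFLARE_API_KEY=' "$file" && ! grep -q '^CLOUDFLARE_API_TOKEN=' "$file"; then
    echo "WARN $file CLOUDFLARE_API_KEY set without CLOUDFLARE_API_TOKEN; migrate to a scoped token"
  fi
}

# Backup copies of .env files should not exist in the tree at all.
find_env_backups() {
  find "$1" -name '.env.backup*' -type f -not -path '*/node_modules/*' -not -path '*/venv/*'
}

# Walk a tree: .gitignore check, every .env file, then backup files. Prints all findings.
audit_tree() {
  local root="$1" f
  check_gitignore "$root/.gitignore"
  find "$root" -name '.env' -type f -not -path '*/node_modules/*' -not -path '*/venv/*' |
    while IFS= read -r f; do audit_env_file "$f"; done
  find_env_backups "$root" |
    while IFS= read -r f; do echo "CRIT $f backup file with secrets present; delete it"; done
}

# Constructed demo tree (all values are fake) so the audit can be exercised offline.
demo() {
  local tmp
  tmp=$(mktemp -d)
  mkdir -p "$tmp/omada-api" "$tmp/smom-dbis-138"
  printf '.env\n' > "$tmp/.gitignore"                                   # two patterns missing
  printf 'CLOUDFLARE_API_KEY=fake-key\nCLOUDFLARE_EMAIL=ops@example.invalid\n' > "$tmp/.env"
  printf 'OMADA_CLIENT_SECRET="fake-secret"\nOMADA_API_SECRET=\nOMADA_API_KEY=<your-api-key>\n' \
    > "$tmp/omada-api/.env"
  printf '# demo\nexport PRIVATE_KEY=0xFAKE\n' > "$tmp/smom-dbis-138/.env"
  : > "$tmp/smom-dbis-138/.env.backup"
  audit_tree "$tmp"
  rm -rf "$tmp"
}

if [ $# -eq 0 ]; then demo; else audit_tree "$1"; fi
```

Run it as `bash audit-env.sh /path/to/repo` to audit a checkout, or with no argument to run the demo, which reports eight findings (three `CRIT`). The `.gitignore` check is necessary but not sufficient: a file ignored today may already have been committed, so pair it with `git ls-files | grep -E '(^|/)\.env'` to list what git currently tracks, and treat any secret that ever landed in history as needing rotation.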
---
## Related Documentation
- [Required Secrets Inventory](REQUIRED_SECRETS_INVENTORY.md) - Comprehensive inventory
- [Environment Secrets Audit Report](ENV_SECRETS_AUDIT_REPORT.md) - Detailed audit
- [Cloudflare API Setup](CLOUDFLARE_API_SETUP.md) - Cloudflare configuration
- [Secrets and Keys Configuration](SECRETS_KEYS_CONFIGURATION.md) - Security guide