proxmox/docs/04-configuration/COMPLETE_DEPLOYMENT_GUIDE.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00
# Complete Deployment Guide - Direct Public IP Routing
**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation
---
**Date**: 2026-01-09
**Architecture**: Cloudflare DNS (DNS Only) → Public IP → ER605 NAT → Nginx → Backend Services
**Status**: ✅ All Scripts Ready
---
## Overview
This guide provides step-by-step instructions to deploy the complete direct public IP routing solution, replacing Cloudflare tunnels with NAT-based routing through the ER605. Because every record is set to DNS only, Cloudflare no longer proxies the traffic: the origin IP is public, and Cloudflare's WAF and DDoS protection no longer sit in front of the services, so the ER605 firewall rules and the Nginx configuration on VMID 105 are the only controls between the internet and the backends.
---
## Prerequisites
1. **Cloudflare Account Access**
- API Token OR Email + API Key
- Access to zones: sankofa.nexus, d-bis.org, mim4u.org, defi-oracle.io
2. **ER605 Router Access**
- Omada Controller access OR direct ER605 GUI access
- Ability to configure NAT rules
3. **Proxmox Access**
- SSH access to Proxmox host (192.168.11.10)
- Access to VMID 105 (Nginx)
4. **Public IP**
- Single public IP: 76.53.10.35 (from Block #1)
---
## Quick Start (Automated)
### Option 1: Run Complete Deployment Script
```bash
cd /home/intlc/projects/proxmox
./scripts/deploy-complete-solution.sh
```
This script orchestrates all steps automatically.
### Option 2: Manual Step-by-Step
Follow the steps below for manual execution.
---
## Step-by-Step Deployment
### Step 1: Get Cloudflare Zone IDs
**Purpose**: Identify Zone IDs needed for DNS updates
```bash
./scripts/get-cloudflare-zone-ids.sh
```
**Output**: Zone IDs for each domain
**Action**: Add Zone IDs to `.env` file (the same file holds the Cloudflare credentials, so keep it out of version control and readable only by the deploying user; an API Token scoped to DNS edit on these four zones is preferable to the account-wide Email + API Key):
```bash
CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=your-zone-id
CLOUDFLARE_ZONE_ID_D_BIS_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_MIM4U_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=your-zone-id
```
---
### Step 2: Update Cloudflare DNS Records
**Purpose**: Point all domains to public IP (76.53.10.35) with DNS only mode
```bash
./scripts/update-all-dns-to-public-ip.sh
```
**What it does**:
- Updates 19 DNS records across 4 zones
- Sets all records to DNS only (gray cloud), so Cloudflare stops proxying them; a record left proxied resolves to a Cloudflare edge IP instead of 76.53.10.35 and will fail Step 3
- Points all to 76.53.10.35
**Expected output**: Success indicators for each record
---
### Step 3: Verify DNS Resolution
**Purpose**: Confirm DNS records are resolving correctly
```bash
./scripts/verify-dns-resolution.sh
```
**What it does**:
- Tests all 19 domains
- Verifies they resolve to 76.53.10.35
- Reports any issues
**Note**: Wait 1-5 minutes after DNS update for propagation
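The verification script above is not reproduced on this page, so the following is an added example (not one of the repository's scripts) of the check a practitioner would want at this step: besides "resolves" versus "does not resolve", it tells a record that is still orange-cloud (it answers with a Cloudflare edge IP) apart from one that is missing or points elsewhere. The Cloudflare ranges embedded in it are an assumed subset of the published list; `check_domains` needs network access, the classification helpers do not.

```shell
#!/bin/sh
# Added example (not one of the repository's scripts): classify the A record
# a domain returns for the single public IP, so a record still on the orange
# cloud (proxied through Cloudflare) is reported separately from a record
# that is missing or points somewhere else. Only check_domains needs the
# network; the helpers below work on values passed in.

EXPECTED_IP="76.53.10.35"

# Assumption: a subset of Cloudflare's published IPv4 edge ranges, used only
# to recognise a still-proxied record. Refresh it from
# https://www.cloudflare.com/ips/ before relying on it.
CF_RANGES="104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 173.245.48.0/20 \
141.101.64.0/18 108.162.192.0/18 162.158.0.0/15 198.41.128.0/17"

# is_ip4 ADDR: succeed only for a dotted quad with four octets in 0..255
is_ip4() {
  case $1 in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# ip4_to_int ADDR: dotted quad -> 32-bit integer (1.2.3.4 -> 16909060)
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS: succeed when ADDR falls inside NET/BITS
in_cidr() {
  ip=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_answer ANSWER [EXPECTED]: prints one of
#   ok       resolved to the expected public IP
#   empty    no A record returned (record missing or not yet propagated)
#   proxied  resolved to a Cloudflare edge IP: the record is still orange-cloud
#   wrong    resolved to some other address (or to something that is not an IP)
classify_answer() {
  answer=$1
  expected=${2:-$EXPECTED_IP}
  if [ -z "$answer" ]; then
    echo empty
  elif [ "$answer" = "$expected" ]; then
    echo ok
  elif ! is_ip4 "$answer"; then
    echo wrong
  else
    for r in $CF_RANGES; do
      if in_cidr "$answer" "$r"; then
        echo proxied
        return 0
      fi
    done
    echo wrong
  fi
}

# check_domains DOMAIN...: look each domain up with dig and print a report;
# exit status is non-zero unless every domain is "ok". Needs network access.
check_domains() {
  rc=0
  for d in "$@"; do
    ip=$(dig +short A "$d" | grep -E '^[0-9.]+$' | head -n 1)
    state=$(classify_answer "$ip")
    printf '%-40s %-16s %s\n' "$d" "${ip:--}" "$state"
    [ "$state" = ok ] || rc=1
  done
  return $rc
}

# Usage (from a host with DNS access):
#   RUN_CHECK=1 sh check-dns.sh sankofa.nexus rpc-http-pub.d-bis.org
if [ "${RUN_CHECK:-0}" = 1 ]; then
  check_domains "$@"
fi
```

Run it from outside the LAN as well as inside: a resolver that has cached the old tunnel records will report `wrong` or `proxied` for a few minutes after the update, which is the propagation delay the note above refers to.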
---
### Step 4: Configure ER605 NAT Rules
**Purpose**: Forward public IP traffic to Nginx
```bash
./scripts/configure-er605-nat-rules.sh
```
**Output**: NAT rule configuration details
**Action**: Manually configure in Omada Controller or ER605 GUI:
#### Rule 1: HTTPS (All Services)
```
Rule Name: Web Services (All Domains)
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35
External Port: 443
Internal IP: 192.168.11.26
Internal Port: 443
Protocol: TCP
Source IP: 0.0.0.0/0
```
#### Rule 2: HTTP (Let's Encrypt)
```
Rule Name: HTTP (Let's Encrypt)
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35
External Port: 80
Internal IP: 192.168.11.26
Internal Port: 80
Protocol: TCP
Source IP: 0.0.0.0/0
```
**Also configure firewall rules**:
- Allow HTTPS (443) from WAN to 192.168.11.26
- Allow HTTP (80) from WAN to 192.168.11.26
- Allow nothing else from WAN: with the gray cloud the public IP receives unfiltered internet traffic, so the Proxmox host (192.168.11.10), the ER605/Omada management interface and the backend services must stay reachable from the LAN only
- Port 80 is open only for the Let's Encrypt HTTP-01 challenge; Nginx should serve `/.well-known/acme-challenge/` there and redirect everything else to HTTPS
---
### Step 5: Deploy Nginx Configuration
**Purpose**: Configure Nginx on VMID 105 to route all domains
```bash
./scripts/deploy-complete-nginx-config.sh
```
**What it does**:
- Creates complete Nginx configuration
- Deploys to VMID 105
- Tests configuration
- Reloads Nginx
**Note**: Update placeholder IPs for Phoenix and The Order services
---
### Step 6: Obtain SSL Certificates
**Purpose**: Get Let's Encrypt certificates for all domains
```bash
# Set email for Let's Encrypt
export SSL_EMAIL=your-email@example.com
./scripts/obtain-all-ssl-certificates.sh
```
**What it does**:
- Installs certbot if needed
- Obtains certificates for all 19 domains
- Configures Nginx with certificates
**Requirements**:
- DNS records must resolve to 76.53.10.35
- ER605 NAT rules must be configured
- Port 80 must be accessible from internet
---
## Verification
### Test DNS Resolution
```bash
./scripts/verify-dns-resolution.sh
```
### Test RPC Endpoints
```bash
# Test RPC Public
curl -X POST https://rpc-http-pub.d-bis.org \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
# Expected: {"jsonrpc":"2.0","result":"0x8a","id":1}   (0x8a = chain ID 138)
# Test ThirdWeb RPC
curl -X POST https://rpc.public-0138.defi-oracle.io \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
# The -prv hostnames (rpc-http-prv, rpc-ws-prv) resolve to the same public IP:
# run the same probe against them from outside the LAN and confirm they only
# answer with whatever access control the Nginx config applies to them.
```
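Reading the `curl` output by eye works for two endpoints; for all of them, the following added example (not one of the repository's scripts) validates the JSON-RPC reply so that a 502 page from Nginx, a JSON-RPC error and a node on the wrong chain are each reported distinctly. The expected chain ID 138 (`0x8a`) is taken from the probe above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not one of the repository's scripts): validate the JSON-RPC
# reply from an eth_chainId probe so a proxy returning HTML (e.g. a 502 page),
# a JSON-RPC error, or a node on the wrong chain is each reported distinctly.
# The guide expects chain ID 138, which eth_chainId reports as "0x8a".

EXPECTED_CHAIN_ID=138

# rpc_result JSON: print the string value of "result", or nothing
rpc_result() {
  printf '%s' "$1" | sed -n 's/.*"result":"\([^"]*\)".*/\1/p'
}

# rpc_error JSON: print the "message" inside an "error" object, or nothing
rpc_error() {
  printf '%s' "$1" | sed -n 's/.*"error":{[^}]*"message":"\([^"]*\)".*/\1/p'
}

# chain_id_decimal JSON: convert a hex "result" to decimal, or print nothing.
# The value comes from an untrusted network reply, so it is checked to be
# pure hex before it reaches shell arithmetic: an unchecked string such as
# "a[$(cmd)]" would otherwise be evaluated by $(( )).
chain_id_decimal() {
  hex=$(rpc_result "$1")
  case $hex in
    0x|0x*[!0-9a-fA-F]*) ;;          # empty or non-hex payload: reject
    0x*) echo $(( hex )) ;;
    *) ;;
  esac
}

# check_chain_id JSON: prints ok | wrong-chain:N | error:MSG | no-result
check_chain_id() {
  err=$(rpc_error "$1")
  if [ -n "$err" ]; then
    echo "error:$err"
    return 0
  fi
  id=$(chain_id_decimal "$1")
  if [ -z "$id" ]; then
    echo no-result
  elif [ "$id" -eq "$EXPECTED_CHAIN_ID" ]; then
    echo ok
  else
    echo "wrong-chain:$id"
  fi
}

# probe_endpoint URL: run the guide's curl against a live endpoint (needs
# network access) and print the verdict next to the URL.
probe_endpoint() {
  body=$(curl -sS --max-time 10 -X POST "$1" \
    -H 'Content-Type: application/json' \
    -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}')
  printf '%-45s %s\n' "$1" "$(check_chain_id "$body")"
}

# Usage (from outside the LAN):
#   RUN_PROBE=1 sh check-rpc.sh https://rpc-http-pub.d-bis.org \
#       https://rpc.public-0138.defi-oracle.io
if [ "${RUN_PROBE:-0}" = 1 ]; then
  for u in "$@"; do
    probe_endpoint "$u"
  done
fi
```

A `no-result` verdict on an HTTPS endpoint usually means Nginx answered instead of the node (wrong server block or a 502), which is the case the Troubleshooting section below covers.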
### Test Web Services
```bash
# Test Sankofa
curl -I https://sankofa.nexus
# Test DBIS Secure Portal
curl -I https://secure.d-bis.org
# Test MIM4U
curl -I https://mim4u.org
```
---
## Troubleshooting
### DNS Not Resolving
**Symptoms**: `dig domain.com +short` returns nothing or wrong IP
**Solutions**:
1. Wait 1-5 minutes for DNS propagation
2. Check Cloudflare DNS dashboard - verify records exist
3. Verify Zone IDs in `.env` are correct
4. Check DNS update script output for errors
### ER605 NAT Not Working
**Symptoms**: Can't reach services from internet
**Solutions**:
1. Verify NAT rules are enabled
2. Check firewall rules allow traffic
3. Test from internal network: `curl -I http://192.168.11.26`
4. Verify public IP is correct (76.53.10.35)
### Nginx Not Routing Correctly
**Symptoms**: 502 Bad Gateway or wrong service
**Solutions**:
1. Check Nginx configuration: `pct exec 105 -- nginx -t`
2. Check Nginx logs: `pct exec 105 -- tail -f /var/log/nginx/error.log`
3. Verify backend services are running
4. Test backend directly: `curl http://192.168.11.130:80`
### SSL Certificate Issues
**Symptoms**: Certificate errors or Let's Encrypt validation fails
**Solutions**:
1. Verify DNS resolves to 76.53.10.35
2. Verify port 80 is accessible (for validation)
3. Check ER605 NAT rule for port 80
4. Retry certificate acquisition: `./scripts/obtain-all-ssl-certificates.sh`
---
## Architecture Summary
```
Internet
   ↓
Cloudflare DNS (DNS Only - Gray Cloud)
   ↓
76.53.10.35 (Single Public IP)
   ↓
ER605 NAT (Port 443 → 192.168.11.26:443, Port 80 → 192.168.11.26:80)
   ↓
Nginx on VMID 105 (Hostname-based routing via SNI)
   ↓
Backend Services:
  - RPC Nodes (192.168.11.240, 250, 251, 252)
  - Explorer (192.168.11.140)
  - DBIS (192.168.11.130, 155, 156)
  - MIM4U (192.168.11.19)
  - Sankofa/Phoenix (10.160.0.10, 10.160.0.11)
```
---
## Complete Domain List
### All 19 Domains (Single IP: 76.53.10.35)
1. `sankofa.nexus` + `www.sankofa.nexus`
2. `phoenix.sankofa.nexus` + `www.phoenix.sankofa.nexus`
3. `the-order.sankofa.nexus`
4. `rpc.public-0138.defi-oracle.io`
5. `rpc-http-pub.d-bis.org`
6. `rpc-ws-pub.d-bis.org`
7. `rpc-http-prv.d-bis.org`
8. `rpc-ws-prv.d-bis.org`
9. `explorer.d-bis.org`
10. `dbis-admin.d-bis.org`
11. `dbis-api.d-bis.org`
12. `dbis-api-2.d-bis.org`
13. `secure.d-bis.org`
14. `mim4u.org` + `www.mim4u.org`
15. `secure.mim4u.org`
16. `training.mim4u.org`
---
## Scripts Created
1. **`update-all-dns-to-public-ip.sh`** - Updates Cloudflare DNS
2. **`get-cloudflare-zone-ids.sh`** - Gets Zone IDs
3. **`verify-dns-resolution.sh`** - Verifies DNS
4. **`configure-er605-nat-rules.sh`** - Generates NAT config
5. **`deploy-complete-nginx-config.sh`** - Deploys Nginx config
6. **`obtain-all-ssl-certificates.sh`** - Gets SSL certificates
7. **`deploy-complete-solution.sh`** - Orchestrates all steps
---
## Related Documentation
- DNS Update Script Guide: `docs/04-configuration/DNS_UPDATE_SCRIPT_GUIDE.md`
- ER605 Router Config: `docs/04-configuration/ER605_ROUTER_CONFIGURATION.md`
- Nginx Configurations: `docs/04-configuration/NGINX_CONFIGURATIONS_VMIDS_2400-2508.md`
- Network Architecture: `docs/02-architecture/NETWORK_ARCHITECTURE.md`
---
**Status**: ✅ **All Scripts Ready - Ready to Deploy**