proxmox/docs/04-configuration/MIFOS_NPMPLUS_TUNNEL.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

# Mifos: Tunnel via NPMplus (Option — dedicated NPMplus for mifos.d-bis.org)
**Last Updated:** 2026-02-09
**Status:** Optional architecture
**Context:** Use a dedicated NPMplus VM (10237) as the tunnel origin; NPMplus proxies to VMID 5800 (Mifos). SSL and proxy managed in NPMplus UI (e.g. Let's Encrypt).
---
## Yes, we run NPMplus
Existing instances:
| VMID | Host | IP | Role / Public IP |
|-------|---------|----------------|----------------------|
| 10233 | r630-01 | 192.168.11.167 | Main NPMplus (76.53.10.36) |
| 10234 | r630-02 | 192.168.11.168 | Secondary |
| 10235 | r630-01 | 192.168.11.169 | Alltra/HYBX (76.53.10.42) |
| 10236 | r630-01 | 192.168.11.170 | Fourth dev/Codespaces (76.53.10.40) |
| **10237** | **r630-02** | **192.168.11.171** | **NPMplus Mifos** tunnel origin → 5800 |
---
## Flow: Tunnel → NPMplus (10237) → VMID 5800
1. **Cloudflare** terminates HTTPS for `mifos.d-bis.org` and sends traffic through the tunnel.
2. **Tunnel connector** runs either:
   - **In 10237 (NPMplus Mifos):** cloudflared runs in 10237; Service = `https://127.0.0.1:443` or `https://192.168.11.171:443`.
   - **In 5800 (current):** cloudflared runs in 5800; Service = `https://192.168.11.171:443` (origin = NPMplus).
3. **NPMplus (10237)** has a proxy host **mifos.d-bis.org** → **http://192.168.11.85:80** (Mifos in 5800). SSL for mifos.d-bis.org can be a Let's Encrypt certificate issued from NPMplus.
4. **5800** serves Mifos on port 80 only; no Nginx/SSL on 5800 if you use this path. Note that only the tunnel → NPMplus hop is TLS; the NPMplus → 5800 hop is plain HTTP on the LAN, so 192.168.11.85:80 should not be reachable from outside that network.
---
## 1. Create NPMplus Mifos container (10237)
From project root:
```bash
./scripts/npmplus/create-npmplus-mifos-container.sh
```
- **VMID:** 10237
- **Host:** r630-02 (192.168.11.12)
- **IP:** 192.168.11.171
- **Overrides:** `STORAGE_R630_02_NPMPLUS_MIFOS`, `TEMPLATE`
---
## 2. Install NPMplus in 10237
Inside 10237 (same pattern as other NPMplus containers):
- Install Docker, then Nginx Proxy Manager: `./scripts/npmplus/install-npmplus-mifos.sh`.
- **Credentials:** All five NPMplus instances use the **same** `NPM_EMAIL` and `NPM_PASSWORD` (in `.env`). Use them to log in at **https://192.168.11.171:81**. For a newly created instance, first log in with the auto-generated password (`ssh root@<host> 'pct exec 10237 -- cat /opt/.npm_pwd'`), then change the admin password in the UI to match `NPM_PASSWORD` so it stays in sync with the others. Because one password unlocks all five admin UIs, keep `.env` out of version control and do not publish port 81 through the tunnel; reach it over the LAN only.
- Add **Proxy Host:**
- **Domain:** `mifos.d-bis.org`
- **Forward hostname / IP:** `192.168.11.85`
- **Forward port:** `80`
- **SSL:** Request Let's Encrypt for `mifos.d-bis.org` (or use existing cert).
---
## 3. Point the tunnel at NPMplus
**Option A — Tunnel connector in 10237 (recommended for this design)**
- Install cloudflared in 10237 with the same tunnel token (or a dedicated tunnel for Mifos).
- **Zero Trust** → **Published application routes:**
- **Domain:** `mifos.d-bis.org`
- **Service:** `https://127.0.0.1:443` (NPMplus in same container) or `https://192.168.11.171:443`
- Under **Origin configuration** (TLS settings), enable **No TLS Verify** only while NPMplus still presents a self-signed certificate for the origin. Once NPMplus has a Let's Encrypt cert for mifos.d-bis.org, leave verification on and set **Origin Server Name** to `mifos.d-bis.org`: cloudflared otherwise sends the Service host (an IP) as SNI and checks the certificate against it, which fails against a cert issued for the hostname.
**Option B — Tunnel connector stays in 5800**
- **Published application routes:** Service = `https://192.168.11.171:443`.
- cloudflared in 5800 connects to NPMplus at 192.168.11.171:443; NPMplus proxies to 192.168.11.85:80.
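The following script is an added example and is not one of the project's `scripts/`; it assumes a locally-managed tunnel config (`config.yml` plus a credentials file, with the tunnel UUID supplied by the caller) as the equivalent of the dashboard route described above, and reuses the page's addresses. `render_ingress` prints the ingress for either connector placement (Option A in 10237, Option B in 5800), including the `originServerName` setting that makes certificate verification work against a hostname cert on NPMplus, and `check_chain` reproduces the two hops by hand: the first `curl` talks to NPMplus with the same SNI and Host header cloudflared would use and verifies the certificate, the second hits Mifos on 5800 over plain HTTP.

```shell
#!/usr/bin/env sh
# Added example, not part of the project. Renders a cloudflared ingress for the
# tunnel -> NPMplus (10237) -> Mifos (5800) design and checks both hops by hand.
# Assumption: a locally-managed tunnel (config.yml + credentials file) is used
# instead of the dashboard route; the tunnel UUID is passed in by the caller.
set -eu

NPMPLUS_IP=192.168.11.171   # 10237, NPMplus Mifos (from the page)
MIFOS_IP=192.168.11.85      # 5800, Mifos on port 80 (from the page)
PUBLIC_HOST=mifos.d-bis.org

# render_ingress <10237|5800> <tunnel-id>
# Prints a config.yml equivalent to the "Published application route".
# originServerName is the setting the route needs with a Let's Encrypt cert on
# NPMplus: cloudflared otherwise uses the service host (an IP) for SNI and for
# the certificate name check. noTLSVerify stays commented out on purpose.
render_ingress() {
  where=$1
  tunnel_id=$2
  case "$where" in
    10237) service="https://127.0.0.1:443" ;;      # connector inside the NPMplus CT
    5800)  service="https://$NPMPLUS_IP:443" ;;    # connector stays in the Mifos CT
    *) echo "render_ingress: unknown connector location '$where'" >&2; return 2 ;;
  esac
  cat <<EOF
tunnel: $tunnel_id
credentials-file: /root/.cloudflared/$tunnel_id.json
ingress:
  - hostname: $PUBLIC_HOST
    service: $service
    originRequest:
      originServerName: $PUBLIC_HOST   # SNI and cert name check against NPMplus
      # noTLSVerify: true              # only while NPMplus has a self-signed cert
  - service: http_status:404          # mandatory catch-all; nothing else is exposed
EOF
}

# check_chain: hop 1 connects to NPMplus as cloudflared would (URL host stays
# the public name, so SNI and Host header are mifos.d-bis.org, TLS verified);
# hop 2 is the plain-HTTP request NPMplus itself makes to 5800.
# A TLS failure on hop 1 makes curl exit non-zero and stops the script.
check_chain() {
  printf 'hop1 tunnel->NPMplus : '
  curl -sS -o /dev/null -w '%{http_code} ssl_verify_result=%{ssl_verify_result}\n' \
    --resolve "$PUBLIC_HOST:443:$NPMPLUS_IP" "https://$PUBLIC_HOST/"
  printf 'hop2 NPMplus->Mifos  : '
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -H "Host: $PUBLIC_HOST" "http://$MIFOS_IP:80/"
}

# Usage: ./mifos-tunnel-check.sh check            (run both hops from the LAN)
#        ./mifos-tunnel-check.sh 10237 <tunnel-id> > /etc/cloudflared/config.yml
if [ "${1:-}" = check ]; then
  check_chain
elif [ $# -eq 2 ]; then
  render_ingress "$1" "$2"
fi
```

Run `check` from inside 10237 (or from 5800 for Option B) before cutting DNS over: a `200` (or the Mifos redirect code) with `ssl_verify_result=0` on hop 1 means the certificate NPMplus serves for `mifos.d-bis.org` is trusted, so **No TLS Verify** can stay off.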
---
## 4. DNS
Unchanged: **mifos.d-bis.org** is a **CNAME** to `<tunnel-id>.cfargotunnel.com` (Proxied).
Script: `MIFOS_DNS_MODE=tunnel ./scripts/cloudflare/configure-mifos-dns.sh`
---
## 5. Summary
| Step | Action |
|------|--------|
| 1 | Create 10237: `./scripts/npmplus/create-npmplus-mifos-container.sh` |
| 2 | Install NPM in 10237 (Docker + NPM); add proxy mifos.d-bis.org → http://192.168.11.85:80; SSL in NPM (Let's Encrypt) |
| 3 | Install cloudflared in 10237 (or keep in 5800); set tunnel Service to https://192.168.11.171:443 (or https://127.0.0.1:443 if connector in 10237) |
| 4 | DNS: CNAME mifos → tunnel (already done if using tunnel) |
**Config:** `IP_NPMPLUS_MIFOS`, `NPMPLUS_MIFOS_VMID` in `config/ip-addresses.conf`; VMID 10237 → r630-02 in `scripts/lib/load-project-env.sh`.
**Credentials:** All five NPMplus instances (10233, 10234, 10235, 10236, 10237) use the same `NPM_EMAIL` and `NPM_PASSWORD` in `.env`.