d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Add master secrets reference and .env.master.example; gitignore .env.master
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details

Browse Source 
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
defiQUG
2026-02-21 15:50:13 -08:00
parent bea1903ac9
commit e4a19db0ae
3 changed files with 417 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

198
.env.master.example Normal file
View File

@@ -0,0 +1,198 @@
# ============================================================================
# Master Secrets Template — ALL keys used across the workspace
# ============================================================================
# Copy to .env (repo root) or .env.master (local only). Fill values; NEVER commit.
# See: docs/04-configuration/MASTER_SECRETS.md for where each is used.
# ============================================================================
# --- Proxmox ---
PROXMOX_ML110=
PROXMOX_R630_01=
PROXMOX_R630_02=
PROXMOX_HOST=
PROXMOX_PORT=
PROXMOX_USER=
PROXMOX_TOKEN_NAME=
PROXMOX_TOKEN_VALUE=
PROXMOX_ALLOW_ELEVATED=
# --- Cloudflare ---
CLOUDFLARE_API_TOKEN=
CLOUDFLARE_EMAIL=
CLOUDFLARE_API_KEY=
CLOUDFLARE_ZONE_ID=
CLOUDFLARE_ZONE_ID_D_BIS_ORG=
CLOUDFLARE_ZONE_ID_MIM4U_ORG=
CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=
CLOUDFLARE_TUNNEL_TOKEN=
CLOUDFLARE_TUNNEL_ID=
CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX=
CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=
CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02=
CLOUDFLARE_ORIGIN_CA_KEY=
CLOUDFLARE_ACCOUNT_ID=
# --- ClouDNS ---
CLOUDNS_AUTH_ID=
CLOUDNS_AUTH_PASSWORD=
# --- NPM / NPMplus ---
NPM_URL=
NPM_EMAIL=
NPM_PASSWORD=
NPM_HOST=
NPM_PROXMOX_HOST=
NPMPLUS_HOST=
NPM_VMID=
NPMPLUS_VMID=
NPMPLUS_ALLTRA_HYBX_VMID=
IP_NPMPLUS_ALLTRA_HYBX=
NPM_URL_MIFOS=
# --- Fastly ---
FASTLY_API_TOKEN=
# --- Network / UniFi / Omada ---
PUBLIC_IP=
PROXMOX_HOST_FOR_TEST=
UNIFI_UDM_URL=
UNIFI_API_KEY=
UNIFI_API_MODE=
UNIFI_SITE_ID=
UNIFI_VERIFY_SSL=
OMADA_API_KEY=
OMADA_CLIENT_SECRET=
# --- Gitea ---
GITEA_URL=
GITEA_TOKEN=
GITEA_ORG=
# --- Database & app auth ---
DATABASE_URL=
JWT_SECRET=
JWT_REFRESH_SECRET=
JWT_EXPIRES_IN=
JWT_REFRESH_EXPIRES_IN=
SESSION_SECRET=
ADMIN_CENTRAL_API_KEY=
DBIS_CENTRAL_URL=
ADMIN_JWT_SECRET=
# --- Storage (AWS / Azure) ---
STORAGE_TYPE=
STORAGE_PATH=
AWS_REGION=
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_S3_BUCKET=
AZURE_STORAGE_CONNECTION_STRING=
AZURE_STORAGE_CONTAINER=
# --- Blockchain / SMOM-DBIS-138 (use smom-dbis-138/.env for PRIVATE_KEY) ---
PRIVATE_KEY=
RPC_URL_138=
RPC_URL_138_PUBLIC=
ETHEREUM_MAINNET_RPC=
CHAIN_651940_RPC_URL=
ETHERLINK_RPC_URL=
TEZOS_RPC_URL=
ETHERSCAN_API_KEY=
ETHERLINK_CCIP_SELECTOR=
TEZOS_BRIDGE_ENABLED=
ETHERLINK_BRIDGE_ENABLED=
TEZOS_RELAY_ORACLE_KEY=
ETHERLINK_RELAY_BRIDGE=
ETHERLINK_RELAY_PRIVATE_KEY=
JUMPER_API_KEY=
ONEINCH_API_KEY=
MOONPAY_API_KEY=
MOONPAY_SECRET_KEY=
RAMP_NETWORK_API_KEY=
ONRAMPER_API_KEY=
# --- Alerts & monitoring ---
SLACK_WEBHOOK_URL=
PAGERDUTY_INTEGRATION_KEY=
EMAIL_ALERT_API_URL=
EMAIL_ALERT_RECIPIENTS=
SENTRY_DSN=
# --- Legal / e-signature ---
E_SIGNATURE_BASE_URL=
# --- OTC / exchanges (dbis_core) ---
CRYPTO_COM_API_KEY=
CRYPTO_COM_API_SECRET=
CRYPTO_COM_ENVIRONMENT=
BINANCE_API_KEY=
BINANCE_API_SECRET=
KRAKEN_API_KEY=
KRAKEN_PRIVATE_KEY=
OANDA_API_KEY=
OANDA_ACCOUNT_ID=
OANDA_ENVIRONMENT=
FXCM_API_TOKEN=
# --- Price / market data ---
COINGECKO_API_KEY=
COINDESK_API_KEY=
COINMARKETCAP_API_KEY=
DEXSCREENER_API_KEY=
# --- Mifos / Fineract / OMNL ---
MIFOS_BASE_URL=
MIFOS_TENANT=
MIFOS_USER=
MIFOS_PASSWORD=
MIFOS_INSECURE=
OMNL_FINERACT_BASE_URL=
OMNL_FINERACT_TENANT=
OMNL_FINERACT_USER=
OMNL_FINERACT_PASSWORD=
# --- Phoenix / Sankofa / OMNIS backend ---
SANKOFA_PHOENIX_API_URL=
SANKOFA_PHOENIX_CLIENT_ID=
SANKOFA_PHOENIX_CLIENT_SECRET=
SANKOFA_PHOENIX_TENANT_ID=
# --- Frontend / MetaMask / Explorer ---
VITE_WALLETCONNECT_PROJECT_ID=
VITE_THIRDWEB_CLIENT_ID=
VITE_ETHERSCAN_API_KEY=
VITE_SENTRY_DSN=
VITE_API_URL=
VITE_API_BASE_URL=
NEXT_PUBLIC_API_URL=
NEXT_PUBLIC_CHAIN_ID=
METAMASK_API_KEY=
THIRDWEB_SECRET_KEY=
NPM_ACCESS_TOKEN=
# --- DeFi aggregators (alltra-lifi-settlement) ---
PARASWAP_API_KEY=
ZEROX_API_KEY=
# --- ProxmoxVE API (MongoDB) ---
MONGO_USER=
MONGO_PASSWORD=
MONGO_IP=
MONGO_PORT=
MONGO_DATABASE=
# --- Chain138 RPC (config) ---
CHAIN138_RPC_URL=
RPC_URL_138_FIREBLOCKS=
WS_URL_138_FIREBLOCKS=
CHAIN_ID_138=
# --- Phoenix deploy API ---
PORT=
GITEA_TOKEN=
# --- Optional / per-service ---
MARKET_REPORTING_API_KEY=
E_FILING_ENABLED=
NODE_ENV=

1
.gitignore vendored
View File

@@ -10,6 +10,7 @@ yarn.lock
.env
.env.local
.env.*.local
.env.master
# Logs
*.log

218
docs/04-configuration/MASTER_SECRETS.md Normal file
View File

@@ -0,0 +1,218 @@
# Master Secrets Reference
**Single authoritative list of all secrets** used across the Proxmox workspace and related projects.
**No values are stored here.** Use root `.env`, service-specific `.env` files, or a secrets store (e.g. Vault); see [.env.master.example](../../.env.master.example) for a single template of all keys.
**Last updated:** 2026-02-21
---
## How to use
- **Reference:** This file lists every secret **name**, **where it is used**, and **required/optional**.
- **Template:** Copy [.env.master.example](../../.env.master.example) to `.env` (root) or `.env.master` (local only), fill values, and never commit. Ensure `.env` and `.env.master` are in `.gitignore`.
- **Per-project:** Many secrets live in project-specific `.env` (e.g. `smom-dbis-138/.env`, `dbis_core/.env`). Root `.env` is used by scripts in this repo; subprojects use their own `.env`.
---
## 1. Proxmox & infrastructure
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `PROXMOX_ML110`, `PROXMOX_R630_01`, `PROXMOX_R630_02` | Root `.env`, config | Yes | Host IPs (can be non-secret) |
| `PROXMOX_HOST`, `PROXMOX_PORT`, `PROXMOX_USER` | Root `.env`, scripts | Yes | API target |
| `PROXMOX_TOKEN_NAME`, `PROXMOX_TOKEN_VALUE` | Root `.env` | Yes (for API) | Or password per host |
| `PROXMOX_PASS_ML110`, `PROXMOX_PASS_R630_01`, `PROXMOX_PASS_R630_02` | Scripts (if no token) | If no token | SSH/API |
---
## 2. Cloudflare
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `CLOUDFLARE_API_TOKEN` | Root `.env` | Preferred | Prefer over API_KEY |
| `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_KEY` | Root `.env` | If no token | Legacy |
| `CLOUDFLARE_ZONE_ID`, `CLOUDFLARE_ZONE_ID_*` | Root `.env` | Yes | Per zone |
| `CLOUDFLARE_ACCOUNT_ID` | Root `.env` | Yes | Tunnels / account API |
| `CLOUDFLARE_TUNNEL_TOKEN` | Root `.env` | Yes (tunnels) | cloudflared |
| `CLOUDFLARE_TUNNEL_ID`, `CLOUDFLARE_TUNNEL_ID_*` | Root `.env` | If using tunnel DNS | Tunnel UUIDs |
| `CLOUDFLARE_ORIGIN_CA_KEY` | Root `.env` | Optional | Origin cert |
---
## 3. NPM / NPMplus
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `NPM_URL`, `NPM_EMAIL`, `NPM_PASSWORD` | Root `.env` | Yes (NPM scripts) | All NPMplus instances |
| `NPM_HOST`, `NPM_VMID`, `NPMPLUS_HOST`, `NPMPLUS_VMID` | Root `.env` | Yes | Config |
| `NPM_URL_MIFOS`, `NPMPLUS_ALLTRA_HYBX_VMID`, `IP_NPMPLUS_ALLTRA_HYBX` | Root `.env` | Per setup | Optional |
---
## 4. DNS / TLS (ClouDNS, etc.)
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | Root `.env` | If Certbot ClouDNS | NPMplus TLS |
---
## 5. Network / UniFi / Omada
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `UNIFI_UDM_URL`, `UNIFI_API_KEY`, `UNIFI_SITE_ID` | Root `.env`, unifi-api | Yes (if automating) | UDM Pro API |
| `OMADA_API_KEY`, `OMADA_CLIENT_SECRET` | omada-api/.env | If using Omada | Omada Controller |
---
## 6. Gitea
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `GITEA_URL`, `GITEA_TOKEN` | Root `.env` | Yes (push/create repos) | push-to-gitea.sh, push-all-projects-to-gitea.sh |
| `GITEA_ORG` | Optional override | No | Default d-bis |
---
## 7. Blockchain / SMOM-DBIS-138
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `PRIVATE_KEY` | smom-dbis-138/.env | Yes (deploy/bridge) | Deployer key; move to HSM |
| `RPC_URL_138`, `RPC_URL_138_PUBLIC` | Root/smom-dbis-138 `.env`, config | Yes | Chain 138 RPC |
| `ETHEREUM_MAINNET_RPC`, `CHAIN_651940_RPC_URL`, etc. | smom-dbis-138/.env | Per use | Other chains |
| `ETHERSCAN_API_KEY` | Root, smom-dbis-138 | Yes (verification) | Etherscan/Blockscan |
| Contract addresses (e.g. `CCIP_ROUTER`, `LINK_TOKEN`) | smom-dbis-138/.env, config | Yes | See config/contract-addresses.conf |
---
## 8. Database & app auth
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `DATABASE_URL` | Root, dbis_core, OMNIS, explorer, token-aggregation | Yes (per app) | PostgreSQL connection string |
| `JWT_SECRET`, `JWT_REFRESH_SECRET` | OMNIS/backend, explorer, dbis_core | Yes (per service) | Min 32 chars |
| `SESSION_SECRET` | Explorer, OMNIS | If sessions | Session signing |
| `ADMIN_CENTRAL_API_KEY` | dbis_core, orchestration, token-aggregation | Yes (central API) | Service-to-service |
| `DBIS_CENTRAL_URL` | Callers of dbis_core | Yes | API base URL |
---
## 9. Storage (AWS / Azure)
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_S3_BUCKET` | Root, OMNIS, the-order | If S3 | Storage |
| `AZURE_STORAGE_CONNECTION_STRING`, `AZURE_STORAGE_CONTAINER` | Root, OMNIS | If Azure | Blob storage |
---
## 10. Third-party APIs (price, ramps, exchanges)
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `COINGECKO_API_KEY` | Root, token-aggregation, oracle | Recommended | Price feeds |
| `COINDESK_API_KEY` | Root | Optional | Market data |
| `MOONPAY_API_KEY`, `MOONPAY_SECRET_KEY` | Root, metamask-integration | Optional | On/off ramp |
| `RAMP_NETWORK_API_KEY`, `ONRAMPER_API_KEY` | Root, metamask-integration | Optional | Ramps |
| `CRYPTO_COM_API_KEY`, `CRYPTO_COM_API_SECRET` | dbis_core | If OTC | Exchange OTC |
| `BINANCE_API_KEY`, `BINANCE_API_SECRET` | dbis_core | Optional | Ticker/private |
| `KRAKEN_API_KEY`, `KRAKEN_PRIVATE_KEY` | dbis_core | Optional | Same |
| `OANDA_API_KEY`, `OANDA_ACCOUNT_ID` | dbis_core | Optional | Forex |
| `FXCM_API_TOKEN` | dbis_core | Optional | Forex |
| `ONEINCH_API_KEY`, `PARASWAP_API_KEY`, `ZEROX_API_KEY` | alltra-lifi-settlement | Optional | DeFi rate limits |
---
## 11. Frontend / MetaMask / Explorer
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `VITE_WALLETCONNECT_PROJECT_ID`, `VITE_THIRDWEB_CLIENT_ID` | smom-dbis-138/frontend-dapp | Yes (WalletConnect) | Reown/Thirdweb |
| `VITE_ETHERSCAN_API_KEY`, `VITE_SENTRY_DSN` | Frontends | Optional | Build-time |
| `NEXT_PUBLIC_*` | explorer-monorepo/frontend | Per feature | Next.js public env |
| `METAMASK_API_KEY`, `THIRDWEB_SECRET_KEY` | metamask-integration | If integrated | Backend |
---
## 12. Alerts & monitoring
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `SLACK_WEBHOOK_URL` | Root, dbis_core | Optional | Alerts |
| `PAGERDUTY_INTEGRATION_KEY` | Root, dbis_core | Optional | |
| `EMAIL_ALERT_API_URL`, `EMAIL_ALERT_RECIPIENTS` | Root, dbis_core | Optional | |
| `SENTRY_DSN` | Various | Optional | Error tracking |
---
## 13. Legal / e-signature / e-filing
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `E_SIGNATURE_BASE_URL` | Root, the-order/legal-documents | Optional | E-signature API |
| E-filing / court API keys | the-order/legal-documents | If enabled | Per integration |
---
## 14. Mifos / Fineract / OMNL
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `MIFOS_BASE_URL`, `MIFOS_TENANT`, `MIFOS_USER`, `MIFOS_PASSWORD` | Root `.env` | If central-bank scripts | Fineract API |
| `OMNL_FINERACT_BASE_URL`, `OMNL_FINERACT_TENANT`, `OMNL_FINERACT_USER`, `OMNL_FINERACT_PASSWORD` | Root `.env`, omnl-fineract | If OMNL | OMNL tenant |
---
## 15. Phoenix / Sankofa / OMNIS backend
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `SANKOFA_PHOENIX_API_URL`, `SANKOFA_PHOENIX_CLIENT_ID`, `SANKOFA_PHOENIX_CLIENT_SECRET`, `SANKOFA_PHOENIX_TENANT_ID` | OMNIS/backend | If Phoenix OAuth | OAuth client |
| Phoenix/Vault app role credentials | .secure/ or Vault | If Phoenix deploy | Phoenix deploy API |
---
## 16. Tezos / Etherlink / Jumper
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `TEZOS_RELAY_ORACLE_KEY`, `ETHERLINK_RELAY_BRIDGE`, `ETHERLINK_RELAY_PRIVATE_KEY` | Root, smom-dbis-138 | If Tezos bridge | Relay |
| `JUMPER_API_KEY` | Root | Optional | Jumper bridge |
---
## 17. Fastly / other CDN
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `FASTLY_API_TOKEN` | Root `.env` | If using Fastly API | Purge/config |
---
## 18. Proxmox VE API subproject
| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `MONGO_USER`, `MONGO_PASSWORD`, `MONGO_IP`, `MONGO_PORT`, `MONGO_DATABASE` | ProxmoxVE/api/.env | If MongoDB | ProxmoxVE API |
---
## Security
- **Never commit** `.env`, `.env.master`, or any file containing real secrets.
- **Private keys:** Prefer HSM/Vault; do not store in repo or committed files.
- **Rotation:** Rotate API tokens and passwords periodically; document in this repo.
- **Scopes:** Use least-privilege tokens (e.g. Gitea: write:organization, write:repository).
---
## Related docs
- [.env.master.example](../../.env.master.example) — Single template with all keys (placeholders).
- [.env.example](../../.env.example) — Root .env template with comments.
- [MASTER_SECRETS_INVENTORY.md](MASTER_SECRETS_INVENTORY.md) — Detailed inventory and HSM migration plan.
- [REQUIRED_SECRETS_INVENTORY.md](REQUIRED_SECRETS_INVENTORY.md) — Required secrets checklist.
- [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md](REMAINING_ITEMS_DOTENV_AND_ACTIONS.md) — Where to store secrets and which scripts use them.