proxmox/.env.example
defiQUG bea1903ac9
Sync all local changes: docs, config, scripts, submodule refs, verification evidence
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-21 15:46:06 -08:00


# ============================================================================
# Proxmox Workspace - Root Environment Variables
# ============================================================================
# Copy to .env in repo root and/or ~/.env (scripts use repo root .env when
# run from repo; setup.sh and load-env.sh use ~/.env for PROXMOX_*).
# DO NOT commit actual .env files to version control
# Every value in this template is a placeholder or example. Real credentials,
# keys and live identifiers belong only in the uncommitted .env, so that the
# committed template never doubles as an inventory of real values.
# Several sections below reuse the same variable names (DATABASE_URL,
# JWT_SECRET, AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY appear under OMNIS,
# The Order and dbis_core IRU). A single .env holds one value per name, so
# services that share a name share the same credential unless they are given
# separate env files.
# ============================================================================
# ----------------------------------------------------------------------------
# Proxmox Configuration
# ----------------------------------------------------------------------------
# Node inventory (LAN addresses) and the node the scripts talk to by default.
PROXMOX_ML110=192.168.11.10
PROXMOX_R630_01=192.168.11.11
PROXMOX_R630_02=192.168.11.12
PROXMOX_HOST=192.168.11.11
PROXMOX_PORT=8006
# Token owner. A token issued for root@pam carries root's full privileges;
# a dedicated API user holding only the privileges the scripts need is the
# least-privilege option and limits what a leaked token can do.
PROXMOX_USER=root@pam
# Create token: ./scripts/proxmox/create-and-store-proxmox-api-token.sh (or Datacenter → API Tokens in UI)
# PROXMOX_TOKEN_VALUE is the secret half of the token; treat it like a password.
PROXMOX_TOKEN_NAME=your-token-name
PROXMOX_TOKEN_VALUE=your-token-secret-value
# Presumably gates privileged operations in the Proxmox scripts; keep false
# unless a script documents needing it — confirm against the scripts that read it.
PROXMOX_ALLOW_ELEVATED=false
# ----------------------------------------------------------------------------
# Cloudflare Configuration (both methods supported)
# ----------------------------------------------------------------------------
# Scripts (DNS, NPMplus, tunnel): use CLOUDFLARE_API_TOKEN first, else CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY.
# Certbot (dns-cloudflare): use ONE method per credentials file (token-only OR email+key-only).
# See: docs/04-configuration/CLOUDFLARE_CREDENTIALS_BOTH_METHODS.md
# Prefer the scoped API token. The Global API Key (CLOUDFLARE_API_KEY) grants
# full account access and cannot be restricted to the zones and permissions
# the scripts actually need.
CLOUDFLARE_API_TOKEN=your-cloudflare-api-token
CLOUDFLARE_EMAIL=your-email@example.com
CLOUDFLARE_API_KEY=your-cloudflare-api-key
# Zone IDs are identifiers, not credentials.
CLOUDFLARE_ZONE_ID_D_BIS_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_MIM4U_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=your-zone-id
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=your-zone-id
# Optional fallback for d-bis.org (create-dns-record-rpc-core, update-all-dns-to-public-ip)
# CLOUDFLARE_ZONE_ID=your-d-bis-org-zone-id
# Required for Chain 138 RPC DNS: rpc.defi-oracle.io, wss.defi-oracle.io, rpc.public-0138.defi-oracle.io
# The tunnel token and Origin CA key are credentials (a tunnel token is enough
# to run a connector for that tunnel); handle them like passwords.
CLOUDFLARE_TUNNEL_TOKEN=your-tunnel-token
CLOUDFLARE_ORIGIN_CA_KEY=your-origin-ca-key
CLOUDFLARE_ACCOUNT_ID=your-account-id
# Tunnel ID for Option B RPC DNS (set-rpc-dns-to-tunnel.sh): from Zero Trust → Tunnels → tunnel UUID
# Keep the real UUID in .env only; the template uses the same placeholder form as the Mifos entry below.
# CLOUDFLARE_TUNNEL_ID=your-tunnel-uuid
# Alltra/HYBX tunnel (configure-alltra-hybx-tunnel-and-dns.sh)
# CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX=your-tunnel-uuid
# Mifos on r630-02 (configure-mifos-dns.sh tunnel mode; install-tunnel-mifos-r630-02.sh)
# CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=your-tunnel-uuid
# CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02=your-tunnel-token
# Fineract API (central-bank-config scripts). Use full API path e.g. https://mifos.d-bis.org/fineract-provider/api/v1
# MIFOS_BASE_URL=https://mifos.d-bis.org/fineract-provider/api/v1
# MIFOS_TENANT=default
# MIFOS_USER=mifos
# MIFOS_PASSWORD=your-fineract-password
# MIFOS_INSECURE presumably disables TLS verification when set to 1; keep 0
# outside local testing — confirm in the central-bank-config scripts.
# MIFOS_INSECURE=0
# OMNL tenancy (https://omnl.hybxfinance.io/) same scripts, different vars if needed
# OMNL_FINERACT_BASE_URL=https://omnl.hybxfinance.io/fineract-provider/api/v1
# OMNL_FINERACT_TENANT=omnl
# OMNL_FINERACT_USER=app.omnl
# OMNL_FINERACT_PASSWORD=your-omnl-fineract-password
# Certbot dns_cloudflare (optional): in the file certbot reads, use ONE of:
# dns_cloudflare_email=your-email@example.com + dns_cloudflare_api_key=your-api-key
# OR dns_cloudflare_api_token=your-api-token
# ----------------------------------------------------------------------------
# ClouDNS (Certbot dns-cloudns) NPMplus Certbot DNS challenge
# ----------------------------------------------------------------------------
# For NPMplus TLS: Add TLS Certificate → DNS Challenge → ClouDNS → paste output of:
# ./scripts/certbot/print-cloudns-credentials-from-env.sh
# See: https://www.cloudns.net/api-settings/
# The auth password is the API credential; the auth ID alone is not.
CLOUDNS_AUTH_ID=1234
CLOUDNS_AUTH_PASSWORD=your-cloudns-api-password
# Optional: use sub-account (one of the two below, not both)
# CLOUDNS_SUB_AUTH_ID=1234
# CLOUDNS_SUB_AUTH_USER=foobar
# ----------------------------------------------------------------------------
# NPM (Nginx Proxy Manager) / NPMplus Configuration
# ----------------------------------------------------------------------------
# Required for: update-npmplus-proxy-hosts-api.sh, configure-npmplus-domains.js,
# scripts/fix-rpc-chain138-npmplus.sh (RPC ChainID 138 + Ledger)
# scripts/complete-chain138-rpc-setup.sh (full Chain 138 RPC from .env)
# See: docs/04-configuration/NEXT_STEPS_CHAIN138_RPC.md for complete .env → script mapping
# NPMplus (VMID 10233) is reachable on 192.168.11.167:81 (eth1). All five NPMplus instances (10233, 10234, 10235, 10236, 10237) use the same NPM_EMAIL and NPM_PASSWORD.
# Sharing one admin credential across all five instances means a leak from any
# one of them exposes them all; per-instance passwords limit the blast radius
# at the cost of one more variable per instance.
NPM_URL=https://192.168.11.167:81
NPM_EMAIL=admin@example.org
NPM_PASSWORD=your-npm-password
# NPM_HOST = NPMplus container IP (for split-DNS, LAN tests, verify-ws)
NPM_HOST=192.168.11.167
# NPM_PROXMOX_HOST / NPMPLUS_HOST = Proxmox host where NPMplus runs (SSH for pct exec, backup)
NPM_PROXMOX_HOST=192.168.11.11
NPMPLUS_HOST=192.168.11.11
NPM_VMID=10233
# NPMPLUS_VMID = same as NPM_VMID (used by list-npmplus-certificates-status, install-certbot-dns-cloudflare-in-npm, backup-npmplus, etc.)
NPMPLUS_VMID=10233
# NPMplus Mifos (VMID 10237, 192.168.11.171) — tunnel origin for mifos.d-bis.org → 5800. Same NPM_EMAIL/NPM_PASSWORD as above.
# NPM_URL_MIFOS=https://192.168.11.171:81
# NPMplus Alltra/HYBX (dedicated instance for Alltra + HYBX Sentries, RPC, Cacti, Firefly, Fabric, Indy)
# See: docs/04-configuration/NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md
NPMPLUS_ALLTRA_HYBX_VMID=10235
IP_NPMPLUS_ALLTRA_HYBX=192.168.11.169
# ----------------------------------------------------------------------------
# Fastly (edge CDN / origin)
# ----------------------------------------------------------------------------
# For Fastly API (purge, service config, health). See docs/05-network/CLOUDFLARE_ROUTING_MASTER.md
# Scope the token to the services and operations the scripts use (purge vs. config).
FASTLY_API_TOKEN=your-fastly-api-token
# ----------------------------------------------------------------------------
# Network Configuration
# ----------------------------------------------------------------------------
# PUBLIC_IP: used by update-all-dns-to-public-ip.sh for all Cloudflare A records (Chain 138 RPC)
# The value below appears to be a live WAN address rather than a placeholder;
# keep the real address in .env and use a placeholder (e.g. 203.0.113.10,
# TEST-NET-3) in the template.
PUBLIC_IP=76.53.10.36
PROXMOX_HOST_FOR_TEST=192.168.11.11
# ----------------------------------------------------------------------------
# UniFi (UDM Pro) API Official Network API (X-API-KEY)
# ----------------------------------------------------------------------------
# Used by: create-firewall-rules.sh, UNIFI_API_SETUP.md, unifi:cli
# Get API key: UniFi Network UI → Settings → System → API (or Developer / API Access)
UNIFI_UDM_URL=https://192.168.0.1
UNIFI_API_KEY=your-unifi-api-key
UNIFI_API_MODE=official
UNIFI_SITE_ID=default
# UNIFI_VERIFY_SSL=false presumably skips TLS certificate verification for the
# UDM API calls, which lets anything interposed on the LAN path read the API
# key. Tolerable only for the UDM's self-signed default; trusting its
# certificate and setting this to true is the safer configuration — confirm
# the scripts honour the flag that way.
UNIFI_VERIFY_SSL=false
# ----------------------------------------------------------------------------
# OMNIS Backend Configuration
# ----------------------------------------------------------------------------
# Database
# Credentials are embedded in the URL; the values here are placeholders.
DATABASE_URL=postgresql://user:password@localhost:5432/omnis
# JWT Authentication (REQUIRED - no defaults for security)
# Access and refresh secrets must be distinct, high-entropy values from a
# CSPRNG; never derive one from the other.
JWT_SECRET=your-strong-random-jwt-secret-min-32-chars
JWT_REFRESH_SECRET=your-strong-random-refresh-secret-min-32-chars
# A 7-day access-token lifetime is the window a stolen token stays usable
# unless the backend also revokes server-side; confirm this matches the
# threat model (short access + longer refresh is the usual split).
JWT_EXPIRES_IN=7d
JWT_REFRESH_EXPIRES_IN=30d
# File Storage
# STORAGE_PATH is relative, so it presumably resolves against the process
# working directory — confirm the backend anchors it to a fixed root.
STORAGE_TYPE=local
STORAGE_PATH=./uploads
# AWS S3 (if using S3 storage)
# Scope the IAM principal to this bucket; prefer role/instance credentials over
# long-lived access keys where the host supports them.
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=your-aws-access-key
AWS_SECRET_ACCESS_KEY=your-aws-secret-key
AWS_S3_BUCKET=omnis-uploads
# Azure Blob Storage (if using Azure storage)
# An account connection string typically embeds the account key (full account
# access); a container-scoped SAS or managed identity is narrower.
AZURE_STORAGE_CONNECTION_STRING=your-azure-connection-string
AZURE_STORAGE_CONTAINER=omnis-uploads
# ----------------------------------------------------------------------------
# The Order Configuration
# ----------------------------------------------------------------------------
# See the-order/packages/shared/src/env.ts for complete schema
# NOTE: DATABASE_URL, JWT_SECRET and AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
# collide with the OMNIS section above; in one shared .env the last assignment
# wins and both services end up with the same credential.
# Database
# DATABASE_URL=postgresql://user:password@localhost:5432/theorder
# Storage
# STORAGE_TYPE=s3
# STORAGE_BUCKET=the-order-documents
# STORAGE_REGION=us-east-1
# AWS_ACCESS_KEY_ID=your-aws-key
# AWS_SECRET_ACCESS_KEY=your-aws-secret
# KMS
# KMS_TYPE=aws
# KMS_KEY_ID=your-kms-key-id
# KMS_REGION=us-east-1
# Authentication
# JWT_SECRET=your-jwt-secret-min-32-chars
# OIDC_ISSUER=https://your-oidc-issuer.com
# OIDC_CLIENT_ID=your-client-id
# OIDC_CLIENT_SECRET=your-client-secret
# ----------------------------------------------------------------------------
# dbis_core AS4 Settlement (optional - enables real API calls)
# ----------------------------------------------------------------------------
# SANCTIONS_API_URL=https://... # OFAC/EU/UN sanctions screening
# AML_SERVICE_URL=https://... # AML/CTF checks
# LEDGER_SERVICE_URL=https://... # Ledger balance queries for liquidity
# dbis_core IRU (optional)
# The AWS_* names below are the same ones used by OMNIS above (see the note at
# the top of this file).
# AWS_SES_REGION=us-east-1
# AWS_ACCESS_KEY_ID=...
# AWS_SECRET_ACCESS_KEY=...
# SANCTIONS_OFAC_API_URL=...
# SANCTIONS_EU_API_URL=...
# SANCTIONS_UN_API_URL=...
# ----------------------------------------------------------------------------
# Verification Scripts (scripts/verify/)
# ----------------------------------------------------------------------------
# See docs/04-configuration/VERIFICATION_GAPS_AND_TODOS.md
# FABRIC_CHAIN_ID=999 # Fabric chain ID for quote-service (when integrated)
# BRIDGE_REGISTRY_ADDRESS= # For bridge quote service
# ----------------------------------------------------------------------------
# SMOM-DBIS-138 Blockchain Configuration
# ----------------------------------------------------------------------------
# Canonical place for Chain 138 deploy: smom-dbis-138/.env (PRIVATE_KEY, RPC_URL or RPC_URL_138).
# Optional deployments (docs/07-ccip/OPTIONAL_DEPLOYMENTS_START_HERE.md): set in smom-dbis-138/.env:
# ORACLE_PRICE_FEED or RESERVE_KEEPER (Phase 4), DODO_VENDING_MACHINE_ADDRESS (Phase 7),
# GAS_PRICE_138 (if "Replacement transaction underpriced"), CRONOS_RPC_URL (other-chain AddressMapper).
# Scripts source both root .env and smom-dbis-138/.env via load-project-env.sh; no need to duplicate here.
# Deployment Account (MOVE TO HSM - DO NOT STORE IN FILES)
# PRIVATE_KEY=0x... # ⚠️ Set in smom-dbis-138/.env (or here); never commit real key
# RPC Endpoints (see docs/04-configuration/RPC_ENDPOINTS_MASTER.md for Infura/Alchemy/public options)
# Public third-party RPC endpoints are trusted for the chain data they return;
# use an own node or a keyed provider for anything that signs or settles
# based on a response.
ETHEREUM_MAINNET_RPC=https://eth.llamarpc.com
RPC_URL_138=https://rpc.d-bis.org
# Tezos / Etherlink / Jumper (see docs/07-ccip/TEZOS_NETWORK_CONFIG_ENV_MATRIX.md)
CHAIN_651940_RPC_URL=https://mainnet-rpc.alltra.global
ETHERLINK_RPC_URL=https://node.mainnet.etherlink.com
TEZOS_RPC_URL=https://api.tzkt.io
ETHERLINK_CCIP_SELECTOR=
TEZOS_BRIDGE_ENABLED=false
ETHERLINK_BRIDGE_ENABLED=false
# TEZOS_RELAY_ORACLE_KEY and ETHERLINK_RELAY_PRIVATE_KEY are signing keys and
# warrant the same handling as PRIVATE_KEY above (HSM / vault, never committed).
TEZOS_RELAY_ORACLE_KEY=
ETHERLINK_RELAY_BRIDGE=
ETHERLINK_RELAY_PRIVATE_KEY=
JUMPER_API_KEY=
# Contract Verification (Etherscan / Blockscan — same key for both)
ETHERSCAN_API_KEY=your-etherscan-api-key
# Optional: Infura RPC/Gas — set ETHEREUM_MAINNET_RPC to https://mainnet.infura.io/v3/<PROJECT_ID>, INFURA_GAS_API, etc. in smom-dbis-138/.env
# External Integrations (see reports/API_KEYS_REQUIRED.md)
# MOONPAY_SECRET_KEY is the server-side credential; the API key alone is not.
ONEINCH_API_KEY=
MOONPAY_API_KEY=
MOONPAY_SECRET_KEY=
RAMP_NETWORK_API_KEY=
ONRAMPER_API_KEY=
# ----------------------------------------------------------------------------
# Alerts & Monitoring (dbis_core alert.service)
# ----------------------------------------------------------------------------
# See: reports/API_KEYS_REQUIRED.md
# A Slack webhook URL and a PagerDuty integration key are both credentials:
# anyone holding them can post alerts/incidents. Treat them as secrets.
SLACK_WEBHOOK_URL=
PAGERDUTY_INTEGRATION_KEY=
EMAIL_ALERT_API_URL=
EMAIL_ALERT_RECIPIENTS=
# ----------------------------------------------------------------------------
# Legal / E-Signature (the-order legal-documents)
# ----------------------------------------------------------------------------
E_SIGNATURE_BASE_URL=
# ----------------------------------------------------------------------------
# OTC (dbis_core)
# ----------------------------------------------------------------------------
# Create the exchange key with only the permissions the OTC flow needs and
# restrict it by source IP where the exchange supports it.
CRYPTO_COM_API_KEY=
CRYPTO_COM_API_SECRET=
# ----------------------------------------------------------------------------
# Bridge (optional: LayerZero, Wormhole)
# ----------------------------------------------------------------------------
# Placeholders for whichever LAYERZERO_* / WORMHOLE_* variables the bridge
# integration defines; see its own configuration for the exact names.
# LAYERZERO_*=
# WORMHOLE_*=
# ----------------------------------------------------------------------------
# Price Feed & Market Data APIs
# ----------------------------------------------------------------------------
# CoinGecko API Key (for Oracle Publisher and Token Aggregation services)
# Get free key at: https://www.coingecko.com/en/api/pricing
COINGECKO_API_KEY=your-coingecko-api-key
# CoinDesk API Key (price/market data)
COINDESK_API_KEY=your-coindesk-api-key
# ----------------------------------------------------------------------------
# Explorer Configuration
# ----------------------------------------------------------------------------
# See explorer-monorepo/deployment/ENVIRONMENT_TEMPLATE.env
# ----------------------------------------------------------------------------
# MetaMask Integration
# ----------------------------------------------------------------------------
# See metamask-integration/.env.example
# ----------------------------------------------------------------------------
# Gitea (Dev VM / d-bis org)
# ----------------------------------------------------------------------------
# For push-to-gitea.sh and gitea-create-orgs-and-repos.sh. Create token at:
# https://gitea.d-bis.org/user/settings/applications (scopes: write:organization, write:repository)
# Grant only those two scopes; a broader token than the scripts need widens the
# damage if it leaks.
# GITEA_URL=https://gitea.d-bis.org
# GITEA_TOKEN=
# ----------------------------------------------------------------------------
# Security Notes
# ----------------------------------------------------------------------------
# 1. NEVER commit .env files to version control
# 2. Use strong, randomly generated secrets (min 32 characters for JWT)
# 3. Rotate secrets regularly
# 4. Use HSM/Key Vault for private keys (never store in files)
# 5. Limit access to .env files (chmod 600)
# 6. Use different secrets for development, staging, and production
# 7. Keep this template placeholder-only: no live IPs, tunnel UUIDs or keys,
#    so a committed template is never an inventory of real infrastructure
# 8. Prefer scoped tokens (Cloudflare API token, dedicated Proxmox API user,
#    bucket-scoped IAM) over account-wide keys (Global API Key, root@pam)
# ----------------------------------------------------------------------------
# Environment-Specific Overrides
# ----------------------------------------------------------------------------
# For development: NODE_ENV=development
# For staging: NODE_ENV=staging
# For production: NODE_ENV=production
NODE_ENV=development