Dev / Codespaces-like Setup — 76.53.10.40 + Fourth NPMplus + Cloudflare Tunnel

Status: Plan / Runbook. Automated setup completed 2026-02-08: see verification-evidence/DEV_CODESPACES_SETUP_COMPLETE_20260208.md.
Public IP: 76.53.10.40
Fourth NPMplus: 192.168.11.170 (VMID TBD when deployed)
Dev VM: 192.168.11.59 (VMID 5700)
Purpose: Codespaces-like environment for Cursor; all access via 76.53.10.40; Cloudflare tunnel dedicated to this stack; fourth NPMplus; Proxmox VE admin panels; dotenv inventory.

1. Overview

Component	Value
Public IP	76.53.10.40
Fourth NPMplus (internal)	192.168.11.170
Dev VM (Cursor + Gitea)	192.168.11.59 (VMID 5700)
Proxmox hosts	ml110 192.168.11.10, r630-01 192.168.11.11, r630-02 192.168.11.12
Tunnel	Dedicated Cloudflare Tunnel → origin `https://192.168.11.170:443` (fourth NPMplus)

Access flow:

HTTPS (hostnames): User → Cloudflare (DNS CNAME to tunnel) → Tunnel connector → Fourth NPMplus (192.168.11.170:443) → NPMplus proxy hosts → Dev VM (Gitea, etc.) or Proxmox (8006).
Direct via 76.53.10.40: UDM Pro port forward 76.53.10.40:80/81/443 → 192.168.11.170; optional 76.53.10.40:22 → 192.168.11.59 (SSH to dev VM).
SSH (Cursor / remote operators): ssh dev1@76.53.10.40 (if UDM port 22 is forwarded; see §5), or SSH via Cloudflare Access + cloudflared tunnel (DEV_VM_SSH_REMOTE_ACCESS.md), or LAN ssh dev1@192.168.11.59 / ssh root@192.168.11.59 for service work.

2. Required Ports

Port	Service	Backend	Notes
22	SSH (Cursor Remote)	192.168.11.59 (dev VM)	Forward 76.53.10.40:22 → 192.168.11.59:22 on UDM Pro, or use Cloudflare TCP / LAN
80	HTTP	192.168.11.170 (NPMplus 4)	UDM: 76.53.10.40:80 → 192.168.11.170:80
81	NPMplus Admin UI	192.168.11.170	UDM: 76.53.10.40:81 → 192.168.11.170:81 (restrict by IP/VPN)
443	HTTPS	192.168.11.170 (NPMplus 4)	UDM: 76.53.10.40:443 → 192.168.11.170:443; Tunnel also terminates here
3000	Gitea (internal)	192.168.11.59	Proxied via NPMplus 4 (hostname gitea.d-bis.org → 192.168.11.59:3000)
8006	Proxmox VE (x3)	.10, .11, .12	Proxied via NPMplus 4 (pve.ml110, pve.r630-01, pve.r630-02)

3. Cloudflare Tunnel (Dedicated for This VM / Fourth NPMplus)

Tunnel name: e.g. dev-codespaces or npmplus-fourth.
Connector: Run cloudflared on the host that can reach 192.168.11.170 (e.g. on the fourth NPMplus LXC, or a small VM on the same LAN). Origin = https://127.0.0.1:443 if cloudflared runs on the same box as NPMplus, or https://192.168.11.170:443 if cloudflared runs elsewhere.
Ingress hostnames (CNAME to tunnel):
- dev.d-bis.org → Dev VM (NPMplus proxy to 192.168.11.59, e.g. Gitea or a simple info page)
- gitea.d-bis.org → 192.168.11.59:3000 (Gitea)
- codespaces.d-bis.org → same as dev (optional alias)
- pve.ml110.d-bis.org → 192.168.11.10:8006 (Proxmox ml110)
- pve.r630-01.d-bis.org → 192.168.11.11:8006 (Proxmox r630-01)
- pve.r630-02.d-bis.org → 192.168.11.12:8006 (Proxmox r630-02)

Script: scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh — sets tunnel ingress and DNS CNAMEs (requires CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES in .env).

4. Fourth NPMplus — Proxy Hosts (Direction to Proxmox + Dev)

Configure proxy hosts on fourth NPMplus (192.168.11.170:81 admin):

Domain	Forward to	Port	Websocket	Use
dev.d-bis.org	192.168.11.59	3000 or 80	No	Dev VM (e.g. Gitea or landing)
gitea.d-bis.org	192.168.11.59	3000	No	Gitea UI
codespaces.d-bis.org	192.168.11.59	3000	No	Alias for dev
pve.ml110.d-bis.org	192.168.11.10	8006	Yes	Proxmox ml110 admin
pve.r630-01.d-bis.org	192.168.11.11	8006	Yes	Proxmox r630-01 admin
pve.r630-02.d-bis.org	192.168.11.12	8006	Yes	Proxmox r630-02 admin

Script: scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh — adds/updates these proxy hosts via NPM API (NPM_URL=https://192.168.11.170:81, credentials in .env).

Proxmox admin panels: After tunnel and NPMplus are up, open:

ml110: https://pve.ml110.d-bis.org (or https://76.53.10.40 with host header / separate port if you add a catch-all)
r630-01: https://pve.r630-01.d-bis.org
r630-02: https://pve.r630-02.d-bis.org

Use HTTPS and allow self-signed certs (or add Let’s Encrypt for these hostnames in NPMplus). Websocket support must be enabled for the Proxmox console.

5. UDM Pro Port Forward (76.53.10.40)

Add in UniFi Network → Settings → Firewall & Security (Port Forwarding):

Rule Name	Destination IP	Dest Port	Forward to IP	Forward to Port	Protocol
NPMplus Fourth HTTP	76.53.10.40	80	192.168.11.170	80	TCP
NPMplus Fourth HTTPS	76.53.10.40	443	192.168.11.170	443	TCP
NPMplus Fourth Admin	76.53.10.40	81	192.168.11.170	81	TCP
Dev VM SSH (optional)	76.53.10.40	22	192.168.11.59	22	TCP

Note: 76.53.10.40 must be assigned/available on the UDM Pro (or the interface that receives this traffic). Restrict admin port 81 to VPN or IP allowlist. Forward target must be VMID 5700 (dev VM) at 192.168.11.59 — an older draft listed .60; that was incorrect. See DEV_VM_SSH_REMOTE_ACCESS.md for tunnel-based SSH (no public :22 required).

6. Dotenv Files (Include in Dev VM / Accessibility)

These .env (and related) files should be present in the dev VM or in a secure store so all projects and Cursor have the required env:

Path (relative to repo root)	Purpose
`.env`	Proxmox/Cloudflare/NPM credentials, hosts
`.env.example`	Template
`scripts/.env.r630-01`	Host-specific script env
`config/production/.env.production.example`	Production template
`dbis_core/.env`, `.env.example`	DBIS Core
`explorer-monorepo/.env`, `frontend/.env.production`, `.env.example`	Explorer
`smom-dbis-138/.env`, `.env.example`, `frontend-dapp/.env`, `services/*/.env`	SMOM / Chain 138
`alltra-lifi-settlement/.env`	Alltra LIFI
`OMNIS/backend/.env`, `.env.example`	OMNIS
`the-order/services/legal-documents/.env.example`	Order
`unifi-api/.env`, `.env.example`	Unifi API
`rpc-translator-138/.env`	RPC translator
`miracles_in_motion/.env.*`	MIM
`ProxmoxVE/api/.env.example`	Proxmox API
`omada-api/.env`	Omada API

Action: When syncing /home/intlc/projects to the dev VM (/srv/projects), include these files (or use a secrets manager and symlink). Do not commit real .env with secrets to Git; use .env.example as templates and document which vars are required in REQUIRED_SECRETS_SUMMARY.md.

7. Proxmox VE Hosts (Admin Access)

Host	Internal IP	Admin URL (via NPMplus 4)	Notes
ml110	192.168.11.10	https://pve.ml110.d-bis.org	Proxmox web UI port 8006
r630-01	192.168.11.11	https://pve.r630-01.d-bis.org	Proxmox web UI port 8006
r630-02	192.168.11.12	https://pve.r630-02.d-bis.org	Proxmox web UI port 8006

NPMplus fourth instance directs these hostnames to the three Proxmox hosts’ admin panels (HTTPS, port 8006, Websocket enabled for console).

8. Implementation Order

Create fourth NPMplus LXC (VMID e.g. 10236) at 192.168.11.170 if not already deployed; install NPMplus and cloudflared (tunnel connector).
Create dev VM (5700) at 192.168.11.60: scripts/create-dev-vm-5700.sh; then scripts/setup-dev-vm-users-and-gitea.sh.
UDM Pro: Add port forward rules for 76.53.10.40 → 192.168.11.170 (80/81/443) and optionally 22 → 192.168.11.60.
Cloudflare: Create tunnel (Zero Trust → Networks → Tunnels), install connector on fourth NPMplus (or host that can reach 192.168.11.170). Set CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES in .env.
Run: bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh — tunnel ingress + DNS CNAMEs.
Run: NPM_URL=https://192.168.11.170:81 NPM_PASSWORD=... bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh — add proxy hosts (dev, gitea, pve.ml110, pve.r630-01, pve.r630-02).
Request Let’s Encrypt in NPMplus UI for dev.d-bis.org, gitea.d-bis.org, codespaces.d-bis.org, pve.ml110.d-bis.org, pve.r630-01.d-bis.org, pve.r630-02.d-bis.org.
Sync projects and dotenv: Rsync /home/intlc/projects to dev VM; ensure dotenv files are present (or templated) for Cursor and services.

9. References

DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md — Full ordered checklist to complete this setup
DEV_VM_GITOPS_PLAN.md — Dev VM (5700) and Gitea
NPMPLUS_FOUR_INSTANCES_MASTER.md — Four NPMplus mapping
config/ip-addresses.conf — IP_DEV_VM, IP_NPMPLUS_FOURTH, PUBLIC_IP_NPMPLUS_FOURTH
REQUIRED_SECRETS_SUMMARY.md — Env vars and secrets

9.5 KiB Raw Blame History Unescape Escape