# Steps You Can Do From Proxmox / LAN With Secrets
**Last Updated:** 2026-02-14

**Purpose:** When you have SSH to the Proxmox host (or any host on the same LAN as 192.168.11.x) and access to `.env` files (PRIVATE_KEY, NPM_PASSWORD, RPC URLs, etc.), you can run many more tasks than the "from anywhere" set. This document lists all of them.

**From anywhere (no LAN/creds):** See [run-completable-tasks-from-anywhere.sh](../../scripts/run-completable-tasks-from-anywhere.sh) — config validation, on-chain check (SKIP_EXIT=1 if RPC unreachable), run-all-validation --skip-genesis, reconcile-env.

**Single script (LAN + secrets):** [run-all-operator-tasks-from-lan.sh](../../scripts/run-all-operator-tasks-from-lan.sh) — **always loads dotenv** from repo `.env` and `smom-dbis-138/.env` (NPM_PASSWORD, PRIVATE_KEY, RPC, etc.). Optional phases: backup, contract verify, contract deploy, VM/container creation. Use `--dry-run` to print steps.

---
## 1. Contract deployment (Chain 138)
Requires: `smom-dbis-138/.env` with `PRIVATE_KEY`, `RPC_URL_138` (Chain 138 Core, e.g. `http://192.168.11.211:8545`). All Forge deploys must use `--with-gas-price 1000000000` (or `GAS_PRICE=1000000000`).
| Step | Command / action | Notes |
|------|------------------|--------|
| Deploy core (Multicall, Oracle, MultiSig) | `cd smom-dbis-138 && source .env && bash scripts/deployment/deploy-all-contracts.sh` | If already deployed, script overwrites; check CONTRACT_ADDRESSES_REFERENCE. |
| Deploy CCIPReceiver + Voting | Set `CCIP_ROUTER_ADDRESS`, `ORACLE_AGGREGATOR_ADDRESS` in .env; run deploy script or phased script | See [CONTRACT_DEPLOYMENT_RUNBOOK](../03-deployment/CONTRACT_DEPLOYMENT_RUNBOOK.md). |
| Deploy phased (01-06) | `cd smom-dbis-138 && ./scripts/deployment/deploy-all-phases.sh` | Skips phases when env vars already set; use `--all` to run all. |
| Deploy TransactionMirror | `./scripts/deployment/deploy-transaction-mirror-chain138.sh` | Use if forge script fails (constructor-args decode); add `TRANSACTION_MIRROR_ADDRESS` to .env after. |
| Update config | After any deploy: update `config/smart-contracts-master.json` (and optionally `config/contract-addresses.conf` for verify scripts), [CONTRACT_ADDRESSES_REFERENCE](../11-references/CONTRACT_ADDRESSES_REFERENCE.md) | Then re-run on-chain check. |
---
## 2. Contract verification (Blockscout)
Requires: Host that can reach Blockscout (explorer.d-bis.org or LAN IP). Load `smom-dbis-138/.env` for contract list. The forge-verification-proxy accepts both JSON and form-encoded bodies (fix applied 2026-02).
| Step | Command / action | Notes |
|------|------------------|--------|
| Verify all (proxy) | `source smom-dbis-138/.env 2>/dev/null; ./scripts/verify/run-contract-verification-with-proxy.sh` | Submits source to Blockscout via proxy (starts proxy automatically). |
| Verify one contract | `./scripts/verify/run-contract-verification-with-proxy.sh --only ContractName` | Retry single contract. |
| On-chain check | `./scripts/verify/check-contracts-on-chain-138.sh` (uses `RPC_URL_138`) or `.../check-contracts-on-chain-138.sh $RPC_URL_138` | Confirms 36 addresses exist; no Blockscout needed. |
---
## 3. Fix E2E 502s (backends + NPMplus + RPC)
Requires: LAN (SSH to Proxmox, reach NPMplus). When public domains (dbis-admin, secure, dbis-api, rpc-http-prv, rpc-alltra*, rpc-hybx*) return 502, use this flow first.
| Step | Command / action | Notes |
|------|------------------|--------|
| **Address all 502s** | `./scripts/maintenance/address-all-remaining-502s.sh` | Backends + NPMplus proxy update (if NPM_PASSWORD set) + RPC diagnostics. |
| With Besu fix + E2E | `./scripts/maintenance/address-all-remaining-502s.sh --run-besu-fix --e2e` | Also runs fix-all-besu-nodes.sh and verify-end-to-end-routing.sh. |
| E2E only | `./scripts/verify/verify-end-to-end-routing.sh` | Re-check after fixes. Use `E2E_ACCEPT_502_INTERNAL=1` to allow exit 0 when only 502s remain. |
**Runbook:** [502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md](../00-meta/502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md) — backend map, per-step fix, NPMplus refresh, RPC diagnostics.

---
## 4. Backups and NPMplus
Requires: LAN access to NPMplus (192.168.11.x) and `NPM_PASSWORD` in env (or script prompt).
| Step | Command / action | Notes |
|------|------------------|--------|
| NPMplus backup | `./scripts/verify/backup-npmplus.sh` | Backs up NPMplus container config. |
| NPMplus RPC proxy fix | `./scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` | Updates proxy hosts via API. |
| Schedule backup cron | `./scripts/maintenance/schedule-npmplus-backup-cron.sh --install` | Cron for periodic backup. |
---
## 5. Proxmox VM/container creation (capacity and HA)
Requires: SSH to Proxmox host (e.g. `root@192.168.11.10` or r630-01/r630-02). See [PROXMOX_VM_CREATION_RUNBOOK](../03-deployment/PROXMOX_VM_CREATION_RUNBOOK.md) for capacity and availability best practices.
| Step | Command / action | Notes |
|------|------------------|--------|
| DBIS Core containers (6) | `./dbis_core/scripts/deployment/create-dbis-core-containers.sh` | Creates 10100, 10101, 10120, 10150, 10151, 10130 on PROXMOX_HOST. |
| Create missing RPC containers | `./scripts/create-missing-containers-2506-2508.sh` (if VMIDs 2506-2508 needed) | Per VMID allocation. |
| Chain 138 containers | `./scripts/create-chain138-containers.sh` (if defined) | Besu/RPC/explorer as per docs. |
| Spread VMs across nodes | Prefer r630-01 / r630-02 for new VMs to balance load; ml110 already has 34 containers | See PROXMOX_COMPLETE_RECOMMENDATIONS. |
---
## 6. Bridge and cross-chain (LAN + PRIVATE_KEY + LINK)
| Step | Command / action | Notes |
|------|------------------|--------|
| sendCrossChain (real) | `./scripts/bridge/run-send-cross-chain.sh <amount> [recipient]` | Omit `--dry-run`; requires LINK in deployer wallet. |
| Fund mainnet relay | `./scripts/bridge/fund-mainnet-relay-bridge.sh` | When configuring mainnet bridge. |
| Grant relayer role | `./scripts/bridge/grant-relayer-role-mainnet.sh` | When configuring roles. |
---
## 7. Security and maintenance (from LAN)
| Step | Command / action | Notes |
|------|------------------|--------|
| SSH key auth | `./scripts/security/setup-ssh-key-auth.sh [--dry-run\|--apply]` | Centralize key-based SSH. |
| Firewall 8006 | `./scripts/security/firewall-proxmox-8006.sh [--dry-run\|--apply] [CIDR]` | Restrict Proxmox API. |
| Daily/weekly cron | `./scripts/maintenance/schedule-daily-weekly-cron.sh --install` | Health and cleanup. |
---
## 8. Tests (with RPC / env)
From repo root, with `smom-dbis-138/.env` and RPC reachable:
| Step | Command / action | Notes |
|------|------------------|--------|
| Forge tests (Chain 138) | `cd smom-dbis-138 && forge test` | Unit tests. |
| alltra-lifi-settlement | `cd alltra-lifi-settlement && forge test && npm run test:e2e -- --forceExit` | Settlement tests. |
---
## 9. Config and docs (after deploys)
| Step | Action | Notes |
|------|--------|--------|
| Reconcile .env | `./scripts/verify/reconcile-env-canonical.sh --print` | Emit canonical lines; merge into smom-dbis-138/.env. |
| Update CONTRACT_ADDRESSES_REFERENCE and master JSON | Add any new addresses to `config/smart-contracts-master.json` and [CONTRACT_ADDRESSES_REFERENCE](../11-references/CONTRACT_ADDRESSES_REFERENCE.md) | Keep CONTRACT_INVENTORY in sync. |
| Verify on explorer | Open `https://explorer.d-bis.org/address/<addr>` for new contracts | Confirm bytecode and verification. |
---
## Quick reference: run-all-operator-tasks-from-lan.sh
```bash
# From repo root, on a host on LAN with secrets available
source smom-dbis-138/.env 2>/dev/null
./scripts/run-all-operator-tasks-from-lan.sh --dry-run # print all steps
./scripts/run-all-operator-tasks-from-lan.sh # run backup + verify (default)
./scripts/run-all-operator-tasks-from-lan.sh --deploy # also run contract deploy (if not yet deployed)
./scripts/run-all-operator-tasks-from-lan.sh --create-vms # also create DBIS Core / missing containers
```
See script help for `--skip-backup`, `--skip-verify`, and phase ordering.
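
The quick-reference block sources `smom-dbis-138/.env` with `2>/dev/null`, so a missing or unreadable file goes unreported before the deploy and backup phases run. The pre-flight check below is an added example, not one of this repository's scripts; `preflight_env`, `env_has_key` and `env_mode` are hypothetical helper names. It reads the dotenv as text without executing it, never prints values, and confirms owner-only permissions, that git does not track the file, and that the required keys are non-empty.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helpers, not part of the repo's scripts).
# Inspects a dotenv file as plain text; secret values are never echoed.

# env_has_key FILE KEY -> 0 if FILE assigns a non-empty value to KEY
env_has_key() {
  grep -Eq "^[[:space:]]*(export[[:space:]]+)?$2=[\"']?[^\"'[:space:]]" "$1"
}

# env_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
env_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# preflight_env FILE KEY... -> 0 if FILE looks safe to source.
# Every problem found is reported on stderr; all checks run before returning.
preflight_env() {
  local file=$1 rc=0 mode key
  shift
  if [ ! -f "$file" ]; then
    echo "missing: $file" >&2
    return 1
  fi
  mode=$(env_mode "$file")
  # The last two octal digits are group/other; anything but 00 exposes secrets.
  case "$mode" in
    *00) ;;
    *) echo "$file: mode $mode, expected 600" >&2; rc=1 ;;
  esac
  # Inside a git work tree, the secrets file must not be a tracked path.
  if git -C "$(dirname "$file")" ls-files --error-unmatch \
       "$(basename "$file")" >/dev/null 2>&1; then
    echo "$file: tracked by git" >&2; rc=1
  fi
  for key in "$@"; do
    env_has_key "$file" "$key" || { echo "$file: $key unset or empty" >&2; rc=1; }
  done
  return "$rc"
}

# Usage, from repo root, before the quick-reference commands:
#   preflight_env smom-dbis-138/.env PRIVATE_KEY RPC_URL_138 \
#     && source smom-dbis-138/.env
```

Add `NPM_PASSWORD` to the key list when the run includes the NPMplus backup or proxy-update steps.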