# Dev / Codespaces-like Setup — 76.53.10.40 + Fourth NPMplus + Cloudflare Tunnel

**Status:** Plan / Runbook.

**Automated setup completed 2026-02-08:** see [verification-evidence/DEV_CODESPACES_SETUP_COMPLETE_20260208.md](verification-evidence/DEV_CODESPACES_SETUP_COMPLETE_20260208.md).

**Public IP:** 76.53.10.40
**Fourth NPMplus:** 192.168.11.170 (VMID TBD when deployed)
**Dev VM:** 192.168.11.59 (VMID 5700)
**Purpose:** Codespaces-like environment for Cursor; all access via 76.53.10.40; Cloudflare tunnel dedicated to this stack; fourth NPMplus; Proxmox VE admin panels; dotenv inventory.

---

## 1. Overview

| Component | Value |
|-----------|-------|
| **Public IP** | 76.53.10.40 |
| **Fourth NPMplus (internal)** | 192.168.11.170 |
| **Dev VM (Cursor + Gitea)** | 192.168.11.59 (VMID 5700) |
| **Proxmox hosts** | ml110 192.168.11.10, r630-01 192.168.11.11, r630-02 192.168.11.12 |
| **Tunnel** | Dedicated Cloudflare Tunnel → origin `https://192.168.11.170:443` (fourth NPMplus) |

Access flow:

- **HTTPS (hostnames):** User → Cloudflare (DNS CNAME to tunnel) → Tunnel connector → **Fourth NPMplus** (192.168.11.170:443) → NPMplus proxy hosts → Dev VM (Gitea, etc.) or Proxmox (8006).
- **Direct via 76.53.10.40:** UDM Pro port forward 76.53.10.40:80/81/443 → 192.168.11.170; optional 76.53.10.40:22 → 192.168.11.59 (SSH to dev VM).
- **SSH (Cursor):** Either `ssh dev1@76.53.10.40` (if port 22 is forwarded to the dev VM), via a Zero Trust TCP route, or LAN-only `ssh dev1@192.168.11.59`.

---

## 2. Required Ports

| Port | Service | Backend | Notes |
|------|---------|---------|-------|
| **22** | SSH (Cursor Remote) | 192.168.11.59 (dev VM) | Forward 76.53.10.40:22 → 192.168.11.59:22 on UDM Pro, or use Cloudflare TCP / LAN |
| **80** | HTTP | 192.168.11.170 (NPMplus 4) | UDM: 76.53.10.40:80 → 192.168.11.170:80 |
| **81** | NPMplus Admin UI | 192.168.11.170 | UDM: 76.53.10.40:81 → 192.168.11.170:81 (restrict by IP/VPN) |
| **443** | HTTPS | 192.168.11.170 (NPMplus 4) | UDM: 76.53.10.40:443 → 192.168.11.170:443; Tunnel also terminates here |
| **3000** | Gitea (internal) | 192.168.11.59 | Proxied via NPMplus 4 (hostname gitea.d-bis.org → 192.168.11.59:3000) |
| **8006** | Proxmox VE (x3) | .10, .11, .12 | Proxied via NPMplus 4 (pve.ml110, pve.r630-01, pve.r630-02) |

---

## 3. Cloudflare Tunnel (Dedicated for This VM / Fourth NPMplus)

- **Tunnel name:** e.g. `dev-codespaces` or `npmplus-fourth`.
- **Connector:** Run `cloudflared` on a host that can reach 192.168.11.170 (e.g. on the fourth NPMplus LXC, or a small VM on the same LAN). Origin = `https://127.0.0.1:443` if cloudflared runs on the same box as NPMplus, or `https://192.168.11.170:443` if cloudflared runs elsewhere.
- **Ingress hostnames (CNAME to tunnel):**
  - `dev.d-bis.org` → Dev VM (NPMplus proxy to 192.168.11.59, e.g. Gitea or a simple info page)
  - `gitea.d-bis.org` → 192.168.11.59:3000 (Gitea)
  - `codespaces.d-bis.org` → same as dev (optional alias)
  - `pve.ml110.d-bis.org` → 192.168.11.10:8006 (Proxmox ml110)
  - `pve.r630-01.d-bis.org` → 192.168.11.11:8006 (Proxmox r630-01)
  - `pve.r630-02.d-bis.org` → 192.168.11.12:8006 (Proxmox r630-02)

**Script:** `scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` — sets tunnel ingress and DNS CNAMEs (requires `CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES` in `.env`).

---

## 4. Fourth NPMplus — Proxy Hosts (Direction to Proxmox + Dev)

Configure proxy hosts on the **fourth NPMplus** (admin UI at 192.168.11.170:81):

| Domain | Forward to | Port | Websocket | Use |
|--------|------------|------|-----------|-----|
| dev.d-bis.org | 192.168.11.59 | 3000 or 80 | No | Dev VM (e.g. Gitea or landing) |
| gitea.d-bis.org | 192.168.11.59 | 3000 | No | Gitea UI |
| codespaces.d-bis.org | 192.168.11.59 | 3000 | No | Alias for dev |
| pve.ml110.d-bis.org | 192.168.11.10 | 8006 | Yes | Proxmox ml110 admin |
| pve.r630-01.d-bis.org | 192.168.11.11 | 8006 | Yes | Proxmox r630-01 admin |
| pve.r630-02.d-bis.org | 192.168.11.12 | 8006 | Yes | Proxmox r630-02 admin |

**Script:** `scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` — adds/updates these proxy hosts via the NPM API (`NPM_URL=https://192.168.11.170:81`, credentials in `.env`).

**Proxmox admin panels:** After the tunnel and NPMplus are up, open:

- **ml110:** https://pve.ml110.d-bis.org (or https://76.53.10.40 with a host header / separate port if you add a catch-all)
- **r630-01:** https://pve.r630-01.d-bis.org
- **r630-02:** https://pve.r630-02.d-bis.org

Use **HTTPS** and allow self-signed certs (or add Let’s Encrypt for these hostnames in NPMplus). Websocket support must be enabled for the Proxmox console.

---

## 5. UDM Pro Port Forward (76.53.10.40)

Add in **UniFi Network** → **Settings** → **Firewall & Security** (Port Forwarding):

| Rule Name | Destination IP | Dest Port | Forward to IP | Forward to Port | Protocol |
|-----------|----------------|-----------|---------------|-----------------|----------|
| NPMplus Fourth HTTP | 76.53.10.40 | 80 | 192.168.11.170 | 80 | TCP |
| NPMplus Fourth HTTPS | 76.53.10.40 | 443 | 192.168.11.170 | 443 | TCP |
| NPMplus Fourth Admin | 76.53.10.40 | 81 | 192.168.11.170 | 81 | TCP |
| Dev VM SSH (optional) | 76.53.10.40 | 22 | 192.168.11.60 | 22 | TCP |

**Note:** 76.53.10.40 must be assigned/available on the UDM Pro (or the interface that receives this traffic).
Restrict admin port 81 to VPN or an IP allowlist. See also: [UDM_PRO_DEV_CODESPACES_PORT_FORWARD.md](UDM_PRO_DEV_CODESPACES_PORT_FORWARD.md).

---

## 6. Dotenv Files (Include in Dev VM / Accessibility)

These `.env` (and related) files should be present in the dev VM or in a secure store so all projects and Cursor have the required env:

| Path (relative to repo root) | Purpose |
|------------------------------|---------|
| `.env` | Proxmox/Cloudflare/NPM credentials, hosts |
| `.env.example` | Template |
| `scripts/.env.r630-01` | Host-specific script env |
| `config/production/.env.production.example` | Production template |
| `dbis_core/.env`, `.env.example` | DBIS Core |
| `explorer-monorepo/.env`, `frontend/.env.production`, `.env.example` | Explorer |
| `smom-dbis-138/.env`, `.env.example`, `frontend-dapp/.env`, `services/*/.env` | SMOM / Chain 138 |
| `alltra-lifi-settlement/.env` | Alltra LIFI |
| `OMNIS/backend/.env`, `.env.example` | OMNIS |
| `the-order/services/legal-documents/.env.example` | Order |
| `unifi-api/.env`, `.env.example` | Unifi API |
| `rpc-translator-138/.env` | RPC translator |
| `miracles_in_motion/.env.*` | MIM |
| `ProxmoxVE/api/.env.example` | Proxmox API |
| `omada-api/.env` | Omada API |

**Action:** When syncing `/home/intlc/projects` to the dev VM (`/srv/projects`), include these files (or use a secrets manager and symlink). Do not commit real `.env` files with secrets to Git; use `.env.example` as templates and document which vars are required in [REQUIRED_SECRETS_SUMMARY.md](REQUIRED_SECRETS_SUMMARY.md).

---

## 7. Proxmox VE Hosts (Admin Access)

| Host | Internal IP | Admin URL (via NPMplus 4) | Notes |
|------|-------------|---------------------------|-------|
| ml110 | 192.168.11.10 | https://pve.ml110.d-bis.org | Proxmox web UI port 8006 |
| r630-01 | 192.168.11.11 | https://pve.r630-01.d-bis.org | Proxmox web UI port 8006 |
| r630-02 | 192.168.11.12 | https://pve.r630-02.d-bis.org | Proxmox web UI port 8006 |

The fourth NPMplus instance **directs** these hostnames to the three Proxmox hosts’ admin panels (HTTPS, port 8006, Websocket enabled for console).

---

## 8. Implementation Order

1. **Create fourth NPMplus** LXC (VMID e.g. 10236) at 192.168.11.170 if not already deployed; install NPMplus and cloudflared (tunnel connector).
2. **Create dev VM** (5700) at 192.168.11.60: `scripts/create-dev-vm-5700.sh`; then `scripts/setup-dev-vm-users-and-gitea.sh`.
3. **UDM Pro:** Add port forward rules for 76.53.10.40 → 192.168.11.170 (80/81/443) and optionally 22 → 192.168.11.60.
4. **Cloudflare:** Create tunnel (Zero Trust → Networks → Tunnels), install connector on fourth NPMplus (or a host that can reach 192.168.11.170). Set `CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES` in `.env`.
5. **Run:** `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` — tunnel ingress + DNS CNAMEs.
6. **Run:** `NPM_URL=https://192.168.11.170:81 NPM_PASSWORD=... bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` — add proxy hosts (dev, gitea, pve.ml110, pve.r630-01, pve.r630-02).
7. **Request Let’s Encrypt** in NPMplus UI for dev.d-bis.org, gitea.d-bis.org, codespaces.d-bis.org, pve.ml110.d-bis.org, pve.r630-01.d-bis.org, pve.r630-02.d-bis.org.
8. **Sync projects and dotenv:** Rsync `/home/intlc/projects` to the dev VM; ensure dotenv files are present (or templated) for Cursor and services.

---

## 9. References

- **[DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md](DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md)** — **Full ordered checklist to complete this setup**
- [DEV_VM_GITOPS_PLAN.md](DEV_VM_GITOPS_PLAN.md) — Dev VM (5700) and Gitea
- [NPMPLUS_FOUR_INSTANCES_MASTER.md](NPMPLUS_FOUR_INSTANCES_MASTER.md) — Four NPMplus mapping
- [config/ip-addresses.conf](../../config/ip-addresses.conf) — `IP_DEV_VM`, `IP_NPMPLUS_FOURTH`, `PUBLIC_IP_NPMPLUS_FOURTH`
- [REQUIRED_SECRETS_SUMMARY.md](REQUIRED_SECRETS_SUMMARY.md) — Env vars and secrets
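To enforce the section 6 rule that real `.env` files are never committed, here is an added example (not part of the repository) of a git pre-commit guard: it refuses staged dotenv paths that are not `.example` templates and scans every other staged file for a credential-looking assignment. The key-name patterns (`PASSWORD`, `SECRET`, `TOKEN`, `API_KEY`) are an assumption; extend them to match `REQUIRED_SECRETS_SUMMARY.md`.

```shell
#!/usr/bin/env bash
# Added example, not part of the repository: a git pre-commit guard enforcing
# the section-6 rule that real dotenv files never reach Git while *.example
# templates still can. Paths whose basename is .env, .env.<anything> or *.env
# are refused unless they end in .example; any other staged file is scanned
# for a non-empty assignment to a credential-looking key (assumed key names).
set -euo pipefail

# Returns 0 if the path may be committed, 1 if it is a real dotenv file.
is_committable_dotenv_path() {
  local base; base="$(basename "$1")"
  case "$base" in
    *.example)         return 0 ;;  # .env.example, .env.production.example, ...
    .env|.env.*|*.env) return 1 ;;  # .env, .env.r630-01, .env.production, ...
    *)                 return 0 ;;
  esac
}

# Returns 0 when no line assigns a non-empty value to a key containing
# PASSWORD, SECRET, TOKEN or API_KEY; comment lines and empty values pass.
is_free_of_secrets() {
  ! grep -Eqi '^[[:space:]]*[A-Z0-9_]*(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*=.+' "$1"
}

# Checks each staged path, reports offenders on stderr, returns 1 if any.
check_staged_paths() {
  local rc=0 p
  for p in "$@"; do
    if ! is_committable_dotenv_path "$p"; then
      echo "blocked: $p is a dotenv file; commit a .example template instead" >&2
      rc=1
    elif [ -f "$p" ] && ! is_free_of_secrets "$p"; then
      echo "blocked: $p contains a credential-looking assignment" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Hook mode: install as .git/hooks/pre-commit and call with --hook.
if [ "${1:-}" = "--hook" ]; then
  # shellcheck disable=SC2046  (word splitting on the path list is intended)
  check_staged_paths $(git diff --cached --name-only --diff-filter=ACM)
fi
```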