# Master Secrets Reference

**Single authoritative list of all secrets** used across the Proxmox workspace and related projects.  
**No values are stored here.** Use root `.env`, service-specific `.env` files, or a secrets store (e.g. Vault); see [.env.master.example](../../.env.master.example) for a single template of all keys.

**Last updated:** 2026-02-21

---

## How to use

- **Reference:** This file lists every secret **name**, **where it is used**, and **required/optional**.
- **Template:** Copy [.env.master.example](../../.env.master.example) to `.env` (root) or `.env.master` (local only), fill values, and never commit. Ensure `.env` and `.env.master` are in `.gitignore`.
- **Per-project:** Many secrets live in project-specific `.env` (e.g. `smom-dbis-138/.env`, `dbis_core/.env`). Root `.env` is used by scripts in this repo; subprojects use their own `.env`.

---

## 1. Proxmox & infrastructure

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `PROXMOX_ML110`, `PROXMOX_R630_01`, `PROXMOX_R630_02` | Root `.env`, config | Yes | Host IPs (can be non-secret) |
| `PROXMOX_HOST`, `PROXMOX_PORT`, `PROXMOX_USER` | Root `.env`, scripts | Yes | API target |
| `PROXMOX_TOKEN_NAME`, `PROXMOX_TOKEN_VALUE` | Root `.env` | Yes (for API) | Or password per host |
| `PROXMOX_PASS_ML110`, `PROXMOX_PASS_R630_01`, `PROXMOX_PASS_R630_02` | Scripts (if no token) | If no token | SSH/API |

---

## 2. Cloudflare

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `CLOUDFLARE_API_TOKEN` | Root `.env` | Preferred | Prefer over API_KEY |
| `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_KEY` | Root `.env` | If no token | Legacy |
| `CLOUDFLARE_ZONE_ID`, `CLOUDFLARE_ZONE_ID_*` | Root `.env` | Yes | Per zone |
| `CLOUDFLARE_ACCOUNT_ID` | Root `.env` | Yes | Tunnels / account API |
| `CLOUDFLARE_TUNNEL_TOKEN` | Root `.env` | Yes (tunnels) | cloudflared |
| `CLOUDFLARE_TUNNEL_ID`, `CLOUDFLARE_TUNNEL_ID_*` | Root `.env` | If using tunnel DNS | Tunnel UUIDs |
| `CLOUDFLARE_ORIGIN_CA_KEY` | Root `.env` | Optional | Origin cert |

---

## 3. NPM / NPMplus

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `NPM_URL`, `NPM_EMAIL`, `NPM_PASSWORD` | Root `.env` | Yes (NPM scripts) | All NPMplus instances |
| `NPM_HOST`, `NPM_VMID`, `NPMPLUS_HOST`, `NPMPLUS_VMID` | Root `.env` | Yes | Config |
| `NPM_URL_MIFOS`, `NPMPLUS_ALLTRA_HYBX_VMID`, `IP_NPMPLUS_ALLTRA_HYBX` | Root `.env` | Per setup | Optional |

---

## 4. DNS / TLS (ClouDNS, etc.)

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | Root `.env` | If Certbot ClouDNS | NPMplus TLS |

---

## 5. Network / UniFi / Omada

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `UNIFI_UDM_URL`, `UNIFI_API_KEY`, `UNIFI_SITE_ID` | Root `.env`, unifi-api | Yes (if automating) | UDM Pro API |
| `OMADA_API_KEY`, `OMADA_CLIENT_SECRET` | omada-api/.env | If using Omada | Omada Controller |

---

## 6. Gitea

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `GITEA_URL`, `GITEA_TOKEN` | Root `.env` | Yes (push/create repos) | push-to-gitea.sh, push-all-projects-to-gitea.sh |
| `GITEA_ORG` | Optional override | No | Default d-bis |

---

## 7. Blockchain / SMOM-DBIS-138

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `PRIVATE_KEY` | smom-dbis-138/.env | Yes (deploy/bridge) | Deployer key; move to HSM |
| `RPC_URL_138`, `RPC_URL_138_PUBLIC` | Root/smom-dbis-138 `.env`, config | Yes | Chain 138 RPC |
| `ETHEREUM_MAINNET_RPC`, `CHAIN_651940_RPC_URL`, etc. | smom-dbis-138/.env | Per use | Other chains |
| `ETHERSCAN_API_KEY` | Root, smom-dbis-138 | Yes (verification) | Etherscan/Blockscan |
| Contract addresses (e.g. `CCIP_ROUTER`, `LINK_TOKEN`) | smom-dbis-138/.env, config | Yes | See config/contract-addresses.conf |

---

## 8. Database & app auth

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `DATABASE_URL` | Root, dbis_core, OMNIS, explorer, token-aggregation | Yes (per app) | PostgreSQL connection string |
| `JWT_SECRET`, `JWT_REFRESH_SECRET` | OMNIS/backend, explorer, dbis_core | Yes (per service) | Min 32 chars |
| `SESSION_SECRET` | Explorer, OMNIS | If sessions | Session signing |
| `ADMIN_CENTRAL_API_KEY` | dbis_core, orchestration, token-aggregation | Yes (central API) | Service-to-service |
| `DBIS_CENTRAL_URL` | Callers of dbis_core | Yes | API base URL |

---

## 9. Storage (AWS / Azure)

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_S3_BUCKET` | Root, OMNIS, the-order | If S3 | Storage |
| `AZURE_STORAGE_CONNECTION_STRING`, `AZURE_STORAGE_CONTAINER` | Root, OMNIS | If Azure | Blob storage |

---

## 10. Third-party APIs (price, ramps, exchanges)

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `COINGECKO_API_KEY` | Root, token-aggregation, oracle | Recommended | Price feeds |
| `COINDESK_API_KEY` | Root | Optional | Market data |
| `MOONPAY_API_KEY`, `MOONPAY_SECRET_KEY` | Root, metamask-integration | Optional | On/off ramp |
| `RAMP_NETWORK_API_KEY`, `ONRAMPER_API_KEY` | Root, metamask-integration | Optional | Ramps |
| `CRYPTO_COM_API_KEY`, `CRYPTO_COM_API_SECRET` | dbis_core | If OTC | Exchange OTC |
| `BINANCE_API_KEY`, `BINANCE_API_SECRET` | dbis_core | Optional | Ticker/private |
| `KRAKEN_API_KEY`, `KRAKEN_PRIVATE_KEY` | dbis_core | Optional | Same |
| `OANDA_API_KEY`, `OANDA_ACCOUNT_ID` | dbis_core | Optional | Forex |
| `FXCM_API_TOKEN` | dbis_core | Optional | Forex |
| `ONEINCH_API_KEY`, `PARASWAP_API_KEY`, `ZEROX_API_KEY` | alltra-lifi-settlement | Optional | DeFi rate limits |

---

## 11. Frontend / MetaMask / Explorer

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `VITE_WALLETCONNECT_PROJECT_ID`, `VITE_THIRDWEB_CLIENT_ID` | smom-dbis-138/frontend-dapp | Yes (WalletConnect) | Reown/Thirdweb |
| `VITE_ETHERSCAN_API_KEY`, `VITE_SENTRY_DSN` | Frontends | Optional | Build-time |
| `NEXT_PUBLIC_*` | explorer-monorepo/frontend | Per feature | Next.js public env |
| `METAMASK_API_KEY`, `THIRDWEB_SECRET_KEY` | metamask-integration | If integrated | Backend |

---

## 12. Alerts & monitoring

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `SLACK_WEBHOOK_URL` | Root, dbis_core | Optional | Alerts |
| `PAGERDUTY_INTEGRATION_KEY` | Root, dbis_core | Optional | |
| `EMAIL_ALERT_API_URL`, `EMAIL_ALERT_RECIPIENTS` | Root, dbis_core | Optional | |
| `SENTRY_DSN` | Various | Optional | Error tracking |

---

## 13. Legal / e-signature / e-filing

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `E_SIGNATURE_BASE_URL` | Root, the-order/legal-documents | Optional | E-signature API |
| E-filing / court API keys | the-order/legal-documents | If enabled | Per integration |

---

## 14. Mifos / Fineract / OMNL

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `MIFOS_BASE_URL`, `MIFOS_TENANT`, `MIFOS_USER`, `MIFOS_PASSWORD` | Root `.env` | If central-bank scripts | Fineract API |
| `OMNL_FINERACT_BASE_URL`, `OMNL_FINERACT_TENANT`, `OMNL_FINERACT_USER`, `OMNL_FINERACT_PASSWORD` | Root `.env`, omnl-fineract | If OMNL | OMNL tenant |

---

## 15. Phoenix / Sankofa / OMNIS backend

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `SANKOFA_PHOENIX_API_URL`, `SANKOFA_PHOENIX_CLIENT_ID`, `SANKOFA_PHOENIX_CLIENT_SECRET`, `SANKOFA_PHOENIX_TENANT_ID` | OMNIS/backend | If Phoenix OAuth | OAuth client |
| Phoenix/Vault app role credentials | .secure/ or Vault | If Phoenix deploy | Phoenix deploy API |

---

## 16. Tezos / Etherlink / Jumper

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `TEZOS_RELAY_ORACLE_KEY`, `ETHERLINK_RELAY_BRIDGE`, `ETHERLINK_RELAY_PRIVATE_KEY` | Root, smom-dbis-138 | If Tezos bridge | Relay |
| `JUMPER_API_KEY` | Root | Optional | Jumper bridge |

---

## 17. Fastly / other CDN

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `FASTLY_API_TOKEN` | Root `.env` | If using Fastly API | Purge/config |

---

## 18. Proxmox VE API subproject

| Secret | Where used | Required | Notes |
|--------|------------|----------|--------|
| `MONGO_USER`, `MONGO_PASSWORD`, `MONGO_IP`, `MONGO_PORT`, `MONGO_DATABASE` | ProxmoxVE/api/.env | If MongoDB | ProxmoxVE API |

---

## Security

- **Never commit** `.env`, `.env.master`, or any file containing real secrets.
- **Private keys:** Prefer HSM/Vault; do not store in repo or committed files.
- **Rotation:** Rotate API tokens and passwords periodically; document in this repo.
- **Scopes:** Use least-privilege tokens (e.g. Gitea: write:organization, write:repository).

---

## Related docs

- [.env.master.example](../../.env.master.example) — Single template with all keys (placeholders).
- [.env.example](../../.env.example) — Root .env template with comments.
- [MASTER_SECRETS_INVENTORY.md](MASTER_SECRETS_INVENTORY.md) — Detailed inventory and HSM migration plan.
- [REQUIRED_SECRETS_INVENTORY.md](REQUIRED_SECRETS_INVENTORY.md) — Required secrets checklist.
- [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md](REMAINING_ITEMS_DOTENV_AND_ACTIONS.md) — Where to store secrets and which scripts use them.