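# ============================================================================
# Proxmox Workspace - Root Environment Variables
# ============================================================================
# Copy to .env in repo root and/or ~/.env (scripts use repo root .env when
# run from repo; setup.sh and load-env.sh use ~/.env for PROXMOX_*).
#
# DO NOT commit actual .env files to version control. Keep `.env` and
# `~/.env` in .gitignore and treat this template as public: anything placed
# here is visible to everyone with read access to the repository.
#
# Format notes (dotenv / `source`-able shell): one KEY=VALUE per line, no
# quotes unless the value contains spaces, `#` or `$`, and no inline comments
# on value lines - several loaders would keep the comment as part of the value.
# If the same KEY appears twice, which value wins depends on the loader
# (shell `source` and python-dotenv: last wins), so keep every key unique.
# ============================================================================

# ----------------------------------------------------------------------------
# Proxmox Configuration
# ----------------------------------------------------------------------------
# Lab hosts (RFC 1918 addresses on the management LAN).
PROXMOX_ML110=192.168.11.10
PROXMOX_R630_01=192.168.11.11
PROXMOX_R630_02=192.168.11.12
# Host the scripts talk to by default (same as PROXMOX_R630_01).
PROXMOX_HOST=192.168.11.11
PROXMOX_PORT=8006
# NOTE(security): root@pam grants the token full cluster control. Prefer a
# dedicated PVE user with only the privileges the scripts need (e.g. VM/CT
# management on the relevant pool) and issue the token for that user instead.
PROXMOX_USER=root@pam
# Create token: ./scripts/proxmox/create-and-store-proxmox-api-token.sh (or Datacenter → API Tokens in UI)
# PROXMOX_TOKEN_VALUE is shown exactly once at creation time and is a bearer
# secret equivalent to the user's privileges - store it only here, chmod 600.
PROXMOX_TOKEN_NAME=your-token-name
PROXMOX_TOKEN_VALUE=your-token-secret-value
# Read by the scripts; leave false unless a script documents needing it.
# NOTE(review): exact semantics are defined by the scripts, not here - confirm
# before setting true.
PROXMOX_ALLOW_ELEVATED=false

# ----------------------------------------------------------------------------
# Cloudflare Configuration (both methods supported)
# ----------------------------------------------------------------------------
# Scripts (DNS, NPMplus, tunnel): use CLOUDFLARE_API_TOKEN first, else CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY.
# Certbot (dns-cloudflare): use ONE method per credentials file (token-only OR email+key-only).
# NOTE(security): CLOUDFLARE_API_KEY is the account-wide Global API Key and
# cannot be scoped or individually revoked. Prefer an API token restricted to
# the zones and permissions the scripts use (e.g. Zone:DNS:Edit) and leave the
# email/key pair empty; only fall back to it for tooling that cannot use tokens.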
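# See: docs/04-configuration/CLOUDFLARE_CREDENTIALS_BOTH_METHODS.md
# Scoped API token (preferred - see note above).
CLOUDFLARE_API_TOKEN=your-cloudflare-api-token
# Legacy email + Global API Key fallback (account-wide; avoid where possible).
CLOUDFLARE_EMAIL=your-email@example.com
CLOUDFLARE_API_KEY=your-cloudflare-api-key
# Zone IDs are not secrets (visible on each zone's Overview page) but are
# environment-specific; one per managed zone.
CLOUDFLARE_ZONE_ID_D_BIS_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_MIM4U_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=your-zone-id
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=your-zone-id
# Optional fallback for d-bis.org (create-dns-record-rpc-core, update-all-dns-to-public-ip)
# CLOUDFLARE_ZONE_ID=your-d-bis-org-zone-id
# Required for Chain 138 RPC DNS: rpc.defi-oracle.io, wss.defi-oracle.io, rpc.public-0138.defi-oracle.io
# CLOUDFLARE_TUNNEL_TOKEN lets any holder run a connector for the tunnel and
# receive its traffic - treat it as a credential, not an identifier.
CLOUDFLARE_TUNNEL_TOKEN=your-tunnel-token
# Origin CA key can issue origin certificates for every zone on the account.
CLOUDFLARE_ORIGIN_CA_KEY=your-origin-ca-key
CLOUDFLARE_ACCOUNT_ID=your-account-id
# Tunnel ID for Option B RPC DNS (set-rpc-dns-to-tunnel.sh): from Zero Trust → Tunnels → tunnel UUID
# (The tunnel UUID is public - it appears in the <uuid>.cfargotunnel.com CNAME - unlike the token.)
# CLOUDFLARE_TUNNEL_ID=10ab22da-8ea3-4e2e-a896-27ece2211a05
# Alltra/HYBX tunnel (configure-alltra-hybx-tunnel-and-dns.sh)
# CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX=892bd3fe-c6fa-4ddf-8b60-a8ed2b849c3d
# Mifos on r630-02 (configure-mifos-dns.sh tunnel mode; install-tunnel-mifos-r630-02.sh)
# CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=your-tunnel-uuid
# CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02=your-tunnel-token
# Fineract API (central-bank-config scripts). Use full API path e.g. https://mifos.d-bis.org/fineract-provider/api/v1
# MIFOS_USER/MIFOS_PASSWORD are sent as HTTP Basic auth on every call - only
# point MIFOS_BASE_URL at https:// origins.
# MIFOS_BASE_URL=https://mifos.d-bis.org/fineract-provider/api/v1
# MIFOS_TENANT=default
# MIFOS_USER=mifos
# MIFOS_PASSWORD=your-fineract-password
# MIFOS_INSECURE: presumably disables TLS certificate verification when set to 1
# (confirm in the script). Leave 0 outside of throwaway test setups; with
# verification off the Basic-auth credentials above are exposed to any
# on-path attacker.
# MIFOS_INSECURE=0
# OMNL tenancy (https://omnl.hybxfinance.io/) – same scripts, different vars if needed
# OMNL_FINERACT_BASE_URL=https://omnl.hybxfinance.io/fineract-provider/api/v1
# OMNL_FINERACT_TENANT=omnl
# OMNL_FINERACT_USER=app.omnl
# OMNL_FINERACT_PASSWORD=your-omnl-fineract-password
# Certbot dns_cloudflare (optional): in the file certbot reads, use ONE of:
# dns_cloudflare_email=your-email@example.com + dns_cloudflare_api_key=your-api-key
# OR dns_cloudflare_api_token=your-api-token
# (certbot refuses a credentials file that is group/world readable - chmod 600 it.)

# ----------------------------------------------------------------------------
# ClouDNS (Certbot dns-cloudns) – NPMplus Certbot DNS challenge
# ----------------------------------------------------------------------------
# For NPMplus TLS: Add TLS Certificate → DNS Challenge → ClouDNS → paste output of:
# ./scripts/certbot/print-cloudns-credentials-from-env.sh
# NOTE(security): that script prints CLOUDNS_AUTH_PASSWORD to the terminal;
# run it in a session whose scrollback/history is not recorded and clear it
# afterwards. ClouDNS API access can also be restricted by source IP in the
# API settings - enable that for the lab's public IP.
# See: https://www.cloudns.net/api-settings/
CLOUDNS_AUTH_ID=1234
CLOUDNS_AUTH_PASSWORD=your-cloudns-api-password
# Optional: use sub-account (one of the two below, not both)
# CLOUDNS_SUB_AUTH_ID=1234
# CLOUDNS_SUB_AUTH_USER=foobar

# ----------------------------------------------------------------------------
# NPM (Nginx Proxy Manager) / NPMplus Configuration
# ----------------------------------------------------------------------------
# Required for: update-npmplus-proxy-hosts-api.sh, configure-npmplus-domains.js,
# scripts/fix-rpc-chain138-npmplus.sh (RPC ChainID 138 + Ledger)
# scripts/complete-chain138-rpc-setup.sh (full Chain 138 RPC from .env)
# See: docs/04-configuration/NEXT_STEPS_CHAIN138_RPC.md for complete .env → script mapping
# NPMplus (VMID 10233) is reachable on 192.168.11.167:81 (eth1). All five NPMplus instances (10233, 10234, 10235, 10236, 10237) use the same NPM_EMAIL and NPM_PASSWORD.
# NOTE(security): sharing one admin password across all five proxies means a
# leak from any one of them (or from this file) gives admin on every public
# ingress at once. Per-instance passwords cost one extra variable each
# (NPM_PASSWORD_<instance>) and are worth it once any instance is internet-facing.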
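# Admin API of the primary NPMplus instance (port 81 is the admin UI/API, not
# the proxied traffic).
NPM_URL=https://192.168.11.167:81
NPM_EMAIL=admin@example.org
NPM_PASSWORD=your-npm-password
# NPM_HOST = NPMplus container IP (for split-DNS, LAN tests, verify-ws)
NPM_HOST=192.168.11.167
# NPM_PROXMOX_HOST / NPMPLUS_HOST = Proxmox host where NPMplus runs (SSH for pct exec, backup)
NPM_PROXMOX_HOST=192.168.11.11
NPMPLUS_HOST=192.168.11.11
NPM_VMID=10233
# NPMPLUS_VMID = same as NPM_VMID (used by list-npmplus-certificates-status, install-certbot-dns-cloudflare-in-npm, backup-npmplus, etc.)
# Keep the two in sync; they are read by different scripts and nothing checks they agree.
NPMPLUS_VMID=10233
# NPMplus Mifos (VMID 10237, 192.168.11.171) — tunnel origin for mifos.d-bis.org → 5800. Same NPM_EMAIL/NPM_PASSWORD as above.
# NPM_URL_MIFOS=https://192.168.11.171:81
# NPMplus Alltra/HYBX (dedicated instance for Alltra + HYBX Sentries, RPC, Cacti, Firefly, Fabric, Indy)
# See: docs/04-configuration/NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md
NPMPLUS_ALLTRA_HYBX_VMID=10235
IP_NPMPLUS_ALLTRA_HYBX=192.168.11.169

# ----------------------------------------------------------------------------
# Fastly (edge CDN / origin)
# ----------------------------------------------------------------------------
# For Fastly API (purge, service config, health). See docs/05-network/CLOUDFLARE_ROUTING_MASTER.md
# Create the token with the narrowest scope the scripts need (purge_select /
# purge_all rather than global) and restrict it to the relevant services.
FASTLY_API_TOKEN=your-fastly-api-token

# ----------------------------------------------------------------------------
# Network Configuration
# ----------------------------------------------------------------------------
# PUBLIC_IP: used by update-all-dns-to-public-ip.sh for all Cloudflare A records (Chain 138 RPC)
# A wrong value here repoints every managed A record at once - double-check
# against `curl -4 ifconfig.me` (or the WAN address on the UDM) before running
# that script.
PUBLIC_IP=76.53.10.36
PROXMOX_HOST_FOR_TEST=192.168.11.11

# ----------------------------------------------------------------------------
# UniFi (UDM Pro) API – Official Network API (X-API-KEY)
# ----------------------------------------------------------------------------
# Used by: create-firewall-rules.sh, UNIFI_API_SETUP.md, unifi:cli
# Get API key: UniFi Network UI → Settings → System → API (or Developer / API Access)
UNIFI_UDM_URL=https://192.168.0.1
# The API key can rewrite firewall rules; it is as sensitive as the UDM admin login.
UNIFI_API_KEY=your-unifi-api-key
UNIFI_API_MODE=official
UNIFI_SITE_ID=default
# NOTE(security): false disables TLS verification because the UDM ships a
# self-signed certificate. With verification off, anyone on the path between
# the script and 192.168.0.1 can capture UNIFI_API_KEY and modify firewall
# rules. Prefer installing a trusted certificate on the UDM (or trusting its
# cert locally) and setting this to true; at minimum only run the scripts
# from the management LAN.
UNIFI_VERIFY_SSL=false

# ----------------------------------------------------------------------------
# OMNIS Backend Configuration
# ----------------------------------------------------------------------------
# Database
# The password is part of the URL - it will appear wherever the URL is logged
# or echoed. Use a per-service DB role, not the postgres superuser.
DATABASE_URL=postgresql://user:password@localhost:5432/omnis
# JWT Authentication (REQUIRED - no defaults for security)
# NOTE(security): the placeholders below are already ≥32 characters, so a
# "min 32 chars" length check will NOT catch a .env where they were never
# replaced - and the values are public in this template. Generate real ones:
#   openssl rand -base64 48
# Use different values for JWT_SECRET and JWT_REFRESH_SECRET.
JWT_SECRET=your-strong-random-jwt-secret-min-32-chars
JWT_REFRESH_SECRET=your-strong-random-refresh-secret-min-32-chars
# 7-day access tokens mean a stolen token stays valid for up to a week with
# no server-side revocation; short-lived access tokens (minutes to an hour)
# plus the 30d refresh token is the usual split. Kept as shipped - change
# deliberately.
JWT_EXPIRES_IN=7d
JWT_REFRESH_EXPIRES_IN=30d
# File Storage
STORAGE_TYPE=local
# Relative path - resolved against the process working directory, so the
# effective location differs between `npm start` and a systemd unit. Use an
# absolute path outside any statically served directory in deployments.
STORAGE_PATH=./uploads
# AWS S3 (if using S3 storage)
# These AWS_* names are also read by The Order and dbis_core IRU (below): one
# .env can only hold a single AWS key pair, which every service then shares.
# Scope the IAM user to the listed bucket (and SES if IRU is enabled).
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=your-aws-access-key
AWS_SECRET_ACCESS_KEY=your-aws-secret-key
AWS_S3_BUCKET=omnis-uploads
# Azure Blob Storage (if using Azure storage)
# Connection string embeds the account key; a SAS- or identity-based
# connection string is preferable where the SDK supports it.
AZURE_STORAGE_CONNECTION_STRING=your-azure-connection-string
AZURE_STORAGE_CONTAINER=omnis-uploads

# ----------------------------------------------------------------------------
# The Order Configuration
# ----------------------------------------------------------------------------
# See the-order/packages/shared/src/env.ts for complete schema
# NOTE: DATABASE_URL, STORAGE_TYPE, AWS_* and JWT_SECRET collide with the
# OMNIS keys above. Uncommenting them in the same .env makes both services
# read one value (last assignment wins in most loaders); in particular a
# shared JWT_SECRET lets tokens issued by one service verify in the other.
# Give The Order its own .env if the two run from the same checkout.
# Database
# DATABASE_URL=postgresql://user:password@localhost:5432/theorder
# Storage
# STORAGE_TYPE=s3
# STORAGE_BUCKET=the-order-documents
# STORAGE_REGION=us-east-1
# AWS_ACCESS_KEY_ID=your-aws-key
# AWS_SECRET_ACCESS_KEY=your-aws-secret
# KMS
# KMS_TYPE=aws
# KMS_KEY_ID=your-kms-key-id
# KMS_REGION=us-east-1
# Authentication
# JWT_SECRET=your-jwt-secret-min-32-chars
# OIDC_ISSUER=https://your-oidc-issuer.com
# OIDC_CLIENT_ID=your-client-id
# OIDC_CLIENT_SECRET=your-client-secret

# ----------------------------------------------------------------------------
# dbis_core AS4 Settlement (optional - enables real API calls)
# ----------------------------------------------------------------------------
# These endpoints gate sanctions/AML decisions - use https:// only and confirm
# how the service behaves when a URL is unset or unreachable (fail-open vs
# fail-closed) before relying on it.
# SANCTIONS_API_URL=https://...  # OFAC/EU/UN sanctions screening
# AML_SERVICE_URL=https://...  # AML/CTF checks
# LEDGER_SERVICE_URL=https://...  # Ledger balance queries for liquidity
# dbis_core IRU (optional)
# AWS_SES_REGION=us-east-1
# AWS_ACCESS_KEY_ID=...
# AWS_SECRET_ACCESS_KEY=...
# SANCTIONS_OFAC_API_URL=...
# SANCTIONS_EU_API_URL=...
# SANCTIONS_UN_API_URL=...

# ----------------------------------------------------------------------------
# Verification Scripts (scripts/verify/)
# ----------------------------------------------------------------------------
# See docs/04-configuration/VERIFICATION_GAPS_AND_TODOS.md
# FABRIC_CHAIN_ID=999  # Fabric chain ID for quote-service (when integrated)
# BRIDGE_REGISTRY_ADDRESS=  # For bridge quote service

# ----------------------------------------------------------------------------
# SMOM-DBIS-138 Blockchain Configuration
# ----------------------------------------------------------------------------
# Canonical place for Chain 138 deploy: smom-dbis-138/.env (PRIVATE_KEY, RPC_URL or RPC_URL_138).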
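# Optional deployments (docs/07-ccip/OPTIONAL_DEPLOYMENTS_START_HERE.md): set in smom-dbis-138/.env:
# ORACLE_PRICE_FEED or RESERVE_KEEPER (Phase 4), DODO_VENDING_MACHINE_ADDRESS (Phase 7),
# GAS_PRICE_138 (if "Replacement transaction underpriced"), CRONOS_RPC_URL (other-chain AddressMapper).
# Scripts source both root .env and smom-dbis-138/.env via load-project-env.sh; no need to duplicate here.
# Deployment Account (MOVE TO HSM - DO NOT STORE IN FILES)
# A raw hex key in any .env is readable by every process running as that
# user (and via /proc/<pid>/environ once exported). Use a hardware wallet /
# remote signer for mainnet deployments; a file-based key is acceptable only
# for throwaway test accounts.
# PRIVATE_KEY=0x...  # ⚠️ Set in smom-dbis-138/.env (or here); never commit real key
# RPC Endpoints (see docs/04-configuration/RPC_ENDPOINTS_MASTER.md for Infura/Alchemy/public options)
# Public RPC providers see every request (addresses, pending txs) and can
# serve stale or wrong data; use a provider you trust or your own node for
# anything that signs transactions.
ETHEREUM_MAINNET_RPC=https://eth.llamarpc.com
RPC_URL_138=https://rpc.d-bis.org
# Tezos / Etherlink / Jumper (see docs/07-ccip/TEZOS_NETWORK_CONFIG_ENV_MATRIX.md)
CHAIN_651940_RPC_URL=https://mainnet-rpc.alltra.global
ETHERLINK_RPC_URL=https://node.mainnet.etherlink.com
TEZOS_RPC_URL=https://api.tzkt.io
ETHERLINK_CCIP_SELECTOR=
# Bridges stay disabled until explicitly enabled; an empty value below is an
# empty string, not "unset" - some loaders treat the two differently, so do
# not rely on `KEY=` to mean "use the default".
TEZOS_BRIDGE_ENABLED=false
ETHERLINK_BRIDGE_ENABLED=false
# NOTE(security): TEZOS_RELAY_ORACLE_KEY and ETHERLINK_RELAY_PRIVATE_KEY are
# signing keys for the relays - the same "MOVE TO HSM" guidance as PRIVATE_KEY
# applies; a relay key in a file is a file that can move bridged funds.
TEZOS_RELAY_ORACLE_KEY=
ETHERLINK_RELAY_BRIDGE=
ETHERLINK_RELAY_PRIVATE_KEY=
JUMPER_API_KEY=
# Contract Verification (Etherscan / Blockscan — same key for both)
ETHERSCAN_API_KEY=your-etherscan-api-key
# Optional: Infura RPC/Gas — set ETHEREUM_MAINNET_RPC to https://mainnet.infura.io/v3/, INFURA_GAS_API, etc. in smom-dbis-138/.env
# External Integrations (see reports/API_KEYS_REQUIRED.md)
ONEINCH_API_KEY=
MOONPAY_API_KEY=
MOONPAY_SECRET_KEY=
RAMP_NETWORK_API_KEY=
ONRAMPER_API_KEY=

# ----------------------------------------------------------------------------
# Alerts & Monitoring (dbis_core alert.service)
# ----------------------------------------------------------------------------
# See: reports/API_KEYS_REQUIRED.md
# Webhook URLs and integration keys are write credentials: anyone holding
# them can post fake alerts (or flood the channel). Rotate them like secrets.
SLACK_WEBHOOK_URL=
PAGERDUTY_INTEGRATION_KEY=
EMAIL_ALERT_API_URL=
EMAIL_ALERT_RECIPIENTS=

# ----------------------------------------------------------------------------
# Legal / E-Signature (the-order legal-documents)
# ----------------------------------------------------------------------------
E_SIGNATURE_BASE_URL=

# ----------------------------------------------------------------------------
# OTC (dbis_core)
# ----------------------------------------------------------------------------
# Exchange API keys: create them with trade-only permissions (withdrawals
# disabled) and an IP allowlist where the exchange supports it.
CRYPTO_COM_API_KEY=
CRYPTO_COM_API_SECRET=

# ----------------------------------------------------------------------------
# Bridge (optional: LayerZero, Wormhole)
# ----------------------------------------------------------------------------
# LAYERZERO_*=
# WORMHOLE_*=

# ----------------------------------------------------------------------------
# Price Feed & Market Data APIs
# ----------------------------------------------------------------------------
# CoinGecko API Key (for Oracle Publisher and Token Aggregation services)
# Get free key at: https://www.coingecko.com/en/api/pricing
COINGECKO_API_KEY=your-coingecko-api-key
# CoinDesk API Key (price/market data)
COINDESK_API_KEY=your-coindesk-api-key

# ----------------------------------------------------------------------------
# Explorer Configuration
# ----------------------------------------------------------------------------
# See explorer-monorepo/deployment/ENVIRONMENT_TEMPLATE.env

# ----------------------------------------------------------------------------
# MetaMask Integration
# ----------------------------------------------------------------------------
# See metamask-integration/.env.example

# ----------------------------------------------------------------------------
# Gitea (Dev VM / d-bis org)
# ----------------------------------------------------------------------------
# For push-to-gitea.sh and gitea-create-orgs-and-repos.sh. Create token at:
# https://gitea.d-bis.org/user/settings/applications (scopes: write:organization, write:repository)
# write:repository covers every repo the user can reach - issue the token from
# a dedicated automation account rather than a personal admin account.
# GITEA_URL=https://gitea.d-bis.org
# GITEA_TOKEN=

# ----------------------------------------------------------------------------
# Security Notes
# ----------------------------------------------------------------------------
# 1. NEVER commit .env files to version control. Keep .env and ~/.env in
#    .gitignore and run a secret scanner (e.g. gitleaks) as a pre-commit hook;
#    if a real value was ever pushed, rotating it is the only fix - rewriting
#    history does not un-leak it.
# 2. Use strong, randomly generated secrets (min 32 characters for JWT):
#    `openssl rand -base64 48`. Placeholders in this file satisfy length
#    checks, so verify each one was actually replaced.
# 3. Rotate secrets regularly, and immediately on any suspected exposure
#    (terminal scrollback, CI logs, a shared screen).
# 4. Use HSM/Key Vault for private keys (never store in files). This covers
#    PRIVATE_KEY and the *_RELAY_*_KEY / *_ORACLE_KEY variables above.
# 5. Limit access to .env files (chmod 600). Once loaded, values are visible
#    to every child process and in /proc/<pid>/environ to the same user and
#    root - do not export this file into shells that then launch unrelated
#    tools, and avoid `set -x` in scripts that source it.
# 6. Use different secrets for development, staging, and production.
# 7. Prefer the least-privileged credential the task allows (scoped
#    Cloudflare tokens, a non-root Proxmox user, trade-only exchange keys,
#    an IAM user limited to the listed bucket).

# ----------------------------------------------------------------------------
# Environment-Specific Overrides
# ----------------------------------------------------------------------------
# For development: NODE_ENV=development
# For staging: NODE_ENV=staging
# For production: NODE_ENV=production
# Production deployments must override this; many Node frameworks enable
# verbose error pages and relax caching/security defaults when NODE_ENV is
# anything other than production.
NODE_ENV=development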