- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com>
Mifos — Remaining Steps (after automated setup)
Last Updated: 2026-02-09
Status: Checklist for operator
Context: LXC 5800 created; Mifos X 24.04.30 (Docker) running on 192.168.11.85:80; DNS mifos.d-bis.org → 76.53.10.41 (A, Proxied).
Done automatically
- LXC 5800 created on r630-02 (192.168.11.85)
- Nesting + keyctl + AppArmor unconfined set on 5800
- Docker + Mifos 24.04.30 (Docker Compose) installed and running in 5800
- Cloudflare DNS: mifos.d-bis.org → 76.53.10.41 (A record, Proxied) via
MIFOS_DNS_MODE=direct ./scripts/cloudflare/configure-mifos-dns.sh
Remaining (manual or with secrets)
1. UDM Pro port forward (for direct access via 76.53.10.41)
- In UniFi Network → Settings → Firewall & Security → Port Forwarding add:
  - 76.53.10.41:80 → 192.168.11.85:80 (TCP)
  - 76.53.10.41:443 → 192.168.11.85:443 (TCP) if you add TLS later
- Ensure 76.53.10.41 is assigned on the UDM Pro.
- See UDM_PRO_MIFOS_76_53_10_41_PORT_FORWARD.md.
2. Optional: Cloudflare Tunnel + UK egress (no port forward)
If you want traffic via Tunnel instead of direct IP:
- Zero Trust → Networks → Tunnels → Create a tunnel → name mifos-r630-02 → copy the tunnel token.
- In .env set:
  CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02='<token>'
  CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02='<tunnel-uuid>'
  (from dashboard or cloudflared tunnel list after install)
- Run:
  ./scripts/install-tunnel-mifos-r630-02.sh
- In Zero Trust → mifos-r630-02 → Published application routes: add mifos.d-bis.org → Service either http://192.168.11.85:80 (no SSL on origin) or https://192.168.11.85:443 (run ./scripts/mifos/install-nginx-https-5800.sh first, then add Origin config No TLS Verify).
- Switch DNS to use the tunnel: In .env set CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=<tunnel-uuid>, then run:
  MIFOS_DNS_MODE=tunnel ./scripts/cloudflare/configure-mifos-dns.sh
  (mifos.d-bis.org becomes CNAME to <tunnel-id>.cfargotunnel.com; no UDM port forward needed for this hostname.)
- Regional Services (UK): Zero Trust / Data Localization → Regional Services → attach mifos.d-bis.org → select UK (or EU) region.
3. Change default password
- Log in at https://mifos.d-bis.org (after port forward or tunnel) with mifos / password and change the password.
4. Verification
- Direct (76.53.10.41): After UDM port forward:
  curl -I https://mifos.d-bis.org
- Tunnel: After tunnel + DNS switch: same URL; tunnel status in Zero Trust should be Healthy.
- UK egress: Check Cf-Ray header or Cloudflare analytics for UK colo.
5. Troubleshooting HTTP 530 (tunnel)
Cloudflare returns 530 when the tunnel can’t reach the origin. Check:
- Run from project root:
  ./scripts/verify/verify-mifos-tunnel-530.sh
  Confirms: cloudflared active in LXC 5800, and http://127.0.0.1:80 responds inside the container.
- Zero Trust → Networks → Tunnels → mifos-r630-02 → Published application routes
  - For HTTP to origin: Service http://192.168.11.85:80.
  - For HTTPS to origin: Service https://192.168.11.85:443; run ./scripts/mifos/install-nginx-https-5800.sh first, then add an Origin configuration for this route with No TLS Verify (required for self-signed cert).
- Tunnel status in the dashboard should be Healthy. If not, restart in 5800:
  ssh root@<r630-02> 'pct exec 5800 -- systemctl restart cloudflared'
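
The header checks from steps 4 and 5, as an added example that is not part of the original runbook or the project's scripts: a shell function that classifies the output of curl -sI by whether a Cf-Ray header is present, whether the status is 530, and which colo code ends the Cf-Ray value. The function name check_headers, the UK_COLOS list and the sample headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify headers from `curl -sI https://mifos.d-bis.org`.
# Assumption: IATA codes of UK Cloudflare locations; adjust to match your analytics.
UK_COLOS="LHR MAN EDI"

# Reads HTTP response headers on stdin, prints one verdict line.
# Returns 0 only when the response came via Cloudflare from a UK colo.
check_headers() {
    hdrs=$(tr -d '\r')    # curl emits CRLF line endings
    # Last status line wins, so output from `curl -sIL` (redirects) also works.
    status=$(printf '%s\n' "$hdrs" | awk '/^HTTP\// { s = $2 } END { print s }')
    # Header names are case-insensitive (HTTP/2 prints them in lowercase).
    ray=$(printf '%s\n' "$hdrs" |
        awk -F': *' 'tolower($1) == "cf-ray" { r = $2 } END { print r }')

    if [ -z "$ray" ]; then
        echo "not-proxied status=$status"   # no Cf-Ray: answer did not come from Cloudflare
        return 1
    fi
    if [ "$status" = "530" ]; then
        echo "origin-unreachable ray=$ray"  # step 5: tunnel cannot reach the origin
        return 1
    fi
    case "$ray" in
        *-*) colo=${ray##*-} ;;             # Cf-Ray is <id>-<colo>
        *)   colo="" ;;
    esac
    for c in $UK_COLOS; do
        if [ "$colo" = "$c" ]; then
            echo "ok-uk status=$status colo=$colo"
            return 0
        fi
    done
    echo "non-uk status=$status colo=${colo:-unknown}"
    return 1
}

# Constructed sample response (not captured from the real host).
printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-ray: 8f00000000000000-LHR\r\n\r\n' | check_headers
```

Against the live host: curl -sI https://mifos.d-bis.org | check_headers. A not-proxied verdict means the answer bypassed Cloudflare, for example when the origin IP is queried directly.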