proxmox/docs/00-meta/ALL_TASKS_DETAILED_STEPS.md
defiQUG bea1903ac9
Sync all local changes: docs, config, scripts, submodule refs, verification evidence
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-21 15:46:06 -08:00

All Tasks — Detailed Steps (Single Reference)

Last Updated: 2026-02-12
Purpose: One place for every task with concrete steps to execute.
Sources: NEXT_STEPS_MASTER.md, REMAINING_WORK_DETAILED_STEPS.md, CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md, CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md, TODO_TASK_LIST_MASTER.md, IMPLEMENTATION_CHECKLIST.md.


How to use this document

  • Wave order: Wave 0 → Wave 1 → Wave 2 → Wave 3 → Ongoing. Within a wave, run tasks in parallel where possible.
  • Blocker: Each task notes what is required (LAN, PRIVATE_KEY, etc.).
  • References: Links point to runbooks and scripts; runbooks have the full command set.

Runner scripts (run in parallel where possible)

| Script | When to use | What it runs |
|---|---|---|
| scripts/run-completable-tasks-from-anywhere.sh | From dev machine / WSL / CI (no LAN or secrets) | Config validation, on-chain contract check (Chain 138), run-all-validation --skip-genesis, canonical .env output for reconciliation. |
| scripts/run-operator-tasks-from-lan.sh | From a host on LAN with NPM_PASSWORD (and optionally PRIVATE_KEY for O-1) | W0-1 (NPMplus RPC fix), W0-3 (NPMplus backup), O-1 (Blockscout verification). Prints next steps for W0-2, W1-*, cron, CR-1, API keys. |
| scripts/run-wave0-from-lan.sh | Same as above (subset) | W0-1 + W0-3 only. |
| scripts/run-all-remaining-tasks.sh | From project root | Set RUN_W02=1 AMOUNT=…, RUN_SECURITY=1, or RUN_VALIDATOR_KEYS=1 to execute W0-2 (sendCrossChain), W1-1/W1-2 (--apply), W1-19 (validator keys), and prints runbook commands for W2-2 through W3-2, CR-1, API, Paymaster. |

Task index (by category)

| ID | Task | Wave | Blocker |
|---|---|---|---|
| W0-1 | NPMplus RPC fix (405) | 0 | LAN |
| W0-2 | sendCrossChain (real transfer) | 0 | PRIVATE_KEY, LINK |
| W0-3 | NPMplus backup | 0 | NPM_PASSWORD, LAN |
| CR-1 | Config-ready chains (Gnosis, Celo, Wemix) | | CCIP support, keys, gas |
| O-1 | Run Blockscout source verification | | LAN / Blockscout reachable |
| O-2 | Reconcile .env (canonical addresses) | | CONTRACT_ADDRESSES_REFERENCE |
| O-3 | On-chain contract check (Chain 138) | | RPC (e.g. VMID 2101) |
| W1-1 | SSH key-based auth; disable password | 1 | Proxmox/SSH |
| W1-2 | Firewall — restrict Proxmox API 8006 | 1 | Proxmox/SSH |
| W1-8 | NPMplus backup run + cron | 1 | NPM_PASSWORD, LAN |
| W1-19 | Secure validator key permissions | 1 | Proxmox host |
| W2-1 | Deploy monitoring stack | 2 | Infra |
| W2-2 | Grafana via Cloudflare; alerts | 2 | W2-1 |
| W2-3 | VLAN enablement | 2 | UDM Pro, Proxmox |
| W2-4 | Phase 3 CCIP Ops/Admin; NAT pools | 2 | CCIP_DEPLOYMENT_SPEC |
| W2-5 | Phase 4 sovereign tenant VLANs | 2 | Runbook |
| W2-7 | DBIS / Hyperledger services | 2 | Runbooks |
| W3-1 | CCIP Fleet (commit/execute/RMN) | 3 | W2-4 |
| W3-2 | Phase 4 tenant isolation enforcement | 3 | W2-5 |
| Cron-1 | NPMplus backup cron | | Target host |
| Cron-2 | Daily/weekly checks cron | | Target host |
| API | API keys — obtain and set | | Sign-up |
| Paymaster | Deploy Paymaster (optional) | | smom-dbis-138, RPC |

W0 — Gates (do first when credentials allow)

W0-1: NPMplus RPC fix (405)

Blocker: Host on LAN (e.g. 192.168.11.x).

Steps:

  1. From a machine on LAN: cd /path/to/proxmox.
  2. Option A — Full Wave 0: bash scripts/run-wave0-from-lan.sh (use --skip-backup for RPC only).
  3. Option B — RPC only: bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh.
  4. Verify: bash scripts/verify/verify-end-to-end-routing.sh — RPC domains should pass.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W0-1.


W0-2: sendCrossChain (real)

Blocker: PRIVATE_KEY and LINK approved in .env; bridge 0x971cD9D156f193df8051E48043C476e53ECd4693.

Steps:

  1. Ensure smom-dbis-138/.env has PRIVATE_KEY and LINK (or fee token) approved for bridge.
  2. Run: bash scripts/bridge/run-send-cross-chain.sh <amount> [recipient] (omit --dry-run).
  3. Confirm tx on chain and destination.

Ref: scripts/README.md §8, REMAINING_WORK_DETAILED_STEPS.md § W0-2.


W0-3: NPMplus backup

Blocker: NPM_PASSWORD in .env; NPMplus API reachable (LAN).

Steps:

  1. Set NPM_PASSWORD (and optionally NPM_HOST) in .env.
  2. From host that can reach NPMplus: bash scripts/verify/backup-npmplus.sh.
  3. Or: bash scripts/run-wave0-from-lan.sh (includes backup).

Ref: REMAINING_WORK_DETAILED_STEPS.md § W0-3.


CR — Config-ready chains (Gnosis, Celo, Wemix)

Blocker: CCIP support per chain (verify at https://docs.chain.link/ccip/supported-networks); deployer key with gas on each chain; Chain 138 RPC and CHAIN138_SELECTOR.

Steps:

  1. Verify CCIP: Confirm Gnosis, Celo, Wemix in Chainlink CCIP supported networks.
  2. Deploy bridges (per chain): From smom-dbis-138/: set RPC_URL, CCIP_ROUTER_ADDRESS, LINK_TOKEN_ADDRESS, WETH9_ADDRESS, WETH10_ADDRESS, PRIVATE_KEY for that chain; run:
    forge script script/deploy/bridge/DeployWETHBridges.s.sol:DeployWETHBridges --rpc-url "$RPC_URL" --broadcast -vvvv
    
    Record deployed bridge addresses.
  3. Env: Copy smom-dbis-138/docs/deployment/ENV_CONFIG_READY_CHAINS.example into smom-dbis-138/.env; set CCIPWETH9_BRIDGE_GNOSIS, CCIPWETH10_BRIDGE_GNOSIS, same for Celo/Wemix; set CHAIN138_SELECTOR (decimal).
  4. Configure destinations: cd smom-dbis-138 && ./scripts/deployment/complete-config-ready-chains.sh (use DRY_RUN=1 first).
  5. Fund LINK: Send ~10 LINK per bridge on Gnosis, Celo, Wemix to each bridge address.

Ref: CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md, ENV_CONFIG_READY_CHAINS.example.


O — Operator / contract (any time)

O-1: Blockscout source verification

Blocker: Host that can reach Blockscout (e.g. LAN to 192.168.11.140:4000).

Steps:

  1. source smom-dbis-138/.env 2>/dev/null
  2. ./scripts/verify/run-contract-verification-with-proxy.sh
  3. Optionally retry single contract: --only ContractName

Ref: CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md § Operator action.


O-2: Reconcile .env (canonical addresses)

Blocker: None (edit only).

Steps:

  1. Open CONTRACT_ADDRESSES_REFERENCE § Canonical source of truth.
  2. Ensure smom-dbis-138/.env has one entry per variable; remove duplicates; align values with the canonical table.

Ref: CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md.
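
A check for step 2, added here as an example (not one of the repository's scripts): it lists variables assigned more than once in a dotenv file, which matters because the last assignment wins when the file is sourced. The function name env_duplicates and all sample values are constructed for illustration.

```bash
#!/bin/sh
# Added example, not a script from the repository.
# env_duplicates FILE: print every variable assigned more than once, with
# the line numbers of each assignment. When the file is sourced the last
# assignment wins, so a stale duplicate can override the canonical value.
env_duplicates() (
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)  # tolerate "export KEY=..."
            eq = index(line, "=")
            if (eq < 2) next                         # not a KEY=value line
            key = substr(line, 1, eq - 1)
            sub(/[ \t]+$/, "", key)
            if (count[key]++) where[key] = where[key] "," NR
            else where[key] = NR
        }
        END {
            for (k in count)
                if (count[k] > 1) print k " lines " where[k]
        }
    ' "$1" | sort
)

# Constructed sample (placeholder values, not real addresses or selectors).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# smom-dbis-138/.env (constructed)
RPC_URL_138=http://192.0.2.10:8545
CCIPWETH9_BRIDGE_GNOSIS=0x1111111111111111111111111111111111111111
export CHAIN138_SELECTOR=1
CCIPWETH9_BRIDGE_GNOSIS=0x2222222222222222222222222222222222222222
EOF
env_duplicates "$sample"
rm -f "$sample"
```

Empty output means every variable is assigned exactly once; each reported variable still has to be compared against the canonical table by hand.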


O-3: On-chain contract check (Chain 138)

Blocker: RPC reachable — set RPC_URL_138 (e.g. http://192.168.11.211:8545 or https://rpc-core.d-bis.org).

Steps:

  1. From repo root: ./scripts/verify/check-contracts-on-chain-138.sh (uses RPC_URL_138)
  2. Or pass URL: ./scripts/verify/check-contracts-on-chain-138.sh "$RPC_URL_138"
  3. Fix any MISS: deploy or correct address in docs/.env.

Ref: CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md § Part 2.


W1 — Operator / security / cron

W1-1: SSH key-based auth; disable password

Blocker: Proxmox/SSH access; break-glass method in place.

Steps:

  1. Deploy SSH public key(s): ssh-copy-id root@<host>.
  2. Test: ssh root@<host> (no password).
  3. Dry-run: bash scripts/security/setup-ssh-key-auth.sh --dry-run.
  4. Apply: bash scripts/security/setup-ssh-key-auth.sh --apply.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W1-1, OPERATIONAL_RUNBOOKS § Access Control.
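
A check to run after step 4 while the existing session is still open, added as an example (not the repository's setup-ssh-key-auth.sh): it reads the effective configuration printed by sshd -T, because a drop-in file can override sshd_config and keyboard-interactive logins can still accept a password when only PasswordAuthentication is disabled. The function name and the sample output are constructed.

```bash
#!/bin/sh
# Added example, not a script from the repository.
# ssh_password_findings: read `sshd -T` output on stdin, print every
# effective setting that still allows password logins (or blocks key
# logins), and return 1 if any was found.
ssh_password_findings() (
    awk '
        BEGIN { bad = 0 }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && val != "no" {
            print "FAIL " key " " val; bad = 1
        }
        # Keyboard-interactive (PAM) can prompt for a password by itself;
        # older OpenSSH prints it as challengeresponseauthentication.
        (key == "kbdinteractiveauthentication" ||
         key == "challengeresponseauthentication") && val != "no" {
            print "FAIL " key " " val; bad = 1
        }
        key == "pubkeyauthentication" && val != "yes" {
            print "FAIL " key " " val; bad = 1   # key logins would be refused
        }
        END { exit bad }
    '
)

# On the host (as root): sshd -T | ssh_password_findings
# Constructed sample of `sshd -T` output so the block runs offline:
if printf '%s\n' \
    'port 22' \
    'pubkeyauthentication yes' \
    'passwordauthentication no' \
    'kbdinteractiveauthentication yes' | ssh_password_findings
then echo "password logins disabled"
else echo "password logins still possible"
fi
```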


W1-2: Firewall — restrict Proxmox API 8006

Blocker: Proxmox host or SSH from admin network.

Steps:

  1. Decide allowed CIDR(s) for Proxmox API.
  2. Dry-run: bash scripts/security/firewall-proxmox-8006.sh --dry-run [CIDR].
  3. Apply: bash scripts/security/firewall-proxmox-8006.sh --apply [CIDR].
  4. Verify: https://<host>:8006 is reachable only from an allowed IP.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W1-2.


W1-8: NPMplus backup run + cron

Steps (one-time run):

  1. With NPM_PASSWORD set: bash scripts/verify/backup-npmplus.sh.
  2. Full automated backup: bash scripts/backup/automated-backup.sh [--with-npmplus].

Cron: See Cron-1 and Cron-2 below.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W1-8, Crontab installs.


W1-19: Secure validator key permissions

Blocker: Run on Proxmox host (or SSH from LAN).

Steps:

  1. SSH to each host that runs validators (e.g. VMIDs 1000–1004).
  2. Dry-run: bash scripts/secure-validator-keys.sh --dry-run.
  3. Apply: bash scripts/secure-validator-keys.sh.
  4. Confirm Besu still starts: pct exec <vmid> -- systemctl status besu.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W1-19.
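
An independent audit to run before and after step 3, added as an example (not the repository's secure-validator-keys.sh): it lists files that group or other can access and directories that group or other can write to, since a writable directory lets a key be replaced even when the file itself is owner-only. The function name, file names and directory layout in the sample are assumptions.

```bash
#!/bin/sh
# Added example, not a script from the repository.
# key_perm_findings DIR: print "FILE path" for regular files with any
# group/other permission bit set and "DIR path" for directories writable
# by group or other. Empty output means nothing was found.
key_perm_findings() (
    {
        find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
                          -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -print | sed 's/^/FILE /'
        find "$1" -type d \( -perm -020 -o -perm -002 \) \
            -print | sed 's/^/DIR /'
    } | sort
)

# Constructed key directory so the block runs offline; on a validator,
# pass the real key directory instead (its path is not given on this page).
root=$(mktemp -d)
mkdir -p "$root/keys"
: > "$root/keys/nodekey";       chmod 600 "$root/keys/nodekey"
: > "$root/keys/validator.key"; chmod 644 "$root/keys/validator.key"
chmod 700 "$root" "$root/keys"
key_perm_findings "$root"       # reports only keys/validator.key
rm -rf "$root"
```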


Cron installs (on target host)

Cron-1: NPMplus backup cron

Steps:

  1. On host: cd /path/to/proxmox.
  2. Show: bash scripts/maintenance/schedule-npmplus-backup-cron.sh --show.
  3. Install: bash scripts/maintenance/schedule-npmplus-backup-cron.sh --install.
  4. Default: daily 03:00; log: logs/npmplus-backup.log.

Cron-2: Daily/weekly checks cron

Steps:

  1. On host: cd /path/to/proxmox.
  2. Show: bash scripts/maintenance/schedule-daily-weekly-cron.sh --show.
  3. Install: bash scripts/maintenance/schedule-daily-weekly-cron.sh --install.
  4. Defaults: daily 08:00 (explorer sync, RPC 2201); weekly Sunday 09:00 (Config API).

Ref: REMAINING_WORK_DETAILED_STEPS.md § Crontab installs.


W2 — Infra / deploy

W2-1: Deploy monitoring stack

Steps:

  1. Use configs: smom-dbis-138/monitoring/, scripts/monitoring/.
  2. Run or adapt: scripts/deployment/phase2-observability.sh (or manual per runbook).
  3. Ensure Prometheus scrapes Besu 9545; add targets from export-prometheus-targets.sh if used.

Ref: OPERATIONAL_RUNBOOKS § Phase 2, REMAINING_WORK_DETAILED_STEPS.md § W2-1.


W2-2: Grafana via Cloudflare Access; alerts

Steps:

  1. After W2-1, publish Grafana via Cloudflare Access (or chosen ingress).
  2. Configure Alertmanager routes in alertmanager/alertmanager.yml.
  3. Test alert routing.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W2-2.


W2-3: VLAN enablement (UDM Pro + Proxmox)

Steps:

  1. Configure sovereign VLANs on UDM Pro (e.g. 200–203).
  2. Enable VLAN-aware bridge on Proxmox; attach VMs/containers to VLANs.
  3. Migrate services per NETWORK_ARCHITECTURE §35 and UDM_PRO_VLAN_* docs.
  4. Verify connectivity and firewall.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W2-3.


W2-4: Phase 3 CCIP — Ops/Admin; NAT pools

Steps:

  1. Run: bash scripts/ccip/ccip-deploy-checklist.sh (validates env, prints order).
  2. Deploy CCIP Ops/Admin (VMIDs 5400, 5401) per CCIP_DEPLOYMENT_SPEC.
  3. Configure NAT pools on ER605 (Blocks #2–4 for commit/execute/RMN).
  4. Expand commit/execute/RMN scripts for full fleet (for Wave 3).

Ref: REMAINING_WORK_DETAILED_STEPS.md § W2-4.


W2-5: Phase 4 — Sovereign tenant VLANs

Steps:

  1. Show steps: bash scripts/deployment/phase4-sovereign-tenants.sh --show-steps.
  2. Dry-run: bash scripts/deployment/phase4-sovereign-tenants.sh --dry-run.
  3. Execute manual steps: OPERATIONAL_RUNBOOKS § Phase 4; UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.
  4. (1) UDM Pro VLANs 200–203, (2) Proxmox VLAN-aware bridge, (3) migrate tenant containers, (4) access control, (5) Block #6 egress NAT and verify.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W2-5.


W2-7: DBIS / Hyperledger services

Steps:

  1. Follow deployment runbooks for DBIS VMIDs (10100–10151).
  2. Start/configure Hyperledger (Firefly etc.) per MISSING_CONTAINERS_LIST.
  3. Parallelize by host where possible.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W2-7.


W3 — After W2

W3-1: CCIP Fleet (16 commit, 16 execute, 7 RMN)

Depends on: W2-4.

Steps:

  1. Deploy 16 commit nodes: VMIDs 5410–5425.
  2. Deploy 16 execute nodes: VMIDs 5440–5455.
  3. Deploy 7 RMN nodes: VMIDs 5470–5476.
  4. Use scripts/runbooks from W2-4; spec: CCIP_DEPLOYMENT_SPEC.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W3-1.


W3-2: Phase 4 tenant isolation enforcement

Depends on: W2-3 / W2-5.

Steps:

  1. Apply firewall rules and ACLs for east-west denial between tenants.
  2. Verify tenant isolation and egress NAT (Block #6).
  3. Document exceptions and review periodically.

Ref: REMAINING_WORK_DETAILED_STEPS.md § W3-2.


API keys

Steps:

  1. Open reports/API_KEYS_REQUIRED.md.
  2. Obtain each key (sign-up URLs in report); set in root and subproject .env.
  3. Restart services that use those vars.

Ref: REMAINING_WORK_DETAILED_STEPS.md § API Keys & Secrets.


Paymaster (optional)

Blocker: smom-dbis-138 contract sources; Chain 138 RPC.

Steps:

  1. From smom-dbis-138/: forge script script/smart-accounts/DeployPaymaster.s.sol --rpc-url "$RPC_URL_138" --broadcast.
  2. See SMART_ACCOUNTS_DEPLOYMENT_NOTE.

Ref: TODO_TASK_LIST_MASTER §2.


Ongoing (no wave)

| ID | Task | Frequency | Steps |
|---|---|---|---|
| O-1 | Monitor explorer sync | Daily | Cron or bash scripts/maintenance/daily-weekly-checks.sh daily |
| O-2 | Monitor RPC 2201 | Daily | Same script |
| O-3 | Config API uptime | Weekly | daily-weekly-checks.sh weekly |
| O-4 | Review explorer logs | Weekly | e.g. ssh root@<host> journalctl -u blockscout -n 200 |
| O-5 | Update token list | As needed | Update token-list.json / explorer config |

Ref: REMAINING_WORK_DETAILED_STEPS.md § Ongoing.


Validation commands (re-run anytime)

| Check | Command |
|---|---|
| All validation | bash scripts/verify/run-all-validation.sh [--skip-genesis] |
| Full verification | bash scripts/verify/run-full-verification.sh |
| E2E routing | bash scripts/verify/verify-end-to-end-routing.sh |
| Config files | bash scripts/validation/validate-config-files.sh |
| Genesis | bash smom-dbis-138/scripts/validation/validate-genesis.sh |
| Wave 0 dry-run | bash scripts/run-wave0-from-lan.sh --dry-run |

Deferred / backlog (no steps here)

  • W1-3, W1-4: smom security audits (VLT-024, ISO-024); bridge integrations (BRG-VLT, BRG-ISO) — smom backlog.
  • W1-14: dbis_core ~1186 TypeScript errors — fix by module; npx prisma generate; explicit types.
  • W1-15–W1-17: smom placeholders (canonical env-only, AlltraAdapter fee, smart accounts, quote Fabric 999, .bak deprecation) — see PLACEHOLDERS_AND_*.
  • Improvements 1139: ALL_IMPROVEMENTS_AND_GAPS_INDEX.md by cohort.