proxmox/docs/04-configuration/REQUIRED_SECRETS_SUMMARY.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


Required Secrets Summary - Quick Reference

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


Date: 2025-01-20
Status: 📋 Quick Reference
Purpose: Quick checklist of all required secrets


Critical Secrets (Must Have)

Configured

Cloudflare (Root .env)

  • CLOUDFLARE_TUNNEL_TOKEN - Set
  • CLOUDFLARE_API_KEY - Set (⚠️ Consider migrating to API_TOKEN)
  • CLOUDFLARE_ACCOUNT_ID - Set
  • CLOUDFLARE_ZONE_ID - Set (multiple zones)
  • CLOUDFLARE_ORIGIN_CA_KEY - Set
  • CLOUDFLARE_EMAIL - Set

Blockchain Services

  • PRIVATE_KEY - Set (🔒 SECURITY CONCERN - exposed in files)
  • Multiple contract addresses - Set
  • ETHERSCAN_API_KEY - Set (Etherscan/Blockscan: verification, explorer API)
  • Infura (optional) - RPC URLs and/or INFURA_GAS_API when used
  • METAMASK_API_KEY / METAMASK_SECRET - Set
  • THIRDWEB_SECRET_KEY - Set

Database

  • DATABASE_URL - Set (contains password)

Service APIs

  • OMADA_CLIENT_SECRET - Set
  • OMADA_API_KEY - Set
  • Various LINK_TOKEN addresses - Set

⚠️ Missing or Needs Attention

High Priority

  • ⚠️ CLOUDFLARE_API_TOKEN - Not set (using API_KEY instead)
  • ⚠️ OMADA_API_SECRET - Empty in omada-api/.env
  • ⚠️ OMADA_API_KEY - Has placeholder value <your-api-key>

Security Concerns

  • 🔒 Private keys in .env files - Needs secure storage
    • smom-dbis-138/.env
    • explorer-monorepo/.env
    • Backup files (.env.backup.*)
  • 🔒 Backup files with secrets - Should be removed from repository
    • explorer-monorepo/.env.backup.*
    • smom-dbis-138/.env.backup

Optional Secrets (If Used)

Cloudflare Tunnels (per-service)

  • CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02 — Token for mifos-r630-02 tunnel (LXC 5800, mifos.d-bis.org). See MIFOS_R630_02_DEPLOYMENT.md. Do not commit; set in .env when using scripts/install-tunnel-mifos-r630-02.sh.

Fineract/Mifos (OMNL Central Bank config — VMID 5800)

Required when running scripts/mifos/central-bank-config/ (Master Plan 2). Do not commit; set in project root .env.

  • MIFOS_BASE_URL — Full API base URL (e.g. https://mifos.d-bis.org/fineract-provider/api/v1 or http://192.168.11.85/fineract-provider/api/v1).
  • MIFOS_TENANT — Fineract tenant identifier (e.g. default).
  • MIFOS_USER — API user (e.g. mifos).
  • MIFOS_PASSWORD — API password (change default after first login).

Optional: MIFOS_INSECURE=1 — Allow self-signed TLS when calling the API (dev/local only). See mifos-omnl-central-bank/README.md.

Explorer Monorepo

  • DB_REPLICA_PASSWORD - If using replica database
  • SEARCH_PASSWORD - If using Elasticsearch
  • ONEINCH_API_KEY - If using 1inch integration
  • JUMIO_API_KEY/SECRET - If using Jumio KYC
  • MOONPAY_API_KEY - If using MoonPay
  • WALLETCONNECT_PROJECT_ID - If using WalletConnect

Monitoring/Logging

  • SENTRY_DSN - If using Sentry
  • DATADOG_API_KEY - If using Datadog

Third-Party Services

  • Various API keys for optional integrations

Recommendations

Immediate Actions

  1. Verify .gitignore

     # Ensure these patterns are in .gitignore:
     .env
     .env.*
     *.env.backup

  2. Secure Private Keys
     • Move private keys to secure storage
     • Never commit private keys to the repository
     • Use environment variable injection
  3. Clean Up Backup Files
     • Remove .env.backup.* files from the repository
     • Store backups securely if needed
  4. Migrate to API Tokens
     • Replace CLOUDFLARE_API_KEY with CLOUDFLARE_API_TOKEN
     • More secure and recommended by Cloudflare

Security Best Practices

  • Use API tokens instead of API keys
  • Store secrets in secure storage (key vault, encrypted)
  • Never commit secrets to version control
  • Use separate secrets for different environments
  • Rotate secrets regularly
  • Limit access to secrets

File Status Summary

| File | Status | Critical Secrets | Action Needed |
|---|---|---|---|
| ./.env | Good | Cloudflare credentials | Migrate to API_TOKEN |
| omada-api/.env | ⚠️ Partial | Omada credentials | Set OMADA_API_SECRET |
| smom-dbis-138/.env | 🔒 Secure | Private key | Move to secure storage |
| dbis_core/.env | Good | Database password | Verify secure storage |
| explorer-monorepo/.env | 🔒 Secure | Private key | Move to secure storage |

Quick Commands

Check Secret Status

./scripts/check-env-secrets.sh

Verify .gitignore

grep -E "\.env|\.env\." .gitignore

List All .env Files

find . -name ".env*" -type f | grep -v node_modules | grep -v venv
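The page references scripts/check-env-secrets.sh but does not show it. The following is an added example, not the project's own script: it audits a .env-style file for the variables listed in this summary (reporting MISSING, EMPTY, PLACEHOLDER or SET) and checks whether a .gitignore pattern covers a given secret-bearing file. It assumes KEY=VALUE lines (optionally prefixed with `export`), a heuristic placeholder list modelled on the `<your-api-key>` value above, and basename-only gitignore matching; the sample .env and .gitignore it writes are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not the project's own check-env-secrets.sh: audit a .env-style
# file for the variables listed in this summary and check that a .gitignore
# covers the secret-bearing files. Assumes KEY=VALUE lines (optional "export ")
# and a heuristic placeholder list modelled on the "<your-api-key>" value above.

# env_status FILE KEY -> prints MISSING | EMPTY | PLACEHOLDER | SET
env_status() {
  line=$(grep -E "^[[:space:]]*(export[[:space:]]+)?$2=" "$1" | tail -n 1)
  [ -n "$line" ] || { echo MISSING; return 0; }
  val=${line#*=}
  val=$(printf '%s' "$val" | sed -e "s/^[\"']//" -e "s/[\"']\$//")  # strip quotes
  [ -n "$val" ] || { echo EMPTY; return 0; }
  case $val in
    \<*\>|*your-*|*changeme*|*CHANGEME*|*REPLACE*|*xxx*) echo PLACEHOLDER ;;
    *) echo SET ;;
  esac
}

# audit_env FILE KEY... -> one "KEY STATUS" line per key; exit 1 unless all SET
audit_env() {
  file=$1; shift; rc=0
  for key in "$@"; do
    st=$(env_status "$file" "$key")
    echo "$key $st"
    [ "$st" = SET ] || rc=1
  done
  return $rc
}

# ignored_by PATH GITIGNORE -> exit 0 when a pattern matches PATH's basename.
# Basename-only: patterns with '/', '**' or '!' negation are not handled here.
ignored_by() {
  base=$(basename "$1")
  while IFS= read -r pat || [ -n "$pat" ]; do
    case $pat in ''|\#*) continue ;; esac
    case $base in $pat) return 0 ;; esac   # $pat unquoted on purpose: it is a glob
  done < "$2"
  return 1
}

# make_sample DIR -> writes a constructed .env and .gitignore for a dry run
make_sample() {
  printf 'CLOUDFLARE_API_KEY=abc123\nOMADA_API_SECRET=\nOMADA_API_KEY=<your-api-key>\n' > "$1/.env"
  printf '.env\n.env.*\n*.env.backup\n' > "$1/.gitignore"
}

if [ "${1:-}" = --demo ]; then  # dry run on the constructed sample
  d=$(mktemp -d); make_sample "$d"
  audit_env "$d/.env" CLOUDFLARE_API_KEY CLOUDFLARE_API_TOKEN OMADA_API_KEY; rm -rf "$d"
fi
```

Note that the `.env.*` pattern recommended above also matches a committed `.env.example`, so run `ignored_by` against such a template file too if the repository relies on one.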

