proxmox/docs/04-configuration/COMPLETE_DEPLOYMENT_GUIDE.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


Complete Deployment Guide - Direct Public IP Routing

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


Date: 2026-01-09
Architecture: Cloudflare DNS (DNS Only) → Public IP → ER605 NAT → Nginx → Backend Services
Status: All Scripts Ready


Overview

This guide provides step-by-step instructions to deploy the complete direct public IP routing solution, replacing Cloudflare tunnels with stable NAT-based routing.


Prerequisites

  1. Cloudflare Account Access

    • API Token OR Email + API Key
    • Access to zones: sankofa.nexus, d-bis.org, mim4u.org, defi-oracle.io
  2. ER605 Router Access

    • Omada Controller access OR direct ER605 GUI access
    • Ability to configure NAT rules
  3. Proxmox Access

    • SSH access to Proxmox host (192.168.11.10)
    • Access to VMID 105 (Nginx)
  4. Public IP

    • Single public IP: 76.53.10.35 (from Block #1)

Quick Start (Automated)

Option 1: Run Complete Deployment Script

cd /home/intlc/projects/proxmox
./scripts/deploy-complete-solution.sh

This script orchestrates all steps automatically.

Option 2: Manual Step-by-Step

Follow the steps below for manual execution.


Step-by-Step Deployment

Step 1: Get Cloudflare Zone IDs

Purpose: Identify Zone IDs needed for DNS updates

./scripts/get-cloudflare-zone-ids.sh

Output: Zone IDs for each domain

Action: Add Zone IDs to .env file:

CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=your-zone-id
CLOUDFLARE_ZONE_ID_D_BIS_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_MIM4U_ORG=your-zone-id
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=your-zone-id

Step 2: Update Cloudflare DNS Records

Purpose: Point all domains to the public IP (76.53.10.35) in DNS-only mode

./scripts/update-all-dns-to-public-ip.sh

What it does:

  • Updates 19 DNS records across 4 zones
  • Sets all records to DNS only (gray cloud)
  • Points all to 76.53.10.35

Expected output: Success indicators for each record


Step 3: Verify DNS Resolution

Purpose: Confirm DNS records are resolving correctly

./scripts/verify-dns-resolution.sh

What it does:

  • Tests all 19 domains
  • Verifies they resolve to 76.53.10.35
  • Reports any issues

Note: Wait 1-5 minutes after the DNS update for propagation
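Steps 2 and 3 update and verify the records; as an added drift check (not one of the repo's scripts), the Python below audits a Cloudflare dns_records response for the conditions the troubleshooting section lists: records still proxied (orange cloud) instead of DNS only, records pointing somewhere other than 76.53.10.35, expected names with no record, and names in the zone that the guide does not list. The API response in the block is constructed; the only assumption about Cloudflare is the v4 GET /zones/{zone_id}/dns_records result shape (name, type, content, proxied).

```python
import json

PUBLIC_IP = "76.53.10.35"  # the single public IP used throughout the guide


def audit_records(response_json: str, expected_ip: str, expected_names: set) -> dict:
    """Classify A/CNAME records from one zone against the single-IP, DNS-only design.

    Returns four lists: proxied (must be gray cloud), wrong_target (not an A record
    to expected_ip), missing (expected names with no record) and unexpected
    (records for names the guide does not list, e.g. stale test entries)."""
    records = json.loads(response_json)["result"]
    findings = {"proxied": [], "wrong_target": [], "missing": [], "unexpected": []}
    seen = set()
    for rec in records:
        if rec.get("type") not in ("A", "CNAME"):
            continue  # MX/TXT etc. are not part of the routing design
        name = rec["name"]
        seen.add(name)
        if name not in expected_names:
            findings["unexpected"].append(name)
            continue
        if rec.get("proxied"):  # orange cloud would re-route through Cloudflare
            findings["proxied"].append(name)
        if rec["type"] != "A" or rec["content"] != expected_ip:
            findings["wrong_target"].append((name, rec["type"], rec["content"]))
    findings["missing"] = sorted(expected_names - seen)
    return findings


# Constructed sample response (shape of the Cloudflare v4 dns_records result);
# 203.0.113.7 is a documentation address, not a real target.
SAMPLE_RESPONSE = json.dumps({"result": [
    {"name": "rpc-http-pub.d-bis.org", "type": "A", "content": "76.53.10.35", "proxied": False},
    {"name": "explorer.d-bis.org", "type": "A", "content": "76.53.10.35", "proxied": True},
    {"name": "secure.d-bis.org", "type": "A", "content": "203.0.113.7", "proxied": False},
    {"name": "old-test.d-bis.org", "type": "A", "content": "76.53.10.35", "proxied": False},
    {"name": "d-bis.org", "type": "MX", "content": "mail.example.net", "proxied": False},
]})
# Subset of the guide's d-bis.org names, enough to exercise every finding type.
D_BIS_NAMES = {"rpc-http-pub.d-bis.org", "rpc-ws-pub.d-bis.org",
               "explorer.d-bis.org", "secure.d-bis.org"}


def audit_sample() -> dict:
    return audit_records(SAMPLE_RESPONSE, PUBLIC_IP, D_BIS_NAMES)


if __name__ == "__main__":
    for kind, items in audit_sample().items():
        print(f"{kind}: {items}")
```

To run it against a live zone, fetch the response with `curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?per_page=100"` and pass the body to audit_records with that zone's names from the Complete Domain List.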


Step 4: Configure ER605 NAT Rules

Purpose: Forward public IP traffic to Nginx

./scripts/configure-er605-nat-rules.sh

Output: NAT rule configuration details

Action: Manually configure in Omada Controller or ER605 GUI:

Rule 1: HTTPS (All Services)

Rule Name: Web Services (All Domains)
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35
External Port: 443
Internal IP: 192.168.11.26
Internal Port: 443
Protocol: TCP
Source IP: 0.0.0.0/0

Rule 2: HTTP (Let's Encrypt)

Rule Name: HTTP (Let's Encrypt)
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35
External Port: 80
Internal IP: 192.168.11.26
Internal Port: 80
Protocol: TCP
Source IP: 0.0.0.0/0

Also configure firewall rules:

  • Allow HTTPS (443) from WAN to 192.168.11.26
  • Allow HTTP (80) from WAN to 192.168.11.26

Step 5: Deploy Nginx Configuration

Purpose: Configure Nginx on VMID 105 to route all domains

./scripts/deploy-complete-nginx-config.sh

What it does:

  • Creates complete Nginx configuration
  • Deploys to VMID 105
  • Tests configuration
  • Reloads Nginx

Note: Update placeholder IPs for Phoenix and The Order services


Step 6: Obtain SSL Certificates

Purpose: Get Let's Encrypt certificates for all domains

# Set email for Let's Encrypt
export SSL_EMAIL=your-email@example.com

./scripts/obtain-all-ssl-certificates.sh

What it does:

  • Installs certbot if needed
  • Obtains certificates for all 19 domains
  • Configures Nginx with certificates

Requirements:

  • DNS records must resolve to 76.53.10.35
  • ER605 NAT rules must be configured
  • Port 80 must be accessible from internet

Verification

Test DNS Resolution

./scripts/verify-dns-resolution.sh

Test RPC Endpoints

# Test RPC Public
curl -X POST https://rpc-http-pub.d-bis.org \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
# Expected: {"jsonrpc":"2.0","result":"0x8a","id":1}

# Test ThirdWeb RPC
curl -X POST https://rpc.public-0138.defi-oracle.io \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

Test Web Services

# Test Sankofa
curl -I https://sankofa.nexus

# Test DBIS Secure Portal
curl -I https://secure.d-bis.org

# Test MIM4U
curl -I https://mim4u.org

Troubleshooting

DNS Not Resolving

Symptoms: dig domain.com +short returns nothing or the wrong IP

Solutions:

  1. Wait 1-5 minutes for DNS propagation
  2. Check Cloudflare DNS dashboard - verify records exist
  3. Verify Zone IDs in .env are correct
  4. Check DNS update script output for errors

ER605 NAT Not Working

Symptoms: Services cannot be reached from the internet

Solutions:

  1. Verify NAT rules are enabled
  2. Check firewall rules allow traffic
  3. Test from the internal network: curl -I http://192.168.11.26
  4. Verify public IP is correct (76.53.10.35)

Nginx Not Routing Correctly

Symptoms: 502 Bad Gateway or wrong service

Solutions:

  1. Check Nginx configuration: pct exec 105 -- nginx -t
  2. Check Nginx logs: pct exec 105 -- tail -f /var/log/nginx/error.log
  3. Verify backend services are running
  4. Test backend directly: curl http://192.168.11.130:80

SSL Certificate Issues

Symptoms: Certificate errors or Let's Encrypt validation fails

Solutions:

  1. Verify DNS resolves to 76.53.10.35
  2. Verify port 80 is accessible from the internet (Let's Encrypt HTTP-01 validation uses it)
  3. Check ER605 NAT rule for port 80
  4. Retry certificate acquisition: ./scripts/obtain-all-ssl-certificates.sh

Architecture Summary

Internet
  ↓
Cloudflare DNS (DNS Only - Gray Cloud)
  ↓
76.53.10.35 (Single Public IP)
  ↓
ER605 NAT (Port 443 → 192.168.11.26:443)
  ↓
Nginx on VMID 105 (Hostname-based routing via SNI)
  ↓
Backend Services:
  - RPC Nodes (192.168.11.240, 250, 251, 252)
  - Explorer (192.168.11.140)
  - DBIS (192.168.11.130, 155, 156)
  - MIM4U (192.168.11.19)
  - Sankofa/Phoenix (10.160.0.10, 10.160.0.11)

Complete Domain List

All 19 Domains (Single IP: 76.53.10.35)

  1. sankofa.nexus + www.sankofa.nexus
  2. phoenix.sankofa.nexus + www.phoenix.sankofa.nexus
  3. the-order.sankofa.nexus
  4. rpc.public-0138.defi-oracle.io
  5. rpc-http-pub.d-bis.org
  6. rpc-ws-pub.d-bis.org
  7. rpc-http-prv.d-bis.org
  8. rpc-ws-prv.d-bis.org
  9. explorer.d-bis.org
  10. dbis-admin.d-bis.org
  11. dbis-api.d-bis.org
  12. dbis-api-2.d-bis.org
  13. secure.d-bis.org
  14. mim4u.org + www.mim4u.org
  15. secure.mim4u.org
  16. training.mim4u.org

Scripts Created

  1. update-all-dns-to-public-ip.sh - Updates Cloudflare DNS
  2. get-cloudflare-zone-ids.sh - Gets Zone IDs
  3. verify-dns-resolution.sh - Verifies DNS
  4. configure-er605-nat-rules.sh - Generates NAT config
  5. deploy-complete-nginx-config.sh - Deploys Nginx config
  6. obtain-all-ssl-certificates.sh - Gets SSL certificates
  7. deploy-complete-solution.sh - Orchestrates all steps

  • DNS Update Script Guide: docs/04-configuration/DNS_UPDATE_SCRIPT_GUIDE.md
  • ER605 Router Config: docs/04-configuration/ER605_ROUTER_CONFIGURATION.md
  • Nginx Configurations: docs/04-configuration/NGINX_CONFIGURATIONS_VMIDS_2400-2508.md
  • Network Architecture: docs/02-architecture/NETWORK_ARCHITECTURE.md

Status: All Scripts Ready - Ready to Deploy