proxmox/docs/04-configuration/MASTER_SECRETS.md

Master Secrets Reference

Single authoritative list of all secrets used across the Proxmox workspace and related projects.
No values are stored here. Use root .env, service-specific .env files, or a secrets store (e.g. Vault); see .env.master.example for a single template of all keys.

Last updated: 2026-03-29

---

How to use

• Reference: This file lists every secret name, where it is used, and required/optional.
• Template: Copy .env.master.example to .env (root) or .env.master (local only), fill values, and never commit. Ensure .env and .env.master are in .gitignore.
• Per-project: Many secrets live in project-specific .env (e.g. smom-dbis-138/.env, dbis_core/.env). Root .env is used by scripts in this repo; subprojects use their own .env.

---

1. Proxmox & infrastructure

Secret	Where used	Required	Notes
PROXMOX_ML110, PROXMOX_R630_01, PROXMOX_R630_02	Root .env, config	Yes	Host IPs (can be non-secret)
PROXMOX_HOST, PROXMOX_PORT, PROXMOX_USER	Root .env, scripts	Yes	API target
PROXMOX_TOKEN_NAME, PROXMOX_TOKEN_VALUE	Root .env	Yes (for API)	Or password per host
PROXMOX_PASS_ML110, PROXMOX_PASS_R630_01, PROXMOX_PASS_R630_02	Scripts (if no token)	If no token	SSH/API

---

2. Cloudflare

Secret	Where used	Required	Notes
CLOUDFLARE_API_TOKEN	Root .env	Preferred	Prefer over API_KEY
CLOUDFLARE_EMAIL, CLOUDFLARE_API_KEY	Root .env	If no token	Legacy
CLOUDFLARE_ZONE_ID, CLOUDFLARE_ZONE_ID_*	Root .env	Yes	Per zone
CLOUDFLARE_ACCOUNT_ID	Root .env	Yes	Tunnels / account API
CLOUDFLARE_TUNNEL_TOKEN	Root .env	Yes (tunnels)	cloudflared
CLOUDFLARE_TUNNEL_ID, CLOUDFLARE_TUNNEL_ID_*	Root .env	If using tunnel DNS	Tunnel UUIDs
CLOUDFLARE_ORIGIN_CA_KEY	Root .env	Optional	Origin cert
CLOUDFLARE_TURNSTILE_SECRET_KEY	dbis_core API .env (or merged operator env / xotenv → API process)	Optional	Turnstile widget secret — not DNS API. Enforces cfTurnstileResponse on POST /api/v1/iru/marketplace/inquiries when set (unless IRU_MARKETPLACE_TURNSTILE_DISABLED=1). Aliases: TURNSTILE_SECRET_KEY, CF_TURNSTILE_SECRET_KEY.
VITE_CLOUDFLARE_TURNSTILE_SITE_KEY	dbis_core/frontend build .env	Optional (required if API secret set)	Public Turnstile site key for marketplace inquiry widget. See SANKOFA_MARKETPLACE_SURFACES.md.
NEXT_PUBLIC_CLOUDFLARE_TURNSTILE_SITE_KEY	Sankofa/portal Next.js build (.env.local)	Optional	Same Cloudflare Turnstile site key for portal Sign In gate (home + partner unauthenticated). Rebuild portal after changing.

---

3. NPM / NPMplus

Secret	Where used	Required	Notes
NPM_URL, NPM_EMAIL, NPM_PASSWORD	Root .env	Yes (NPM scripts)	All NPMplus instances
NPM_HOST, NPM_VMID, NPMPLUS_HOST, NPMPLUS_VMID	Root .env	Yes	Config
NPM_URL_MIFOS, NPMPLUS_ALLTRA_HYBX_VMID, IP_NPMPLUS_ALLTRA_HYBX	Root .env	Per setup	Optional

---

4. DNS / TLS (ClouDNS, etc.)

Secret	Where used	Required	Notes
CLOUDNS_AUTH_ID, CLOUDNS_AUTH_PASSWORD	Root .env	If Certbot ClouDNS	NPMplus TLS

---

5. Network / UniFi / Omada

Secret	Where used	Required	Notes
UNIFI_UDM_URL, UNIFI_API_KEY, UNIFI_SITE_ID	Root .env, unifi-api	Yes (if automating)	UDM Pro API
OMADA_API_KEY, OMADA_CLIENT_SECRET	omada-api/.env	If using Omada	Omada Controller

---

6. Gitea

Secret	Where used	Required	Notes
GITEA_URL, GITEA_TOKEN	Root .env	Yes (push/create repos)	push-to-gitea.sh, push-all-projects-to-gitea.sh
GITEA_ORG	Optional override	No	Default d-bis

---

7. Blockchain / SMOM-DBIS-138

Secret	Where used	Required	Notes
PRIVATE_KEY	smom-dbis-138/.env	Yes (deploy/bridge)	Deployer key; move to HSM
RPC_URL_138, RPC_URL_138_PUBLIC	Root/smom-dbis-138 .env, config	Yes	Chain 138 RPC
ETHEREUM_MAINNET_RPC, CHAIN_651940_RPC_URL, etc.	smom-dbis-138/.env	Per use	Other chains
ETHERSCAN_API_KEY	Root, smom-dbis-138	Yes (verification)	Etherscan/Blockscan
Contract addresses (e.g. CCIP_ROUTER, LINK_TOKEN)	smom-dbis-138/.env, config	Yes	See config/contract-addresses.conf

---

8. Database & app auth

Secret	Where used	Required	Notes
DATABASE_URL	Root, dbis_core, OMNIS, explorer, token-aggregation	Yes (per app)	PostgreSQL connection string
JWT_SECRET, JWT_REFRESH_SECRET	OMNIS/backend, explorer, dbis_core	Yes (per service)	Min 32 chars
SESSION_SECRET	Explorer, OMNIS	If sessions	Session signing
ADMIN_CENTRAL_API_KEY	dbis_core, orchestration, token-aggregation	Yes (central API)	Service-to-service
DBIS_CENTRAL_URL	Callers of dbis_core	Yes	API base URL

---

9. Storage (AWS / Azure)

Secret	Where used	Required	Notes
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_S3_BUCKET	Root, OMNIS, the-order	If S3	Storage
AZURE_STORAGE_CONNECTION_STRING, AZURE_STORAGE_CONTAINER	Root, OMNIS	If Azure	Blob storage

---

10. Third-party APIs (price, ramps, exchanges)

Secret	Where used	Required	Notes
COINGECKO_API_KEY	Root, token-aggregation, oracle	Recommended	Price feeds
COINDESK_API_KEY	Root	Optional	Market data
MOONPAY_API_KEY, MOONPAY_SECRET_KEY	Root, metamask-integration	Optional	On/off ramp
RAMP_NETWORK_API_KEY, ONRAMPER_API_KEY	Root, metamask-integration	Optional	Ramps
CRYPTO_COM_API_KEY, CRYPTO_COM_API_SECRET	dbis_core	If OTC	Exchange OTC
BINANCE_API_KEY, BINANCE_API_SECRET	dbis_core	Optional	Ticker/private
KRAKEN_API_KEY, KRAKEN_PRIVATE_KEY	dbis_core	Optional	Same
OANDA_API_KEY, OANDA_ACCOUNT_ID	dbis_core	Optional	Forex
FXCM_API_TOKEN	dbis_core	Optional	Forex
ONEINCH_API_KEY, PARASWAP_API_KEY, ZEROX_API_KEY	alltra-lifi-settlement	Optional	DeFi rate limits

---

11. Frontend / MetaMask / Explorer

Secret	Where used	Required	Notes
VITE_WALLETCONNECT_PROJECT_ID, VITE_THIRDWEB_CLIENT_ID	smom-dbis-138/frontend-dapp	Yes (WalletConnect)	Reown/Thirdweb
VITE_ETHERSCAN_API_KEY, VITE_SENTRY_DSN	Frontends	Optional	Build-time
NEXT_PUBLIC_*	explorer-monorepo/frontend	Per feature	Next.js public env
METAMASK_API_KEY, THIRDWEB_SECRET_KEY	metamask-integration	If integrated	Backend

---

12. Alerts & monitoring

Secret	Where used	Required	Notes
SLACK_WEBHOOK_URL	Root, dbis_core	Optional	Alerts
PAGERDUTY_INTEGRATION_KEY	Root, dbis_core	Optional
EMAIL_ALERT_API_URL, EMAIL_ALERT_RECIPIENTS	Root, dbis_core	Optional
SENTRY_DSN	Various	Optional	Error tracking

---

13. Legal / e-signature / e-filing

Secret	Where used	Required	Notes
E_SIGNATURE_BASE_URL	Root, the-order/legal-documents	Optional	E-signature API
E-filing / court API keys	the-order/legal-documents	If enabled	Per integration

---

14. Mifos / Fineract / OMNL

Secret	Where used	Required	Notes
MIFOS_BASE_URL, MIFOS_TENANT, MIFOS_USER, MIFOS_PASSWORD	Root .env	If central-bank scripts	Fineract API
OMNL_FINERACT_BASE_URL, OMNL_FINERACT_TENANT, OMNL_FINERACT_USER, OMNL_FINERACT_PASSWORD	Root .env, omnl-fineract	If OMNL	OMNL tenant

---

15. Phoenix / Sankofa / OMNIS backend

Secret	Where used	Required	Notes
SANKOFA_PHOENIX_API_URL, SANKOFA_PHOENIX_CLIENT_ID, SANKOFA_PHOENIX_CLIENT_SECRET, SANKOFA_PHOENIX_TENANT_ID	OMNIS/backend	If Phoenix OAuth	OAuth client
Phoenix/Vault app role credentials	.secure/ or Vault	If Phoenix deploy	Phoenix deploy API

---

16. Tezos / Etherlink / Jumper

Secret	Where used	Required	Notes
TEZOS_RELAY_ORACLE_KEY, ETHERLINK_RELAY_BRIDGE, ETHERLINK_RELAY_PRIVATE_KEY	Root, smom-dbis-138	If Tezos bridge	Relay
JUMPER_API_KEY	Root	Optional	Jumper bridge

---

17. Fastly / other CDN

Secret	Where used	Required	Notes
FASTLY_API_TOKEN	Root .env	If using Fastly API	Purge/config

---

18. Proxmox VE API subproject

Secret	Where used	Required	Notes
MONGO_USER, MONGO_PASSWORD, MONGO_IP, MONGO_PORT, MONGO_DATABASE	ProxmoxVE/api/.env	If MongoDB	ProxmoxVE API

---

Security

• Never commit .env, .env.master, or any file containing real secrets.
• Private keys: Prefer HSM/Vault; do not store in repo or committed files.
• Rotation: Rotate API tokens and passwords periodically; document in this repo.
• Scopes: Use least-privilege tokens (e.g. Gitea: write:organization, write:repository).

---

Related docs

• .env.master.example — Single template with all keys (placeholders).
• .env.example — Root .env template with comments.
• MASTER_SECRETS_INVENTORY.md — Detailed inventory and HSM migration plan.
• REQUIRED_SECRETS_INVENTORY.md — Required secrets checklist.
• REMAINING_ITEMS_DOTENV_AND_ACTIONS.md — Where to store secrets and which scripts use them.