d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a41c3adea04c6d405a663e720288dfa4e78a6429
proxmox/docs/02-architecture/DBIS_NODE_ROLE_MATRIX.md
defiQUG 7ac74f432b chore: sync docs, config schemas, scripts, and meta task alignment 
- Institutional / JVMTM / reserve-provenance / GRU transport + standards JSON
- Validation and verify scripts (Blockscout labels, x402, GRU preflight, P1 local path)
- Wormhole wiring in AGENTS, MCP_SETUP, MASTER_INDEX, 04-configuration README
- Meta docs, integration gaps, live verification log, architecture updates
- CI validate-config workflow updates

Operator/LAN items, submodule working trees, and public token-aggregation edge
routes remain follow-up (see TODOS_CONSOLIDATED P1).

Made-with: Cursor
2026-03-31 22:31:39 -07:00

169 lines
20 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# DBIS Node Role Matrix
**Last updated:** 2026-03-29 (UTC) — regenerate machine-derived rows: `bash scripts/docs/generate-dbis-node-role-matrix-md.sh`
**Status:** Active — infrastructure constitution for DBIS Chain 138 and colocated workloads.
## Purpose
This matrix assigns **node type**, **preferred host placement**, **validator/signing role** (for Besu), and **security tier** per workload. It implements the entity-placement model in [dbis_chain_138_technical_master_plan.md](../../dbis_chain_138_technical_master_plan.md) (Sections 67) in a form operators can maintain.
**Canonical pairs (keep in sync):**
- Human detail and status: [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md)
- Machine-readable services: [config/proxmox-operational-template.json](../../config/proxmox-operational-template.json)
When you change VMID, IP, hostname, or placement, update **ALL_VMIDS** and **operational-template.json** first, then regenerate the table below with this script (or edit the static sections manually).
## Columns
| Column | Meaning |
|--------|---------|
| **Entity owner** | DBIS Core, Central Bank, IFI, Regional Operator, etc. — use **TBD** until governance assigns. |
| **Region** | Geographic or site label — **TBD** until multi-site is formalized. |
| **IP note** | Flags duplicate IPv4 entries in the planning template. A duplicate means **shared or historical mapping**, not concurrent ownership — verify live owner in ALL_VMIDS or on-cluster. |
| **Runtime state** | Current disposition from the planning template, e.g. active, placeholder CT only, or retired standby. |
| **Preferred host** | Preferred Proxmox node (`r630-01`, `r630-02`, `ml110`, `any`). This is a planning target, not an assertion of current placement. |
| **Validator / signing** | For Chain 138 Besu: QBFT signer, sentry (no signer), RPC-only, or N/A. |
| **Security tier** | High-level zone: validator-tier, DMZ/RPC, edge ingress, identity/DLT, application, etc. |
## Proxmox hypervisor nodes
| Hostname | MGMT IP | Cluster | Role (summary) |
|----------|---------|---------|------------------|
| ml110 | 192.168.11.10 | h — verify | legacy_cluster_member_or_wan_aggregator |
| r630-01 | 192.168.11.11 | h | primary_compute_chain138_rpc_ccip_relay_sankofa |
| r630-02 | 192.168.11.12 | h | firefly_npmplus_secondary_mim4u_mifos_support |
## Workloads (from operational template)
Machine-derived rows below come from `services[]` in `config/proxmox-operational-template.json`. Duplicate IPv4 notes are warnings that the planning template still contains alternative or legacy ownership for the same address; they must not be read as concurrent live allocations.
| VMID | Hostname | IPv4 | IP note | Node type | Runtime state | Entity owner | Region | Preferred host | Validator / signing | Security tier |
|------|----------|------|---------|-----------|---------------|--------------|--------|----------------|---------------------|---------------|
| — | order-redis-primary | 192.168.11.38 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 100 | proxmox-mail-gateway | 192.168.11.32 | unique in template | Infra LXC | unspecified | TBD | TBD | r630-02 | N/A | management / secrets |
| 101 | proxmox-datacenter-manager | 192.168.11.33 | unique in template | Infra LXC | unspecified | TBD | TBD | r630-02 | N/A | management / secrets |
| 102 | cloudflared | 192.168.11.34 | unique in template | Cloudflare tunnel | unspecified | TBD | TBD | r630-01 | N/A | edge ingress |
| 103 | omada | 192.168.11.30 | unique in template | Infra LXC | unspecified | TBD | TBD | r630-02 | N/A | management / secrets |
| 104 | gitea | 192.168.11.31 | unique in template | Infra LXC | unspecified | TBD | TBD | r630-02 | N/A | management / secrets |
| 105 | nginxproxymanager | 192.168.11.26 | unique in template | Legacy NPM | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 130 | monitoring-1 | 192.168.11.27 | unique in template | Monitoring | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 1000 | besu-validator-1 | 192.168.11.100 | unique in template | Besu validator | unspecified | TBD | TBD | r630-01 | QBFT signer | validator-tier |
| 1001 | besu-validator-2 | 192.168.11.101 | unique in template | Besu validator | unspecified | TBD | TBD | r630-01 | QBFT signer | validator-tier |
| 1002 | besu-validator-3 | 192.168.11.102 | unique in template | Besu validator | unspecified | TBD | TBD | r630-01 | QBFT signer | validator-tier |
| 1003 | besu-validator-4 | 192.168.11.103 | unique in template | Besu validator | unspecified | TBD | TBD | r630-01 | QBFT signer | validator-tier |
| 1004 | besu-validator-5 | 192.168.11.104 | unique in template | Besu validator | unspecified | TBD | TBD | r630-01 | QBFT signer | validator-tier |
| 1500 | besu-sentry-1 | 192.168.11.150 | unique in template | Besu sentry | unspecified | TBD | TBD | r630-01 | Sentry (no signer) | validator-tier |
| 1501 | besu-sentry-2 | 192.168.11.151 | unique in template | Besu sentry | unspecified | TBD | TBD | r630-01 | Sentry (no signer) | validator-tier |
| 1502 | besu-sentry-3 | 192.168.11.152 | unique in template | Besu sentry | unspecified | TBD | TBD | r630-01 | Sentry (no signer) | validator-tier |
| 1503 | besu-sentry-4 | 192.168.11.153 | unique in template | Besu sentry | unspecified | TBD | TBD | r630-01 | Sentry (no signer) | validator-tier |
| 1504 | besu-sentry-ali | 192.168.11.154 | unique in template | Besu sentry | unspecified | TBD | TBD | r630-01 | Sentry (no signer) | validator-tier |
| 1505 | besu-sentry-alltra-1 | 192.168.11.213 | unique in template | Besu sentry | unspecified | TBD | TBD | r630-01 | Sentry (no signer) | validator-tier |
| 1506 | besu-sentry-alltra-2 | 192.168.11.214 | unique in template | Besu sentry | unspecified | TBD | TBD | r630-01 | Sentry (no signer) | validator-tier |
| 1507 | besu-sentry-hybx-1 | 192.168.11.244 | unique in template | Besu sentry | unspecified | TBD | TBD | ml110 | Sentry (no signer) | validator-tier |
| 1508 | besu-sentry-hybx-2 | 192.168.11.245 | unique in template | Besu sentry | unspecified | TBD | TBD | ml110 | Sentry (no signer) | validator-tier |
| 2101 | besu-rpc-core-1 | 192.168.11.211 | unique in template | Besu RPC (rpc_core) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2102 | besu-rpc-core-2 | 192.168.11.212 | unique in template | Besu RPC (rpc_core) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2103 | besu-rpc-core-thirdweb | 192.168.11.217 | unique in template | Besu RPC (rpc_core) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2201 | besu-rpc-public-1 | 192.168.11.221 | unique in template | Besu RPC (rpc_public) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2301 | besu-rpc-private-1 | 192.168.11.232 | unique in template | Besu RPC (rpc_private) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2303 | besu-rpc-ali-0x8a | 192.168.11.233 | unique in template | Besu RPC (rpc_named) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2304 | besu-rpc-ali-0x1 | 192.168.11.234 | unique in template | Besu RPC (rpc_named) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2305 | besu-rpc-luis-0x8a | 192.168.11.235 | unique in template | Besu RPC (rpc_named) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2306 | besu-rpc-luis-0x1 | 192.168.11.236 | unique in template | Besu RPC (rpc_named) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2307 | besu-rpc-putu-0x8a | 192.168.11.237 | unique in template | Besu RPC (rpc_named) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2308 | besu-rpc-putu-0x1 | 192.168.11.238 | unique in template | Besu RPC (rpc_named) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2400 | thirdweb-rpc-1 | 192.168.11.240 | unique in template | Besu RPC (rpc_thirdweb) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2401 | besu-rpc-thirdweb-0x8a-1 | 192.168.11.241 | unique in template | Besu RPC (rpc_thirdweb) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2402 | besu-rpc-thirdweb-0x8a-2 | 192.168.11.242 | unique in template | Besu RPC (rpc_thirdweb) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2403 | besu-rpc-thirdweb-0x8a-3 | 192.168.11.243 | unique in template | Besu RPC (rpc_thirdweb) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2500 | besu-rpc-alltra-1 | 192.168.11.172 | unique in template | Besu RPC (rpc_alltra_hybx) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2501 | besu-rpc-alltra-2 | 192.168.11.173 | unique in template | Besu RPC (rpc_alltra_hybx) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2502 | besu-rpc-alltra-3 | 192.168.11.174 | unique in template | Besu RPC (rpc_alltra_hybx) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2503 | besu-rpc-hybx-1 | 192.168.11.246 | unique in template | Besu RPC (rpc_alltra_hybx) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2504 | besu-rpc-hybx-2 | 192.168.11.247 | unique in template | Besu RPC (rpc_alltra_hybx) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 2505 | besu-rpc-hybx-3 | 192.168.11.248 | unique in template | Besu RPC (rpc_alltra_hybx) | unspecified | TBD | TBD | r630-01 | RPC only | DMZ / RPC exposure |
| 3000 | ml-node-1 | 192.168.11.60 | unique in template | ML node | unspecified | TBD | TBD | ml110 | N/A | standard internal |
| 3001 | ml-node-2 | 192.168.11.61 | unique in template | ML node | unspecified | TBD | TBD | ml110 | N/A | standard internal |
| 3002 | ml-node-3 | 192.168.11.62 | unique in template | ML node | unspecified | TBD | TBD | ml110 | N/A | standard internal |
| 3003 | ml-node-4 | 192.168.11.63 | unique in template | ML node | unspecified | TBD | TBD | ml110 | N/A | standard internal |
| 3500 | oracle-publisher-1 | 192.168.11.29 | unique in template | Oracle publisher | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 3501 | ccip-monitor-1 | 192.168.11.28 | unique in template | CCIP monitor | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 5000 | blockscout-1 | 192.168.11.140 | unique in template | Blockscout | unspecified | TBD | TBD | r630-01 | N/A | standard internal |
| 5010 | tsunamiswap | 192.168.11.91 | unique in template | DeFi | unspecified | TBD | TBD | r630-01 | N/A | standard internal |
| 5200 | cacti-1 | 192.168.11.80 | unique in template | Cacti | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 5201 | cacti-alltra-1 | 192.168.11.177 | unique in template | Cacti | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 5202 | cacti-hybx-1 | 192.168.11.251 | unique in template | Cacti | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 5700 | dev-vm-gitops | 192.168.11.59 | unique in template | Dev | unspecified | TBD | TBD | any | N/A | standard internal |
| 5702 | ai-inf-1 | 192.168.11.82 | unique in template | AI infra | unspecified | TBD | TBD | r630-01 | N/A | standard internal |
| 5705 | ai-inf-2 | 192.168.11.86 | unique in template | AI infra | unspecified | TBD | TBD | r630-01 | N/A | standard internal |
| 5800 | mifos-fineract | 192.168.11.85 | unique in template | Mifos | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 5801 | dapp-smom | 192.168.11.58 | unique in template | DApp | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 6000 | fabric-1 | 192.168.11.65 | unique in template | Fabric | reserved_placeholder_stopped | TBD | TBD | r630-02 | N/A | identity / workflow DLT |
| 6001 | fabric-alltra-1 | 192.168.11.178 | unique in template | Fabric | reserved_placeholder_stopped | TBD | TBD | r630-02 | N/A | identity / workflow DLT |
| 6002 | fabric-hybx-1 | 192.168.11.252 | unique in template | Fabric | reserved_placeholder_stopped | TBD | TBD | r630-02 | N/A | identity / workflow DLT |
| 6200 | firefly-1 | 192.168.11.35 | shared / non-concurrent mapping — verify live owner | FireFly | active_minimal_gateway | TBD | TBD | r630-02 | N/A | identity / workflow DLT |
| 6201 | firefly-ali-1 | 192.168.11.57 | unique in template | FireFly | retired_standby_until_rebuilt | TBD | TBD | r630-02 | N/A | identity / workflow DLT |
| 6400 | indy-1 | 192.168.11.64 | unique in template | Indy | reserved_placeholder_stopped | TBD | TBD | r630-02 | N/A | identity / workflow DLT |
| 6401 | indy-alltra-1 | 192.168.11.179 | unique in template | Indy | reserved_placeholder_stopped | TBD | TBD | r630-02 | N/A | identity / workflow DLT |
| 6402 | indy-hybx-1 | 192.168.11.253 | unique in template | Indy | reserved_placeholder_stopped | TBD | TBD | r630-02 | N/A | identity / workflow DLT |
| 7800 | sankofa-api-1 | 192.168.11.50 | unique in template | Sankofa / Phoenix | unspecified | TBD | TBD | r630-01 | N/A | application |
| 7801 | sankofa-portal-1 | 192.168.11.51 | unique in template | Sankofa / Phoenix | unspecified | TBD | TBD | r630-01 | N/A | application |
| 7802 | sankofa-keycloak-1 | 192.168.11.52 | unique in template | Sankofa / Phoenix | unspecified | TBD | TBD | r630-01 | N/A | application |
| 7803 | sankofa-postgres-1 | 192.168.11.53 | unique in template | Sankofa / Phoenix | unspecified | TBD | TBD | r630-01 | N/A | application |
| 7804 | gov-portals-dev | 192.168.11.54 | unique in template | Sankofa / Phoenix | unspecified | TBD | TBD | r630-01 | N/A | application |
| 7805 | sankofa-studio | 192.168.11.72 | unique in template | Sankofa / Phoenix | unspecified | TBD | TBD | r630-01 | N/A | application |
| 7810 | mim-web-1 | 192.168.11.37 | unique live owner after 2026-03-29 ARP cleanup | MIM4U | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 7811 | mim-api-1 | 192.168.11.36 | shared / non-concurrent mapping — verify live owner | MIM4U | unspecified | TBD | TBD | r630-02 | N/A | standard internal |
| 8640 | vault-phoenix-1 | 192.168.11.200 | unique in template | HashiCorp Vault | unspecified | TBD | TBD | r630-01 | N/A | management / secrets |
| 8641 | vault-phoenix-2 | 192.168.11.215 | unique in template | HashiCorp Vault | unspecified | TBD | TBD | r630-01 | N/A | management / secrets |
| 8642 | vault-phoenix-3 | 192.168.11.202 | unique in template | HashiCorp Vault | unspecified | TBD | TBD | r630-01 | N/A | management / secrets |
| 10030 | order-identity | 192.168.11.40 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10040 | order-intake | 192.168.11.41 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10050 | order-finance | 192.168.11.49 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10060 | order-dataroom | 192.168.11.42 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10070 | order-legal | 192.168.11.87 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10080 | order-eresidency | 192.168.11.43 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10090 | order-portal-public | 192.168.11.36 | shared / non-concurrent mapping — verify live owner | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10091 | order-portal-internal | 192.168.11.35 | shared / non-concurrent mapping — verify live owner | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10092 | order-mcp-legal | 192.168.11.94 | unique live owner after 2026-03-29 ARP cleanup | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10100 | dbis-postgres-primary | 192.168.11.105 | unique in template | DBIS stack | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10101 | dbis-postgres-replica-1 | 192.168.11.106 | unique in template | DBIS stack | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10120 | dbis-redis | 192.168.11.125 | unique in template | DBIS stack | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10130 | dbis-frontend | 192.168.11.130 | unique in template | DBIS stack | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10150 | dbis-api-primary | 192.168.11.155 | unique in template | DBIS stack | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10151 | dbis-api-secondary | 192.168.11.156 | unique in template | DBIS stack | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10200 | order-prometheus | 192.168.11.46 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10201 | order-grafana | 192.168.11.47 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10202 | order-opensearch | 192.168.11.48 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10210 | order-haproxy | 192.168.11.39 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10230 | order-vault | 192.168.11.55 | unique in template | The Order service | unspecified | TBD | TBD | r630-01 | N/A | application |
| 10232 | ct10232 | 192.168.11.56 | unique in template | General CT | unspecified | TBD | TBD | r630-01 | N/A | standard internal |
| 10233 | npmplus-primary | 192.168.11.167 | unique in template | NPMplus ingress | unspecified | TBD | TBD | r630-01 | N/A | edge ingress |
| 10234 | npmplus-secondary | 192.168.11.168 | unique in template | NPMplus ingress | unspecified | TBD | TBD | r630-02 | N/A | edge ingress |
| 10235 | npmplus-alltra-hybx | 192.168.11.169 | unique in template | NPMplus ingress | unspecified | TBD | TBD | r630-02 | N/A | edge ingress |
| 10236 | npmplus-fourth-dev | 192.168.11.170 | unique in template | NPMplus ingress | unspecified | TBD | TBD | r630-02 | N/A | edge ingress |
| 10237 | npmplus-mifos | 192.168.11.171 | unique in template | NPMplus ingress | unspecified | TBD | TBD | r630-02 | N/A | edge ingress |
## Supplementary rows (not in template JSON)
These appear in [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md) but are not modeled as `services[]` entries in `proxmox-operational-template.json`. They are **manual supplements**, not generator-backed source of truth.
| VMID | Hostname | IPv4 | IP note | Node type | Runtime state | Entity owner | Region | Preferred host | Validator / signing | Security tier |
|------|----------|------|---------|-----------|---------------|--------------|--------|----------------|---------------------|---------------|
| 106 | redis-rpc-translator | 192.168.11.110 | manual supplement | RPC translator (Redis) | manual supplement | TBD | TBD | r630-01 (per ALL_VMIDS) | N/A | DMZ / RPC exposure |
| 107 | web3signer-rpc-translator | 192.168.11.111 | manual supplement | RPC translator (Web3Signer) | manual supplement | TBD | TBD | r630-01 | N/A | DMZ / RPC exposure |
| 108 | vault-rpc-translator | 192.168.11.112 | manual supplement | RPC translator (Vault) | manual supplement | TBD | TBD | r630-01 | N/A | management / secrets |
## Host-level services (no VMID)
| Name | Location | Node type | Notes |
|------|----------|-----------|-------|
| CCIP relay | r630-01 host `/opt/smom-dbis-138/services/relay` | Cross-chain relay | Uses RPC (e.g. VMID 2201); see [NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md), [docs/07-ccip/](../07-ccip/). |
## Related
- [dbis_chain_138_technical_master_plan.md](../../dbis_chain_138_technical_master_plan.md)
- [CHAIN138_CANONICAL_NETWORK_ROLES_VALIDATORS_SENTRY_AND_RPC.md](CHAIN138_CANONICAL_NETWORK_ROLES_VALIDATORS_SENTRY_AND_RPC.md)
- [VMID_ALLOCATION_FINAL.md](VMID_ALLOCATION_FINAL.md)
Reference in New Issue View Git Blame Copy Permalink