proxmox/docs/04-configuration/VMID2400_ENV_SECRETS_CHECKLIST.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


VMID 2400 Cloudflare Tunnel - Environment Secrets Checklist

Date: 2025-01-23
Purpose: Complete list of all secrets and environment variables needed for VMID 2400 ThirdWeb RPC Cloudflare tunnel setup


Summary

This document lists all required secrets and environment variables for setting up the Cloudflare tunnel for VMID 2400 (ThirdWeb RPC node) on the defi-oracle.io domain.


Required Secrets for Cloudflare Tunnel Setup

1. Cloudflare Tunnel Token 🔴 CRITICAL

Variable Name: TUNNEL_TOKEN_VMID2400 (or pass directly to script)

Description: Token for the new Cloudflare tunnel to be created for VMID 2400

Status: ⚠️ NEEDS TO BE CREATED

How to Obtain:

  1. Go to: https://one.dash.cloudflare.com/
  2. Navigate to: Zero Trust → Networks → Tunnels
  3. Click: Create a tunnel
  4. Select: Cloudflared
  5. Name: thirdweb-rpc-2400
  6. Copy the token (starts with eyJ...)

Format:

TUNNEL_TOKEN_VMID2400="eyJhIjoi..."

Usage:

  • Passed directly to script: ./scripts/setup-cloudflared-vmid2400.sh <TOKEN>
  • Or set in environment: export TUNNEL_TOKEN_VMID2400="eyJ..."

2. Cloudflare API Token (Optional - for automated DNS/tunnel config)

Variable Name: CLOUDFLARE_API_TOKEN

Description: API token for programmatic Cloudflare API access (to configure DNS records and tunnel routes automatically)

Status: ⚠️ OPTIONAL (can configure manually in dashboard)

How to Obtain:

  1. Go to: https://dash.cloudflare.com/profile/api-tokens
  2. Click: Create Token
  3. Use the Edit zone DNS template OR create a custom token with:
    • Zone → DNS → Edit
    • Account → Cloudflare Tunnel → Edit
  4. Copy the token

Format:

CLOUDFLARE_API_TOKEN="your-api-token-here"

Alternative (Legacy):

CLOUDFLARE_EMAIL="your-email@example.com"
CLOUDFLARE_API_KEY="your-global-api-key"

Usage:

  • For automated DNS record creation
  • For automated tunnel route configuration
  • Not strictly required - can be done manually in dashboard

3. Cloudflare Zone ID (Optional - auto-detected if not set)

Variable Name: CLOUDFLARE_ZONE_ID_DEFI_ORACLE

Description: Zone ID for defi-oracle.io domain (can be auto-detected if API token is provided)

Status: ⚠️ OPTIONAL

How to Obtain:

  1. Go to Cloudflare Dashboard
  2. Select domain: defi-oracle.io
  3. Scroll down in Overview page - Zone ID is shown in right sidebar
  4. Or use API: curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" "https://api.cloudflare.com/client/v4/zones?name=defi-oracle.io"

Format:

CLOUDFLARE_ZONE_ID_DEFI_ORACLE="your-zone-id-here"

4. Cloudflare Account ID (Optional - auto-detected if not set)

Variable Name: CLOUDFLARE_ACCOUNT_ID

Description: Cloudflare Account ID (can be auto-detected if API token is provided)

Status: ⚠️ OPTIONAL

How to Obtain:

  1. Go to Cloudflare Dashboard
  2. Right sidebar shows Account ID
  3. Or use API: curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/accounts

Format:

CLOUDFLARE_ACCOUNT_ID="your-account-id-here"

Optional: ThirdWeb API Key (for chain configuration)

5. ThirdWeb API Key (Optional - for RPC URL configuration)

Variable Name: THIRDWEB_API_KEY

Description: API key for ThirdWeb RPC endpoints (used in chain configuration JSON)

Status: ⚠️ OPTIONAL (for RPC URL configuration in chainlist)

How to Obtain:

  1. Go to: https://thirdweb.com
  2. Sign up or log in
  3. Navigate to Dashboard → Settings → API Keys
  4. Generate API key

Format:

THIRDWEB_API_KEY="your-api-key-here"

Usage:

  • Used in chain configuration: pr-workspace/chains/_data/chains/eip155-138.json
  • URLs: https://defi-oracle-meta.rpc.thirdweb.com/${THIRDWEB_API_KEY}
  • Not required for tunnel setup itself

Complete .env File Template

For VMID 2400 Tunnel Setup Only

File: .env (in project root: /home/intlc/projects/proxmox/.env)

# ============================================
# Cloudflare Configuration for VMID 2400
# ============================================

# Cloudflare Tunnel Token (REQUIRED for VMID 2400 setup)
# Get from: Zero Trust → Networks → Tunnels → Create tunnel
TUNNEL_TOKEN_VMID2400="eyJhIjoi..."

# Cloudflare API Token (OPTIONAL - for automated DNS/tunnel config)
# Get from: https://dash.cloudflare.com/profile/api-tokens
CLOUDFLARE_API_TOKEN="your-api-token-here"

# Cloudflare Zone ID for defi-oracle.io (OPTIONAL - auto-detected)
CLOUDFLARE_ZONE_ID_DEFI_ORACLE="your-zone-id-here"

# Cloudflare Account ID (OPTIONAL - auto-detected)
CLOUDFLARE_ACCOUNT_ID="your-account-id-here"

# Domain for VMID 2400
DOMAIN_DEFI_ORACLE="defi-oracle.io"

# ============================================
# ThirdWeb Configuration (OPTIONAL)
# ============================================

# ThirdWeb API Key (for RPC URL configuration)
THIRDWEB_API_KEY="your-api-key-here"

# ============================================
# Existing Cloudflare Config (if already present)
# ============================================

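# Existing domain (d-bis.org)
DOMAIN="d-bis.org"
CLOUDFLARE_ZONE_ID="existing-zone-id"
# CLOUDFLARE_ACCOUNT_ID is also set above; keep only one entry,
# because the later assignment wins when the file is sourced.
CLOUDFLARE_ACCOUNT_ID="existing-account-id"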

# Existing tunnel token (for pve2 tunnel)
TUNNEL_TOKEN="eyJhIjoi..."

Minimum Required Secrets

For basic tunnel setup (manual DNS/tunnel config in dashboard), you only need:

  1. TUNNEL_TOKEN_VMID2400 - To install cloudflared service on VMID 2400

For automated setup (script configures DNS/tunnel routes), you need:

  1. TUNNEL_TOKEN_VMID2400 - To install cloudflared service
  2. CLOUDFLARE_API_TOKEN - To configure DNS records and tunnel routes via API

Step-by-Step Setup

Option 1: Manual Setup (Minimum Secrets)

  1. Create Tunnel Token:

    • Go to Cloudflare Dashboard → Zero Trust → Networks → Tunnels
    • Create tunnel: thirdweb-rpc-2400
    • Copy token
  2. Run Installation Script:

    ./scripts/setup-cloudflared-vmid2400.sh <TUNNEL_TOKEN>
    
  3. Configure Manually in Dashboard:

    • Configure tunnel route (rpc.public-0138.defi-oracle.io → http://127.0.0.1:8545)
    • Create DNS CNAME record (rpc.public-0138 → <tunnel-id>.cfargotunnel.com)

Required: Only TUNNEL_TOKEN_VMID2400


Option 2: Automated Setup (More Secrets)

  1. Create Tunnel Token (same as above)

  2. Get API Token:

  3. Add to .env:

    TUNNEL_TOKEN_VMID2400="eyJ..."
    CLOUDFLARE_API_TOKEN="your-token"
    DOMAIN_DEFI_ORACLE="defi-oracle.io"
    
  4. Run Scripts (future automation scripts can use these)

Required: TUNNEL_TOKEN_VMID2400 + CLOUDFLARE_API_TOKEN


Security Notes

File Permissions

# Ensure .env file has restrictive permissions
chmod 600 .env

Gitignore

Ensure .env is in .gitignore:

echo ".env" >> .gitignore

Secrets Management

  • Never commit .env file to git
  • Use .env.example for templates (without actual secrets)
  • Rotate API tokens regularly
  • Use different tokens for different purposes
  • Keep tunnel tokens secure (they provide full tunnel access)
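
The checks above (file mode, .gitignore entry) plus the template's placeholder values, combined into one preflight audit. This is an added example, not a script from the project; audit_env, env_value and fail are hypothetical names, and the .env file is read with sed rather than sourced so nothing in it is executed.

```shell
#!/usr/bin/env bash
# Added example: audit a project directory against this checklist.
# audit_env, env_value and fail are hypothetical names, not project scripts.

# Read KEY's last value from a .env file without sourcing (executing) it.
env_value() {  # usage: env_value KEY FILE
  sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d "\"'"
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

audit_env() {  # usage: audit_env PROJECT_DIR; returns the number of findings
  local dir="$1" file="$1/.env" problems=0 token api
  [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }

  # chmod 600 .env  ->  ls must show exactly -rw-------
  [ "$(ls -ld "$file" | cut -c1-10)" = "-rw-------" ] || fail ".env is not mode 600"

  # echo ".env" >> .gitignore  ->  a literal .env line must exist
  grep -qxF ".env" "$dir/.gitignore" 2>/dev/null || fail ".env is not in .gitignore"

  # The tunnel token is the only secret required for the manual setup.
  token="$(env_value TUNNEL_TOKEN_VMID2400 "$file")"
  case "$token" in
    "")    fail "TUNNEL_TOKEN_VMID2400 is missing" ;;
    *...*) fail "TUNNEL_TOKEN_VMID2400 is still the template placeholder" ;;
    eyJ*)  : ;;  # expected prefix
    *)     fail "TUNNEL_TOKEN_VMID2400 does not start with eyJ" ;;
  esac

  # The API token is optional, but a leftover placeholder breaks automation.
  api="$(env_value CLOUDFLARE_API_TOKEN "$file")"
  [ "$api" != "your-api-token-here" ] || fail "CLOUDFLARE_API_TOKEN is still the placeholder"

  return "$problems"
}

# Demo on a constructed project directory (all values are made up).
demo="$(mktemp -d)"
printf '%s\n' 'TUNNEL_TOKEN_VMID2400="eyJhIjoi..."' \
              'CLOUDFLARE_API_TOKEN="your-api-token-here"' > "$demo/.env"
chmod 644 "$demo/.env"
audit_env "$demo" || echo "$? problem(s) found"
rm -rf "$demo"
```

The .gitignore check looks only for the literal `.env` line that the command above appends; broader patterns such as `*.env` are not recognised by it.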

Verification Checklist

After setup, verify:

  • Tunnel token created and copied
  • Cloudflared installed on VMID 2400
  • Tunnel service running on VMID 2400
  • Tunnel route configured in Cloudflare Dashboard
  • DNS CNAME record created
  • DNS record resolves correctly
  • RPC endpoint accessible: https://rpc.public-0138.defi-oracle.io

Quick Reference

| Secret | Required | How to Get | Used For |
|---|---|---|---|
| TUNNEL_TOKEN_VMID2400 | YES | Zero Trust → Tunnels → Create | Install cloudflared service |
| CLOUDFLARE_API_TOKEN | ⚠️ Optional | Profile → API Tokens | Automated DNS/tunnel config |
| CLOUDFLARE_ZONE_ID_DEFI_ORACLE | ⚠️ Optional | Dashboard → Domain → Overview | Auto-detected if token provided |
| CLOUDFLARE_ACCOUNT_ID | ⚠️ Optional | Dashboard → Right sidebar | Auto-detected if token provided |
| THIRDWEB_API_KEY | ⚠️ Optional | ThirdWeb Dashboard → API Keys | Chain configuration JSON |

Next Steps

  1. Create tunnel token in Cloudflare Dashboard
  2. Run installation script with token
  3. Configure tunnel route (manual or automated)
  4. Create DNS record (manual or automated)
  5. Verify setup and test endpoint

Last Updated: 2025-01-23
Status: Documentation Complete - Ready for Setup