proxmox/docs/00-meta/ALL_TASKS_DETAILED_STEPS.md
defiQUG bea1903ac9
Sync all local changes: docs, config, scripts, submodule refs, verification evidence
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-21 15:46:06 -08:00
# All Tasks — Detailed Steps (Single Reference)
**Last Updated:** 2026-02-12
**Purpose:** One place for every task with concrete steps to execute.
**Sources:** NEXT_STEPS_MASTER.md, REMAINING_WORK_DETAILED_STEPS.md, CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md, CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md, TODO_TASK_LIST_MASTER.md, IMPLEMENTATION_CHECKLIST.md.
---
## How to use this document
- **Wave order:** Wave 0 → Wave 1 → Wave 2 → Wave 3 → Ongoing. Within a wave, run tasks in parallel where possible.
- **Blocker:** Each task notes what is required (LAN, PRIVATE_KEY, etc.).
- **References:** Links point to runbooks and scripts; runbooks have the full command set.
### Runner scripts (run in parallel where possible)
| Script | When to use | What it runs |
|--------|-------------|--------------|
| **scripts/run-completable-tasks-from-anywhere.sh** | From dev machine / WSL / CI (no LAN or secrets) | Config validation, on-chain contract check (Chain 138), run-all-validation --skip-genesis, canonical .env output for reconciliation. |
| **scripts/run-operator-tasks-from-lan.sh** | From a host on LAN with NPM_PASSWORD (and optionally PRIVATE_KEY for O-1) | W0-1 (NPMplus RPC fix), W0-3 (NPMplus backup), O-1 (Blockscout verification). Prints next steps for W0-2, W1-*, cron, CR-1, API keys. |
| **scripts/run-wave0-from-lan.sh** | Same as above (subset) | W0-1 + W0-3 only. |
| **scripts/run-all-remaining-tasks.sh** | From project root; set RUN_W02=1 AMOUNT=…, RUN_SECURITY=1, or RUN_VALIDATOR_KEYS=1 to execute | W0-2 (sendCrossChain), W1-1/W1-2 (--apply), W1-19 (validator keys), and prints runbook commands for W2-2 through W3-2, CR-1, API, Paymaster. |
---
## Task index (by category)
| ID | Task | Wave | Blocker |
|----|------|------|---------|
| W0-1 | NPMplus RPC fix (405) | 0 | LAN |
| W0-2 | sendCrossChain (real transfer) | 0 | PRIVATE_KEY, LINK |
| W0-3 | NPMplus backup | 0 | NPM_PASSWORD, LAN |
| CR-1 | Config-ready chains (Gnosis, Celo, Wemix) | — | CCIP support, keys, gas |
| O-1 | Run Blockscout source verification | — | LAN / Blockscout reachable |
| O-2 | Reconcile .env (canonical addresses) | — | CONTRACT_ADDRESSES_REFERENCE |
| O-3 | On-chain contract check (Chain 138) | — | RPC (e.g. VMID 2101) |
| W1-1 | SSH key-based auth; disable password | 1 | Proxmox/SSH |
| W1-2 | Firewall — restrict Proxmox API 8006 | 1 | Proxmox/SSH |
| W1-8 | NPMplus backup run + cron | 1 | NPM_PASSWORD, LAN |
| W1-19 | Secure validator key permissions | 1 | Proxmox host |
| W2-1 | Deploy monitoring stack | 2 | Infra |
| W2-2 | Grafana via Cloudflare; alerts | 2 | W2-1 |
| W2-3 | VLAN enablement | 2 | UDM Pro, Proxmox |
| W2-4 | Phase 3 CCIP Ops/Admin; NAT pools | 2 | CCIP_DEPLOYMENT_SPEC |
| W2-5 | Phase 4 sovereign tenant VLANs | 2 | Runbook |
| W2-7 | DBIS / Hyperledger services | 2 | Runbooks |
| W3-1 | CCIP Fleet (commit/execute/RMN) | 3 | W2-4 |
| W3-2 | Phase 4 tenant isolation enforcement | 3 | W2-5 |
| Cron-1 | NPMplus backup cron | — | Target host |
| Cron-2 | Daily/weekly checks cron | — | Target host |
| API | API keys — obtain and set | — | Sign-up |
| Paymaster | Deploy Paymaster (optional) | — | smom-dbis-138, RPC |
---
## W0 — Gates (do first when credentials allow)
### W0-1: NPMplus RPC fix (405)
**Blocker:** Host on LAN (e.g. 192.168.11.x).
**Steps:**
1. From a machine on LAN: `cd /path/to/proxmox`.
2. Option A — Full Wave 0: `bash scripts/run-wave0-from-lan.sh` (use `--skip-backup` for RPC only).
3. Option B — RPC only: `bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`.
4. Verify: `bash scripts/verify/verify-end-to-end-routing.sh` — RPC domains should pass.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W0-1.
---
### W0-2: sendCrossChain (real)
**Blocker:** `PRIVATE_KEY` and LINK approved in `.env`; bridge `0x971cD9D156f193df8051E48043C476e53ECd4693`.
**Steps:**
1. Ensure `smom-dbis-138/.env` has `PRIVATE_KEY` and LINK (or fee token) approved for bridge.
2. Run: `bash scripts/bridge/run-send-cross-chain.sh <amount> [recipient]` (omit `--dry-run`).
3. Confirm tx on chain and destination.
**Ref:** scripts/README.md §8, REMAINING_WORK_DETAILED_STEPS.md § W0-2.
---
### W0-3: NPMplus backup
**Blocker:** `NPM_PASSWORD` in `.env`; NPMplus API reachable (LAN).
**Steps:**
1. Set `NPM_PASSWORD` (and optionally `NPM_HOST`) in `.env`.
2. From host that can reach NPMplus: `bash scripts/verify/backup-npmplus.sh`.
3. Or: `bash scripts/run-wave0-from-lan.sh` (includes backup).
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W0-3.
---
## CR — Config-ready chains (Gnosis, Celo, Wemix)
**Blocker:** CCIP support per chain (verify at https://docs.chain.link/ccip/supported-networks); deployer key with gas on each chain; Chain 138 RPC and `CHAIN138_SELECTOR`.
**Steps:**
1. **Verify CCIP:** Confirm Gnosis, Celo, Wemix in Chainlink CCIP supported networks.
2. **Deploy bridges (per chain):** From `smom-dbis-138/`: set `RPC_URL`, `CCIP_ROUTER_ADDRESS`, `LINK_TOKEN_ADDRESS`, `WETH9_ADDRESS`, `WETH10_ADDRESS`, `PRIVATE_KEY` for that chain; run:
```bash
forge script script/deploy/bridge/DeployWETHBridges.s.sol:DeployWETHBridges --rpc-url "$RPC_URL" --broadcast -vvvv
```
Record deployed bridge addresses.
3. **Env:** Copy `smom-dbis-138/docs/deployment/ENV_CONFIG_READY_CHAINS.example` into `smom-dbis-138/.env`; set `CCIPWETH9_BRIDGE_GNOSIS`, `CCIPWETH10_BRIDGE_GNOSIS`, same for Celo/Wemix; set `CHAIN138_SELECTOR` (decimal).
4. **Configure destinations:** `cd smom-dbis-138 && ./scripts/deployment/complete-config-ready-chains.sh` (use `DRY_RUN=1` first).
5. **Fund LINK:** Send ~10 LINK per bridge on Gnosis, Celo, Wemix to each bridge address.
**Ref:** [CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md](../07-ccip/CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md), ENV_CONFIG_READY_CHAINS.example.
---
## O — Operator / contract (any time)
### O-1: Blockscout source verification
**Blocker:** Host that can reach Blockscout (e.g. LAN to 192.168.11.140:4000).
**Steps:**
1. `source smom-dbis-138/.env 2>/dev/null`
2. `./scripts/verify/run-contract-verification-with-proxy.sh`
3. Optionally retry single contract: `--only ContractName`
**Ref:** CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md § Operator action.
---
### O-2: Reconcile .env (canonical addresses)
**Blocker:** None (edit only).
**Steps:**
1. Open [CONTRACT_ADDRESSES_REFERENCE § Canonical source of truth](../11-references/CONTRACT_ADDRESSES_REFERENCE.md).
2. Ensure `smom-dbis-138/.env` has one entry per variable; remove duplicates; align values with the canonical table.
**Ref:** CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md.
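The duplicate-removal and alignment check in O-2, as an added shell example (this is not the project's own tooling): it reports keys defined more than once, keys whose repeated definitions disagree, and any canonical `KEY=VALUE` whose effective value in `.env` is missing or different. The canonical list is assumed to have been copied out of CONTRACT_ADDRESSES_REFERENCE into a plain `KEY=VALUE` file; the variable names and addresses used in the demo data are constructed.

```bash
#!/usr/bin/env bash
# Added example; not the project's own tooling. Finds duplicate and
# conflicting definitions in an .env file and compares the effective values
# with a canonical KEY=VALUE list (the check O-2 asks for).
#
# Parsing rules (assumptions): "KEY=VALUE" or "export KEY=VALUE", one per
# line; comments and blank lines ignored; the LAST definition of a key is
# the one a shell `source` leaves in effect.

# env_duplicates <file> -> "KEY=N" for every key defined more than once
env_duplicates() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      line = $0; sub(/^[[:space:]]*(export[[:space:]]+)?/, "", line)
      i = index(line, "="); if (i == 0) next
      key = substr(line, 1, i - 1); sub(/[[:space:]]+$/, "", key)
      n[key]++
    }
    END { for (k in n) if (n[k] > 1) print k "=" n[k] }
  ' "$1" | sort
}

# env_conflicts <file> -> keys whose repeated definitions carry DIFFERENT
# values (the dangerous case: the last line silently wins)
env_conflicts() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      line = $0; sub(/^[[:space:]]*(export[[:space:]]+)?/, "", line)
      i = index(line, "="); if (i == 0) next
      key = substr(line, 1, i - 1); sub(/[[:space:]]+$/, "", key)
      val = substr(line, i + 1)
      if ((key in seen) && seen[key] != val) conflict[key] = 1
      seen[key] = val
    }
    END { for (k in conflict) print k }
  ' "$1" | sort
}

# env_effective <file> <KEY> -> value set by the last definition (empty if none)
env_effective() {
  awk -v want="$2" '
    /^[[:space:]]*(#|$)/ { next }
    {
      line = $0; sub(/^[[:space:]]*(export[[:space:]]+)?/, "", line)
      i = index(line, "="); if (i == 0) next
      key = substr(line, 1, i - 1); sub(/[[:space:]]+$/, "", key)
      if (key == want) val = substr(line, i + 1)
    }
    END { print val }
  ' "$1"
}

# env_check_canonical <envfile> <canonical-file> -> 0 when every canonical
# KEY=VALUE matches the effective value in envfile; prints MISSING/MISMATCH
env_check_canonical() {
  local envfile="$1" canon="$2" rc=0 line key want have
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}; want=${line#*=}
    have=$(env_effective "$envfile" "$key")
    if [ -z "$have" ]; then echo "MISSING  $key"; rc=1
    elif [ "$have" != "$want" ]; then echo "MISMATCH $key: env=$have canonical=$want"; rc=1
    else echo "OK       $key"; fi
  done < "$canon"
  return $rc
}

# stand-alone usage: bash env-reconcile-check.sh smom-dbis-138/.env canonical.env
if [ "${2:-}" ]; then
  echo "== duplicates"; env_duplicates "$1"
  echo "== conflicts";  env_conflicts "$1"
  echo "== canonical";  env_check_canonical "$1" "$2"
fi
```

A plain duplicate with the same value is only noise; a conflicting duplicate is the real defect, because whichever line is sourced last wins without any warning, so treat `env_conflicts` output as a must-fix before running anything that signs transactions.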
---
### O-3: On-chain contract check (Chain 138)
**Blocker:** RPC reachable — set `RPC_URL_138` (e.g. `http://192.168.11.211:8545` or `https://rpc-core.d-bis.org`).
**Steps:**
1. From repo root: `./scripts/verify/check-contracts-on-chain-138.sh` (uses `RPC_URL_138`)
2. Or pass URL: `./scripts/verify/check-contracts-on-chain-138.sh $RPC_URL_138`
3. Fix any MISS: deploy or correct address in docs/.env.
**Ref:** CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md § Part 2.
---
## W1 — Operator / security / cron
### W1-1: SSH key-based auth; disable password
**Blocker:** Proxmox/SSH access; break-glass method in place.
**Steps:**
1. Deploy SSH public key(s): `ssh-copy-id root@<host>`.
2. Test: `ssh root@<host>` (no password).
3. Dry-run: `bash scripts/security/setup-ssh-key-auth.sh --dry-run`.
4. Apply: `bash scripts/security/setup-ssh-key-auth.sh --apply`.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W1-1, OPERATIONAL_RUNBOOKS § Access Control.
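A verification step for W1-1, as an added shell example (not the project's `setup-ssh-key-auth.sh`): it reads an `sshd_config` and reports whether password logins are actually off. The point it demonstrates is that sshd takes the first value it sees for each keyword, so an appended `PasswordAuthentication no` changes nothing if an earlier line says `yes`; the checker mirrors that rule and also covers the keyboard-interactive (PAM) path, which is a second way to type a password. The config contents in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example, not the project's scripts/security/setup-ssh-key-auth.sh:
# verify that an sshd_config really leaves password logins disabled.
# sshd uses the FIRST occurrence of a keyword in the global section; a later
# duplicate is ignored. Match blocks are skipped here (they scope exceptions).

# sshd_effective <config-file> <Keyword> -> first global value, lowercased
# (empty when the keyword is not set)
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
    tolower($1) == "match" { exit }                 # global section ends here
    tolower($1) == key { print tolower($2); exit }  # first occurrence wins
  ' "$1"
}

# check_sshd_config <config-file> -> 0 if key-only auth is enforced, 1 otherwise
check_sshd_config() {
  local cfg="$1" rc=0 v

  v=$(sshd_effective "$cfg" PasswordAuthentication)
  if [ "${v:-yes}" = "no" ]; then echo "OK   PasswordAuthentication no"
  else echo "FAIL PasswordAuthentication ${v:-unset (default yes)}"; rc=1; fi

  v=$(sshd_effective "$cfg" PubkeyAuthentication)
  if [ "${v:-yes}" = "yes" ]; then echo "OK   PubkeyAuthentication yes"
  else echo "FAIL PubkeyAuthentication $v"; rc=1; fi

  # keyboard-interactive (PAM) is a second password prompt; older OpenSSH
  # spells the keyword ChallengeResponseAuthentication
  v=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
  [ -n "$v" ] || v=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
  if [ "${v:-yes}" = "no" ]; then echo "OK   KbdInteractiveAuthentication no"
  else echo "FAIL KbdInteractiveAuthentication ${v:-unset (default yes)}"; rc=1; fi

  # root still logs in (the runbook uses ssh root@<host>), but with a key only
  v=$(sshd_effective "$cfg" PermitRootLogin)
  case "${v:-prohibit-password}" in
    prohibit-password|without-password|no)
      echo "OK   PermitRootLogin ${v:-unset (default prohibit-password)}" ;;
    *) echo "FAIL PermitRootLogin $v"; rc=1 ;;
  esac
  return $rc
}

# stand-alone usage: bash check-sshd.sh /etc/ssh/sshd_config
if [ "${1:-}" ]; then check_sshd_config "$1"; fi
```

Run it once before `--apply` to see the baseline and once after to confirm the result, from a session other than the one you keep open as the break-glass path; a second terminal that is already logged in survives an sshd restart and lets you revert if key login turns out not to work.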
---
### W1-2: Firewall — restrict Proxmox API 8006
**Blocker:** Proxmox host or SSH from admin network.
**Steps:**
1. Decide allowed CIDR(s) for Proxmox API.
2. Dry-run: `bash scripts/security/firewall-proxmox-8006.sh --dry-run [CIDR]`.
3. Apply: `bash scripts/security/firewall-proxmox-8006.sh --apply [CIDR]`.
4. Verify: https://<proxmox>:8006 is reachable only from the allowed CIDR(s) and times out or is refused from elsewhere.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W1-2.
---
### W1-8: NPMplus backup run + cron
**Steps (one-time run):**
1. With `NPM_PASSWORD` set: `bash scripts/verify/backup-npmplus.sh`.
2. Full automated backup: `bash scripts/backup/automated-backup.sh [--with-npmplus]`.
**Cron:** See **Cron-1** and **Cron-2** below.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W1-8, Crontab installs.
---
### W1-19: Secure validator key permissions
**Blocker:** Run on Proxmox host (or SSH from LAN).
**Steps:**
1. SSH to each host that runs validators (e.g. VMIDs 1000–1004).
2. Dry-run: `bash scripts/secure-validator-keys.sh --dry-run`.
3. Apply: `bash scripts/secure-validator-keys.sh`.
4. Confirm Besu still starts: `pct exec <vmid> -- systemctl status besu`.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W1-19.
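A check for W1-19, as an added shell example (not the project's `secure-validator-keys.sh`): it walks a validator key directory and lists every file or directory that group or other can still read, write or traverse, so the dry-run and the post-apply state can be compared. The directory layout and file names in the demo are constructed; on a host point it at the directory holding the Besu node key.

```bash
#!/usr/bin/env bash
# Added example, not the project's scripts/secure-validator-keys.sh: report
# key material under a validator data directory that is still readable,
# writable or executable by group/other, plus directories others can enter.
# Paths in the demo are constructed.

# Shared find predicate: any group/other permission bit set
loose_bits=( \( -perm -g+r -o -perm -g+w -o -perm -g+x \
              -o -perm -o+r -o -perm -o+w -o -perm -o+x \) )

# loose_key_files <dir> -> regular files under dir with any g/o bit set
loose_key_files() {
  find "$1" -type f "${loose_bits[@]}" -print | sort
}

# loose_key_dirs <dir> -> dir itself and subdirectories with any g/o bit set
loose_key_dirs() {
  find "$1" -type d "${loose_bits[@]}" -print | sort
}

# check_key_dir <dir> -> 0 when the tree is owner-only (dirs 700, files 600/400),
# 1 otherwise; prints each finding with its current mode string
check_key_dir() {
  local dir="$1" rc=0 f
  [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    echo "LOOSE $(ls -ld "$f" | awk '{print $1}') $f"; rc=1
  done <<EOF
$(loose_key_dirs "$dir")
$(loose_key_files "$dir")
EOF
  [ $rc -eq 0 ] && echo "OK owner-only: $dir"
  return $rc
}

# A typical remediation (assumption; the project's script may do more):
#   chmod 700 "$dir" && find "$dir" -type f -exec chmod 600 {} +
# then confirm the service still starts: pct exec <vmid> -- systemctl status besu

# stand-alone usage: bash check-validator-keys.sh /path/to/besu/keys
if [ "${1:-}" ]; then check_key_dir "$1"; fi
```

Stray copies such as `key.bak` or an editor backup are the usual reason a directory fails after the key file itself was fixed, which is why the check covers every regular file in the tree rather than a fixed file name; ownership is deliberately not checked here because the runbook does not state which account Besu runs as.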
---
## Cron installs (on target host)
### Cron-1: NPMplus backup cron
**Steps:**
1. On host: `cd /path/to/proxmox`.
2. Show: `bash scripts/maintenance/schedule-npmplus-backup-cron.sh --show`.
3. Install: `bash scripts/maintenance/schedule-npmplus-backup-cron.sh --install`.
4. Default: daily 03:00; log: `logs/npmplus-backup.log`.
---
### Cron-2: Daily/weekly checks cron
**Steps:**
1. On host: `cd /path/to/proxmox`.
2. Show: `bash scripts/maintenance/schedule-daily-weekly-cron.sh --show`.
3. Install: `bash scripts/maintenance/schedule-daily-weekly-cron.sh --install`.
4. Defaults: daily 08:00 (explorer sync, RPC 2201); weekly Sunday 09:00 (Config API).
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § Crontab installs.
---
## W2 — Infra / deploy
### W2-1: Deploy monitoring stack
**Steps:**
1. Use configs: `smom-dbis-138/monitoring/`, `scripts/monitoring/`.
2. Run or adapt: `scripts/deployment/phase2-observability.sh` (or manual per runbook).
3. Ensure Prometheus scrapes Besu 9545; add targets from `export-prometheus-targets.sh` if used.
**Ref:** OPERATIONAL_RUNBOOKS § Phase 2, REMAINING_WORK_DETAILED_STEPS.md § W2-1.
---
### W2-2: Grafana via Cloudflare Access; alerts
**Steps:**
1. After W2-1, publish Grafana via Cloudflare Access (or chosen ingress).
2. Configure Alertmanager routes in `alertmanager/alertmanager.yml`.
3. Test alert routing.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-2.
---
### W2-3: VLAN enablement (UDM Pro + Proxmox)
**Steps:**
1. Configure sovereign VLANs on UDM Pro (e.g. 200–203).
2. Enable VLAN-aware bridge on Proxmox; attach VMs/containers to VLANs.
3. Migrate services per [NETWORK_ARCHITECTURE](../02-architecture/NETWORK_ARCHITECTURE.md) §3–5 and UDM_PRO_VLAN_* docs.
4. Verify connectivity and firewall.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-3.
---
### W2-4: Phase 3 CCIP — Ops/Admin; NAT pools
**Steps:**
1. Run: `bash scripts/ccip/ccip-deploy-checklist.sh` (validates env, prints order).
2. Deploy CCIP Ops/Admin (VMIDs 5400, 5401) per [CCIP_DEPLOYMENT_SPEC](../07-ccip/CCIP_DEPLOYMENT_SPEC.md).
3. Configure NAT pools on ER605 (Blocks #2–4 for commit/execute/RMN).
4. Expand commit/execute/RMN scripts for full fleet (for Wave 3).
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-4.
---
### W2-5: Phase 4 — Sovereign tenant VLANs
**Steps:**
1. Show steps: `bash scripts/deployment/phase4-sovereign-tenants.sh --show-steps`.
2. Dry-run: `bash scripts/deployment/phase4-sovereign-tenants.sh --dry-run`.
3. Execute manual steps: OPERATIONAL_RUNBOOKS § Phase 4; UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.
4. (1) UDM Pro VLANs 200–203, (2) Proxmox VLAN-aware bridge, (3) migrate tenant containers, (4) access control, (5) Block #6 egress NAT and verify.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-5.
---
### W2-7: DBIS / Hyperledger services
**Steps:**
1. Follow deployment runbooks for DBIS VMIDs (10100–10151).
2. Start/configure Hyperledger (Firefly etc.) per [MISSING_CONTAINERS_LIST](../03-deployment/MISSING_CONTAINERS_LIST.md).
3. Parallelize by host where possible.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-7.
---
## W3 — After W2
### W3-1: CCIP Fleet (16 commit, 16 execute, 7 RMN)
**Depends on:** W2-4.
**Steps:**
1. Deploy 16 commit nodes: VMIDs 5410–5425.
2. Deploy 16 execute nodes: VMIDs 5440–5455.
3. Deploy 7 RMN nodes: VMIDs 5470–5476.
4. Use scripts/runbooks from W2-4; spec: [CCIP_DEPLOYMENT_SPEC](../07-ccip/CCIP_DEPLOYMENT_SPEC.md).
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W3-1.
---
### W3-2: Phase 4 tenant isolation enforcement
**Depends on:** W2-3 / W2-5.
**Steps:**
1. Apply firewall rules and ACLs for east-west denial between tenants.
2. Verify tenant isolation and egress NAT (Block #6).
3. Document exceptions and review periodically.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W3-2.
---
## API keys
**Steps:**
1. Open [reports/API_KEYS_REQUIRED.md](../../reports/API_KEYS_REQUIRED.md).
2. Obtain each key (sign-up URLs in report); set in root and subproject `.env`.
3. Restart services that use those vars.
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § API Keys & Secrets.
---
## Paymaster (optional)
**Blocker:** smom-dbis-138 contract sources; Chain 138 RPC.
**Steps:**
1. From `smom-dbis-138/`: `forge script script/smart-accounts/DeployPaymaster.s.sol --rpc-url $RPC_URL_138 --broadcast`.
2. See [SMART_ACCOUNTS_DEPLOYMENT_NOTE](../../metamask-integration/docs/SMART_ACCOUNTS_DEPLOYMENT_NOTE.md).
**Ref:** TODO_TASK_LIST_MASTER §2.
---
## Ongoing (no wave)
| ID | Task | Frequency | Steps |
|----|------|-----------|--------|
| O-1 | Monitor explorer sync | Daily | Cron or `bash scripts/maintenance/daily-weekly-checks.sh daily` |
| O-2 | Monitor RPC 2201 | Daily | Same script |
| O-3 | Config API uptime | Weekly | `daily-weekly-checks.sh weekly` |
| O-4 | Review explorer logs | Weekly | e.g. `ssh root@<host> journalctl -u blockscout -n 200` |
| O-5 | Update token list | As needed | Update token-list.json / explorer config |
**Ref:** REMAINING_WORK_DETAILED_STEPS.md § Ongoing.
---
## Validation commands (re-run anytime)
| Check | Command |
|-------|---------|
| All validation | `bash scripts/verify/run-all-validation.sh [--skip-genesis]` |
| Full verification | `bash scripts/verify/run-full-verification.sh` |
| E2E routing | `bash scripts/verify/verify-end-to-end-routing.sh` |
| Config files | `bash scripts/validation/validate-config-files.sh` |
| Genesis | `bash smom-dbis-138/scripts/validation/validate-genesis.sh` |
| Wave 0 dry-run | `bash scripts/run-wave0-from-lan.sh --dry-run` |
---
## Deferred / backlog (no steps here)
- **W1-3, W1-4:** smom security audits (VLT-024, ISO-024); bridge integrations (BRG-VLT, BRG-ISO) — smom backlog.
- **W1-14:** dbis_core ~1186 TypeScript errors — fix by module; `npx prisma generate`; explicit types.
- **W1-15 to W1-17:** smom placeholders (canonical env-only, AlltraAdapter fee, smart accounts, quote Fabric 999, .bak deprecation) — see PLACEHOLDERS_AND_*.
- **Improvements 1–139:** [ALL_IMPROVEMENTS_AND_GAPS_INDEX.md](../ALL_IMPROVEMENTS_AND_GAPS_INDEX.md) by cohort.
---
## Related documents
- [NEXT_STEPS_MASTER.md](NEXT_STEPS_MASTER.md) — Master list and phases
- [REMAINING_WORK_DETAILED_STEPS.md](REMAINING_WORK_DETAILED_STEPS.md) — Wave 0–3 and “can do now”
- [CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md](../11-references/CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md) — Contract operator actions
- [CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md](../07-ccip/CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md) — Gnosis, Celo, Wemix
- [TODO_TASK_LIST_MASTER.md](TODO_TASK_LIST_MASTER.md) — Full checklist and improvements index
- [OPERATIONAL_RUNBOOKS.md](../03-deployment/OPERATIONAL_RUNBOOKS.md) — Phase 2–4 runbooks