docs: Add Vaultwarden, LuckPerms MySQL, and Cloudflare proxy configurations

- Vaultwarden SMTP configured and tested
- Holly and Meg invited to Vaultwarden
- Firefrost Gaming organization created
- LuckPerms MySQL database ready (credentials stored in Vaultwarden)
- 11 web services added to Cloudflare proxy for DDoS protection
- vault.firefrostgaming.com SSL warning resolved
- Comprehensive troubleshooting guides included

All services documented and operational. Ready for Holly's mod deployment.
This commit is contained in:
Claude
2026-03-27 02:23:33 +00:00
parent 665afa11c8
commit 43b8d3b01b
3 changed files with 1211 additions and 0 deletions


@@ -0,0 +1,413 @@
# Cloudflare Proxy Configuration
**Domain:** firefrostgaming.com
**Cloudflare Account:** [Account details]
**Last Updated:** 2026-03-27
---
## SSL/TLS Configuration
**Encryption Mode:** Full (strict)
**Benefits:**
- End-to-end encryption (browser ↔ Cloudflare ↔ origin server)
- Origin server SSL certificates validated
- Maximum security posture
**Requirements:**
- Origin servers must have valid SSL certificates
- Certificates must match the subdomain
- Can use Cloudflare Origin Certificates (15-year validity)
---
## Proxied Subdomains (Orange Cloud ☁️)
### Web Services (15 total)
All public-facing web services route through Cloudflare proxy for DDoS protection, SSL management, and performance:
1. **firefrostgaming.com** (64.50.188.14 - Ghost VPS)
- Main website
- Ghost CMS
2. **www.firefrostgaming.com** (CNAME → firefrostgaming.com)
- WWW subdomain
- Cloudflare Origin Certificate required
3. **billing.firefrostgaming.com** (38.68.14.188 - Billing VPS)
- Paymenter billing portal
- Public customer access
4. **code.firefrostgaming.com** (74.63.218.202)
- Code-Server web IDE
- Staff/developer access
- **Added to proxy:** 2026-03-27
5. **codex.firefrostgaming.com** (38.68.14.26 - TX1)
- Dify RAG system
- AI knowledge base
- **Added to proxy:** 2026-03-27
6. **docs.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
- Nextcloud file storage
- **Added to proxy:** 2026-03-27
7. **git.firefrostgaming.com** (63.143.34.217 - Command Center)
- Gitea code repository
- **Added to proxy:** 2026-03-27
8. **n8n.firefrostgaming.com** (38.68.14.26 - TX1)
- n8n workflow automation
- **Added to proxy:** 2026-03-27
9. **pokerole.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
- Wiki.js (Pokérole TTRPG wiki)
- Public wiki access
- **Added to proxy:** 2026-03-27
10. **staff.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
- Wiki.js (staff wiki)
- Internal documentation
- **Added to proxy:** 2026-03-27
11. **status.firefrostgaming.com** (63.143.34.217 - Command Center)
- Uptime Kuma status page
- **Added to proxy:** 2026-03-27
12. **subscribers.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
- Wiki.js (subscriber wiki)
- Member-only content
- **Added to proxy:** 2026-03-27
13. **tasks.firefrostgaming.com** (38.68.14.26 - TX1)
- Plane project management
- **Added to proxy:** 2026-03-27
14. **vault.firefrostgaming.com** (63.143.34.217 - Command Center)
- Vaultwarden password manager
- **Added to proxy:** 2026-03-27
- **Fixed:** SSL certificate warning resolved
15. **webmail.firefrostgaming.com** (38.68.14.188 - Billing VPS)
- Mailcow webmail interface
- **Added to proxy:** 2026-03-27
---
## DNS-Only Subdomains (Gray Cloud ☁️)
### Email Services (MUST be DNS-only)
1. **mail.firefrostgaming.com** (38.68.14.188 - Billing VPS)
- Mailcow email server
- SMTP/IMAP/POP3 protocols
- **Must NOT be proxied** - email protocols require direct connection
2. **autoconfig.firefrostgaming.com** (CNAME → mail.firefrostgaming.com)
- Thunderbird auto-configuration
- Email client setup
3. **autodiscover.firefrostgaming.com** (CNAME → mail.firefrostgaming.com)
- Outlook auto-discovery
- Email client setup
### Infrastructure Services
1. **panel.firefrostgaming.com** (45.94.168.138 - Panel VPS)
- Pterodactyl Panel
- **Must NOT be proxied** - Wings nodes connect directly
- WebSocket connections for real-time console
- Large file transfers (game server files)
2. **downloads.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
- Large file downloads (modpacks >100MB)
- **Must NOT be proxied** - Cloudflare has file size limits
- Direct download is faster and cheaper
3. **us.nc1.firefrostgaming.com** (216.239.104.130 - NC1 Charlotte)
- Direct server access
- Infrastructure endpoint
4. **us.tx1.firefrostgaming.com** (38.68.14.26 - TX1 Dallas)
- Direct server access
- Infrastructure endpoint
### Game Servers (24 subdomains - all DNS-only)
**All Minecraft servers MUST be DNS-only:**
- Game protocols require direct UDP/TCP connections
- Cloudflare proxy doesn't support Minecraft protocol
- SRV records require direct DNS resolution
**TX1 Dallas Servers:**
- allthemons.firefrostgaming.com (38.68.14.30)
- foundry.firefrostgaming.com (38.68.14.26)
- rad2.firefrostgaming.com (38.68.14.26)
- stoneblock4.firefrostgaming.com (38.68.14.26)
- vanilla.firefrostgaming.com (38.68.14.26)
- createplus.firefrostgaming.com (38.68.14.26)
- arseclectica.firefrostgaming.com (38.68.14.26)
**NC1 Charlotte Servers:**
- reclamation.firefrostgaming.com (38.68.14.27)
- society.firefrostgaming.com (38.68.14.28)
- emberproject.firefrostgaming.com (216.239.104.130)
- minecolonies.firefrostgaming.com (216.239.104.130)
- homestead.firefrostgaming.com (216.239.104.130)
- emcsubterratech.firefrostgaming.com (216.239.104.130)
- atm10.firefrostgaming.com (216.239.104.130)
- atm10tts.firefrostgaming.com (216.239.104.130)
- atmons.firefrostgaming.com (216.239.104.130)
- aocc.firefrostgaming.com (216.239.104.130)
- hytale.firefrostgaming.com (216.239.104.130)
- mayview.firefrostgaming.com (216.239.104.130)
- mythcraft5.firefrostgaming.com (216.239.104.130)
- vanilla121.firefrostgaming.com (38.68.14.29)
---
## Benefits of Cloudflare Proxy
### Security
1. **DDoS Protection**
- Absorbs attacks before they reach origin servers
- Unmetered DDoS mitigation
- Protects against Layer 3, 4, and 7 attacks
2. **IP Address Hiding**
- Origin server IPs hidden from public
- Prevents direct attacks on infrastructure
- Reduces server reconnaissance
3. **SSL/TLS Management**
- Cloudflare manages certificates to browsers
- Automatic renewal
- Modern cipher suites
- TLS 1.3 support
4. **Web Application Firewall (WAF)**
- Blocks common exploits
- SQL injection protection
- XSS prevention
- Rate limiting
### Performance
1. **Global CDN**
- Static assets cached worldwide
- Reduced latency for global users
- Faster page loads
2. **Bandwidth Savings**
- Cached content served from Cloudflare edge
- Reduces origin server bandwidth
- Lower hosting costs
3. **Always Online**
- Cached version served during origin downtime
- Improved reliability
4. **Brotli Compression**
- Automatic compression
- Faster page loads
- Reduced bandwidth
---
## Decision Matrix: Proxy vs DNS-Only
### When to Enable Proxy (Orange Cloud)
**Use Cases:**
- Public web interfaces (admin panels, portals, websites)
- HTTP/HTTPS traffic only
- Want DDoS protection
- Want global CDN caching
- Want to hide origin server IP
- Small to medium file sizes (<100MB)
**Examples:**
- Ghost CMS website
- Vaultwarden password manager
- Gitea code repository
- Wiki.js instances
- Paymenter billing portal
### When to Use DNS-Only (Gray Cloud)
**Use Cases:**
- Email servers (SMTP, IMAP, POP3)
- Game servers (Minecraft, etc.)
- Large file downloads (>100MB)
- Infrastructure endpoints needing direct access
- Services with WebSocket-heavy requirements
- API endpoints with strict timeout requirements
**Examples:**
- mail.firefrostgaming.com
- panel.firefrostgaming.com (Wings direct connection)
- downloads.firefrostgaming.com
- All Minecraft game servers
---
## SSL Certificate Requirements
### Proxied Subdomains
**Options:**
1. **Cloudflare Origin Certificate (Recommended)**
- Generate in Cloudflare dashboard
- 15-year validity
- Supports wildcards (*.firefrostgaming.com)
- Free
- Only trusted by Cloudflare (perfect for proxied)
2. **Let's Encrypt**
- 90-day validity (auto-renewal required)
- Free
- Publicly trusted
- Works for both proxied and DNS-only
3. **Commercial Certificate**
- 1-year validity
- Publicly trusted
- Cost varies
### DNS-Only Subdomains
**Requirements:**
- MUST use publicly trusted certificates
- Let's Encrypt recommended
- Cloudflare Origin Certificates won't work (not publicly trusted)
**Current Status:**
- mail.firefrostgaming.com: Let's Encrypt ✅
- panel.firefrostgaming.com: (check certificate status)
- vault.firefrostgaming.com: Let's Encrypt (expires May 14, 2026) ✅
---
## Troubleshooting
### "Dangerous Site" Warning
**Symptoms:** Chrome/Firefox shows SSL warning when accessing proxied subdomain
**Cause:** Origin server doesn't have valid SSL certificate for that subdomain
**Solution:**
1. Generate Cloudflare Origin Certificate
2. Install on origin server
3. Update Nginx to use new certificate
4. Reload Nginx
**Example Fix (vault.firefrostgaming.com):**
```bash
# On origin server
# Certificate already exists at: /etc/letsencrypt/live/vault.firefrostgaming.com/
# Enable Cloudflare proxy (orange cloud) in DNS settings
# Wait 5 minutes for DNS propagation
# Test: https://vault.firefrostgaming.com
```
### 521 Error (Web Server Down)
**Symptoms:** "Error 521: Web server is down"
**Cause:** Origin server not responding on proxied port
**Checks:**
1. Service running on origin server
2. Nginx/Apache listening on correct port
3. Firewall allows Cloudflare IPs
4. Origin server not blocking Cloudflare
**Solution:**
```bash
# Check service status
systemctl status nginx
# Check port listening
netstat -tlnp | grep :80
netstat -tlnp | grep :443
# Allow Cloudflare IPs (if using UFW)
# https://www.cloudflare.com/ips/
```
### 522 Error (Connection Timed Out)
**Symptoms:** "Error 522: Connection timed out"
**Cause:** Cloudflare can't connect to origin server
**Checks:**
1. Origin server firewall blocking Cloudflare
2. Origin server IP correct in DNS
3. Origin server online
**Solution:**
1. Verify A record points to correct IP
2. Ensure firewall allows Cloudflare IP ranges
3. Check origin server is responding
### 526 Error (Invalid SSL Certificate)
**Symptoms:** "Error 526: Invalid SSL certificate"
**Cause:** SSL/TLS mode is Full (strict) but origin certificate is invalid
**Solution:**
1. Install valid SSL certificate on origin
2. OR temporarily set SSL/TLS mode to "Full" (not recommended)
3. OR use Cloudflare Origin Certificate
---
## Monitoring
### Check Proxy Status
**Cloudflare Dashboard:**
1. Select domain (firefrostgaming.com)
2. Go to DNS → Records
3. Check cloud icon color:
- **Orange** = Proxied ✅
- **Gray** = DNS Only
### Verify SSL
**Test SSL configuration:**
```bash
# Test from external location
curl -I https://vault.firefrostgaming.com
openssl s_client -connect vault.firefrostgaming.com:443 -servername vault.firefrostgaming.com
```
### Analytics
**Cloudflare Analytics Dashboard:**
- Traffic volume per subdomain
- Bandwidth savings from caching
- Threats blocked
- Cache hit ratio
---
## Related Documentation
- [Nginx Reverse Proxy Configuration](../infrastructure/nginx-proxy-configuration.md)
- [SSL Certificate Management](../infrastructure/ssl-certificates.md)
- [Vaultwarden Configuration](vaultwarden-configuration.md)
- [Mailcow Configuration](mailcow-configuration.md)
---
**Last Updated:** 2026-03-27
**Documented By:** The Verifier (Chronicler #42)
**Changes:** Added 11 web services to Cloudflare proxy, fixed vault.firefrostgaming.com SSL warning
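Review bot: the "IP Address Hiding" benefit (item 2 under Security) is not delivered by the records as listed: the addresses the proxied entries are meant to hide are still published by DNS-only records in the same file. 38.68.14.26 fronts codex, n8n and tasks (proxied) but is also the value of us.tx1.firefrostgaming.com, foundry, rad2 and the other TX1 game records (DNS-only); 64.50.188.14 fronts the main site, docs, pokerole, staff and subscribers (proxied) and is also downloads.firefrostgaming.com (DNS-only); 38.68.14.188 fronts billing and webmail (proxied) and is also mail.firefrostgaming.com (DNS-only). Suggest stating that limitation under the item, and turning the 521 hint "Allow Cloudflare IPs (if using UFW)" into a requirement: restrict ports 80 and 443 on each origin to the Cloudflare IP ranges, so that a proxied web service cannot be reached directly at the origin once the orange cloud is on. Two smaller points: the "Example Fix (vault.firefrostgaming.com)" bash block contains only comments and no command, and the "Current Status" list under DNS-Only Subdomains includes vault.firefrostgaming.com, which this same file records as proxied; move that entry or drop it.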


@@ -0,0 +1,364 @@
# LuckPerms MySQL Database Setup
**Date:** 2026-03-27
**Server:** Command Center (63.143.34.217)
**Database:** luckperms
**Purpose:** Centralized permission storage for all 13 game servers
---
## Database Configuration
### MySQL Installation
**Installed:** 2026-03-27
**Version:** MySQL 8.0 (Ubuntu 24.04)
**Service:** systemd (mysql.service)
**Installation Commands:**
```bash
apt update
apt install mysql-server -y
systemctl start mysql
systemctl enable mysql
mysql_secure_installation
```
**Secure Installation Settings:**
- Password validator: Not enabled (allows custom passwords)
- Remove anonymous users: Yes
- Disallow root login remotely: Yes
- Remove test database: Yes
- Reload privilege tables: Yes
**Root Access:**
- MySQL 8.0 uses `auth_socket` plugin by default
- Root can login via: `sudo mysql` (no password needed)
- Root cannot login remotely (secure by default)
---
## LuckPerms Database
### Database Details
- **Name:** luckperms
- **Character Set:** utf8mb4
- **Collation:** utf8mb4_unicode_ci
- **Created:** 2026-03-27
### User Credentials
- **Username:** luckperms
- **Password:** Firefrost1234!!
- **Host:** % (allows connections from any IP)
- **Privileges:** ALL on luckperms.* database
### Creation Commands
```sql
-- Access MySQL as root
sudo mysql
-- Create database
CREATE DATABASE luckperms CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
-- Create user
CREATE USER 'luckperms'@'%' IDENTIFIED BY 'Firefrost1234!!';
-- Grant permissions
GRANT ALL PRIVILEGES ON luckperms.* TO 'luckperms'@'%';
FLUSH PRIVILEGES;
-- Verify
SHOW DATABASES;
SELECT User, Host FROM mysql.user WHERE User='luckperms';
-- Exit
exit
```
---
## Connection Details
### For LuckPerms Configuration
```yaml
storage-method: MySQL
data:
address: 63.143.34.217:3306
database: luckperms
username: luckperms
password: Firefrost1234!!
```
**OR in config format:**
```properties
storage-method=MySQL
data.address=63.143.34.217:3306
data.database=luckperms
data.username=luckperms
data.password=Firefrost1234!!
```
---
## Security Considerations
### Why Separate Database?
**Isolated from Pterodactyl database for:**
1. **Security Isolation**
- Pterodactyl database contains sensitive panel data
- LuckPerms database contains game permissions
- Compromise of one doesn't affect the other
2. **Performance**
- Pterodactyl handles panel queries
- LuckPerms handles thousands of permission checks per second across 13 servers
- Separation prevents performance degradation
3. **Backup/Recovery**
- Can backup game permissions separately
- Can restore/reset without affecting infrastructure
- Independent maintenance windows
4. **Best Practice**
- Industry standard: one database per application
- Prevents dependency conflicts
- Easier troubleshooting
### Network Security
**MySQL listens on:**
- Port: 3306 (default)
- Bind address: 0.0.0.0 (all interfaces - allows remote connections)
**Firewall considerations:**
- TX1 Dallas (38.68.14.26) needs access
- NC1 Charlotte (216.239.104.130) needs access
- Ensure UFW/iptables allows connections from these IPs
**Check current firewall status:**
```bash
ufw status
# OR
iptables -L -n | grep 3306
```
**If needed, allow specific IPs:**
```bash
ufw allow from 38.68.14.26 to any port 3306
ufw allow from 216.239.104.130 to any port 3306
```
---
## Game Server Integration
### Servers Using This Database
All 13 Firefrost Gaming servers connect to this central MySQL database:
**TX1 Dallas Servers (38.68.14.26):**
1. foundry.firefrostgaming.com
2. rad2.firefrostgaming.com
3. stoneblock4.firefrostgaming.com
4. vanilla.firefrostgaming.com
5. createplus.firefrostgaming.com
6. arseclectica.firefrostgaming.com
**NC1 Charlotte Servers (216.239.104.130):**
1. reclamation.firefrostgaming.com
2. society.firefrostgaming.com
3. emberproject.firefrostgaming.com
4. minecolonies.firefrostgaming.com
5. homestead.firefrostgaming.com
6. emcsubterratech.firefrostgaming.com
7. atm10.firefrostgaming.com
### Configuration Per Server
Each server's LuckPerms config at `/config/luckperms/luckperms.conf`:
```hocon
storage-method = mysql
data {
address = "63.143.34.217:3306"
database = "luckperms"
username = "luckperms"
password = "Firefrost1234!!"
# Connection pool settings
pool-settings {
maximum-pool-size = 10
minimum-idle = 10
maximum-lifetime = 1800000
keepalive-time = 0
connection-timeout = 5000
}
}
```
---
## Deployment Status
### Implementation Plan
**Phase 1: Prerequisites (COMPLETE ✅)**
- MySQL server installed on Command Center
- Database created
- User credentials configured
- Credentials stored in Vaultwarden
**Phase 2: Mod Deployment (IN PROGRESS ⏳)**
- **Responsible:** Holly (unicorn20089)
- **Status:** Delegated 2026-03-27
- **Guide Provided:** `docs/guides/server-side-mod-deployment-guide.md`
- **Tasks:**
- Download required mods per server Minecraft version
- Upload mods to each server via Pterodactyl Panel
- Configure LuckPerms MySQL connection
- Test each server
- Repeat for all 13 servers
**Phase 3: Testing (PENDING)**
- Verify all servers connect to MySQL
- Test permission sync across servers
- Verify rank system works
---
## Maintenance
### Backup Procedures
**Manual Backup:**
```bash
# On Command Center
mysqldump -u luckperms -p luckperms > luckperms-backup-$(date +%Y%m%d).sql
```
**Restore from Backup:**
```bash
mysql -u luckperms -p luckperms < luckperms-backup-YYYYMMDD.sql
```
**Automated Backup (Recommended):**
```bash
# Add to crontab
0 2 * * * mysqldump -u luckperms -p'Firefrost1234!!' luckperms | gzip > /root/backups/luckperms-$(date +\%Y\%m\%d).sql.gz
```
### Monitoring
**Check database size:**
```bash
sudo mysql -e "SELECT table_schema AS 'Database', ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS 'Size (MB)' FROM information_schema.tables WHERE table_schema = 'luckperms' GROUP BY table_schema;"
```
**Check active connections:**
```bash
sudo mysql -e "SHOW PROCESSLIST;" | grep luckperms
```
**Check table status:**
```bash
sudo mysql luckperms -e "SHOW TABLES;"
sudo mysql luckperms -e "SELECT COUNT(*) FROM luckperms_players;"
sudo mysql luckperms -e "SELECT COUNT(*) FROM luckperms_permissions;"
```
---
## Troubleshooting
### Connection Refused
**Symptoms:** Game server can't connect to MySQL
**Checks:**
1. MySQL service running: `systemctl status mysql`
2. MySQL listening on 3306: `netstat -tlnp | grep 3306`
3. Firewall allows connections: `ufw status`
4. Credentials correct in server config
**Solution:**
```bash
# Ensure MySQL is running
systemctl start mysql
# Check bind address (should be 0.0.0.0 or specific IP)
grep bind-address /etc/mysql/mysql.conf.d/mysqld.cnf
# If bind-address is 127.0.0.1, change to 0.0.0.0
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
# Change: bind-address = 0.0.0.0
sudo systemctl restart mysql
```
### Access Denied for User
**Symptoms:** "Access denied for user 'luckperms'@'host'"
**Checks:**
1. Password correct
2. User has permissions
3. Host wildcard allows connection
**Solution:**
```sql
-- Verify user exists and host is '%'
SELECT User, Host FROM mysql.user WHERE User='luckperms';
-- Re-grant permissions if needed
GRANT ALL PRIVILEGES ON luckperms.* TO 'luckperms'@'%';
FLUSH PRIVILEGES;
-- If still failing, recreate user
DROP USER 'luckperms'@'%';
CREATE USER 'luckperms'@'%' IDENTIFIED BY 'Firefrost1234!!';
GRANT ALL PRIVILEGES ON luckperms.* TO 'luckperms'@'%';
FLUSH PRIVILEGES;
```
### Slow Queries
**Symptoms:** Permission checks lag, server TPS drops
**Diagnosis:**
```sql
-- Enable slow query log
SET GLOBAL slow_query_log = 'ON';
SET GLOBAL long_query_time = 1;
SET GLOBAL slow_query_log_file = '/var/log/mysql/slow-query.log';
-- Check slow queries
sudo tail -f /var/log/mysql/slow-query.log
```
**Solutions:**
1. Increase connection pool size in LuckPerms config
2. Optimize MySQL configuration
3. Add database indexes (LuckPerms handles this automatically)
4. Upgrade server hardware if needed
---
## Related Documentation
- [Server-Side Mod Deployment Guide](../guides/server-side-mod-deployment-guide.md)
- [Subscription Automation Guide](../guides/subscription-automation-guide.md)
- [Pterodactyl Panel Configuration](pterodactyl-panel-configuration.md)
- [Vaultwarden Configuration](vaultwarden-configuration.md)
---
**Last Updated:** 2026-03-27
**Documented By:** The Verifier (Chronicler #42)
**Status:** ✅ Database ready, awaiting mod deployment by Holly
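Review bot: the database password is committed in clear text throughout this file (User Credentials, the CREATE USER statement, both Connection Details blocks, the per-server HOCON config, the crontab line and the Access Denied recovery SQL) even though the commit message says credentials are stored in Vaultwarden; replace each occurrence with a placeholder that points at the Vaultwarden entry and, because the value is now in git history, rotate it (`ALTER USER 'luckperms'@'%' IDENTIFIED BY '<new password>';` followed by updating each server's config). Related: the user is created for host `%` and MySQL binds to 0.0.0.0, while the Network Security section says only 38.68.14.26 and 216.239.104.130 need access; creating the user for those two hosts instead of `%` keeps the firewall from being the only control. The crontab backup passes `-p'...'` on the command line, where it is visible in the process list and in cron logs; a `~/.my.cnf` with restricted permissions or `mysql_config_editor` avoids that. Finally, the `sql` fences under Creation Commands and Slow Queries mix shell commands (`sudo mysql`, `exit`, `sudo tail -f`) with SQL statements; split them into a bash fence and a sql fence.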


@@ -0,0 +1,434 @@
# Vaultwarden Configuration
**Service:** Vaultwarden (self-hosted password manager)
**URL:** https://vault.firefrostgaming.com
**Admin Panel:** https://vault.firefrostgaming.com/admin
**Server:** Command Center (63.143.34.217)
**Container:** Docker (vaultwarden/server:latest v1.35.3)
**Port:** 8001 → 80 (proxied via Nginx)
**SSL:** Let's Encrypt (expires May 14, 2026)
**Cloudflare Proxy:** Enabled (orange cloud) as of 2026-03-27
---
## Admin Access
**Admin Token:**
```
kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW
```
**Note:** This is a plain text token (not Argon2 hashed). Should be hashed for better security using:
```bash
docker exec vaultwarden /vaultwarden hash
```
---
## SMTP Email Configuration
**Configured:** 2026-03-27
**Status:** ✅ Working (test email successful)
### Settings
- **Enabled:** true
- **Host:** mail.firefrostgaming.com
- **Port:** 587
- **Secure SMTP:** STARTTLS
- **From Address:** michael@firefrostgaming.com
- **From Name:** Vaultwarden
- **Username:** michael@firefrostgaming.com
- **Password:** [Stored in Vaultwarden - michael@firefrostgaming.com mailbox password]
- **Auth Mechanism:** (default)
- **Connection Timeout:** 15 seconds
### Future Improvement
**Create dedicated vault@ mailbox:**
1. Create `vault@firefrostgaming.com` in Mailcow
2. Update Vaultwarden SMTP settings to use vault@ instead of michael@
3. Provides better separation of concerns
---
## General Settings
### Security Settings
- **Domain URL:** https://vault.firefrostgaming.com ✅
- **Allow new signups:** false ✅ (prevents random registrations)
- **Allow invitations:** true ✅ (required for inviting team members)
- **Password iterations:** 600,000 ✅ (OWASP recommended)
- **Enable emergency access:** true ✅
- **Allow email change:** true ✅
- **Show password hint:** false ✅
- **HIBP API Key:** Configured ✅ (Have I Been Pwned integration)
### Storage Limits
- **Per-user attachment storage:** Unlimited (empty)
- **Per-organization attachment storage:** Unlimited (empty)
- **Per-user send storage:** Unlimited (empty)
- **Trash auto-delete days:** Not configured (recommended: 30)
### Email Verification
- **Require email verification on signups:** false ✅ (signups disabled anyway)
- **Auto-resend verification email after:** 3600 seconds (1 hour) ✅
- **Email auto-send limit:** 6 emails ✅
---
## Advanced Settings
- **Client IP header:** X-Real-IP ✅ (correct for Nginx proxy)
- **Icon redirect code:** 302 ✅
- **Icon cache expiry (positive):** 2592000 seconds ✅
- **Icon cache expiry (negative):** 259200 seconds ✅
- **Icon download timeout:** 10 seconds ✅
- **Block non-global IPs:** true ✅ (security)
- **Disable Two-Factor remember:** false ✅
- **Disable authenticator time drift:** false ✅
- **Require new device emails:** false ✅
- **Allowed iframe ancestors:** Empty ✅ (prevents clickjacking)
- **Allowed connect-src:** Empty ✅
---
## SSO Settings
- **OpenID Connect:** Disabled (not configured)
- **Yubikey:** Not configured
- **Global Duo:** Not configured
---
## Organizations
### Firefrost Gaming Organization
**Created:** 2026-03-27
**Owner:** Michael Krause (mkrause612@gmail.com)
**Billing Email:** michael@firefrostgaming.com
**Plan:** Free (self-hosted)
**Collections:**
- Default collection (auto-created)
- Unassigned (items not in any collection)
**Future Collections (Recommended):**
- Infrastructure (MySQL credentials, SSH keys, server root passwords)
- Services (Mailcow, Pterodactyl, Paymenter, n8n, etc.)
- Game Servers (per-server credentials)
- Discord (bot tokens, webhook URLs)
**Members:**
- Michael Krause (Owner) ✅
- Holly (unicorn20089@firefrostgaming.com) - Invitation sent 2026-03-27 ⏳
- Meg (GingerFury) - Invitation sent 2026-03-27 ⏳
---
## Users
### Registered Users
1. **Michael Krause**
- Email: mkrause612@gmail.com
- Role: Owner/Admin
- Status: Active ✅
2. **Holly (unicorn20089)**
- Email: unicorn20089@firefrostgaming.com
- Status: Invitation sent 2026-03-27 ⏳
- Pending account creation
3. **Meg (GingerFury)**
- Status: Invitation sent 2026-03-27 ⏳
- Pending account creation
---
## Diagnostics (System Health)
**Last checked:** 2026-03-27
### Versions
- **Server Installed:** 1.35.3
- **Server Latest:** 1.35.4 (update available, not urgent)
- **Web Installed:** 2026.1.1 ✅ (current)
- **Web Latest:** 2026.1.1 ✅
- **Database:** SQLite 3.50.2 ✅
### System Checks
- **OS/Arch:** Linux x86_64 ✅
- **Running in Docker:** Yes (Debian base) ✅
- **Uses config.json:** Yes ✅
- **Reverse proxy detected:** Yes ✅
- **IP header match:** Config/Server: X-Real-IP ✅
- **Internet access:** Yes ✅
- **DNS (github.com):** 140.82.112.3 ✅
- **NTP sync:** Server/Browser OK ✅
- **Domain configuration:** Match, HTTPS ✅
- **HTTP response validation:** OK ✅
### Warnings
- **Websocket enabled:** Error ⚠️
- Known issue with reverse proxies
- Not critical - only affects real-time sync
- Can be fixed later if needed
---
## Nginx Configuration
**Location:** `/etc/nginx/sites-enabled/vault*`
**SSL Certificate:**
- **Type:** Let's Encrypt
- **Path:** `/etc/letsencrypt/live/vault.firefrostgaming.com/`
- **Valid Until:** May 14, 2026
- **Auto-renewal:** Certbot (should renew automatically)
**Proxy Configuration:**
- **Backend:** http://127.0.0.1:8001
- **Headers Set:**
- `Host $host`
- `X-Real-IP $remote_addr`
- Standard proxy headers
---
## Cloudflare Configuration
**DNS Record:**
- **Type:** A
- **Name:** vault
- **Value:** 63.143.34.217 (Command Center)
- **Proxy Status:** Proxied (orange cloud) ✅
- **TTL:** Auto
**SSL/TLS Mode:** Full (strict)
**Benefits:**
- DDoS protection
- Global CDN
- SSL managed by Cloudflare
- Hides origin server IP
**Changed:** 2026-03-27 (was DNS-only, now proxied)
---
## Docker Configuration
**Container Name:** vaultwarden
**Image:** vaultwarden/server:latest
**Version:** 1.35.3
**Restart Policy:** Always (confirmed healthy)
**Key Environment Variables:**
- `ADMIN_TOKEN=kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW`
- SMTP settings configured via admin panel (persisted in data volume)
**Volumes:**
- Data directory: (check with `docker inspect vaultwarden`)
---
## Stored Credentials
### Current Vault Items
1. **LuckPerms MySQL Credentials**
- **Host:** 63.143.34.217
- **Port:** 3306
- **Database:** luckperms
- **Username:** luckperms
- **Password:** Firefrost1234!!
- **Notes:** Used by all 13 game servers for permission sync
- **Location:** Personal vault (should be moved to Infrastructure collection)
---
## Common Tasks
### Invite a User
1. Go to Admin Panel: https://vault.firefrostgaming.com/admin
2. Enter admin token
3. Click **Users** tab
4. Click **Invite User**
5. Enter email address
6. User receives invitation email
**OR (if SMTP not configured):**
- User goes to https://vault.firefrostgaming.com
- User clicks "Create Account" (if signups are enabled)
- User registers with email
### Add User to Organization
1. Organization owner logs into vault
2. Go to Organizations → Firefrost Gaming
3. Click **Members**
4. Click **Invite**
5. Enter user's email
6. Select role (User, Admin, Owner)
7. User accepts invitation
### Share a Credential
**Method 1: Organization Collection**
1. Move item to an Organization Collection
2. Grant user access to that Collection
**Method 2: Individual Share**
1. Click on vault item
2. Click Share (three-dot menu)
3. Enter user's email
4. User gets access to that specific item
### Update SMTP Settings
1. Go to Admin Panel: https://vault.firefrostgaming.com/admin
2. Click **Settings** tab
3. Expand **SMTP Email Settings**
4. Update configuration
5. Click **Save**
6. Test with **Send test email** button
### Backup Vaultwarden Data
```bash
# On Command Center
docker exec vaultwarden sqlite3 /data/db.sqlite3 ".backup '/data/backup.sqlite3'"
docker cp vaultwarden:/data/backup.sqlite3 ~/vaultwarden-backup-$(date +%Y%m%d).sqlite3
```
### Update Vaultwarden
```bash
# On Command Center
docker pull vaultwarden/server:latest
docker stop vaultwarden
docker rm vaultwarden
# Re-create container with same settings (check docker inspect for exact command)
docker start vaultwarden
```
---
## Security Best Practices
### Implemented ✅
- HTTPS enforced (Let's Encrypt + Cloudflare)
- Admin panel requires token
- Signups disabled (invitation-only)
- Strong password iterations (600,000)
- HIBP integration for compromised password detection
- Emergency access enabled
- Cloudflare proxy for DDoS protection
### Recommended Improvements
1. **Hash admin token with Argon2**
```bash
docker exec vaultwarden /vaultwarden hash
# Update ADMIN_TOKEN environment variable with hashed output
```
2. **Create dedicated vault@ email address**
- Separate from michael@firefrostgaming.com
- Better audit trail for system emails
3. **Enable 2FA for all users**
- Require TOTP or hardware key
- Set in organization policies
4. **Configure automated backups**
- Daily SQLite backups
- Store offsite (Ghost VPS, Billing VPS, or cloud storage)
5. **Set trash auto-delete to 30 days**
- Prevents vault bloat
- Automatic cleanup
6. **Monitor failed login attempts**
- Check Vaultwarden logs regularly
- Set up alerts for suspicious activity
---
## Troubleshooting
### "Dangerous Site" Warning in Chrome
**Problem:** Chrome shows SSL warning when accessing vault.firefrostgaming.com
**Cause:** Subdomain not proxied through Cloudflare (gray cloud)
**Solution:**
1. Go to Cloudflare DNS settings
2. Find `vault` A record
3. Click gray cloud to enable proxy (turn orange)
4. Wait for DNS propagation (~5 minutes)
### SMTP Test Fails
**Error:** `Sender address rejected: not owned by user`
**Cause:** From Address doesn't match Username
**Solution:**
- Set **From Address** to match **Username** exactly
- Example: Both should be `michael@firefrostgaming.com`
### Can't Create Organization
**Problem:** No "New Organization" button visible
**Cause:** Looking at Admin Panel instead of personal vault
**Solution:**
1. Go to https://vault.firefrostgaming.com (NOT /admin)
2. Click **Organizations** in sidebar
3. Click **New Organization**
### Websocket Error in Diagnostics
**Status:** Known issue, not critical
**Impact:** Real-time sync between devices may be delayed
**Fix (optional):**
1. Configure Nginx to proxy WebSocket connections
2. Add to Nginx config:
```nginx
location /notifications/hub {
proxy_pass http://127.0.0.1:8001;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
```
3. Reload Nginx: `nginx -s reload`
---
## Related Documentation
- [Vaultwarden Official Wiki](https://github.com/dani-garcia/vaultwarden/wiki)
- [Mailcow Configuration](mailcow-configuration.md)
- [Cloudflare DNS Setup](../infrastructure/cloudflare-dns.md)
- [Nginx Reverse Proxy](../infrastructure/nginx-proxy-configuration.md)
---
**Last Updated:** 2026-03-27
**Documented By:** The Verifier (Chronicler #42)
**Status:** ✅ Production - Fully configured and operational
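Review bot: the Vaultwarden admin token is committed in clear text twice (the Admin Access block and the `ADMIN_TOKEN` variable under Docker Configuration), and the file itself says it should be an Argon2 hash (Recommended Improvements, item 1). Since the plaintext value is now in git history, generate a new token, store the output of `docker exec vaultwarden /vaultwarden hash` in `ADMIN_TOKEN`, and keep only a reference here; the LuckPerms MySQL password under Stored Credentials needs the same treatment. Two functional issues in the snippets: the "Update Vaultwarden" block runs `docker rm vaultwarden` and then `docker start vaultwarden`, which fails because the container no longer exists after `rm`; it needs a `docker run` with the original volume and environment (or a compose file) in place of `docker start`. The WebSocket `location /notifications/hub` block lacks `proxy_http_version 1.1;`, without which Nginx speaks HTTP/1.0 to the backend and the Upgrade header is not honoured, so the "Websocket enabled: Error" warning would persist after applying it.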