diff --git a/docs/infrastructure/cloudflare-proxy-configuration.md b/docs/infrastructure/cloudflare-proxy-configuration.md new file mode 100644 index 0000000..da7de64 --- /dev/null +++ b/docs/infrastructure/cloudflare-proxy-configuration.md 
@@ -0,0 +1,413 @@ +# Cloudflare Proxy Configuration + +**Domain:** firefrostgaming.com +**Cloudflare Account:** [Account details] +**Last Updated:** 2026-03-27 + +--- + +## SSL/TLS Configuration + +**Encryption Mode:** Full (strict) + +**Benefits:** +- End-to-end encryption (browser ↔ Cloudflare ↔ origin server) +- Origin server SSL certificates validated +- Maximum security posture + +**Requirements:** +- Origin servers must have valid SSL certificates +- Certificates must match the subdomain +- Can use Cloudflare Origin Certificates (15-year validity) + +--- + +## Proxied Subdomains (Orange Cloud ☁️) + +### Web Services (15 total) + +All public-facing web services route through Cloudflare proxy for DDoS protection, SSL management, and performance: + +1. **firefrostgaming.com** (64.50.188.14 - Ghost VPS) + - Main website + - Ghost CMS + +2. **www.firefrostgaming.com** (CNAME → firefrostgaming.com) + - WWW subdomain + - Cloudflare Origin Certificate required + +3. **billing.firefrostgaming.com** (38.68.14.188 - Billing VPS) + - Paymenter billing portal + - Public customer access + +4. **code.firefrostgaming.com** (74.63.218.202) + - Code-Server web IDE + - Staff/developer access + - **Added to proxy:** 2026-03-27 + +5. **codex.firefrostgaming.com** (38.68.14.26 - TX1) + - Dify RAG system + - AI knowledge base + - **Added to proxy:** 2026-03-27 + +6. **docs.firefrostgaming.com** (64.50.188.14 - Ghost VPS) + - Nextcloud file storage + - **Added to proxy:** 2026-03-27 + +7. **git.firefrostgaming.com** (63.143.34.217 - Command Center) + - Gitea code repository + - **Added to proxy:** 2026-03-27 + +8. **n8n.firefrostgaming.com** (38.68.14.26 - TX1) + - n8n workflow automation + - **Added to proxy:** 2026-03-27 + +9. **pokerole.firefrostgaming.com** (64.50.188.14 - Ghost VPS) + - Wiki.js (Pokérole TTRPG wiki) + - Public wiki access + - **Added to proxy:** 2026-03-27 + +10. 
**staff.firefrostgaming.com** (64.50.188.14 - Ghost VPS) + - Wiki.js (staff wiki) + - Internal documentation + - **Added to proxy:** 2026-03-27 + +11. **status.firefrostgaming.com** (63.143.34.217 - Command Center) + - Uptime Kuma status page + - **Added to proxy:** 2026-03-27 + +12. **subscribers.firefrostgaming.com** (64.50.188.14 - Ghost VPS) + - Wiki.js (subscriber wiki) + - Member-only content + - **Added to proxy:** 2026-03-27 + +13. **tasks.firefrostgaming.com** (38.68.14.26 - TX1) + - Plane project management + - **Added to proxy:** 2026-03-27 + +14. **vault.firefrostgaming.com** (63.143.34.217 - Command Center) + - Vaultwarden password manager + - **Added to proxy:** 2026-03-27 + - **Fixed:** SSL certificate warning resolved + +15. **webmail.firefrostgaming.com** (38.68.14.188 - Billing VPS) + - Mailcow webmail interface + - **Added to proxy:** 2026-03-27 + +--- + +## DNS-Only Subdomains (Gray Cloud ☁️) + +### Email Services (MUST be DNS-only) + +1. **mail.firefrostgaming.com** (38.68.14.188 - Billing VPS) + - Mailcow email server + - SMTP/IMAP/POP3 protocols + - **Must NOT be proxied** - email protocols require direct connection + +2. **autoconfig.firefrostgaming.com** (CNAME → mail.firefrostgaming.com) + - Thunderbird auto-configuration + - Email client setup + +3. **autodiscover.firefrostgaming.com** (CNAME → mail.firefrostgaming.com) + - Outlook auto-discovery + - Email client setup + +### Infrastructure Services + +1. **panel.firefrostgaming.com** (45.94.168.138 - Panel VPS) + - Pterodactyl Panel + - **Must NOT be proxied** - Wings nodes connect directly + - WebSocket connections for real-time console + - Large file transfers (game server files) + +2. **downloads.firefrostgaming.com** (64.50.188.14 - Ghost VPS) + - Large file downloads (modpacks >100MB) + - **Must NOT be proxied** - Cloudflare has file size limits + - Direct download is faster and cheaper + +3. 
**us.nc1.firefrostgaming.com** (216.239.104.130 - NC1 Charlotte) + - Direct server access + - Infrastructure endpoint + +4. **us.tx1.firefrostgaming.com** (38.68.14.26 - TX1 Dallas) + - Direct server access + - Infrastructure endpoint + +### Game Servers (24 subdomains - all DNS-only) + +**All Minecraft servers MUST be DNS-only:** +- Game protocols require direct UDP/TCP connections +- Cloudflare proxy doesn't support Minecraft protocol +- SRV records require direct DNS resolution + +**TX1 Dallas Servers:** +- allthemons.firefrostgaming.com (38.68.14.30) +- foundry.firefrostgaming.com (38.68.14.26) +- rad2.firefrostgaming.com (38.68.14.26) +- stoneblock4.firefrostgaming.com (38.68.14.26) +- vanilla.firefrostgaming.com (38.68.14.26) +- createplus.firefrostgaming.com (38.68.14.26) +- arseclectica.firefrostgaming.com (38.68.14.26) + +**NC1 Charlotte Servers:** +- reclamation.firefrostgaming.com (38.68.14.27) +- society.firefrostgaming.com (38.68.14.28) +- emberproject.firefrostgaming.com (216.239.104.130) +- minecolonies.firefrostgaming.com (216.239.104.130) +- homestead.firefrostgaming.com (216.239.104.130) +- emcsubterratech.firefrostgaming.com (216.239.104.130) +- atm10.firefrostgaming.com (216.239.104.130) +- atm10tts.firefrostgaming.com (216.239.104.130) +- atmons.firefrostgaming.com (216.239.104.130) +- aocc.firefrostgaming.com (216.239.104.130) +- hytale.firefrostgaming.com (216.239.104.130) +- mayview.firefrostgaming.com (216.239.104.130) +- mythcraft5.firefrostgaming.com (216.239.104.130) +- vanilla121.firefrostgaming.com (38.68.14.29) + +--- + +## Benefits of Cloudflare Proxy + +### Security + +1. **DDoS Protection** + - Absorbs attacks before they reach origin servers + - Unmetered DDoS mitigation + - Protects against Layer 3, 4, and 7 attacks + +2. **IP Address Hiding** + - Origin server IPs hidden from public + - Prevents direct attacks on infrastructure + - Reduces server reconnaissance + +3. 
**SSL/TLS Management** + - Cloudflare manages certificates to browsers + - Automatic renewal + - Modern cipher suites + - TLS 1.3 support + +4. **Web Application Firewall (WAF)** + - Blocks common exploits + - SQL injection protection + - XSS prevention + - Rate limiting + +### Performance + +1. **Global CDN** + - Static assets cached worldwide + - Reduced latency for global users + - Faster page loads + +2. **Bandwidth Savings** + - Cached content served from Cloudflare edge + - Reduces origin server bandwidth + - Lower hosting costs + +3. **Always Online** + - Cached version served during origin downtime + - Improved reliability + +4. **Brotli Compression** + - Automatic compression + - Faster page loads + - Reduced bandwidth + +--- + +## Decision Matrix: Proxy vs DNS-Only + +### When to Enable Proxy (Orange Cloud) + +**Use Cases:** +- Public web interfaces (admin panels, portals, websites) +- HTTP/HTTPS traffic only +- Want DDoS protection +- Want global CDN caching +- Want to hide origin server IP +- Small to medium file sizes (<100MB) + +**Examples:** +- Ghost CMS website +- Vaultwarden password manager +- Gitea code repository +- Wiki.js instances +- Paymenter billing portal + +### When to Use DNS-Only (Gray Cloud) + +**Use Cases:** +- Email servers (SMTP, IMAP, POP3) +- Game servers (Minecraft, etc.) +- Large file downloads (>100MB) +- Infrastructure endpoints needing direct access +- Services with WebSocket-heavy requirements +- API endpoints with strict timeout requirements + +**Examples:** +- mail.firefrostgaming.com +- panel.firefrostgaming.com (Wings direct connection) +- downloads.firefrostgaming.com +- All Minecraft game servers + +--- + +## SSL Certificate Requirements + +### Proxied Subdomains + +**Options:** + +1. **Cloudflare Origin Certificate (Recommended)** + - Generate in Cloudflare dashboard + - 15-year validity + - Supports wildcards (*.firefrostgaming.com) + - Free + - Only trusted by Cloudflare (perfect for proxied) + +2. 
**Let's Encrypt** + - 90-day validity (auto-renewal required) + - Free + - Publicly trusted + - Works for both proxied and DNS-only + +3. **Commercial Certificate** + - 1-year validity + - Publicly trusted + - Cost varies + +### DNS-Only Subdomains + +**Requirements:** +- MUST use publicly trusted certificates +- Let's Encrypt recommended +- Cloudflare Origin Certificates won't work (not publicly trusted) + +**Current Status:** +- mail.firefrostgaming.com: Let's Encrypt ✅ +- panel.firefrostgaming.com: (check certificate status) +- vault.firefrostgaming.com: Let's Encrypt (expires May 14, 2026) ✅ + +--- + +## Troubleshooting + +### "Dangerous Site" Warning + +**Symptoms:** Chrome/Firefox shows SSL warning when accessing proxied subdomain + +**Cause:** Origin server doesn't have valid SSL certificate for that subdomain + +**Solution:** +1. Generate Cloudflare Origin Certificate +2. Install on origin server +3. Update Nginx to use new certificate +4. Reload Nginx + +**Example Fix (vault.firefrostgaming.com):** +```bash +# On origin server +# Certificate already exists at: /etc/letsencrypt/live/vault.firefrostgaming.com/ +# Enable Cloudflare proxy (orange cloud) in DNS settings +# Wait 5 minutes for DNS propagation +# Test: https://vault.firefrostgaming.com +``` + +### 521 Error (Web Server Down) + +**Symptoms:** "Error 521: Web server is down" + +**Cause:** Origin server not responding on proxied port + +**Checks:** +1. Service running on origin server +2. Nginx/Apache listening on correct port +3. Firewall allows Cloudflare IPs +4. Origin server not blocking Cloudflare + +**Solution:** +```bash +# Check service status +systemctl status nginx + +# Check port listening +netstat -tlnp | grep :80 +netstat -tlnp | grep :443 + +# Allow Cloudflare IPs (if using UFW) +# https://www.cloudflare.com/ips/ +``` + +### 522 Error (Connection Timed Out) + +**Symptoms:** "Error 522: Connection timed out" + +**Cause:** Cloudflare can't connect to origin server + +**Checks:** +1. 
Origin server firewall blocking Cloudflare +2. Origin server IP correct in DNS +3. Origin server online + +**Solution:** +1. Verify A record points to correct IP +2. Ensure firewall allows Cloudflare IP ranges +3. Check origin server is responding + +### 526 Error (Invalid SSL Certificate) + +**Symptoms:** "Error 526: Invalid SSL certificate" + +**Cause:** SSL/TLS mode is Full (strict) but origin certificate is invalid + +**Solution:** +1. Install valid SSL certificate on origin +2. OR temporarily set SSL/TLS mode to "Full" (not recommended) +3. OR use Cloudflare Origin Certificate + +--- + +## Monitoring + +### Check Proxy Status + +**Cloudflare Dashboard:** +1. Select domain (firefrostgaming.com) +2. Go to DNS → Records +3. Check cloud icon color: + - **Orange** = Proxied ✅ + - **Gray** = DNS Only + +### Verify SSL + +**Test SSL configuration:** +```bash +# Test from external location +curl -I https://vault.firefrostgaming.com +openssl s_client -connect vault.firefrostgaming.com:443 -servername vault.firefrostgaming.com +``` + +### Analytics + +**Cloudflare Analytics Dashboard:** +- Traffic volume per subdomain +- Bandwidth savings from caching +- Threats blocked +- Cache hit ratio + +--- + +## Related Documentation + +- [Nginx Reverse Proxy Configuration](../infrastructure/nginx-proxy-configuration.md) +- [SSL Certificate Management](../infrastructure/ssl-certificates.md) +- [Vaultwarden Configuration](vaultwarden-configuration.md) +- [Mailcow Configuration](mailcow-configuration.md) + +--- + +**Last Updated:** 2026-03-27 +**Documented By:** The Verifier (Chronicler #42) +**Changes:** Added 11 web services to Cloudflare proxy, fixed vault.firefrostgaming.com SSL warning diff --git a/docs/services/luckperms-mysql-database.md b/docs/services/luckperms-mysql-database.md new file mode 100644 index 0000000..8c5f73e --- /dev/null +++ b/docs/services/luckperms-mysql-database.md 
@@ -0,0 +1,364 @@ +# LuckPerms MySQL Database Setup + +**Date:** 2026-03-27 +**Server:** Command Center (63.143.34.217) +**Database:** luckperms +**Purpose:** Centralized permission storage for all 13 game servers + +--- + +## Database Configuration + +### MySQL Installation + +**Installed:** 2026-03-27 +**Version:** MySQL 8.0 (Ubuntu 24.04) +**Service:** systemd (mysql.service) + +**Installation Commands:** +```bash +apt update +apt install mysql-server -y +systemctl start mysql +systemctl enable mysql +mysql_secure_installation +``` + +**Secure Installation Settings:** +- Password validator: Not enabled (allows custom passwords) +- Remove anonymous users: Yes +- Disallow root login remotely: Yes +- Remove test database: Yes +- Reload privilege tables: Yes + +**Root Access:** +- MySQL 8.0 uses `auth_socket` plugin by default +- Root can login via: `sudo mysql` (no password needed) +- Root cannot login remotely (secure by default) + +--- + +## LuckPerms Database + +### Database Details + +- **Name:** luckperms +- **Character Set:** utf8mb4 +- **Collation:** utf8mb4_unicode_ci +- **Created:** 2026-03-27 + +### User Credentials + +- **Username:** luckperms +- **Password:** Firefrost1234!! +- **Host:** % (allows connections from any IP) +- **Privileges:** ALL on luckperms.* database + +### Creation Commands + +```sql +-- Access MySQL as root +sudo mysql + +-- Create database +CREATE DATABASE luckperms CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; + +-- Create user +CREATE USER 'luckperms'@'%' IDENTIFIED BY 'Firefrost1234!!'; + +-- Grant permissions +GRANT ALL PRIVILEGES ON luckperms.* TO 'luckperms'@'%'; +FLUSH PRIVILEGES; + +-- Verify +SHOW DATABASES; +SELECT User, Host FROM mysql.user WHERE User='luckperms'; + +-- Exit +exit +``` + +--- + +## Connection Details + +### For LuckPerms Configuration + +```yaml +storage-method: MySQL + +data: + address: 63.143.34.217:3306 + database: luckperms + username: luckperms + password: Firefrost1234!! 
+``` + +**OR in config format:** +```properties +storage-method=MySQL +data.address=63.143.34.217:3306 +data.database=luckperms +data.username=luckperms +data.password=Firefrost1234!! +``` + +--- + +## Security Considerations + +### Why Separate Database? + +**Isolated from Pterodactyl database for:** + +1. **Security Isolation** + - Pterodactyl database contains sensitive panel data + - LuckPerms database contains game permissions + - Compromise of one doesn't affect the other + +2. **Performance** + - Pterodactyl handles panel queries + - LuckPerms handles thousands of permission checks per second across 13 servers + - Separation prevents performance degradation + +3. **Backup/Recovery** + - Can backup game permissions separately + - Can restore/reset without affecting infrastructure + - Independent maintenance windows + +4. **Best Practice** + - Industry standard: one database per application + - Prevents dependency conflicts + - Easier troubleshooting + +### Network Security + +**MySQL listens on:** +- Port: 3306 (default) +- Bind address: 0.0.0.0 (all interfaces - allows remote connections) + +**Firewall considerations:** +- TX1 Dallas (38.68.14.26) needs access +- NC1 Charlotte (216.239.104.130) needs access +- Ensure UFW/iptables allows connections from these IPs + +**Check current firewall status:** +```bash +ufw status +# OR +iptables -L -n | grep 3306 +``` + +**If needed, allow specific IPs:** +```bash +ufw allow from 38.68.14.26 to any port 3306 +ufw allow from 216.239.104.130 to any port 3306 +``` + +--- + +## Game Server Integration + +### Servers Using This Database + +All 13 Firefrost Gaming servers connect to this central MySQL database: + +**TX1 Dallas Servers (38.68.14.26):** +1. foundry.firefrostgaming.com +2. rad2.firefrostgaming.com +3. stoneblock4.firefrostgaming.com +4. vanilla.firefrostgaming.com +5. createplus.firefrostgaming.com +6. arseclectica.firefrostgaming.com + +**NC1 Charlotte Servers (216.239.104.130):** +1. 
reclamation.firefrostgaming.com +2. society.firefrostgaming.com +3. emberproject.firefrostgaming.com +4. minecolonies.firefrostgaming.com +5. homestead.firefrostgaming.com +6. emcsubterratech.firefrostgaming.com +7. atm10.firefrostgaming.com + +### Configuration Per Server + +Each server's LuckPerms config at `/config/luckperms/luckperms.conf`: + +```hocon +storage-method = mysql + +data { + address = "63.143.34.217:3306" + database = "luckperms" + username = "luckperms" + password = "Firefrost1234!!" + + # Connection pool settings + pool-settings { + maximum-pool-size = 10 + minimum-idle = 10 + maximum-lifetime = 1800000 + keepalive-time = 0 + connection-timeout = 5000 + } +} +``` + +--- + +## Deployment Status + +### Implementation Plan + +**Phase 1: Prerequisites (COMPLETE ✅)** +- MySQL server installed on Command Center +- Database created +- User credentials configured +- Credentials stored in Vaultwarden + +**Phase 2: Mod Deployment (IN PROGRESS ⏳)** +- **Responsible:** Holly (unicorn20089) +- **Status:** Delegated 2026-03-27 +- **Guide Provided:** `docs/guides/server-side-mod-deployment-guide.md` +- **Tasks:** + - Download required mods per server Minecraft version + - Upload mods to each server via Pterodactyl Panel + - Configure LuckPerms MySQL connection + - Test each server + - Repeat for all 13 servers + +**Phase 3: Testing (PENDING)** +- Verify all servers connect to MySQL +- Test permission sync across servers +- Verify rank system works + +--- + +## Maintenance + +### Backup Procedures + +**Manual Backup:** +```bash +# On Command Center +mysqldump -u luckperms -p luckperms > luckperms-backup-$(date +%Y%m%d).sql +``` + +**Restore from Backup:** +```bash +mysql -u luckperms -p luckperms < luckperms-backup-YYYYMMDD.sql +``` + +**Automated Backup (Recommended):** +```bash +# Add to crontab +0 2 * * * mysqldump -u luckperms -p'Firefrost1234!!' 
luckperms | gzip > /root/backups/luckperms-$(date +\%Y\%m\%d).sql.gz +``` + +### Monitoring + +**Check database size:** +```bash +sudo mysql -e "SELECT table_schema AS 'Database', ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS 'Size (MB)' FROM information_schema.tables WHERE table_schema = 'luckperms' GROUP BY table_schema;" +``` + +**Check active connections:** +```bash +sudo mysql -e "SHOW PROCESSLIST;" | grep luckperms +``` + +**Check table status:** +```bash +sudo mysql luckperms -e "SHOW TABLES;" +sudo mysql luckperms -e "SELECT COUNT(*) FROM luckperms_players;" +sudo mysql luckperms -e "SELECT COUNT(*) FROM luckperms_permissions;" +``` + +--- + +## Troubleshooting + +### Connection Refused + +**Symptoms:** Game server can't connect to MySQL + +**Checks:** +1. MySQL service running: `systemctl status mysql` +2. MySQL listening on 3306: `netstat -tlnp | grep 3306` +3. Firewall allows connections: `ufw status` +4. Credentials correct in server config + +**Solution:** +```bash +# Ensure MySQL is running +systemctl start mysql + +# Check bind address (should be 0.0.0.0 or specific IP) +grep bind-address /etc/mysql/mysql.conf.d/mysqld.cnf + +# If bind-address is 127.0.0.1, change to 0.0.0.0 +sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf +# Change: bind-address = 0.0.0.0 +sudo systemctl restart mysql +``` + +### Access Denied for User + +**Symptoms:** "Access denied for user 'luckperms'@'host'" + +**Checks:** +1. Password correct +2. User has permissions +3. 
Host wildcard allows connection + +**Solution:** +```sql +-- Verify user exists and host is '%' +SELECT User, Host FROM mysql.user WHERE User='luckperms'; + +-- Re-grant permissions if needed +GRANT ALL PRIVILEGES ON luckperms.* TO 'luckperms'@'%'; +FLUSH PRIVILEGES; + +-- If still failing, recreate user +DROP USER 'luckperms'@'%'; +CREATE USER 'luckperms'@'%' IDENTIFIED BY 'Firefrost1234!!'; +GRANT ALL PRIVILEGES ON luckperms.* TO 'luckperms'@'%'; +FLUSH PRIVILEGES; +``` + +### Slow Queries + +**Symptoms:** Permission checks lag, server TPS drops + +**Diagnosis:** +```sql +-- Enable slow query log +SET GLOBAL slow_query_log = 'ON'; +SET GLOBAL long_query_time = 1; +SET GLOBAL slow_query_log_file = '/var/log/mysql/slow-query.log'; + +-- Check slow queries +sudo tail -f /var/log/mysql/slow-query.log +``` + +**Solutions:** +1. Increase connection pool size in LuckPerms config +2. Optimize MySQL configuration +3. Add database indexes (LuckPerms handles this automatically) +4. Upgrade server hardware if needed + +--- + +## Related Documentation + +- [Server-Side Mod Deployment Guide](../guides/server-side-mod-deployment-guide.md) +- [Subscription Automation Guide](../guides/subscription-automation-guide.md) +- [Pterodactyl Panel Configuration](pterodactyl-panel-configuration.md) +- [Vaultwarden Configuration](vaultwarden-configuration.md) + +--- + +**Last Updated:** 2026-03-27 +**Documented By:** The Verifier (Chronicler #42) +**Status:** ✅ Database ready, awaiting mod deployment by Holly diff --git a/docs/services/vaultwarden-configuration.md b/docs/services/vaultwarden-configuration.md new file mode 100644 index 0000000..8a6c50c --- /dev/null +++ b/docs/services/vaultwarden-configuration.md 
@@ -0,0 +1,434 @@ +# Vaultwarden Configuration + +**Service:** Vaultwarden (self-hosted password manager) +**URL:** https://vault.firefrostgaming.com +**Admin Panel:** https://vault.firefrostgaming.com/admin +**Server:** Command Center (63.143.34.217) +**Container:** Docker (vaultwarden/server:latest v1.35.3) +**Port:** 8001 → 80 (proxied via Nginx) +**SSL:** Let's Encrypt (expires May 14, 2026) +**Cloudflare Proxy:** Enabled (orange cloud) as of 2026-03-27 + +--- + +## Admin Access + +**Admin Token:** +``` +kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW +``` + +**Note:** This is a plain text token (not Argon2 hashed). Should be hashed for better security using: +```bash +docker exec vaultwarden /vaultwarden hash +``` + +--- + +## SMTP Email Configuration + +**Configured:** 2026-03-27 +**Status:** ✅ Working (test email successful) + +### Settings + +- **Enabled:** true +- **Host:** mail.firefrostgaming.com +- **Port:** 587 +- **Secure SMTP:** STARTTLS +- **From Address:** michael@firefrostgaming.com +- **From Name:** Vaultwarden +- **Username:** michael@firefrostgaming.com +- **Password:** [Stored in Vaultwarden - michael@firefrostgaming.com mailbox password] +- **Auth Mechanism:** (default) +- **Connection Timeout:** 15 seconds + +### Future Improvement + +**Create dedicated vault@ mailbox:** +1. Create `vault@firefrostgaming.com` in Mailcow +2. Update Vaultwarden SMTP settings to use vault@ instead of michael@ +3. 
Provides better separation of concerns + +--- + +## General Settings + +### Security Settings + +- **Domain URL:** https://vault.firefrostgaming.com ✅ +- **Allow new signups:** false ✅ (prevents random registrations) +- **Allow invitations:** true ✅ (required for inviting team members) +- **Password iterations:** 600,000 ✅ (OWASP recommended) +- **Enable emergency access:** true ✅ +- **Allow email change:** true ✅ +- **Show password hint:** false ✅ +- **HIBP API Key:** Configured ✅ (Have I Been Pwned integration) + +### Storage Limits + +- **Per-user attachment storage:** Unlimited (empty) +- **Per-organization attachment storage:** Unlimited (empty) +- **Per-user send storage:** Unlimited (empty) +- **Trash auto-delete days:** Not configured (recommended: 30) + +### Email Verification + +- **Require email verification on signups:** false ✅ (signups disabled anyway) +- **Auto-resend verification email after:** 3600 seconds (1 hour) ✅ +- **Email auto-send limit:** 6 emails ✅ + +--- + +## Advanced Settings + +- **Client IP header:** X-Real-IP ✅ (correct for Nginx proxy) +- **Icon redirect code:** 302 ✅ +- **Icon cache expiry (positive):** 2592000 seconds ✅ +- **Icon cache expiry (negative):** 259200 seconds ✅ +- **Icon download timeout:** 10 seconds ✅ +- **Block non-global IPs:** true ✅ (security) +- **Disable Two-Factor remember:** false ✅ +- **Disable authenticator time drift:** false ✅ +- **Require new device emails:** false ✅ +- **Allowed iframe ancestors:** Empty ✅ (prevents clickjacking) +- **Allowed connect-src:** Empty ✅ + +--- + +## SSO Settings + +- **OpenID Connect:** Disabled (not configured) +- **Yubikey:** Not configured +- **Global Duo:** Not configured + +--- + +## Organizations + +### Firefrost Gaming Organization + +**Created:** 2026-03-27 +**Owner:** Michael Krause (mkrause612@gmail.com) +**Billing Email:** michael@firefrostgaming.com +**Plan:** Free (self-hosted) + +**Collections:** +- Default collection (auto-created) +- Unassigned (items not in 
any collection) + +**Future Collections (Recommended):** +- Infrastructure (MySQL credentials, SSH keys, server root passwords) +- Services (Mailcow, Pterodactyl, Paymenter, n8n, etc.) +- Game Servers (per-server credentials) +- Discord (bot tokens, webhook URLs) + +**Members:** +- Michael Krause (Owner) ✅ +- Holly (unicorn20089@firefrostgaming.com) - Invitation sent 2026-03-27 ⏳ +- Meg (GingerFury) - Invitation sent 2026-03-27 ⏳ + +--- + +## Users + +### Registered Users + +1. **Michael Krause** + - Email: mkrause612@gmail.com + - Role: Owner/Admin + - Status: Active ✅ + +2. **Holly (unicorn20089)** + - Email: unicorn20089@firefrostgaming.com + - Status: Invitation sent 2026-03-27 ⏳ + - Pending account creation + +3. **Meg (GingerFury)** + - Status: Invitation sent 2026-03-27 ⏳ + - Pending account creation + +--- + +## Diagnostics (System Health) + +**Last checked:** 2026-03-27 + +### Versions + +- **Server Installed:** 1.35.3 +- **Server Latest:** 1.35.4 (update available, not urgent) +- **Web Installed:** 2026.1.1 ✅ (current) +- **Web Latest:** 2026.1.1 ✅ +- **Database:** SQLite 3.50.2 ✅ + +### System Checks + +- **OS/Arch:** Linux x86_64 ✅ +- **Running in Docker:** Yes (Debian base) ✅ +- **Uses config.json:** Yes ✅ +- **Reverse proxy detected:** Yes ✅ +- **IP header match:** Config/Server: X-Real-IP ✅ +- **Internet access:** Yes ✅ +- **DNS (github.com):** 140.82.112.3 ✅ +- **NTP sync:** Server/Browser OK ✅ +- **Domain configuration:** Match, HTTPS ✅ +- **HTTP response validation:** OK ✅ + +### Warnings + +- **Websocket enabled:** Error ⚠️ + - Known issue with reverse proxies + - Not critical - only affects real-time sync + - Can be fixed later if needed + +--- + +## Nginx Configuration + +**Location:** `/etc/nginx/sites-enabled/vault*` + +**SSL Certificate:** +- **Type:** Let's Encrypt +- **Path:** `/etc/letsencrypt/live/vault.firefrostgaming.com/` +- **Valid Until:** May 14, 2026 +- **Auto-renewal:** Certbot (should renew automatically) + +**Proxy 
Configuration:** +- **Backend:** http://127.0.0.1:8001 +- **Headers Set:** + - `Host $host` + - `X-Real-IP $remote_addr` + - Standard proxy headers + +--- + +## Cloudflare Configuration + +**DNS Record:** +- **Type:** A +- **Name:** vault +- **Value:** 63.143.34.217 (Command Center) +- **Proxy Status:** Proxied (orange cloud) ✅ +- **TTL:** Auto + +**SSL/TLS Mode:** Full (strict) + +**Benefits:** +- DDoS protection +- Global CDN +- SSL managed by Cloudflare +- Hides origin server IP + +**Changed:** 2026-03-27 (was DNS-only, now proxied) + +--- + +## Docker Configuration + +**Container Name:** vaultwarden +**Image:** vaultwarden/server:latest +**Version:** 1.35.3 +**Restart Policy:** Always (confirmed healthy) + +**Key Environment Variables:** +- `ADMIN_TOKEN=kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW` +- SMTP settings configured via admin panel (persisted in data volume) + +**Volumes:** +- Data directory: (check with `docker inspect vaultwarden`) + +--- + +## Stored Credentials + +### Current Vault Items + +1. **LuckPerms MySQL Credentials** + - **Host:** 63.143.34.217 + - **Port:** 3306 + - **Database:** luckperms + - **Username:** luckperms + - **Password:** Firefrost1234!! + - **Notes:** Used by all 13 game servers for permission sync + - **Location:** Personal vault (should be moved to Infrastructure collection) + +--- + +## Common Tasks + +### Invite a User + +1. Go to Admin Panel: https://vault.firefrostgaming.com/admin +2. Enter admin token +3. Click **Users** tab +4. Click **Invite User** +5. Enter email address +6. User receives invitation email + +**OR (if SMTP not configured):** +- User goes to https://vault.firefrostgaming.com +- User clicks "Create Account" (if signups are enabled) +- User registers with email + +### Add User to Organization + +1. Organization owner logs into vault +2. Go to Organizations → Firefrost Gaming +3. Click **Members** +4. Click **Invite** +5. Enter user's email +6. Select role (User, Admin, Owner) +7. 
User accepts invitation + +### Share a Credential + +**Method 1: Organization Collection** +1. Move item to an Organization Collection +2. Grant user access to that Collection + +**Method 2: Individual Share** +1. Click on vault item +2. Click Share (three-dot menu) +3. Enter user's email +4. User gets access to that specific item + +### Update SMTP Settings + +1. Go to Admin Panel: https://vault.firefrostgaming.com/admin +2. Click **Settings** tab +3. Expand **SMTP Email Settings** +4. Update configuration +5. Click **Save** +6. Test with **Send test email** button + +### Backup Vaultwarden Data + +```bash +# On Command Center +docker exec vaultwarden sqlite3 /data/db.sqlite3 ".backup '/data/backup.sqlite3'" +docker cp vaultwarden:/data/backup.sqlite3 ~/vaultwarden-backup-$(date +%Y%m%d).sqlite3 +``` + +### Update Vaultwarden + +```bash +# On Command Center +docker pull vaultwarden/server:latest +docker stop vaultwarden +docker rm vaultwarden +# Re-create container with same settings (check docker inspect for exact command) +docker start vaultwarden +``` + +--- + +## Security Best Practices + +### Implemented ✅ + +- HTTPS enforced (Let's Encrypt + Cloudflare) +- Admin panel requires token +- Signups disabled (invitation-only) +- Strong password iterations (600,000) +- HIBP integration for compromised password detection +- Emergency access enabled +- Cloudflare proxy for DDoS protection + +### Recommended Improvements + +1. **Hash admin token with Argon2** + ```bash + docker exec vaultwarden /vaultwarden hash + # Update ADMIN_TOKEN environment variable with hashed output + ``` + +2. **Create dedicated vault@ email address** + - Separate from michael@firefrostgaming.com + - Better audit trail for system emails + +3. **Enable 2FA for all users** + - Require TOTP or hardware key + - Set in organization policies + +4. **Configure automated backups** + - Daily SQLite backups + - Store offsite (Ghost VPS, Billing VPS, or cloud storage) + +5. 
**Set trash auto-delete to 30 days** + - Prevents vault bloat + - Automatic cleanup + +6. **Monitor failed login attempts** + - Check Vaultwarden logs regularly + - Set up alerts for suspicious activity + +--- + +## Troubleshooting + +### "Dangerous Site" Warning in Chrome + +**Problem:** Chrome shows SSL warning when accessing vault.firefrostgaming.com + +**Cause:** Subdomain not proxied through Cloudflare (gray cloud) + +**Solution:** +1. Go to Cloudflare DNS settings +2. Find `vault` A record +3. Click gray cloud to enable proxy (turn orange) +4. Wait for DNS propagation (~5 minutes) + +### SMTP Test Fails + +**Error:** `Sender address rejected: not owned by user` + +**Cause:** From Address doesn't match Username + +**Solution:** +- Set **From Address** to match **Username** exactly +- Example: Both should be `michael@firefrostgaming.com` + +### Can't Create Organization + +**Problem:** No "New Organization" button visible + +**Cause:** Looking at Admin Panel instead of personal vault + +**Solution:** +1. Go to https://vault.firefrostgaming.com (NOT /admin) +2. Click **Organizations** in sidebar +3. Click **New Organization** + +### Websocket Error in Diagnostics + +**Status:** Known issue, not critical + +**Impact:** Real-time sync between devices may be delayed + +**Fix (optional):** +1. Configure Nginx to proxy WebSocket connections +2. Add to Nginx config: + ```nginx + location /notifications/hub { + proxy_pass http://127.0.0.1:8001; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + ``` +3. 
Reload Nginx: `nginx -s reload` + +--- + +## Related Documentation + +- [Vaultwarden Official Wiki](https://github.com/dani-garcia/vaultwarden/wiki) +- [Mailcow Configuration](mailcow-configuration.md) +- [Cloudflare DNS Setup](../infrastructure/cloudflare-dns.md) +- [Nginx Reverse Proxy](../infrastructure/nginx-proxy-configuration.md) + +--- + +**Last Updated:** 2026-03-27 +**Documented By:** The Verifier (Chronicler #42) +**Status:** ✅ Production - Fully configured and operational
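Review bot: in docs/infrastructure/cloudflare-proxy-configuration.md, the "IP Address Hiding" benefit ("Origin server IPs hidden from public", "Prevents direct attacks on infrastructure") is not delivered by the configuration this page describes. The origin addresses are written next to every proxied record, and the same hosts keep DNS-only names (`us.tx1.firefrostgaming.com` resolves to 38.68.14.26, which also serves codex, n8n and tasks; `downloads.firefrostgaming.com` resolves to 64.50.188.14, which also serves firefrostgaming.com and the three Wiki.js sites), so a client that connects to the origin directly bypasses the WAF, rate limiting and DDoS absorption unless the origin firewall stops it, and the page never requires that. Nothing under SSL/TLS "Requirements" or the decision matrix says the origin must restrict 80/443 to Cloudflare's published ranges; the only mention is the "Allow Cloudflare IPs (if using UFW)" link under the 521 section. Make that a requirement for every orange-cloud host (allow each Cloudflare range to ports 80/443, default deny the rest) and consider Authenticated Origin Pulls so the origin only accepts TLS clients presenting Cloudflare's client certificate. Two smaller inconsistencies: the "Dangerous Site" section's numbered solution (generate and install an Origin Certificate) contradicts its "Example Fix" (certificate already present, just flip the cloud to orange), and under Full (strict) a bad origin certificate surfaces as a 526, not a browser warning; and the "Game Servers (24 subdomains)" heading covers 21 names, three of which (reclamation, society, vanilla121) sit under NC1 Charlotte with 38.68.14.x addresses that the rest of the page assigns to TX1 Dallas. `vault.firefrostgaming.com: Let's Encrypt` is also listed under "DNS-Only Subdomains > Current Status" although the record is proxied.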
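Review bot: in docs/services/luckperms-mysql-database.md, the database password `Firefrost1234!!` is committed in plaintext in the User Credentials block, both connection snippets, the per-server HOCON config, the crontab line and the DROP/CREATE USER recovery SQL. Once this merges it lives in git history on git.firefrostgaming.com, so the credential must be rotated and every occurrence replaced with a reference to the Vaultwarden item that the Deployment Status section says already exists ("Credentials stored in Vaultwarden"). The exposure matters more because of how the user is created: `CREATE USER 'luckperms'@'%'` on a server with `Bind address: 0.0.0.0` on a public IP (63.143.34.217) and "Password validator: Not enabled" leaves the firewall as the only control, and the firewall step is phrased as optional ("If needed, allow specific IPs"). Make it mandatory and complete: create the user per source host (`'luckperms'@'38.68.14.26'` and `'luckperms'@'216.239.104.130'`) instead of `%`, add `REQUIRE SSL` so traffic between three providers is not cleartext on the public internet, default-deny 3306 and allow only those hosts, and check whether the 38.68.14.27 to .30 addresses that the Cloudflare page assigns to game servers also need an entry. The crontab line `mysqldump -u luckperms -p'Firefrost1234!!' luckperms | gzip > ...` also puts the password in the process list and in cron's mail; use a `~/.my.cnf` client section or a `mysql_config_editor` login path instead. Minor: the header says "all 13 game servers" while the Cloudflare page lists 21 game subdomains, and the Connection Refused fix tells the reader to set bind-address to 0.0.0.0 rather than to the specific interface the game servers reach.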
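Review bot: in docs/services/vaultwarden-configuration.md, the plaintext `ADMIN_TOKEN` (`kSUhysq6Y9yDs9mk4KW+...`) appears twice (Admin Access and Docker Configuration), and the LuckPerms MySQL password is repeated under Stored Credentials. The page's own recommendation to hash the token with `/vaultwarden hash` does not help once the value is in git history; generate a new token, hash that, set the hash as `ADMIN_TOKEN`, and keep only a pointer to the vault item here. Second, the Advanced Settings line `Client IP header: X-Real-IP ✅ (correct for Nginx proxy)` and the Nginx header `X-Real-IP $remote_addr` were right while the record was DNS-only, but now that the Cloudflare proxy is enabled `$remote_addr` is a Cloudflare edge address, so the failed-login monitoring recommended under Security Best Practices (and any per-IP throttling) records the wrong client. Configure Nginx with `set_real_ip_from` for Cloudflare's ranges and `real_ip_header CF-Connecting-IP`, or point Vaultwarden's IP header at `CF-Connecting-IP`, and restrict 443 on the origin to Cloudflare's ranges so that header cannot be forged over a direct connection. Third, the Update procedure runs `docker rm vaultwarden` and then `docker start vaultwarden`, which fails because the container no longer exists; the recreate step is only a comment. Capture the actual `docker run` command or a compose file now, not during an upgrade. Also: the WebSocket fix's `location /notifications/hub` block needs `proxy_http_version 1.1;` for Nginx to forward the `Upgrade` header; the backup command leaves `backup.sqlite3` inside `/data` and omits attachments, sends, `rsa_key*` and `config.json`, which per the Docker Configuration note holds the persisted SMTP settings; and the "Dangerous Site" troubleshooting blames the gray cloud while the same page records a valid Let's Encrypt certificate on the origin, which would not produce a certificate warning when served directly, so record what was actually observed. The /admin panel is now reachable worldwide through the proxy; consider restricting it by source IP in Nginx or behind Cloudflare Access.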