# Vaultwarden Configuration

**Service:** Vaultwarden (self-hosted password manager)
**URL:** https://vault.firefrostgaming.com
**Admin Panel:** https://vault.firefrostgaming.com/admin
**Server:** Command Center (63.143.34.217)
**Container:** Docker (vaultwarden/server:latest v1.35.3)
**Port:** 8001 → 80 (proxied via Nginx)
**SSL:** Let's Encrypt (expires May 14, 2026)
**Cloudflare Proxy:** Enabled (orange cloud) as of 2026-03-27

---

## Admin Access

**Admin Token:**

```
kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW
```

**Note:** This is a plain text token (not Argon2 hashed). It should be replaced with an Argon2 hash so the secret itself is not readable from the container environment (`docker inspect` shows it); generate the hash with:

```bash
docker exec -it vaultwarden /vaultwarden hash   # interactive: prompts for the new token, prints a $argon2id$... hash
# Use that hash as ADMIN_TOKEN (in docker-compose.yml, escape each $ as $$)
```

---

## SMTP Email Configuration

**Configured:** 2026-03-27
**Status:** ✅ Working (test email successful)

### Settings

- **Enabled:** true
- **Host:** mail.firefrostgaming.com
- **Port:** 587
- **Secure SMTP:** STARTTLS
- **From Address:** michael@firefrostgaming.com
- **From Name:** Vaultwarden
- **Username:** michael@firefrostgaming.com
- **Password:** [Stored in Vaultwarden - michael@firefrostgaming.com mailbox password]
- **Auth Mechanism:** (default)
- **Connection Timeout:** 15 seconds

### Future Improvement

**Create dedicated vault@ mailbox:**

1. Create `vault@firefrostgaming.com` in Mailcow
2. Update Vaultwarden SMTP settings to use vault@ instead of michael@
3.
   Provides better separation of concerns

---

## General Settings

### Security Settings

- **Domain URL:** https://vault.firefrostgaming.com ✅
- **Allow new signups:** false ✅ (prevents random registrations)
- **Allow invitations:** true ✅ (required for inviting team members)
- **Password iterations:** 600,000 ✅ (OWASP recommended)
- **Enable emergency access:** true ✅
- **Allow email change:** true ✅
- **Show password hint:** false ✅
- **HIBP API Key:** Configured ✅ (Have I Been Pwned integration)

### Storage Limits

- **Per-user attachment storage:** Unlimited (empty)
- **Per-organization attachment storage:** Unlimited (empty)
- **Per-user send storage:** Unlimited (empty)
- **Trash auto-delete days:** Not configured (recommended: 30)

### Email Verification

- **Require email verification on signups:** false ✅ (signups disabled anyway)
- **Auto-resend verification email after:** 3600 seconds (1 hour) ✅
- **Email auto-send limit:** 6 emails ✅

---

## Advanced Settings

- **Client IP header:** X-Real-IP ✅ (correct for Nginx proxy). Caveat: with the Cloudflare proxy enabled, `$remote_addr` as seen by Nginx is a Cloudflare edge address, so X-Real-IP only carries the real client IP if Nginx restores it from `CF-Connecting-IP` (real_ip module); otherwise IP-based blocking and log review act on Cloudflare's IPs.
- **Icon redirect code:** 302 ✅
- **Icon cache expiry (positive):** 2592000 seconds ✅
- **Icon cache expiry (negative):** 259200 seconds ✅
- **Icon download timeout:** 10 seconds ✅
- **Block non-global IPs:** true ✅ (security)
- **Disable Two-Factor remember:** false ✅
- **Disable authenticator time drift:** false ✅
- **Require new device emails:** false ✅
- **Allowed iframe ancestors:** Empty ✅ (prevents clickjacking)
- **Allowed connect-src:** Empty ✅

---

## SSO Settings

- **OpenID Connect:** Disabled (not configured)
- **Yubikey:** Not configured
- **Global Duo:** Not configured

---

## Organizations

### Firefrost Gaming Organization

**Created:** 2026-03-27
**Owner:** Michael Krause (mkrause612@gmail.com)
**Billing Email:** michael@firefrostgaming.com
**Plan:** Free (self-hosted)

**Collections:**

- Default collection (auto-created)
- Unassigned (items not in any collection)

**Future Collections (Recommended):**

- Infrastructure (MySQL
  credentials, SSH keys, server root passwords)
- Services (Mailcow, Pterodactyl, Paymenter, n8n, etc.)
- Game Servers (per-server credentials)
- Discord (bot tokens, webhook URLs)

**Members:**

- Michael Krause (Owner) ✅
- Holly (unicorn20089@firefrostgaming.com) - Invitation sent 2026-03-27 ⏳
- Meg (GingerFury) - Invitation sent 2026-03-27 ⏳

---

## Users

### Registered Users

1. **Michael Krause**
   - Email: mkrause612@gmail.com
   - Role: Owner/Admin
   - Status: Active ✅
2. **Holly (unicorn20089)**
   - Email: unicorn20089@firefrostgaming.com
   - Status: Invitation sent 2026-03-27 ⏳
   - Pending account creation
3. **Meg (GingerFury)**
   - Status: Invitation sent 2026-03-27 ⏳
   - Pending account creation

---

## Diagnostics (System Health)

**Last checked:** 2026-03-27

### Versions

- **Server Installed:** 1.35.3
- **Server Latest:** 1.35.4 (update available, not urgent)
- **Web Installed:** 2026.1.1 ✅ (current)
- **Web Latest:** 2026.1.1 ✅
- **Database:** SQLite 3.50.2 ✅

### System Checks

- **OS/Arch:** Linux x86_64 ✅
- **Running in Docker:** Yes (Debian base) ✅
- **Uses config.json:** Yes ✅
- **Reverse proxy detected:** Yes ✅
- **IP header match:** Config/Server: X-Real-IP ✅
- **Internet access:** Yes ✅
- **DNS (github.com):** 140.82.112.3 ✅
- **NTP sync:** Server/Browser OK ✅
- **Domain configuration:** Match, HTTPS ✅
- **HTTP response validation:** OK ✅

### Warnings

- **Websocket enabled:** Error ⚠️
  - Known issue with reverse proxies
  - Not critical - only affects real-time sync
  - Can be fixed later if needed

---

## Nginx Configuration

**Location:** `/etc/nginx/sites-enabled/vault*`

**SSL Certificate:**

- **Type:** Let's Encrypt
- **Path:** `/etc/letsencrypt/live/vault.firefrostgaming.com/`
- **Valid Until:** May 14, 2026
- **Auto-renewal:** Certbot (should renew automatically)

**Proxy Configuration:**

- **Backend:** http://127.0.0.1:8001
- **Headers Set:**
  - `Host $host`
  - `X-Real-IP $remote_addr`
  - Standard proxy headers

---

## Cloudflare Configuration

**DNS Record:**

- **Type:** A
- **Name:** vault
- **Value:** 63.143.34.217 (Command Center)
- **Proxy Status:** Proxied (orange cloud) ✅
- **TTL:** Auto

**SSL/TLS Mode:** Full (strict)

**Benefits:**

- DDoS protection
- Global CDN
- SSL managed by Cloudflare
- Hides origin server IP

**Changed:** 2026-03-27 (was DNS-only, now proxied)

---

## Docker Configuration

**Container Name:** vaultwarden
**Image:** vaultwarden/server:latest
**Version:** 1.35.3
**Restart Policy:** Always (confirmed healthy)

**Key Environment Variables:**

- `ADMIN_TOKEN=kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW`
- SMTP settings configured via admin panel (persisted in data volume)

**Volumes:**

- Data directory: (check with `docker inspect vaultwarden`)

---

## Stored Credentials

### Current Vault Items

1. **LuckPerms MySQL Credentials**
   - **Host:** 63.143.34.217
   - **Port:** 3306
   - **Database:** luckperms
   - **Username:** luckperms
   - **Password:** Firefrost1234!!
   - **Notes:** Used by all 13 game servers for permission sync
   - **Location:** Personal vault (should be moved to Infrastructure collection)

---

## Common Tasks

### Invite a User

1. Go to Admin Panel: https://vault.firefrostgaming.com/admin
2. Enter admin token
3. Click **Users** tab
4. Click **Invite User**
5. Enter email address
6. User receives invitation email

**OR (if SMTP not configured):**

- User goes to https://vault.firefrostgaming.com
- User clicks "Create Account" (if signups are enabled)
- User registers with email

### Add User to Organization

1. Organization owner logs into vault
2. Go to Organizations → Firefrost Gaming
3. Click **Members**
4. Click **Invite**
5. Enter user's email
6. Select role (User, Admin, Owner)
7. User accepts invitation

### Share a Credential

**Method 1: Organization Collection**

1. Move item to an Organization Collection
2. Grant user access to that Collection

**Method 2: Individual Share**

1. Click on vault item
2. Click Share (three-dot menu)
3. Enter user's email
4.
   User gets access to that specific item

### Update SMTP Settings

1. Go to Admin Panel: https://vault.firefrostgaming.com/admin
2. Click **Settings** tab
3. Expand **SMTP Email Settings**
4. Update configuration
5. Click **Save**
6. Test with **Send test email** button

### Backup Vaultwarden Data

```bash
# On Command Center. Needs the sqlite3 CLI inside the image; if it is missing, run sqlite3 on the host against the data directory instead.
docker exec vaultwarden sqlite3 /data/db.sqlite3 ".backup '/data/backup.sqlite3'"
docker cp vaultwarden:/data/backup.sqlite3 ~/vaultwarden-backup-$(date +%Y%m%d).sqlite3
docker exec vaultwarden rm /data/backup.sqlite3   # do not leave the copy inside the data volume
# A full restore also needs attachments/, sends/, rsa_key* and config.json from /data
```

### Update Vaultwarden

```bash
# On Command Center
docker pull vaultwarden/server:latest
docker inspect vaultwarden   # note the /data mount and environment before removing the container
docker stop vaultwarden
docker rm vaultwarden
# `docker rm` deletes the container, so `docker start` cannot follow it: re-create it with the
# same settings (port, restart policy and token from this page; replace the data path with the inspected one)
docker run -d --name vaultwarden --restart always -p 8001:80 \
  -e ADMIN_TOKEN='<current ADMIN_TOKEN value>' \
  -v /path/to/vaultwarden-data:/data \
  vaultwarden/server:latest
```

---

## Security Best Practices

### Implemented ✅

- HTTPS enforced (Let's Encrypt + Cloudflare)
- Admin panel requires token
- Signups disabled (invitation-only)
- Strong password iterations (600,000)
- HIBP integration for compromised password detection
- Emergency access enabled
- Cloudflare proxy for DDoS protection

### Recommended Improvements

1. **Hash admin token with Argon2**

   ```bash
   docker exec -it vaultwarden /vaultwarden hash   # interactive: prompts for the token, prints the hash
   # Update ADMIN_TOKEN environment variable with hashed output
   # (in docker-compose.yml, escape each $ in the hash as $$)
   ```

2. **Create dedicated vault@ email address**
   - Separate from michael@firefrostgaming.com
   - Better audit trail for system emails
3. **Enable 2FA for all users**
   - Require TOTP or hardware key
   - Set in organization policies
4. **Configure automated backups**
   - Daily SQLite backups
   - Store offsite (Ghost VPS, Billing VPS, or cloud storage)
5. **Set trash auto-delete to 30 days**
   - Prevents vault bloat
   - Automatic cleanup
6.
   **Monitor failed login attempts**
   - Check Vaultwarden logs regularly
   - Set up alerts for suspicious activity

---

## Troubleshooting

### "Dangerous Site" Warning in Chrome

**Problem:** Chrome shows SSL warning when accessing vault.firefrostgaming.com
**Cause:** Subdomain not proxied through Cloudflare (gray cloud)
**Solution:**

1. Go to Cloudflare DNS settings
2. Find `vault` A record
3. Click gray cloud to enable proxy (turn orange)
4. Wait for DNS propagation (~5 minutes)

### SMTP Test Fails

**Error:** `Sender address rejected: not owned by user`
**Cause:** From Address doesn't match Username
**Solution:**

- Set **From Address** to match **Username** exactly
- Example: Both should be `michael@firefrostgaming.com`

### Can't Create Organization

**Problem:** No "New Organization" button visible
**Cause:** Looking at Admin Panel instead of personal vault
**Solution:**

1. Go to https://vault.firefrostgaming.com (NOT /admin)
2. Click **Organizations** in sidebar
3. Click **New Organization**

### Websocket Error in Diagnostics

**Status:** Known issue, not critical
**Impact:** Real-time sync between devices may be delayed
**Fix (optional):**

1. Configure Nginx to proxy WebSocket connections
2. Add to Nginx config:

   ```nginx
   location /notifications/hub {
       proxy_pass http://127.0.0.1:8001;
       proxy_http_version 1.1;   # required, the Upgrade handshake does not work over HTTP/1.0
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
   }
   ```

3. Reload Nginx: `nginx -s reload`

---

## Related Documentation

- [Vaultwarden Official Wiki](https://github.com/dani-garcia/vaultwarden/wiki)
- [Mailcow Configuration](mailcow-configuration.md)
- [Cloudflare DNS Setup](../infrastructure/cloudflare-dns.md)
- [Nginx Reverse Proxy](../infrastructure/nginx-proxy-configuration.md)

---

**Last Updated:** 2026-03-27
**Documented By:** The Verifier (Chronicler #42)
**Status:** ✅ Production - Fully configured and operational
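Recommended Improvement 4 (daily backups, stored offsite) and the Backup Vaultwarden Data task above: an added example, not part of this runbook or of the Vaultwarden project, that snapshots the database through SQLite's online backup API, bundles the other files a restore needs, and prunes archives by age. It assumes the container's /data is bind-mounted at a host path passed as `data_dir`; `make_sample_env` builds a constructed stand-in, and copying the archive offsite is left to whatever transfer tool is used.

```python
import shutil, sqlite3, tarfile, tempfile
from datetime import datetime, timedelta
from pathlib import Path

# A restore needs all of these from /data: db.sqlite3 (snapshotted through SQLite's online backup
# API, never a raw copy of the live file), attachments/, sends/, rsa_key* (JWT keys), config.json.
EXTRA_PATHS = ["attachments", "sends", "config.json"]


def backup_vaultwarden(data_dir, dest_dir, keep_days=30):
    """Write dest_dir/vaultwarden-<stamp>.tar.gz; return (archive, member names, pruned names)."""
    data_dir, dest_dir = Path(data_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"vaultwarden-{datetime.now():%Y%m%d-%H%M%S}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, snap = sqlite3.connect(data_dir / "db.sqlite3"), sqlite3.connect(tmp / "db.sqlite3")
        src.backup(snap)  # consistent snapshot even while Vaultwarden is writing
        src.close()
        snap.close()
        for name in EXTRA_PATHS + [p.name for p in data_dir.glob("rsa_key*")]:
            p = data_dir / name
            if p.is_dir():
                shutil.copytree(p, tmp / name)
            elif p.is_file():
                shutil.copy2(p, tmp / name)
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(tmp, arcname="data")
            members = sorted(tar.getnames())
    # Retention is keyed on the timestamp in the file name, not on mtime (which offsite copies change)
    cutoff = datetime.now() - timedelta(days=keep_days)
    pruned = [p for p in dest_dir.glob("vaultwarden-*.tar.gz")
              if p != archive and datetime.strptime(p.name[12:-7], "%Y%m%d-%H%M%S") < cutoff]
    for p in pruned:
        p.unlink()
    return archive, members, [p.name for p in pruned]


def make_sample_env():
    """Constructed stand-in for /data plus one stale archive (no real vault data), for offline runs."""
    root = Path(tempfile.mkdtemp())
    data, dest = root / "data", root / "backups"
    (data / "attachments" / "c1").mkdir(parents=True)
    (data / "attachments" / "c1" / "file.bin").write_bytes(b"constructed")
    (data / "rsa_key.pem").write_text("constructed key")
    (data / "config.json").write_text("{}")
    with sqlite3.connect(data / "db.sqlite3") as db:
        db.execute("CREATE TABLE users (email TEXT)")
        db.execute("INSERT INTO users VALUES ('owner@example.com')")
    dest.mkdir()
    (dest / "vaultwarden-20250101-000000.tar.gz").write_bytes(b"")  # older than keep_days
    return data, dest
```

Run it from a daily cron entry on Command Center with the real data path and a destination that is then synced offsite.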
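Recommended Improvement 6 (monitor failed login attempts): an added example, not part of this runbook or of the Vaultwarden project, that parses `docker logs vaultwarden` output for failed user logins and rejected admin tokens and flags any IP that fails repeatedly inside a short window. The sample lines are constructed; their wording follows Vaultwarden's own error messages, which is an assumption to confirm against the live log before relying on the patterns.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of `docker logs vaultwarden` output; the message wording mirrors Vaultwarden's
# own errors for a failed user login and a bad admin token (an assumption to check against live logs).
SAMPLE_LOG = """\
[2026-03-27 21:00:01.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: owner@example.com.
[2026-03-27 21:00:09.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: owner@example.com.
[2026-03-27 21:00:15.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: holly@example.com.
[2026-03-27 21:01:00.000][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.9.
[2026-03-27 21:02:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.0.2.4. Username: owner@example.com.
[2026-03-27 23:30:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.0.2.4. Username: owner@example.com.
"""
USER_FAIL_RE = re.compile(r"incorrect\. Try again\. IP: (?P<ip>[0-9a-fA-F.:]+?)\. Username: (?P<user>.+)\.$")
ADMIN_FAIL_RE = re.compile(r"Invalid admin token\. IP: (?P<ip>[0-9a-fA-F.:]+?)\.(?:\s|$)")


def parse_failures(log_text):
    """Return (timestamp, kind, ip, username) for every failed user or admin login line."""
    events = []
    for line in log_text.splitlines():
        u, a = USER_FAIL_RE.search(line), ADMIN_FAIL_RE.search(line)
        if not (u or a):
            continue
        ts = datetime.strptime(line[1:20], "%Y-%m-%d %H:%M:%S")  # the leading [YYYY-MM-DD HH:MM:SS
        events.append((ts, "user", u["ip"], u["user"]) if u else (ts, "admin", a["ip"], None))
    return events


def find_suspicious(events, window=timedelta(minutes=5), threshold=3):
    """Flag an IP with >= threshold failures inside any sliding window, or any admin-token failure at
    all (only the owner should reach /admin). IPs are only meaningful if X-Real-IP carries the client."""
    by_ip = defaultdict(list)
    for ts, kind, ip, user in events:
        by_ip[ip].append((ts, kind, user))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort(key=lambda e: e[0])
        worst, j = 0, 0
        for i, (ts, _, _) in enumerate(items):
            while ts - items[j][0] > window:  # slide the window start forward
                j += 1
            worst = max(worst, i - j + 1)
        admin_hits = sum(1 for _, kind, _ in items if kind == "admin")
        if worst >= threshold or admin_hits:
            alerts[ip] = {"max_in_window": worst, "admin_failures": admin_hits,
                          "usernames": sorted({u for _, _, u in items if u})}
    return alerts
```

Feed it `docker logs --since 24h vaultwarden 2>&1` from a cron job and send the returned dict to whatever alert channel the team uses.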