firefrost-operations-manual/docs/services/vaultwarden-configuration.md
Claude 43b8d3b01b docs: Add Vaultwarden, LuckPerms MySQL, and Cloudflare proxy configurations
- Vaultwarden SMTP configured and tested
- Holly and Meg invited to Vaultwarden
- Firefrost Gaming organization created
- LuckPerms MySQL database ready (credentials stored in Vaultwarden)
- 11 web services added to Cloudflare proxy for DDoS protection
- vault.firefrostgaming.com SSL warning resolved
- Comprehensive troubleshooting guides included

All services documented and operational. Ready for Holly's mod deployment.
2026-03-27 02:23:33 +00:00


Vaultwarden Configuration

Service: Vaultwarden (self-hosted password manager)
URL: https://vault.firefrostgaming.com
Admin Panel: https://vault.firefrostgaming.com/admin
Server: Command Center (63.143.34.217)
Container: Docker (vaultwarden/server:latest v1.35.3)
Port: 8001 → 80 (proxied via Nginx)
SSL: Let's Encrypt (expires May 14, 2026)
Cloudflare Proxy: Enabled (orange cloud) as of 2026-03-27


Admin Access

Admin Token:

kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW

Note: This is a plain-text token, not an Argon2 hash, so anyone who can read the container environment or this page holds the admin credential. It should be replaced with a hash generated by:

docker exec -it vaultwarden /vaultwarden hash

Put the resulting $argon2id$... string in ADMIN_TOKEN (in a docker-compose file, write each $ as $$ so it is not expanded).

SMTP Email Configuration

Configured: 2026-03-27
Status: Working (test email successful)

Settings

Future Improvement

Create dedicated vault@ mailbox:

  1. Create vault@firefrostgaming.com in Mailcow
  2. Update Vaultwarden SMTP settings to use vault@ instead of michael@

This separates vault notifications from a personal mailbox (better separation of concerns).

General Settings

Security Settings

  • Domain URL: https://vault.firefrostgaming.com
  • Allow new signups: false (prevents random registrations)
  • Allow invitations: true (required for inviting team members)
  • Password iterations: 600,000 (OWASP recommended)
  • Enable emergency access: true
  • Allow email change: true
  • Show password hint: false
  • HIBP API Key: Configured (Have I Been Pwned integration)

Storage Limits

  • Per-user attachment storage: Unlimited (empty)
  • Per-organization attachment storage: Unlimited (empty)
  • Per-user send storage: Unlimited (empty)
  • Trash auto-delete days: Not configured (recommended: 30)

Email Verification

  • Require email verification on signups: false (signups disabled anyway)
  • Auto-resend verification email after: 3600 seconds (1 hour)
  • Email auto-send limit: 6 emails

Advanced Settings

  • Client IP header: X-Real-IP (correct for Nginx proxy)
  • Icon redirect code: 302
  • Icon cache expiry (positive): 2592000 seconds
  • Icon cache expiry (negative): 259200 seconds
  • Icon download timeout: 10 seconds
  • Block non-global IPs: true (security)
  • Disable Two-Factor remember: false
  • Disable authenticator time drift: false
  • Require new device emails: false
  • Allowed iframe ancestors: Empty (prevents clickjacking)
  • Allowed connect-src: Empty

SSO Settings

  • OpenID Connect: Disabled (not configured)
  • Yubikey: Not configured
  • Global Duo: Not configured

Organizations

Firefrost Gaming Organization

Created: 2026-03-27
Owner: Michael Krause (mkrause612@gmail.com)
Billing Email: michael@firefrostgaming.com
Plan: Free (self-hosted)

Collections:

  • Default collection (auto-created)
  • Unassigned (items not in any collection)

Future Collections (Recommended):

  • Infrastructure (MySQL credentials, SSH keys, server root passwords)
  • Services (Mailcow, Pterodactyl, Paymenter, n8n, etc.)
  • Game Servers (per-server credentials)
  • Discord (bot tokens, webhook URLs)

Members:


Users

Registered Users

  1. Michael Krause

  2. Holly (unicorn20089)

  3. Meg (GingerFury)

    • Status: Invitation sent 2026-03-27
    • Pending account creation

Diagnostics (System Health)

Last checked: 2026-03-27

Versions

  • Server Installed: 1.35.3
  • Server Latest: 1.35.4 (update available, not urgent)
  • Web Installed: 2026.1.1 (current)
  • Web Latest: 2026.1.1
  • Database: SQLite 3.50.2

System Checks

  • OS/Arch: Linux x86_64
  • Running in Docker: Yes (Debian base)
  • Uses config.json: Yes
  • Reverse proxy detected: Yes
  • IP header match: Config/Server: X-Real-IP
  • Internet access: Yes
  • DNS (github.com): 140.82.112.3
  • NTP sync: Server/Browser OK
  • Domain configuration: Match, HTTPS
  • HTTP response validation: OK

Warnings

  • Websocket enabled: Error ⚠️
    • Known issue with reverse proxies
    • Not critical - only affects real-time sync
    • Can be fixed later if needed

Nginx Configuration

Location: /etc/nginx/sites-enabled/vault*

SSL Certificate:

  • Type: Let's Encrypt
  • Path: /etc/letsencrypt/live/vault.firefrostgaming.com/
  • Valid Until: May 14, 2026
  • Auto-renewal: Certbot (should renew automatically)

Proxy Configuration:


Cloudflare Configuration

DNS Record:

  • Type: A
  • Name: vault
  • Value: 63.143.34.217 (Command Center)
  • Proxy Status: Proxied (orange cloud)
  • TTL: Auto

SSL/TLS Mode: Full (strict)

Benefits:

  • DDoS protection
  • Global CDN
  • SSL managed by Cloudflare
  • Hides origin server IP

Changed: 2026-03-27 (was DNS-only, now proxied)


Docker Configuration

Container Name: vaultwarden
Image: vaultwarden/server:latest
Version: 1.35.3
Restart Policy: Always (confirmed healthy)

Key Environment Variables:

  • ADMIN_TOKEN=kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW
  • SMTP settings configured via admin panel (persisted in data volume)

Volumes:

  • Data directory: (check with docker inspect vaultwarden)

Stored Credentials

Current Vault Items

  1. LuckPerms MySQL Credentials
    • Host: 63.143.34.217
    • Port: 3306
    • Database: luckperms
    • Username: luckperms
    • Password: Firefrost1234!!
    • Notes: Used by all 13 game servers for permission sync
    • Location: Personal vault (should be moved to Infrastructure collection)

Common Tasks

Invite a User

  1. Go to Admin Panel: https://vault.firefrostgaming.com/admin
  2. Enter admin token
  3. Click Users tab
  4. Click Invite User
  5. Enter email address
  6. User receives invitation email

OR (if SMTP not configured):

Add User to Organization

  1. Organization owner logs into vault
  2. Go to Organizations → Firefrost Gaming
  3. Click Members
  4. Click Invite
  5. Enter user's email
  6. Select role (User, Admin, Owner)
  7. User accepts invitation

Share a Credential

Method 1: Organization Collection

  1. Move item to an Organization Collection
  2. Grant user access to that Collection

Method 2: Individual Share

  1. Click on vault item
  2. Click Share (three-dot menu)
  3. Enter user's email
  4. User gets access to that specific item

Update SMTP Settings

  1. Go to Admin Panel: https://vault.firefrostgaming.com/admin
  2. Click Settings tab
  3. Expand SMTP Email Settings
  4. Update configuration
  5. Click Save
  6. Test with Send test email button

Backup Vaultwarden Data

# On Command Center
docker exec vaultwarden sqlite3 /data/db.sqlite3 ".backup '/data/backup.sqlite3'"
docker cp vaultwarden:/data/backup.sqlite3 ~/vaultwarden-backup-$(date +%Y%m%d).sqlite3
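Added example, not part of the original page or the Vaultwarden project: a Python script covering both the backup procedure above and recommendation 4 under Security Best Practices (daily backups with retention). It assumes data_dir is the host path of the container's /data mount (from docker inspect vaultwarden) and dest_root is a directory you later sync offsite; the extra files it copies (config.json, rsa_key*, attachments, sends) are the ones Vaultwarden keeps beside the database.

```python
from __future__ import annotations
import shutil
import sqlite3
from datetime import date, datetime, timedelta
from pathlib import Path

# Besides db.sqlite3, Vaultwarden keeps these beside the database and they are needed
# for a restore. Paths are relative to /data in the container (host path: docker inspect).
EXTRA_FILE_GLOBS = ["config.json", "rsa_key*"]
EXTRA_DIRS = ["attachments", "sends"]

def backup_vault(data_dir: Path, dest_root: Path, keep_days: int = 30,
                 today: date | None = None) -> Path:
    """Write dest_root/<YYYYMMDD>/ with a consistent copy of db.sqlite3 plus keys,
    config and attachments, then prune backups older than keep_days."""
    today = today or date.today()
    dest = dest_root / today.strftime("%Y%m%d")
    dest.mkdir(parents=True, exist_ok=True)
    # SQLite's online backup API is what the CLI's ".backup" uses, so the copy is
    # consistent even while the container is serving requests.
    src = sqlite3.connect(str(data_dir / "db.sqlite3"))
    dst = sqlite3.connect(str(dest / "db.sqlite3"))
    src.backup(dst)
    src.close()
    dst.close()
    for pattern in EXTRA_FILE_GLOBS:
        for f in data_dir.glob(pattern):
            if f.is_file():
                shutil.copy2(f, dest / f.name)
    for name in EXTRA_DIRS:
        d = data_dir / name
        if d.is_dir():
            shutil.copytree(d, dest / name, dirs_exist_ok=True)
    prune_old_backups(dest_root, keep_days, today)
    return dest

def prune_old_backups(dest_root: Path, keep_days: int, today: date) -> list[str]:
    """Delete YYYYMMDD-named directories older than keep_days; other entries
    (e.g. notes or non-dated files) are left alone. Returns the removed names."""
    cutoff = today - timedelta(days=keep_days)
    removed = []
    for entry in dest_root.iterdir():
        try:
            stamp = datetime.strptime(entry.name, "%Y%m%d").date()
        except ValueError:
            continue
        if entry.is_dir() and stamp < cutoff:
            shutil.rmtree(entry)
            removed.append(entry.name)
    return removed
```

Run it from cron on Command Center and rsync dest_root to the offsite location; the backup directory is only as safe as the host it lands on, so treat it like the vault itself.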

Update Vaultwarden

# On Command Center
docker pull vaultwarden/server:latest
docker stop vaultwarden
docker rm vaultwarden
# Re-create the container with the same settings: take the /data mount, port mapping and
# environment from "docker inspect vaultwarden" before removing it ("docker start" cannot follow "docker rm")
docker run -d --name vaultwarden --restart always \
  -p 8001:80 \
  -v <host data directory>:/data \
  -e ADMIN_TOKEN='<admin token>' \
  vaultwarden/server:latest

Security Best Practices

Implemented

  • HTTPS enforced (Let's Encrypt + Cloudflare)
  • Admin panel requires token
  • Signups disabled (invitation-only)
  • Strong password iterations (600,000)
  • HIBP integration for compromised password detection
  • Emergency access enabled
  • Cloudflare proxy for DDoS protection
Recommended

  1. Hash admin token with Argon2

    docker exec -it vaultwarden /vaultwarden hash
    # Update ADMIN_TOKEN with the hashed output (a string starting with $argon2id$);
    # in a docker-compose file each $ must be written as $$

  2. Create dedicated vault@ email address

  3. Enable 2FA for all users
    • Require TOTP or hardware key
    • Set in organization policies

  4. Configure automated backups
    • Daily SQLite backups
    • Store offsite (Ghost VPS, Billing VPS, or cloud storage)

  5. Set trash auto-delete to 30 days
    • Prevents vault bloat
    • Automatic cleanup

  6. Monitor failed login attempts
    • Check Vaultwarden logs regularly
    • Set up alerts for suspicious activity
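Added example for recommendation 6, not part of the original page or the Vaultwarden project: a small Python check over docker logs vaultwarden output that flags source IPs with a burst of failed logins or admin-token attempts. It assumes Vaultwarden's default log line format and the two messages it logs for a rejected login and a rejected admin token (the same strings its published fail2ban filters match); the log sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Default Vaultwarden log line: "[timestamp][module][LEVEL] message".
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[[^\]]*\]\[[A-Z]+\] (?P<msg>.*)$")
# Rejected login / admin token messages (same strings the project's fail2ban filters match).
FAILED_LOGIN = re.compile(r"Username or password is incorrect\. Try again\. "
                          r"IP: (?P<ip>\S+?)\.? Username: (?P<user>\S+?)\.?(?=\s|$)")
FAILED_ADMIN = re.compile(r"Invalid admin token\. IP: (?P<ip>\S+?)\.?(?=\s|$)")

# Constructed sample of "docker logs vaultwarden" output (not real traffic).
SAMPLE_LOG = """\
[2026-03-27 02:10:01.120][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: holly@example.com.
[2026-03-27 02:10:05.433][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: holly@example.com.
[2026-03-27 02:10:09.001][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: meg@example.com.
[2026-03-27 02:10:14.777][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: meg@example.com.
[2026-03-27 02:10:20.009][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: michael@example.com.
[2026-03-27 02:11:02.500][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.7
[2026-03-27 02:30:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.9. Username: holly@example.com.
[2026-03-27 02:30:15.250][vaultwarden::api::core][INFO] unrelated line, ignored by the parser
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, ip, username) per failed auth line; '<admin>' for the admin page."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        hit = FAILED_LOGIN.search(m["msg"]) or FAILED_ADMIN.search(m["msg"])
        if hit:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, hit["ip"], hit.groupdict().get("user") or "<admin>"

def suspicious_ips(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: (count, sorted usernames)} for IPs with more than max_failures
    failed attempts inside any sliding window; count is the largest window seen."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            n = end - start + 1
            if n > max_failures and n > flagged.get(ip, (0, []))[0]:
                flagged[ip] = (n, sorted({u for _, u in events[start:end + 1]}))
    return flagged
```

Because the site sits behind Cloudflare and Nginx, the IP in these lines is whatever Nginx places in X-Real-IP; if that header is not populated from Cloudflare's CF-Connecting-IP, every attempt is attributed to Cloudflare edge addresses and the per-IP counts are meaningless.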

Troubleshooting

"Dangerous Site" Warning in Chrome

Problem: Chrome shows SSL warning when accessing vault.firefrostgaming.com

Cause: Subdomain not proxied through Cloudflare (gray cloud)

Solution:

  1. Go to Cloudflare DNS settings
  2. Find vault A record
  3. Click gray cloud to enable proxy (turn orange)
  4. Wait for DNS propagation (~5 minutes)

SMTP Test Fails

Error: Sender address rejected: not owned by user

Cause: From Address doesn't match Username

Solution:

  • Set From Address to match Username exactly
  • Example: Both should be michael@firefrostgaming.com

Can't Create Organization

Problem: No "New Organization" button visible

Cause: Looking at Admin Panel instead of personal vault

Solution:

  1. Go to https://vault.firefrostgaming.com (NOT /admin)
  2. Click Organizations in sidebar
  3. Click New Organization

Websocket Error in Diagnostics

Status: Known issue, not critical

Impact: Real-time sync between devices may be delayed

Fix (optional):

  1. Configure Nginx to proxy WebSocket connections
  2. Add to the vault server block in the Nginx config (proxy_http_version 1.1 is required, the Upgrade header is only honoured on HTTP/1.1):
    location /notifications/hub {
        proxy_pass http://127.0.0.1:8001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }

  3. Test and reload Nginx: nginx -t && nginx -s reload


Last Updated: 2026-03-27
Documented By: The Verifier (Chronicler #42)
Status: Production - Fully configured and operational