firefrost-operations-manual/docs/services/vaultwarden-configuration.md
Claude 79e28352b2 docs: Add Vaultwarden, LuckPerms MySQL, and Cloudflare proxy configurations
- Vaultwarden SMTP configured and tested
- Holly and Meg invited to Vaultwarden
- Firefrost Gaming organization created
- LuckPerms MySQL database ready (credentials stored in Vaultwarden)
- 11 web services added to Cloudflare proxy for DDoS protection
- vault.firefrostgaming.com SSL warning resolved
- Comprehensive troubleshooting guides included

All services documented and operational. Ready for Holly's mod deployment.
2026-03-27 02:23:33 +00:00


# Vaultwarden Configuration
**Service:** Vaultwarden (self-hosted password manager)
**URL:** https://vault.firefrostgaming.com
**Admin Panel:** https://vault.firefrostgaming.com/admin
**Server:** Command Center (63.143.34.217)
**Container:** Docker (vaultwarden/server:latest v1.35.3)
**Port:** 8001 → 80 (proxied via Nginx)
**SSL:** Let's Encrypt (expires May 14, 2026)
**Cloudflare Proxy:** Enabled (orange cloud) as of 2026-03-27

---
## Admin Access
**Admin Token:**
```
kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW
```
**Note:** This is a plaintext token (not Argon2-hashed), so anyone who can read this file or the container's environment can open the admin panel. Hash it with:
```bash
docker exec -it vaultwarden /vaultwarden hash   # -it is required: the command prompts for the token
```
---
## SMTP Email Configuration
**Configured:** 2026-03-27
**Status:** ✅ Working (test email successful)
### Settings
- **Enabled:** true
- **Host:** mail.firefrostgaming.com
- **Port:** 587
- **Secure SMTP:** STARTTLS
- **From Address:** michael@firefrostgaming.com
- **From Name:** Vaultwarden
- **Username:** michael@firefrostgaming.com
- **Password:** [Stored in Vaultwarden - michael@firefrostgaming.com mailbox password]
- **Auth Mechanism:** (default)
- **Connection Timeout:** 15 seconds
### Future Improvement
**Create dedicated vault@ mailbox:**
1. Create `vault@firefrostgaming.com` in Mailcow
2. Update Vaultwarden SMTP settings to use vault@ instead of michael@
3. Provides better separation of concerns
---
## General Settings
### Security Settings
- **Domain URL:** https://vault.firefrostgaming.com ✅
- **Allow new signups:** false ✅ (prevents random registrations)
- **Allow invitations:** true ✅ (required for inviting team members)
- **Password iterations:** 600,000 ✅ (OWASP recommended)
- **Enable emergency access:** true ✅
- **Allow email change:** true ✅
- **Show password hint:** false ✅
- **HIBP API Key:** Configured ✅ (Have I Been Pwned integration)
### Storage Limits
- **Per-user attachment storage:** Unlimited (empty)
- **Per-organization attachment storage:** Unlimited (empty)
- **Per-user send storage:** Unlimited (empty)
- **Trash auto-delete days:** Not configured (recommended: 30)
### Email Verification
- **Require email verification on signups:** false ✅ (signups disabled anyway)
- **Auto-resend verification email after:** 3600 seconds (1 hour) ✅
- **Email auto-send limit:** 6 emails ✅
---
## Advanced Settings
- **Client IP header:** X-Real-IP ✅ (correct for the Nginx proxy; note that since the subdomain is now behind Cloudflare, `$remote_addr` is a Cloudflare edge address unless Nginx restores the visitor IP from `CF-Connecting-IP`, e.g. with the real_ip module, so logged login-failure IPs will otherwise be Cloudflare's)
- **Icon redirect code:** 302 ✅
- **Icon cache expiry (positive):** 2592000 seconds ✅
- **Icon cache expiry (negative):** 259200 seconds ✅
- **Icon download timeout:** 10 seconds ✅
- **Block non-global IPs:** true ✅ (icon fetches to private, loopback or link-local addresses are refused, so the icon fetcher cannot be pointed at internal services)
- **Disable Two-Factor remember:** false ✅
- **Disable authenticator time drift:** false ✅
- **Require new device emails:** false ✅
- **Allowed iframe ancestors:** Empty ✅ (prevents clickjacking)
- **Allowed connect-src:** Empty ✅
---
## SSO Settings
- **OpenID Connect:** Disabled (not configured)
- **Yubikey:** Not configured
- **Global Duo:** Not configured
---
## Organizations
### Firefrost Gaming Organization
**Created:** 2026-03-27
**Owner:** Michael Krause (mkrause612@gmail.com)
**Billing Email:** michael@firefrostgaming.com
**Plan:** Free (self-hosted)
**Collections:**
- Default collection (auto-created)
- Unassigned (items not in any collection)
**Future Collections (Recommended):**
- Infrastructure (MySQL credentials, SSH keys, server root passwords)
- Services (Mailcow, Pterodactyl, Paymenter, n8n, etc.)
- Game Servers (per-server credentials)
- Discord (bot tokens, webhook URLs)
**Members:**
- Michael Krause (Owner) ✅
- Holly (unicorn20089@firefrostgaming.com) - Invitation sent 2026-03-27 ⏳
- Meg (GingerFury) - Invitation sent 2026-03-27 ⏳
---
## Users
### Registered Users
1. **Michael Krause**
   - Email: mkrause612@gmail.com
   - Role: Owner/Admin
   - Status: Active ✅
2. **Holly (unicorn20089)**
   - Email: unicorn20089@firefrostgaming.com
   - Status: Invitation sent 2026-03-27 ⏳
   - Pending account creation
3. **Meg (GingerFury)**
   - Status: Invitation sent 2026-03-27 ⏳
   - Pending account creation
---
## Diagnostics (System Health)
**Last checked:** 2026-03-27
### Versions
- **Server Installed:** 1.35.3
- **Server Latest:** 1.35.4 (update available, not urgent)
- **Web Installed:** 2026.1.1 ✅ (current)
- **Web Latest:** 2026.1.1 ✅
- **Database:** SQLite 3.50.2 ✅
### System Checks
- **OS/Arch:** Linux x86_64 ✅
- **Running in Docker:** Yes (Debian base) ✅
- **Uses config.json:** Yes ✅
- **Reverse proxy detected:** Yes ✅
- **IP header match:** Config/Server: X-Real-IP ✅
- **Internet access:** Yes ✅
- **DNS (github.com):** 140.82.112.3 ✅
- **NTP sync:** Server/Browser OK ✅
- **Domain configuration:** Match, HTTPS ✅
- **HTTP response validation:** OK ✅
### Warnings
- **Websocket enabled:** Error ⚠️
  - Known issue with reverse proxies (Nginx must pass the Upgrade/Connection headers for `/notifications/hub`)
  - Not critical; only affects real-time sync
  - Can be fixed later if needed
---
## Nginx Configuration
**Location:** `/etc/nginx/sites-enabled/vault*`
**SSL Certificate:**
- **Type:** Let's Encrypt
- **Path:** `/etc/letsencrypt/live/vault.firefrostgaming.com/`
- **Valid Until:** May 14, 2026
- **Auto-renewal:** Certbot (should renew automatically)
**Proxy Configuration:**
- **Backend:** http://127.0.0.1:8001
- **Headers Set:**
  - `Host $host`
  - `X-Real-IP $remote_addr`
  - Standard proxy headers
---
## Cloudflare Configuration
**DNS Record:**
- **Type:** A
- **Name:** vault
- **Value:** 63.143.34.217 (Command Center)
- **Proxy Status:** Proxied (orange cloud) ✅
- **TTL:** Auto
**SSL/TLS Mode:** Full (strict)
**Benefits:**
- DDoS protection
- Global CDN
- Edge TLS terminated by Cloudflare (the origin still serves the Let's Encrypt certificate, which Full (strict) mode requires)
- Hides the origin server IP (only as long as no unproxied DNS record or other service on 63.143.34.217 reveals it)
**Changed:** 2026-03-27 (was DNS-only, now proxied)

---
## Docker Configuration
**Container Name:** vaultwarden
**Image:** vaultwarden/server:latest
**Version:** 1.35.3
**Restart Policy:** Always (container confirmed running and healthy)
**Key Environment Variables:**
- `ADMIN_TOKEN=kSUhysq6Y9yDs9mk4KW+2N6qUzJn2AP6tCJnhdm1g2HCqcEse+rOzteIFyPRL5VW`
- SMTP settings configured via admin panel (persisted in `config.json` in the data volume)
**Volumes:**
- Data directory: (check with `docker inspect vaultwarden`)
---
## Stored Credentials
### Current Vault Items
1. **LuckPerms MySQL Credentials**
   - **Host:** 63.143.34.217
   - **Port:** 3306
   - **Database:** luckperms
   - **Username:** luckperms
   - **Password:** Firefrost1234!!
   - **Notes:** Used by all 13 game servers for permission sync
   - **Location:** Personal vault (should be moved to Infrastructure collection)
---
## Common Tasks
### Invite a User
1. Go to Admin Panel: https://vault.firefrostgaming.com/admin
2. Enter admin token
3. Click **Users** tab
4. Click **Invite User**
5. Enter email address
6. User receives invitation email
**OR (if SMTP not configured):**
- User goes to https://vault.firefrostgaming.com
- User clicks "Create Account" (if signups are enabled)
- User registers with email
### Add User to Organization
1. Organization owner logs into vault
2. Go to Organizations → Firefrost Gaming
3. Click **Members**
4. Click **Invite**
5. Enter user's email
6. Select role (User, Admin, Owner)
7. User accepts invitation
### Share a Credential
**Method 1: Organization Collection**
1. Move item to an Organization Collection
2. Grant user access to that Collection
**Method 2: Individual Share**
1. Click on vault item
2. Click Share (three-dot menu)
3. Enter user's email
4. User gets access to that specific item
### Update SMTP Settings
1. Go to Admin Panel: https://vault.firefrostgaming.com/admin
2. Click **Settings** tab
3. Expand **SMTP Email Settings**
4. Update configuration
5. Click **Save**
6. Test with **Send test email** button
### Backup Vaultwarden Data
```bash
# On Command Center. .backup gives a consistent snapshot (never copy the live db.sqlite3);
# it needs the sqlite3 CLI in the container, else run sqlite3 on the host data directory.
docker exec vaultwarden sqlite3 /data/db.sqlite3 ".backup '/data/backup.sqlite3'"
# Copy the whole data dir: snapshot + attachments/, sends/, rsa_key*, config.json (SMTP etc.)
docker cp vaultwarden:/data ~/vaultwarden-backup-$(date +%Y%m%d)
```
### Update Vaultwarden
```bash
# On Command Center. Record the exact data path, port binding and env vars BEFORE
# removing the container: docker inspect vaultwarden
docker pull vaultwarden/server:latest
docker stop vaultwarden
docker rm vaultwarden
# Re-create with the same settings (<data-dir> and <admin-token> are placeholders;
# binding to 127.0.0.1 keeps port 8001 reachable only through the local Nginx proxy)
docker run -d --name vaultwarden --restart always \
  -p 127.0.0.1:8001:80 \
  -e ADMIN_TOKEN='<admin-token>' \
  -v <data-dir>:/data \
  vaultwarden/server:latest
```
---
## Security Best Practices
### Implemented ✅
- HTTPS enforced (Let's Encrypt + Cloudflare)
- Admin panel requires token
- Signups disabled (invitation-only)
- Strong password iterations (600,000)
- HIBP integration for compromised password detection
- Emergency access enabled
- Cloudflare proxy for DDoS protection
### Recommended Improvements
1. **Hash admin token with Argon2**
   ```bash
   docker exec -it vaultwarden /vaultwarden hash
   # Set ADMIN_TOKEN to the printed "$argon2id$..." string, single-quoted on the
   # docker run line; in a compose file every "$" must be written as "$$"
   ```
2. **Create dedicated vault@ email address**
   - Separate from michael@firefrostgaming.com
   - Better audit trail for system emails
3. **Enable 2FA for all users**
   - Require TOTP or hardware key
   - Set in organization policies
4. **Configure automated backups**
   - Daily SQLite backups
   - Store offsite (Ghost VPS, Billing VPS, or cloud storage)
5. **Set trash auto-delete to 30 days**
   - Prevents vault bloat
   - Automatic cleanup
6. **Monitor failed login attempts**
   - Check Vaultwarden logs regularly
   - Set up alerts for suspicious activity
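As an added example (not part of this runbook or of Vaultwarden's own tooling), a small Python script for improvement 6: it parses the failed-login and invalid-admin-token lines that Vaultwarden writes to its log, counts failures per source IP inside a sliding time window and flags sources that cross a threshold. The message strings are the ones Vaultwarden emits (the same ones its documented fail2ban filters match); the sample log lines, IPs and usernames are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Vaultwarden log lines look like "[timestamp][module][LEVEL] message"; failed user logins
# and rejected admin tokens carry the client IP in the message (fail2ban matches these too).
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[[^\]]+\]\[[A-Z]+\] (?P<msg>.*)$")
FAILED_LOGIN = re.compile(r"Username or password is incorrect\. Try again\. "
                          r"IP: (?P<ip>[0-9a-fA-F:.]+?)\. Username: (?P<user>\S+)\.")
FAILED_ADMIN = re.compile(r"Invalid admin token\. IP: (?P<ip>[0-9a-fA-F:.]+?)\.?$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # Vaultwarden's default LOG_TIMESTAMP_FORMAT

# Constructed sample log for the demo (documentation-range IPs, made-up usernames).
SAMPLE_LOG = """\
[2026-03-27 02:00:01.104][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: holly@example.com.
[2026-03-27 02:00:04.311][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: holly@example.com.
[2026-03-27 02:00:07.920][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: meg@example.com.
[2026-03-27 02:01:15.002][request][INFO] GET /api/sync
[2026-03-27 02:02:40.517][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: meg@example.com.
[2026-03-27 02:03:12.088][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 203.0.113.5
[2026-03-27 02:03:13.540][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 203.0.113.5
[2026-03-27 02:30:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: holly@example.com.
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, ip, username or '<admin>') for every failed authentication."""
    for line in lines:
        m = LOG_LINE.match(line)
        f = m and (FAILED_LOGIN.search(m["msg"]) or FAILED_ADMIN.search(m["msg"]))
        if f:
            user = f["user"] if "user" in f.groupdict() else "<admin>"
            yield datetime.strptime(m["ts"], TS_FORMAT), f["ip"], user

def flag_sources(lines, window_minutes=10, threshold=5):
    """Map ip -> (peak failures inside one window, usernames tried) for IPs at/over threshold."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:  # a single typo never trips the alert
            flagged[ip] = (peak, sorted({u for _, u in events}))
    return flagged
```

Feed it the output of `docker logs vaultwarden`; the flagged IPs are only meaningful if Nginx forwards the real client address, which behind the Cloudflare proxy means restoring it from `CF-Connecting-IP` first.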
---
## Troubleshooting
### "Dangerous Site" Warning in Chrome
**Problem:** Chrome shows SSL warning when accessing vault.firefrostgaming.com
**Cause:** Subdomain not proxied through Cloudflare (gray cloud)
**Solution:**
1. Go to Cloudflare DNS settings
2. Find `vault` A record
3. Click gray cloud to enable proxy (turn orange)
4. Wait for DNS propagation (~5 minutes)
### SMTP Test Fails
**Error:** `Sender address rejected: not owned by user`
**Cause:** From Address doesn't match Username
**Solution:**
- Set **From Address** to match **Username** exactly
- Example: Both should be `michael@firefrostgaming.com`
### Can't Create Organization
**Problem:** No "New Organization" button visible
**Cause:** Looking at Admin Panel instead of personal vault
**Solution:**
1. Go to https://vault.firefrostgaming.com (NOT /admin)
2. Click **Organizations** in sidebar
3. Click **New Organization**
### Websocket Error in Diagnostics
**Status:** Known issue, not critical
**Impact:** Real-time sync between devices may be delayed
**Fix (optional):**
1. Configure Nginx to proxy WebSocket connections
2. Add to the Nginx config (inside the `vault.firefrostgaming.com` server block; `proxy_http_version 1.1` is required for the Upgrade handshake):
```nginx
location /notifications/hub {
    proxy_pass http://127.0.0.1:8001;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
```
3. Test and reload Nginx: `nginx -t && nginx -s reload`
---
## Related Documentation
- [Vaultwarden Official Wiki](https://github.com/dani-garcia/vaultwarden/wiki)
- [Mailcow Configuration](mailcow-configuration.md)
- [Cloudflare DNS Setup](../infrastructure/cloudflare-dns.md)
- [Nginx Reverse Proxy](../infrastructure/nginx-proxy-configuration.md)
---
**Last Updated:** 2026-03-27
**Documented By:** The Verifier (Chronicler #42)
**Status:** ✅ Production - Fully configured and operational