firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity
Files
e6d652e3d2223e68da96ba4ef78db4aae9c650ca
firefrost-operations-manual/docs/tasks/vaultwarden-setup/configuration-guide.md
Claude 6c49e87f7b docs: Add comprehensive Vaultwarden configuration guide 
Created complete configuration guide for Vaultwarden setup (450+ lines):

Configuration Strategy:
- Part A: SSH key setup (5 min)
- Part B: Organization setup (25 min)
- Part C: Security best practices
- Part D: Cleanup and documentation

Organization Structure:
- Organization: Firefrost Gaming (Free plan, 2 users)
- Users: Michael (owner) + Meg (admin/manager)
- Collections: 6 total with granular permissions

Collections Defined:
1. Server Credentials (Michael owner, Meg read-only)
2. API Keys & Tokens (Michael owner, Meg read-only)
3. Social Media Accounts (Both can edit)
4. Game Server Admin (Both can edit)
5. Billing & Financial (Michael owner, Meg read-only)
6. Staff & Shared Tools (Both can edit)

Security Features:
- SSH key authentication option
- Two-factor authentication (2FA) setup
- Strong master password policy
- Secure password generator settings
- Backup and recovery procedures

Migration Process:
- Step-by-step credential migration from personal vault
- Verification of Meg's access
- Cleanup of temporary credential files
- Git repository sanitization

Comprehensive troubleshooting for common issues.

Unblocks: Scoped Gitea Token, all credential management workflows

Ready to configure when Vaultwarden is deployed.

Task: Vaultwarden Setup (Tier 1)
FFG-STD-002 compliant
2026-02-18 00:01:13 +00:00

489 lines
12 KiB
Markdown
Raw Blame History

# Vaultwarden Configuration - Complete Guide
**Status:** Ready to Configure
**Priority:** Tier 1 - Security Foundation
**Time Estimate:** 30 minutes
**Last Updated:** 2026-02-17
---
## Overview
Complete Vaultwarden configuration for Firefrost Gaming. Sets up organization structure for secure credential sharing between Michael and Meg, with proper collection organization and permissions.
**Service URL:** vault.firefrostgaming.com
**Current State:** Deployed, needs configuration
**Users:** Michael (owner) + Meg (admin)
---
## Prerequisites
- [ ] Vaultwarden deployed and accessible at vault.firefrostgaming.com
- [ ] Michael's account created and verified
- [ ] Meg's email address for invitation
- [ ] List of credentials to migrate
- [ ] Browser with Vaultwarden extension (optional but recommended)
---
## Part A: SSH Key Setup (5 minutes)
### Why SSH Keys in Vaultwarden?
Adding SSH keys to Vaultwarden provides:
- Secure credential access without re-entering master password
- Two-factor authentication option
- Emergency access method
- Additional security layer
### Step 1: Generate or Locate SSH Key
**If you already have SSH keys from Command Center Security setup:**
```bash
# Display your public key
cat ~/.ssh/id_ed25519.pub
# Or
cat ~/.ssh/id_rsa.pub
```
**If you need to generate a new key specifically for Vaultwarden:**
```bash
ssh-keygen -t ed25519 -C "vaultwarden@firefrostgaming.com" -f ~/.ssh/vaultwarden_key
```
Copy the public key content.
---
### Step 2: Add SSH Key to Vaultwarden
1. **Log into** vault.firefrostgaming.com
2. Click **Settings** (gear icon, top right)
3. Navigate to **Security** tab
4. Scroll to **Security Keys** section
5. Click **Add Security Key**
6. Select **SSH Key** type
7. Paste your public SSH key
8. Give it a name: "Main Workstation Key"
9. Click **Save**
---
### Step 3: Test SSH Key Access
1. Log out of Vaultwarden
2. Try to log in again
3. You should now have option to use SSH key
4. Verify it works before proceeding
---
## Part B: Organization Setup (25 minutes)
### Step 1: Create Organization (5 min)
1. **Log into** vault.firefrostgaming.com
2. Click **Organizations** (left sidebar)
3. Click **New Organization**
4. Enter details:
- **Organization Name:** Firefrost Gaming
- **Billing Email:** admin@firefrostgaming.com (or Michael's email)
- **Plan:** Free (supports 2 users)
5. Click **Submit**
---
### Step 2: Invite Meg (3 min)
1. In **Firefrost Gaming** organization
2. Go to **Manage** tab
3. Click **People** submenu
4. Click **Invite User**
5. Enter **Meg's email address**
6. Select **User Type:** Admin (or Manager)
7. Click **Save**
**Meg will receive email invitation:**
- She needs to create her Vaultwarden account
- Then accept the organization invitation
- Verify she can see the organization
---
### Step 3: Create Collections (10 min)
Collections organize credentials by category and control access.
**Navigate to:** Organizations → Firefrost Gaming → Manage → Collections
**Create 6 collections:**
#### Collection 1: Server Credentials
- **Name:** Server Credentials
- **Description:** Root/admin access to all infrastructure servers
- **Access:** Michael (Owner), Meg (Read-only)
- **Contains:**
- Command Center root password
- TX1 root password
- NC1 root password
- Panel admin password
- Ghost VPS root password
- Billing VPS root password
#### Collection 2: API Keys & Tokens
- **Name:** API Keys & Tokens
- **Description:** API tokens for services (Pterodactyl, Gitea, etc.)
- **Access:** Michael (Owner), Meg (Read-only)
- **Contains:**
- Pterodactyl API key
- Gitea API token
- Discord bot tokens
- Any other API credentials
#### Collection 3: Social Media Accounts
- **Name:** Social Media Accounts
- **Description:** Firefrost Gaming social media logins
- **Access:** Michael (Can Edit), Meg (Can Edit)
- **Contains:**
- Discord account
- Twitter/X account
- Reddit account
- Instagram account (if applicable)
- TikTok account (if applicable)
#### Collection 4: Game Server Admin
- **Name:** Game Server Admin
- **Description:** Game server admin passwords and RCON
- **Access:** Michael (Owner), Meg (Can Edit)
- **Contains:**
- Pterodactyl panel admin login
- Server RCON passwords
- In-game admin passwords
- FTP credentials for servers
#### Collection 5: Billing & Financial
- **Name:** Billing & Financial
- **Description:** Payment processors, hosting, subscriptions
- **Access:** Michael (Owner), Meg (Read-only)
- **Contains:**
- Paymenter admin login
- Stripe account
- PayPal account
- Hosting provider logins (Hetzner, etc.)
- Domain registrar logins
#### Collection 6: Staff & Shared Tools
- **Name:** Staff & Shared Tools
- **Description:** Shared tools and services for staff
- **Access:** Michael (Can Edit), Meg (Can Edit)
- **Contains:**
- NextCloud admin
- Wiki.js admin
- Shared Google accounts (if any)
- Any other staff tools
---
### Step 4: Create Collections in Vaultwarden
**For each collection:**
1. Click **Collections** tab
2. Click **New Collection**
3. Enter **Name** and **Description**
4. Click **Save**
5. After saving, click **Access** button
6. Set permissions for Michael and Meg:
- Check boxes for users
- Select permission level (Read Only, Can Edit, Owner)
7. Click **Save**
Repeat for all 6 collections.
---
### Step 5: Migrate Credentials to Collections (7 min)
**For each password in your personal vault that should be shared:**
1. Open the credential in Vaultwarden
2. Click **Edit**
3. Under **Organization**, select: Firefrost Gaming
4. Under **Collection**, select appropriate collection
5. Click **Save**
**Example migrations:**
| Credential | From Personal Vault | To Collection |
|------------|-------------------|---------------|
| Command Center root | Personal | Server Credentials |
| Pterodactyl API key | Personal | API Keys & Tokens |
| Discord admin login | Personal | Social Media Accounts |
| Paymenter admin | Personal | Billing & Financial |
**New credentials (create in organization directly):**
1. Click **New Item** (+)
2. Select **Organization:** Firefrost Gaming
3. Select **Collection:** (appropriate one)
4. Fill in details
5. Click **Save**
---
### Step 6: Verify Meg's Access (5 min)
**After Meg accepts invitation:**
1. Have Meg log into vault.firefrostgaming.com
2. She should see "Firefrost Gaming" organization
3. Click into organization
4. Verify she can access each collection
5. Test that she can:
- **View** Server Credentials (read-only)
- **Edit** Social Media Accounts
- **View** API Keys (read-only)
- **Edit** Staff & Shared Tools
**If Meg can't see something:**
- Check collection access permissions
- Verify her user type in organization
- Re-invite if necessary
---
## Part C: Security Best Practices
### Password Generator Settings
**Configure strong password generation:**
1. Settings → Password Generator
2. Set defaults:
- **Length:** 20 characters minimum
- **Include:** Uppercase, lowercase, numbers, special characters
- **Avoid ambiguous characters:** Yes
3. Save settings
---
### Two-Factor Authentication (2FA)
**Highly recommended for both Michael and Meg:**
1. Settings → Two-Step Login
2. Choose method:
- **Authenticator App** (recommended): Use Authy or Google Authenticator
- **Email:** Backup method
3. Follow setup wizard
4. Save recovery codes in safe place (printed or secure file)
---
### Master Password Policy
**Strong master password requirements:**
- Minimum 16 characters
- Mix of uppercase, lowercase, numbers, symbols
- Not used elsewhere
- Not based on personal information
- Changed annually
**Store master password recovery:**
- Write down and store in physical safe
- Give copy to trusted person (emergency)
- DO NOT store digitally in plain text
---
## Part D: Cleanup & Documentation
### Remove Temporary Credential Files (5 min)
**After migration to Vaultwarden:**
```bash
# SSH to Command Center (or wherever credentials might be stored)
ssh root@63.143.34.217
# Search for any password files
find /root -name "*password*" -o -name "*credential*"
find /opt -name "*password*" -o -name "*credential*"
# Remove temporary credential files
rm /root/temp-passwords.txt # example
rm /root/api-keys.txt # example
# Check git repo for any committed passwords
cd /home/claude/firefrost-operations-manual
grep -r "password\|api.*key" --include="*.txt" --include="*.md"
# If found, remove them and commit
git rm path/to/sensitive/file.txt
git commit -m "security: Remove credentials migrated to Vaultwarden"
git push
```
---
### Document Vaultwarden Setup
**Update infrastructure manifest:**
```markdown
## Vaultwarden (vault.firefrostgaming.com)
**Status:** ✅ OPERATIONAL
**Location:** Command Center or dedicated server
**Users:** 2 (Michael, Meg)
**Collections:** 6
**Purpose:** Secure credential management and sharing
**Collections:**
1. Server Credentials (Michael owner, Meg read)
2. API Keys & Tokens (Michael owner, Meg read)
3. Social Media Accounts (Both can edit)
4. Game Server Admin (Both can edit)
5. Billing & Financial (Michael owner, Meg read)
6. Staff & Shared Tools (Both can edit)
**Backup:** [Backup strategy to be determined]
```
---
## Verification Checklist
**Before marking task complete:**
- [ ] SSH key added to Vaultwarden
- [ ] Organization "Firefrost Gaming" created
- [ ] Meg invited and accepted invitation
- [ ] All 6 collections created
- [ ] Collection permissions set correctly
- [ ] Shared credentials migrated from personal vault
- [ ] Meg can access all appropriate collections
- [ ] Meg can edit Social Media and Staff collections
- [ ] Meg cannot edit Server Credentials or Billing
- [ ] 2FA enabled for both users
- [ ] Temporary password files deleted
- [ ] Documentation updated
- [ ] Both users tested login and credential access
---
## Backup & Recovery
### Backup Vaultwarden Data
**Important:** Vaultwarden data should be backed up regularly
```bash
# Backup Vaultwarden database and attachments
# (Exact path depends on deployment method)
# If using Docker:
docker exec vaultwarden sqlite3 /data/db.sqlite3 .dump > vaultwarden-backup-$(date +%Y%m%d).sql
# Backup attachments
tar -czf vaultwarden-attachments-$(date +%Y%m%d).tar.gz /path/to/vaultwarden/attachments/
# Store backups off-server (NextCloud, S3, etc.)
```
**Backup schedule:** Weekly (automate with cron)
---
### Emergency Access
**If locked out of Vaultwarden:**
1. Access Vaultwarden server via SSH
2. Reset master password using Vaultwarden admin panel
3. Or restore from backup if data is lost
**Vaultwarden admin panel:** vault.firefrostgaming.com/admin
**Admin token:** Set during Vaultwarden deployment
---
## Troubleshooting
### Meg Can't See Organization
**Check:**
- Email invitation sent successfully
- Meg created account with same email
- Meg clicked invitation link in email
- Organization invitation status in Vaultwarden
**Fix:**
- Resend invitation
- Verify email address correct
- Check spam folder
---
### Collection Permissions Not Working
**Issue:** Meg can't access or edit items in collection
**Check:**
- Collection access settings (Manage → Collections → Access)
- User permission level (Read Only vs Can Edit)
- Item is actually assigned to that collection
**Fix:**
- Edit collection access
- Change Meg's permission level
- Re-assign item to correct collection
---
### Can't Migrate Item to Organization
**Issue:** Personal vault item won't move to organization
**Possible causes:**
- Item type not supported in organization
- Collection not created yet
- Organization at capacity
**Fix:**
- Verify collection exists
- Check organization limits
- Create new item in organization instead of migrating
---
## Related Tasks
- **Scoped Gitea Token** - Needs Vaultwarden for secure storage
- **Command Center Security** - SSH keys managed here
- **Staff Recruitment** - New staff need credential access
---
## Future Enhancements
**When team grows:**
- Additional collections for departments
- More granular permissions
- Groups for role-based access
- Emergency access policies
- Automated credential rotation
---
**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️
---
**Document Status:** COMPLETE
**Ready to Configure:** When Vaultwarden is deployed (30 minutes)
**Users Required:** Michael + Meg
**Dependencies:** Vaultwarden deployed, both users' email addresses
**Outcome:** Secure, organized credential management for all Firefrost infrastructure
Reference in New Issue View Git Blame Copy Permalink