firefrost-operations-manual/docs/tasks/vaultwarden-setup/configuration-guide.md
Claude 6c49e87f7b docs: Add comprehensive Vaultwarden configuration guide
Created complete configuration guide for Vaultwarden setup (450+ lines):

Configuration Strategy:
- Part A: SSH key setup (5 min)
- Part B: Organization setup (25 min)
- Part C: Security best practices
- Part D: Cleanup and documentation

Organization Structure:
- Organization: Firefrost Gaming (Free plan, 2 users)
- Users: Michael (owner) + Meg (admin/manager)
- Collections: 6 total with granular permissions

Collections Defined:
1. Server Credentials (Michael owner, Meg read-only)
2. API Keys & Tokens (Michael owner, Meg read-only)
3. Social Media Accounts (Both can edit)
4. Game Server Admin (Both can edit)
5. Billing & Financial (Michael owner, Meg read-only)
6. Staff & Shared Tools (Both can edit)

Security Features:
- SSH key authentication option
- Two-factor authentication (2FA) setup
- Strong master password policy
- Secure password generator settings
- Backup and recovery procedures

Migration Process:
- Step-by-step credential migration from personal vault
- Verification of Meg's access
- Cleanup of temporary credential files
- Git repository sanitization

Comprehensive troubleshooting for common issues.

Unblocks: Scoped Gitea Token, all credential management workflows

Ready to configure when Vaultwarden is deployed.

Task: Vaultwarden Setup (Tier 1)
FFG-STD-002 compliant
2026-02-18 00:01:13 +00:00


Vaultwarden Configuration - Complete Guide

Status: Ready to Configure
Priority: Tier 1 - Security Foundation
Time Estimate: 30 minutes
Last Updated: 2026-02-17


Overview

Complete Vaultwarden configuration for Firefrost Gaming. Sets up organization structure for secure credential sharing between Michael and Meg, with proper collection organization and permissions.

Service URL: vault.firefrostgaming.com
Current State: Deployed, needs configuration
Users: Michael (owner) + Meg (admin)


Prerequisites

  • Vaultwarden deployed and accessible at vault.firefrostgaming.com
  • Michael's account created and verified
  • Meg's email address for invitation
  • List of credentials to migrate
  • Browser with Vaultwarden extension (optional but recommended)

Part A: SSH Key Setup (5 minutes)

Why SSH Keys in Vaultwarden?

Adding SSH keys to Vaultwarden provides:

  • Secure credential access without re-entering master password
  • Two-factor authentication option
  • Emergency access method
  • Additional security layer

Step 1: Generate or Locate SSH Key

If you already have SSH keys from Command Center Security setup:

```bash
# Display your public key
cat ~/.ssh/id_ed25519.pub
# Or
cat ~/.ssh/id_rsa.pub
```

If you need to generate a new key specifically for Vaultwarden:

```bash
ssh-keygen -t ed25519 -C "vaultwarden@firefrostgaming.com" -f ~/.ssh/vaultwarden_key
```

Copy the public key content.


Step 2: Add SSH Key to Vaultwarden

  1. Log into vault.firefrostgaming.com
  2. Click Settings (gear icon, top right)
  3. Navigate to Security tab
  4. Scroll to Security Keys section
  5. Click Add Security Key
  6. Select SSH Key type
  7. Paste your public SSH key
  8. Give it a name: "Main Workstation Key"
  9. Click Save

Step 3: Test SSH Key Access

  1. Log out of Vaultwarden
  2. Try to log in again
  3. You should now have the option to use the SSH key
  4. Verify it works before proceeding

Part B: Organization Setup (25 minutes)

Step 1: Create Organization (5 min)

  1. Log into vault.firefrostgaming.com
  2. Click Organizations (left sidebar)
  3. Click New Organization
  4. Enter details:
    • Organization Name: Firefrost Gaming
    • Billing Email: admin@firefrostgaming.com (or Michael's email)
    • Plan: Free (supports 2 users)
  5. Click Submit

Step 2: Invite Meg (3 min)

  1. In Firefrost Gaming organization
  2. Go to Manage tab
  3. Click People submenu
  4. Click Invite User
  5. Enter Meg's email address
  6. Select User Type: Admin (or Manager)
  7. Click Save

Meg will receive an email invitation:

  • She needs to create her Vaultwarden account
  • Then accept the organization invitation
  • Verify she can see the organization

Step 3: Create Collections (10 min)

Collections organize credentials by category and control access.

Navigate to: Organizations → Firefrost Gaming → Manage → Collections

Create 6 collections:

Collection 1: Server Credentials

  • Name: Server Credentials
  • Description: Root/admin access to all infrastructure servers
  • Access: Michael (Owner), Meg (Read-only)
  • Contains:
    • Command Center root password
    • TX1 root password
    • NC1 root password
    • Panel admin password
    • Ghost VPS root password
    • Billing VPS root password

Collection 2: API Keys & Tokens

  • Name: API Keys & Tokens
  • Description: API tokens for services (Pterodactyl, Gitea, etc.)
  • Access: Michael (Owner), Meg (Read-only)
  • Contains:
    • Pterodactyl API key
    • Gitea API token
    • Discord bot tokens
    • Any other API credentials

Collection 3: Social Media Accounts

  • Name: Social Media Accounts
  • Description: Firefrost Gaming social media logins
  • Access: Michael (Can Edit), Meg (Can Edit)
  • Contains:
    • Discord account
    • Twitter/X account
    • Reddit account
    • Instagram account (if applicable)
    • TikTok account (if applicable)

Collection 4: Game Server Admin

  • Name: Game Server Admin
  • Description: Game server admin passwords and RCON
  • Access: Michael (Owner), Meg (Can Edit)
  • Contains:
    • Pterodactyl panel admin login
    • Server RCON passwords
    • In-game admin passwords
    • FTP credentials for servers

Collection 5: Billing & Financial

  • Name: Billing & Financial
  • Description: Payment processors, hosting, subscriptions
  • Access: Michael (Owner), Meg (Read-only)
  • Contains:
    • Paymenter admin login
    • Stripe account
    • PayPal account
    • Hosting provider logins (Hetzner, etc.)
    • Domain registrar logins

Collection 6: Staff & Shared Tools

  • Name: Staff & Shared Tools
  • Description: Shared tools and services for staff
  • Access: Michael (Can Edit), Meg (Can Edit)
  • Contains:
    • NextCloud admin
    • Wiki.js admin
    • Shared Google accounts (if any)
    • Any other staff tools

Step 4: Create Collections in Vaultwarden

For each collection:

  1. Click Collections tab
  2. Click New Collection
  3. Enter Name and Description
  4. Click Save
  5. After saving, click Access button
  6. Set permissions for Michael and Meg:
    • Check boxes for users
    • Select permission level (Read Only, Can Edit, Owner)
  7. Click Save

Repeat for all 6 collections.


Step 5: Migrate Credentials to Collections (7 min)

For each password in your personal vault that should be shared:

  1. Open the credential in Vaultwarden
  2. Click Edit
  3. Under Organization, select: Firefrost Gaming
  4. Under Collection, select appropriate collection
  5. Click Save

Example migrations:

| Credential | From Personal Vault | To Collection |
|---|---|---|
| Command Center root | Personal | Server Credentials |
| Pterodactyl API key | Personal | API Keys & Tokens |
| Discord admin login | Personal | Social Media Accounts |
| Paymenter admin | Personal | Billing & Financial |

New credentials (create in organization directly):

  1. Click New Item (+)
  2. Select Organization: Firefrost Gaming
  3. Select Collection: (appropriate one)
  4. Fill in details
  5. Click Save

Step 6: Verify Meg's Access (5 min)

After Meg accepts the invitation:

  1. Have Meg log into vault.firefrostgaming.com
  2. She should see "Firefrost Gaming" organization
  3. Click into organization
  4. Verify she can access each collection
  5. Test that she can:
    • View Server Credentials (read-only)
    • Edit Social Media Accounts
    • View API Keys (read-only)
    • Edit Staff & Shared Tools

If Meg can't see something:

  • Check collection access permissions
  • Verify her user type in organization
  • Re-invite if necessary

Part C: Security Best Practices

Password Generator Settings

Configure strong password generation:

  1. Settings → Password Generator
  2. Set defaults:
    • Length: 20 characters minimum
    • Include: Uppercase, lowercase, numbers, special characters
    • Avoid ambiguous characters: Yes
  3. Save settings

Two-Factor Authentication (2FA)

Highly recommended for both Michael and Meg:

  1. Settings → Two-Step Login
  2. Choose method:
    • Authenticator App (recommended): Use Authy or Google Authenticator
    • Email: Backup method
  3. Follow setup wizard
  4. Save recovery codes in safe place (printed or secure file)

Master Password Policy

Strong master password requirements:

  • Minimum 16 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Not used elsewhere
  • Not based on personal information
  • Changed annually

Store master password recovery:

  • Write down and store in physical safe
  • Give copy to trusted person (emergency)
  • DO NOT store digitally in plain text

Part D: Cleanup & Documentation

Remove Temporary Credential Files (5 min)

After migration to Vaultwarden:

```bash
# SSH to Command Center (or wherever credentials might be stored)
ssh root@63.143.34.217

# Search for any password files (regular files only, case-insensitive)
find /root -type f \( -iname "*password*" -o -iname "*credential*" \)
find /opt -type f \( -iname "*password*" -o -iname "*credential*" \)

# Remove temporary credential files
rm /root/temp-passwords.txt  # example
rm /root/api-keys.txt  # example

# Check git repo for any committed passwords (case-insensitive, with line numbers)
cd /home/claude/firefrost-operations-manual
grep -rin "password\|api.*key" --include="*.txt" --include="*.md" .

# If found, remove them and commit
# (git rm only drops the file from new commits; it stays in earlier history)
git rm path/to/sensitive/file.txt
git commit -m "security: Remove credentials migrated to Vaultwarden"
git push
```
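The `grep` above inspects only the checked-out files, and `git rm` leaves the file readable in every earlier commit. As an added example (not part of the original guide), this function walks all commits and reports each matching `.txt`/`.md` path as `in-head` or `history-only`; the function name and the default pattern are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. scan_history and its default
# pattern are illustrative names/values chosen here.
#
# Usage: scan_history <repo-dir> [extended-regex]
# Prints one line per matching .txt/.md path found in ANY commit:
#   in-head <path>       the current HEAD still contains a match
#   history-only <path>  removed or scrubbed in HEAD, still readable in history
scan_history() (
    repo=$1
    pattern=${2:-'password|passwd|secret|api[_-]?key|token'}
    cd "$repo" || exit 1

    git rev-list --all | while read -r rev; do
        # -I skip binaries, -i ignore case, -l names only, -E extended regex.
        # git grep exits 1 on "no match", which is not an error here.
        git grep -I -i -l -E -e "$pattern" "$rev" -- '*.txt' '*.md' || true
    done |
        sed 's/^[0-9a-f]*://' |   # strip the "<commit>:" prefix git grep adds
        sort -u |
        while read -r path; do
            if git grep -I -i -q -E -e "$pattern" HEAD -- "$path"; then
                echo "in-head $path"
            else
                echo "history-only $path"
            fi
        done
)

# Example call against the repository path used in the guide:
#   scan_history /home/claude/firefrost-operations-manual
```

Any `history-only` hit is still recoverable from a clone of the repository, so that credential should be rotated as well as deleted.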

Document Vaultwarden Setup

Update infrastructure manifest:

```markdown
## Vaultwarden (vault.firefrostgaming.com)

**Status:** ✅ OPERATIONAL  
**Location:** Command Center or dedicated server  
**Users:** 2 (Michael, Meg)  
**Collections:** 6  
**Purpose:** Secure credential management and sharing

**Collections:**
1. Server Credentials (Michael owner, Meg read)
2. API Keys & Tokens (Michael owner, Meg read)
3. Social Media Accounts (Both can edit)
4. Game Server Admin (Both can edit)
5. Billing & Financial (Michael owner, Meg read)
6. Staff & Shared Tools (Both can edit)

**Backup:** [Backup strategy to be determined]
```

Verification Checklist

Before marking task complete:

  • SSH key added to Vaultwarden
  • Organization "Firefrost Gaming" created
  • Meg invited and accepted invitation
  • All 6 collections created
  • Collection permissions set correctly
  • Shared credentials migrated from personal vault
  • Meg can access all appropriate collections
  • Meg can edit Social Media and Staff collections
  • Meg cannot edit Server Credentials or Billing
  • 2FA enabled for both users
  • Temporary password files deleted
  • Documentation updated
  • Both users tested login and credential access

Backup & Recovery

Backup Vaultwarden Data

Important: Vaultwarden data should be backed up regularly

```bash
# Backup Vaultwarden database and attachments
# (Exact path depends on deployment method)

# If using Docker:
docker exec vaultwarden sqlite3 /data/db.sqlite3 .dump > vaultwarden-backup-$(date +%Y%m%d).sql

# Backup attachments
tar -czf vaultwarden-attachments-$(date +%Y%m%d).tar.gz /path/to/vaultwarden/attachments/

# Store backups off-server (NextCloud, S3, etc.)
```

Backup schedule: Weekly (automate with cron)
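A cron-ready wrapper around the two backup commands above, as an added example rather than part of the original guide: it restricts file permissions, rejects a failed or empty dump, and prunes old copies. The function name, retention count and script path in the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. The function name, the keep
# count and the install path in the cron line are assumptions; the container
# name, database path and file names are the ones the guide uses.
#
# Usage: backup_vaultwarden <attachments-dir> <backup-dir> [keep]
# Prints the path of the SQL dump it wrote.
backup_vaultwarden() (
    attachments=$1
    dest=$2
    keep=${3:-8}                      # weekly runs: about two months
    stamp=$(date +%Y%m%d)
    sql="$dest/vaultwarden-backup-$stamp.sql"
    tgz="$dest/vaultwarden-attachments-$stamp.tar.gz"

    umask 077                         # backup files readable by the owner only
    mkdir -p "$dest" || exit 1

    # Write to a temp name first so a failed run never leaves a file that
    # looks like a valid backup.
    if ! docker exec vaultwarden sqlite3 /data/db.sqlite3 .dump > "$sql.tmp" ||
       ! [ -s "$sql.tmp" ]; then
        rm -f "$sql.tmp"
        echo "vaultwarden backup: dump failed or empty" >&2
        exit 1
    fi
    mv "$sql.tmp" "$sql" || exit 1

    tar -czf "$tgz" -C "$(dirname "$attachments")" \
        "$(basename "$attachments")" || exit 1

    # Retention: date-stamped names sort chronologically; drop all but the
    # newest $keep of each kind.
    for kind in 'vaultwarden-backup-*.sql' 'vaultwarden-attachments-*.tar.gz'; do
        ls -1 "$dest"/$kind 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
            while read -r old; do rm -f "$old"; done
    done
    echo "$sql"
)

# Weekly crontab entry (Sunday 03:00), assuming the function is wrapped in a
# script installed at /usr/local/bin/vaultwarden-backup.sh:
#   0 3 * * 0 /usr/local/bin/vaultwarden-backup.sh
```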


Emergency Access

If locked out of Vaultwarden:

  1. Access Vaultwarden server via SSH
  2. Reset master password using Vaultwarden admin panel
  3. Or restore from backup if data is lost

Vaultwarden admin panel: vault.firefrostgaming.com/admin
Admin token: Set during Vaultwarden deployment


Troubleshooting

Meg Can't See Organization

Check:

  • Email invitation sent successfully
  • Meg created account with same email
  • Meg clicked invitation link in email
  • Organization invitation status in Vaultwarden

Fix:

  • Resend invitation
  • Verify email address correct
  • Check spam folder

Collection Permissions Not Working

Issue: Meg can't access or edit items in collection

Check:

  • Collection access settings (Manage → Collections → Access)
  • User permission level (Read Only vs Can Edit)
  • Item is actually assigned to that collection

Fix:

  • Edit collection access
  • Change Meg's permission level
  • Re-assign item to correct collection

Can't Migrate Item to Organization

Issue: Personal vault item won't move to organization

Possible causes:

  • Item type not supported in organization
  • Collection not created yet
  • Organization at capacity

Fix:

  • Verify collection exists
  • Check organization limits
  • Create new item in organization instead of migrating

Related Tasks

  • Scoped Gitea Token - Needs Vaultwarden for secure storage
  • Command Center Security - SSH keys managed here
  • Staff Recruitment - New staff need credential access

Future Enhancements

When team grows:

  • Additional collections for departments
  • More granular permissions
  • Groups for role-based access
  • Emergency access policies
  • Automated credential rotation

Fire + Frost + Foundation = Where Love Builds Legacy 💙🔥❄️


Document Status: COMPLETE
Ready to Configure: When Vaultwarden is deployed (30 minutes)
Users Required: Michael + Meg
Dependencies: Vaultwarden deployed, both users' email addresses
Outcome: Secure, organized credential management for all Firefrost infrastructure