Clone
1
Credential Inventory
Shawn edited this page 2026-05-30 00:19:35 -04:00
Credential Inventory
Last verified: 2026-05-30
Already in Vaultwarden
- Gitea — Gitea Admin, Gitea - Shawn Admin Password, Gitea - Shawn Password, Gitea API Token (Hermes), Gitea SSH Info, Gitea - Proxmox Shared Password
- Vaultwarden — Vaultwarden - Hermes Bot, Vaultwarden - Shawn, Vaultwarden Admin Token
- Matrix/Conduit — Matrix - 7 user tokens, Matrix Homeserver
- Stalwart Mail — Stalwart Admin, Stalwart Mail - Postmaster, Stalwart Mail - Shawn
- NPMplus — NPMplus Admin, NPMplus Cloudflare API Token, NPMplus Server Info
- Proxmox — Proxmox PVE Root, Proxmox PVE2 Root, Proxmox Server Hosts
- Ollama API — Ollama Cloud API Key (Default), Ollama Cloud API Key (Profiles)
- OpenCode Go — OpenCode Go API Key
- Google Gemini — Google Gemini API Key
- SSH Keys — SSH Private Key - id_ed25519, SSH Private Key - id_comfyui, SSH Private Key - Ollama Service, SSH Private Key - pve1
- Canteen Apps — Canteen Passwords
- MSFS Extraction — Extraction App, Extraction App Info
- Dashboards — Dashboards (Hermes)
- Cypht Webmail — Cypht Webmail, Cypht Webmail (postmaster)
- Telegram Bots — Hermes, Default, Artist, Assistant, Kanban
- TLS — TLS Certificate - machine-id-scanner
- Audio — Mixer Config (Audio)
- MyCantaloupe — MyCantaloupe (API)
Missing from Vaultwarden
1. Immich
- URL: immich.ourpad.casa (LXC 117, 192.168.0.113)
- Admin: shawncanada@gmail.com — password set via web UI (never changed —
shouldChangePassword=true) - DB: postgres/*** on localhost (very weak password)
- ML: GPU via gaming PC RTX 2080 at 192.168.0.181:3003
2. Obsidian LiveSync (CouchDB)
- Connection URI encrypted in LiveSync config — passphrase known only to user
- Remote config name: "hermes"
3. RustDesk
- Client at this machine (192.168.0.127) → server at rustdesk.ourpad.casa (68.202.6.107)
- Client password + ED25519 key pair stored in local config (encrypted)
- Server (hbbs/hbbr) keys not found — need to locate
4. Portainer — NOT deployed
5. Honcho
- API: http://192.168.0.223:8100 (no auth — LAN only)
- DB: postgres:honcho_pg_secret@database:5432/postgres
- Cache: redis://redis:6379/0
- API keys are placeholder *** (uses local OpenCode Go, no real API key needed)
Shared Authentication
All canteen web apps share a single auth system:
- Auth module:
shared-auth/canteen_auth.pyin projects/ - Backend: assets.db (users + sessions tables) via SQLite
- Protocol: Bearer token in Authorization header
- SSO: Cross-subdomain cookie at
.ourpad.casawithauth_token - Password hashing: SHA-256 (legacy, not bcrypt)
- Token: 64-char hex, stored in sessions table with expiry
Apps sharing this auth:
| App | URL | Port | Notes |
|---|---|---|---|
| canteen-asset-tracker | canteen.ourpad.casa | 8901 | Main app |
| canteen-admin-server | canteen.ourpad.casa | 8901:8090 | Admin backend |
| daily-route | route.ourpad.casa | 8904, 8905, 8906 | Route tools |
| tech-photo-upload | photo.ourpad.casa | 8912 | Photo tool |
| system-dashboard | dashboard.ourpad.casa | 8080 | Dashboard |
Canteen users are created in assets.db with SHA-256 hashed passwords. The shared auth gives every canteen app the same login credentials.
Auth per Service — Summary
| Service | Auth Method | Credential Source |
|---|---|---|
| Gitea | Built-in user DB (bcrypt) | Gitea users + API tokens |
| Vaultwarden | Master password + 2FA | Vaultwarden Admin Token |
| Matrix/Conduit | Access tokens | Per-bot tokens |
| Stalwart Mail | Username/password | SMTP/IMAP credentials |
| NPMplus | Built-in admin + Cloudflare API | Admin + API token |
| Proxmox | SSH key + root password | SSH key in VW |
| Immich | Email/password (bcrypt) | Web UI set |
| Canteen apps | Bearer token (SHA-256) | assets.db users/sessions |
| RustDesk | ED25519 key pair + password | Client config |
| Honcho | None (LAN-only, AUTH=*** | No external auth needed |
| Ollama API | API key | VW |
| OpenCode Go | API key | VW |