1
Credential Inventory
Shawn edited this page 2026-05-30 00:19:35 -04:00

Credential Inventory

Last verified: 2026-05-30

Already in Vaultwarden

  • Gitea — Gitea Admin, Gitea - Shawn Admin Password, Gitea - Shawn Password, Gitea API Token (Hermes), Gitea SSH Info, Gitea - Proxmox Shared Password
  • Vaultwarden — Vaultwarden - Hermes Bot, Vaultwarden - Shawn, Vaultwarden Admin Token
  • Matrix/Conduit — Matrix - 7 user tokens, Matrix Homeserver
  • Stalwart Mail — Stalwart Admin, Stalwart Mail - Postmaster, Stalwart Mail - Shawn
  • NPMplus — NPMplus Admin, NPMplus Cloudflare API Token, NPMplus Server Info
  • Proxmox — Proxmox PVE Root, Proxmox PVE2 Root, Proxmox Server Hosts
  • Ollama API — Ollama Cloud API Key (Default), Ollama Cloud API Key (Profiles)
  • OpenCode Go — OpenCode Go API Key
  • Google Gemini — Google Gemini API Key
  • SSH Keys — SSH Private Key - id_ed25519, SSH Private Key - id_comfyui, SSH Private Key - Ollama Service, SSH Private Key - pve1
  • Canteen Apps — Canteen Passwords
  • MSFS Extraction — Extraction App, Extraction App Info
  • Dashboards — Dashboards (Hermes)
  • Cypht Webmail — Cypht Webmail, Cypht Webmail (postmaster)
  • Telegram Bots — Hermes, Default, Artist, Assistant, Kanban
  • TLS — TLS Certificate - machine-id-scanner
  • Audio — Mixer Config (Audio)
  • MyCantaloupe — MyCantaloupe (API)

Missing from Vaultwarden

1. Immich

  • URL: immich.ourpad.casa (LXC 117, 192.168.0.113)
  • Admin: shawncanada@gmail.com — password set via web UI (never changed — shouldChangePassword=true)
  • DB: postgres/*** on localhost (very weak password)
  • ML: GPU via gaming PC RTX 2080 at 192.168.0.181:3003

2. Obsidian LiveSync (CouchDB)

  • Connection URI encrypted in LiveSync config — passphrase known only to user
  • Remote config name: "hermes"

3. RustDesk

  • Client at this machine (192.168.0.127) → server at rustdesk.ourpad.casa (68.202.6.107)
  • Client password + ED25519 key pair stored in local config (encrypted)
  • Server (hbbs/hbbr) keys not found — need to locate

4. Portainer — NOT deployed

5. Honcho

  • API: http://192.168.0.223:8100 (no auth — LAN only)
  • DB: postgres:honcho_pg_secret@database:5432/postgres
  • Cache: redis://redis:6379/0
  • API keys are placeholder *** (uses local OpenCode Go, no real API key needed)

Shared Authentication

All canteen web apps share a single auth system:

  • Auth module: shared-auth/canteen_auth.py in projects/
  • Backend: assets.db (users + sessions tables) via SQLite
  • Protocol: Bearer token in Authorization header
  • SSO: Cross-subdomain cookie at .ourpad.casa with auth_token
  • Password hashing: SHA-256 (legacy, not bcrypt)
  • Token: 64-char hex, stored in sessions table with expiry

Apps sharing this auth:

App URL Port Notes
canteen-asset-tracker canteen.ourpad.casa 8901 Main app
canteen-admin-server canteen.ourpad.casa 8901:8090 Admin backend
daily-route route.ourpad.casa 8904, 8905, 8906 Route tools
tech-photo-upload photo.ourpad.casa 8912 Photo tool
system-dashboard dashboard.ourpad.casa 8080 Dashboard

Canteen users are created in assets.db with SHA-256 hashed passwords. The shared auth gives every canteen app the same login credentials.

Auth per Service — Summary

Service Auth Method Credential Source
Gitea Built-in user DB (bcrypt) Gitea users + API tokens
Vaultwarden Master password + 2FA Vaultwarden Admin Token
Matrix/Conduit Access tokens Per-bot tokens
Stalwart Mail Username/password SMTP/IMAP credentials
NPMplus Built-in admin + Cloudflare API Admin + API token
Proxmox SSH key + root password SSH key in VW
Immich Email/password (bcrypt) Web UI set
Canteen apps Bearer token (SHA-256) assets.db users/sessions
RustDesk ED25519 key pair + password Client config
Honcho None (LAN-only, AUTH=*** No external auth needed
Ollama API API key VW
OpenCode Go API key VW