Add credential inventory and shared auth architecture docs

2026-05-30 00:19:35 -04:00
parent 9d90f15ad4
commit 191642ff52
2 changed files with 161 additions and 0 deletions
+88
@@ -0,0 +1,88 @@
# Credential Inventory
Last verified: 2026-05-30
## Already in Vaultwarden
- **Gitea** — Gitea Admin, Gitea - Shawn Admin Password, Gitea - Shawn Password, Gitea API Token (Hermes), Gitea SSH Info, Gitea - Proxmox Shared Password
- **Vaultwarden** — Vaultwarden - Hermes Bot, Vaultwarden - Shawn, Vaultwarden Admin Token
- **Matrix/Conduit** — Matrix - 7 user tokens, Matrix Homeserver
- **Stalwart Mail** — Stalwart Admin, Stalwart Mail - Postmaster, Stalwart Mail - Shawn
- **NPMplus** — NPMplus Admin, NPMplus Cloudflare API Token, NPMplus Server Info
- **Proxmox** — Proxmox PVE Root, Proxmox PVE2 Root, Proxmox Server Hosts
- **Ollama API** — Ollama Cloud API Key (Default), Ollama Cloud API Key (Profiles)
- **OpenCode Go** — OpenCode Go API Key
- **Google Gemini** — Google Gemini API Key
- **SSH Keys** — SSH Private Key - id_ed25519, SSH Private Key - id_comfyui, SSH Private Key - Ollama Service, SSH Private Key - pve1
- **Canteen Apps** — Canteen Passwords
- **MSFS Extraction** — Extraction App, Extraction App Info
- **Dashboards** — Dashboards (Hermes)
- **Cypht Webmail** — Cypht Webmail, Cypht Webmail (postmaster)
- **Telegram Bots** — Hermes, Default, Artist, Assistant, Kanban
- **TLS** — TLS Certificate - machine-id-scanner
- **Audio** — Mixer Config (Audio)
- **MyCantaloupe** — MyCantaloupe (API)
## Missing from Vaultwarden
### 1. Immich
- URL: immich.ourpad.casa (LXC 117, 192.168.0.113)
- Admin: shawncanada@gmail.com — password set via web UI (never changed — `shouldChangePassword=true`)
- DB: postgres/*** on localhost (very weak password)
- ML: GPU via gaming PC RTX 2080 at 192.168.0.181:3003
### 2. Obsidian LiveSync (CouchDB)
- Connection URI encrypted in LiveSync config — passphrase known only to user
- Remote config name: "hermes"
### 3. RustDesk
- Client at this machine (192.168.0.127) → server at rustdesk.ourpad.casa (68.202.6.107)
- Client password + ED25519 key pair stored in local config (encrypted)
- Server (hbbs/hbbr) keys not found — need to locate
### 4. Portainer — NOT deployed
### 5. Honcho
- API: http://192.168.0.223:8100 (no auth — LAN only)
- DB: postgres:honcho_pg_secret@database:5432/postgres
- Cache: redis://redis:6379/0
- API keys are placeholder *** (uses local OpenCode Go, no real API key needed)
## Shared Authentication
All canteen web apps share a single auth system:
- **Auth module:** `shared-auth/canteen_auth.py` in projects/
- **Backend:** assets.db (users + sessions tables) via SQLite
- **Protocol:** Bearer token in Authorization header
- **SSO:** Cross-subdomain cookie at `.ourpad.casa` with `auth_token`
- **Password hashing:** SHA-256 (legacy, not bcrypt)
- **Token:** 64-char hex, stored in sessions table with expiry
**Apps sharing this auth:**
App | URL | Port | Notes
---|---|---|---
canteen-asset-tracker | canteen.ourpad.casa | 8901 | Main app
canteen-admin-server | canteen.ourpad.casa | 8901:8090 | Admin backend
daily-route | route.ourpad.casa | 8904, 8905, 8906 | Route tools
tech-photo-upload | photo.ourpad.casa | 8912 | Photo tool
system-dashboard | dashboard.ourpad.casa | 8080 | Dashboard
**Canteen users** are created in assets.db with SHA-256 hashed passwords. The shared auth gives every canteen app the same login credentials.
### Auth per Service — Summary
| Service | Auth Method | Credential Source |
|---|---|---|
| Gitea | Built-in user DB (bcrypt) | Gitea users + API tokens |
| Vaultwarden | Master password + 2FA | Vaultwarden Admin Token |
| Matrix/Conduit | Access tokens | Per-bot tokens |
| Stalwart Mail | Username/password | SMTP/IMAP credentials |
| NPMplus | Built-in admin + Cloudflare API | Admin + API token |
| Proxmox | SSH key + root password | SSH key in VW |
| Immich | Email/password (bcrypt) | Web UI set |
| Canteen apps | Bearer token (SHA-256) | assets.db users/sessions |
| RustDesk | ED25519 key pair + password | Client config |
| Honcho | None (LAN-only, AUTH=*** | No external auth needed |
| Ollama API | API key | VW |
| OpenCode Go | API key | VW |
+73
@@ -0,0 +1,73 @@
# Shared Authentication — Canteen Apps
All canteen web apps authenticate through a shared module that validates against a single database.
## Architecture
```
┌─────────────────────────────────────────────────────────────┐
│ User's Browser │
│ Authorization: Bearer <token> │
│ Cookie: auth_token=.ourpad.casa │
└──────────┬──────────────────────┬──────────────────────────┘
│ │
▼ ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────┐
│ canteen.ourpad │ │ route.ourpad │ │ (others) │
│ .casa:8901 │ │ .casa:8904-06 │ │ │
└──────┬───────────┘ └──────┬───────────┘ └────┬─────┘
│ │ │
└──────────────────────┴─────────────────────┘
┌────────────────────┐
│ shared-auth/ │
│ canteen_auth.py │
│ (FastAPI MW) │
└────────┬───────────┘
┌────────────────────┐
│ assets.db │
│ ┌─────────────┐ │
│ │ users │ │
│ │ sessions │ │
│ └─────────────┘ │
└────────────────────┘
```
## Key Details
- **Module location:** `projects/shared-auth/canteen_auth.py`
- **DB path:** Defaults to `projects/canteen-asset-tracker/assets.db`
- **Password hash:** SHA-256 (NOT bcrypt — legacy, stored in `password_hash` column)
- **Tokens:** 64-byte hex via `secrets.token_hex(32)`, stored in `sessions` table
- **Token expiry:** 30 days (remember_me) / 1 day (default)
- **SSO cookie:** `auth_token` at `.ourpad.casa`, `secure=true`, `samesite=lax`
## Apps Using This Auth
| App | URL | Ports(s) | Path |
|---|---|---|---|
| canteen-asset-tracker | canteen.ourpad.casa | 8901, 8090 (admin) | `/data/compose/3/` |
| daily-route | route.ourpad.casa | 8904, 8905, 8906 | `/data/compose/6/` |
| tech-photo-upload | photo.ourpad.casa | 8912 | `/data/compose/5/` |
| system-dashboard | dashboard.ourpad.casa | 8080 | `/data/compose/7/` |
## Login Flow
1. User POSTs `{username, password}` to `/api/auth/login`
2. Server hashes password with SHA-256, looks up user in `users` table
3. If valid, creates `sessions` row with token + expiry
4. Returns token in JSON body AND sets `auth_token` cookie at `.ourpad.casa`
5. All subsequent API calls validate via Bearer token or cookie
## Admins
All canteen apps use the same user DB. Admin is determined by `role` column in `users` table (typically `role='admin'`). Shared auth module exposes `request.state.current_user` with `{id, username, role, created_at}`.
## Maintenance
- To add a user: INSERT into `users` with SHA-256 password hash
- To revoke access: DELETE from `sessions` by user_id
- Password reset: update `password_hash` column (SHA-256 of new password)