diff --git a/Credential-Inventory.md b/Credential-Inventory.md new file mode 100644 index 0000000..c203216 --- /dev/null +++ b/Credential-Inventory.md @@ -0,0 +1,88 @@ +# Credential Inventory + +Last verified: 2026-05-30 + +## Already in Vaultwarden + +- **Gitea** — Gitea Admin, Gitea - Shawn Admin Password, Gitea - Shawn Password, Gitea API Token (Hermes), Gitea SSH Info, Gitea - Proxmox Shared Password +- **Vaultwarden** — Vaultwarden - Hermes Bot, Vaultwarden - Shawn, Vaultwarden Admin Token +- **Matrix/Conduit** — Matrix - 7 user tokens, Matrix Homeserver +- **Stalwart Mail** — Stalwart Admin, Stalwart Mail - Postmaster, Stalwart Mail - Shawn +- **NPMplus** — NPMplus Admin, NPMplus Cloudflare API Token, NPMplus Server Info +- **Proxmox** — Proxmox PVE Root, Proxmox PVE2 Root, Proxmox Server Hosts +- **Ollama API** — Ollama Cloud API Key (Default), Ollama Cloud API Key (Profiles) +- **OpenCode Go** — OpenCode Go API Key +- **Google Gemini** — Google Gemini API Key +- **SSH Keys** — SSH Private Key - id_ed25519, SSH Private Key - id_comfyui, SSH Private Key - Ollama Service, SSH Private Key - pve1 +- **Canteen Apps** — Canteen Passwords +- **MSFS Extraction** — Extraction App, Extraction App Info +- **Dashboards** — Dashboards (Hermes) +- **Cypht Webmail** — Cypht Webmail, Cypht Webmail (postmaster) +- **Telegram Bots** — Hermes, Default, Artist, Assistant, Kanban +- **TLS** — TLS Certificate - machine-id-scanner +- **Audio** — Mixer Config (Audio) +- **MyCantaloupe** — MyCantaloupe (API) + +## Missing from Vaultwarden + +### 1. Immich +- URL: immich.ourpad.casa (LXC 117, 192.168.0.113) +- Admin: shawncanada@gmail.com — password set via web UI (never changed — `shouldChangePassword=true`) +- DB: postgres/*** on localhost (very weak password) +- ML: GPU via gaming PC RTX 2080 at 192.168.0.181:3003 + +### 2. Obsidian LiveSync (CouchDB) +- Connection URI encrypted in LiveSync config — passphrase known only to user +- Remote config name: "hermes" + +### 3. RustDesk +- Client at this machine (192.168.0.127) → server at rustdesk.ourpad.casa (68.202.6.107) +- Client password + ED25519 key pair stored in local config (encrypted) +- Server (hbbs/hbbr) keys not found — need to locate + +### 4. Portainer — NOT deployed +### 5. Honcho +- API: http://192.168.0.223:8100 (no auth — LAN only) +- DB: postgres:honcho_pg_secret@database:5432/postgres +- Cache: redis://redis:6379/0 +- API keys are placeholder *** (uses local OpenCode Go, no real API key needed) + +## Shared Authentication + +All canteen web apps share a single auth system: + +- **Auth module:** `shared-auth/canteen_auth.py` in projects/ +- **Backend:** assets.db (users + sessions tables) via SQLite +- **Protocol:** Bearer token in Authorization header +- **SSO:** Cross-subdomain cookie at `.ourpad.casa` with `auth_token` +- **Password hashing:** SHA-256 (legacy, not bcrypt) +- **Token:** 64-char hex, stored in sessions table with expiry + +**Apps sharing this auth:** + +App | URL | Port | Notes +---|---|---|--- +canteen-asset-tracker | canteen.ourpad.casa | 8901 | Main app +canteen-admin-server | canteen.ourpad.casa | 8901:8090 | Admin backend +daily-route | route.ourpad.casa | 8904, 8905, 8906 | Route tools +tech-photo-upload | photo.ourpad.casa | 8912 | Photo tool +system-dashboard | dashboard.ourpad.casa | 8080 | Dashboard + +**Canteen users** are created in assets.db with SHA-256 hashed passwords. The shared auth gives every canteen app the same login credentials. + +### Auth per Service — Summary + +| Service | Auth Method | Credential Source | +|---|---|---| +| Gitea | Built-in user DB (bcrypt) | Gitea users + API tokens | +| Vaultwarden | Master password + 2FA | Vaultwarden Admin Token | +| Matrix/Conduit | Access tokens | Per-bot tokens | +| Stalwart Mail | Username/password | SMTP/IMAP credentials | +| NPMplus | Built-in admin + Cloudflare API | Admin + API token | +| Proxmox | SSH key + root password | SSH key in VW | +| Immich | Email/password (bcrypt) | Web UI set | +| Canteen apps | Bearer token (SHA-256) | assets.db users/sessions | +| RustDesk | ED25519 key pair + password | Client config | +| Honcho | None (LAN-only, AUTH=*** | No external auth needed | +| Ollama API | API key | VW | +| OpenCode Go | API key | VW | diff --git a/Shared-Auth-Architecture.md b/Shared-Auth-Architecture.md new file mode 100644 index 0000000..77a6c4e --- /dev/null +++ b/Shared-Auth-Architecture.md @@ -0,0 +1,73 @@ +# Shared Authentication — Canteen Apps + +All canteen web apps authenticate through a shared module that validates against a single database. + +## Architecture + +``` +┌─────────────────────────────────────────────────────────────┐ +│ User's Browser │ +│ Authorization: Bearer │ +│ Cookie: auth_token=.ourpad.casa │ +└──────────┬──────────────────────┬──────────────────────────┘ + │ │ + ▼ ▼ +┌──────────────────┐ ┌──────────────────┐ ┌──────────┐ +│ canteen.ourpad │ │ route.ourpad │ │ (others) │ +│ .casa:8901 │ │ .casa:8904-06 │ │ │ +└──────┬───────────┘ └──────┬───────────┘ └────┬─────┘ + │ │ │ + └──────────────────────┴─────────────────────┘ + │ + ▼ + ┌────────────────────┐ + │ shared-auth/ │ + │ canteen_auth.py │ + │ (FastAPI MW) │ + └────────┬───────────┘ + │ + ▼ + ┌────────────────────┐ + │ assets.db │ + │ ┌─────────────┐ │ + │ │ users │ │ + │ │ sessions │ │ + │ └─────────────┘ │ + └────────────────────┘ +``` + +## Key Details + +- **Module location:** `projects/shared-auth/canteen_auth.py` +- **DB path:** Defaults to `projects/canteen-asset-tracker/assets.db` +- **Password hash:** SHA-256 (NOT bcrypt — legacy, stored in `password_hash` column) +- **Tokens:** 64-byte hex via `secrets.token_hex(32)`, stored in `sessions` table +- **Token expiry:** 30 days (remember_me) / 1 day (default) +- **SSO cookie:** `auth_token` at `.ourpad.casa`, `secure=true`, `samesite=lax` + +## Apps Using This Auth + +| App | URL | Ports(s) | Path | +|---|---|---|---| +| canteen-asset-tracker | canteen.ourpad.casa | 8901, 8090 (admin) | `/data/compose/3/` | +| daily-route | route.ourpad.casa | 8904, 8905, 8906 | `/data/compose/6/` | +| tech-photo-upload | photo.ourpad.casa | 8912 | `/data/compose/5/` | +| system-dashboard | dashboard.ourpad.casa | 8080 | `/data/compose/7/` | + +## Login Flow + +1. User POSTs `{username, password}` to `/api/auth/login` +2. Server hashes password with SHA-256, looks up user in `users` table +3. If valid, creates `sessions` row with token + expiry +4. Returns token in JSON body AND sets `auth_token` cookie at `.ourpad.casa` +5. All subsequent API calls validate via Bearer token or cookie + +## Admins + +All canteen apps use the same user DB. Admin is determined by `role` column in `users` table (typically `role='admin'`). Shared auth module exposes `request.state.current_user` with `{id, username, role, created_at}`. + +## Maintenance + +- To add a user: INSERT into `users` with SHA-256 password hash +- To revoke access: DELETE from `sessions` by user_id +- Password reset: update `password_hash` column (SHA-256 of new password)