30 lines
1.2 KiB
Markdown
30 lines
1.2 KiB
Markdown
|
# Vaultwarden Secrets
|
||
|
|
|
||
|
|
Self-hosted secrets management at **vault.smilepowered.org** (Vaultwarden 2025.12.0, SSL).
|
||
|
|
|
||
|
|
## Organization
|
||
|
|
|
||
|
|
**Clawdie** (ID: `39727691-3403-4c50-89b8-d5f24310e79c`)
|
||
|
|
|
||
|
|
### Collections
|
||
|
|
|
||
|
|
| Collection | ID | Access | Purpose |
|
||
|
|
|-----------|-----|--------|---------|
|
||
|
|
| agent-secrets | `94ba61b8-633c-454e-b749-f115617eeac3` | All agents | API keys, tokens, passwords |
|
||
|
|
| bootstrap | (admin only) | Sam | Setup keys, admin tokens |
|
||
|
|
|
||
|
|
## Agent access
|
||
|
|
|
||
|
|
Each agent gets its own Vaultwarden user account and personal API key (starts with `user.`). Organization API keys do NOT work with `bw` CLI — only personal ones.
|
||
|
|
|
||
|
|
Bootstrap credentials stored in `~/.hermes/.env`:
|
||
|
|
- `BW_CLIENTID` / `BW_CLIENTSECRET` — personal API key
|
||
|
|
- `BW_PASSWORD` — master password
|
||
|
|
- `BW_SERVER` — https://vault.smilepowered.org
|
||
|
|
|
||
|
|
All other secrets move into the vault, fetched by `bw` CLI at runtime. Currently stored: hermes-debby Forgejo password, provider API keys pending migration.
|
||
|
|
|
||
|
|
## bw CLI
|
||
|
|
|
||
|
|
Installed via npx wrapper at `~/.local/bin/bw` (version must match Vaultwarden server — 2025.12.0). Login via `bw login --apikey`, unlock via `bw unlock --passwordenv BW_PASSWORD`.
|