
FOR GROUP · Security

Password Manager

Self-hosted Vaultwarden — Bitwarden-compatible. Invite-only, works with the browser extensions, integrated into all for-group.de subdomains.

Vaultwarden · Self-hosted

Vault Deployment

Vaultwarden

Self-hosted Bitwarden-compatible — deploy via platform-ops/vault/docker-compose.yml

vault.for-group.de · invite-only

Deploy

$ cp .env.example .env # fill VAULT_ADMIN_TOKEN

$ docker compose up -d

$ sudo certbot certonly -d vault.for-group.de

$ sudo nginx -t && sudo systemctl reload nginx

Credential Registry — store all in Vaultwarden

Vaultwarden Admin

vault.for-group.de

Self-hosted Bitwarden — admin panel requires VAULT_ADMIN_TOKEN

infrastructure

n8n Automation

n8n.for-group.de

n8n owner account — reset via user-management:reset if locked out

automation

Coolify Orchestration

coolify.for-group.de

Deployment orchestration — admin access via Coolify UI

deployment

Cockpit Control

cockpit.for-group.de

Human-facing control plane — Codex Gateway auth

control-plane

Codex Gateway

codex.for-group.de

Backend API — managed via codex-gateway.service systemd

control-plane

Cloudflare DNS

dash.cloudflare.com

DNS + WAF for all for-group.de subdomains

infrastructure

Extensions

Browser Integration

Bitwarden Chrome

Chrome Web Store

Connects to vault.for-group.de

Bitwarden Firefox

Firefox Add-ons

Server URL: https://vault.for-group.de

Bitwarden Mobile

iOS / Android

Enter the self-hosted server in the settings

CLI: bw

npm install -g @bitwarden/cli

bw config server https://vault.for-group.de

Vault hardening

Security Posture

  • Signups disabled — invite links only
  • Admin token: generate with openssl rand -base64 48
  • Rate limiting: 10 login attempts / 60s
  • Admin panel: rate limit 3 / 300s
  • HTTPS only — HSTS max-age=31536000
  • 2FA via authenticator app recommended (TOTP)
  • Data volume: for-group-vaultwarden-data
  • Backup: back up the volume daily (n8n workflow)
  • nginx CSP: wasm-unsafe-eval for Bitwarden WASM
  • Secure the admin panel /admin with an IP allowlist
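
The environment-level items of this list can be checked mechanically. The script below is an added example, not part of the for-group tooling; it assumes the settings reach the container under Vaultwarden's upstream variable names (SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, LOGIN_RATELIMIT_*, ADMIN_RATELIMIT_*, ADMIN_TOKEN, DOMAIN), which the compose file may map from other names such as VAULT_ADMIN_TOKEN.

```shell
#!/bin/sh
# Added example, not the project's own script. Assumes the env file uses
# Vaultwarden's upstream variable names; unset keys count as findings so the
# posture is pinned explicitly instead of relying on defaults.

# Print KEY's value from FILE (last assignment wins, surrounding quotes removed).
env_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed -e 's/^"//' -e 's/"$//'
}

# Record a finding unless KEY in $file equals EXPECTED.
check() {
    actual=$(env_get "$1" "$file")
    [ "$actual" = "$2" ] || findings="${findings}$1: expected $2, got '$actual'
"
}

# Print one finding per line; return 0 only when the file matches the posture.
audit_vault_env() {
    file=$1
    findings=""
    check SIGNUPS_ALLOWED false          # page: signups disabled
    check INVITATIONS_ALLOWED true       # page: invite links only
    check LOGIN_RATELIMIT_MAX_BURST 10   # page: 10 login attempts / 60s
    check LOGIN_RATELIMIT_SECONDS 60
    check ADMIN_RATELIMIT_MAX_BURST 3    # page: admin panel 3 / 300s
    check ADMIN_RATELIMIT_SECONDS 300
    token=$(env_get ADMIN_TOKEN "$file")
    # openssl rand -base64 48 produces 64 characters
    [ "${#token}" -ge 64 ] || findings="${findings}ADMIN_TOKEN: shorter than 64 characters
"
    case $(env_get DOMAIN "$file") in
        https://*) ;;
        *) findings="${findings}DOMAIN: not an https:// URL
" ;;
    esac
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: open signups and a short placeholder token.
sample=$(mktemp)
printf '%s\n' 'SIGNUPS_ALLOWED=true' 'ADMIN_TOKEN=constructed-short-token' \
    'DOMAIN=https://vault.for-group.de' > "$sample"
audit_vault_env "$sample" || echo "posture drift found"
rm -f "$sample"
```

The non-zero exit status on any finding makes the function usable as a gate before docker compose up -d.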

Download & Backup

Export passwords

Web Vault Export

  1. Open vault.for-group.de
  2. Settings > Export vault
  3. Format: encrypted_json (recommended)
  4. Confirm master password
  5. Download

CLI Export (bw)

  1. npm i -g @bitwarden/cli
  2. bw config server https://vault.for-group.de
  3. bw login owner@for-group.de
  4. export BW_SESSION="$(bw unlock --raw)"
  5. bw export --format encrypted_json --output ~/export.json

Server Backup (complete)

  1. Run vault-backup.sh
  2. Backs up: DB + attachments + RSA keys
  3. Runs automatically via cron job at 03:00
  4. 30-day retention
  5. ls ~/backups/vaultwarden/

Quick Commands

# List all password entries (names only)

bw list items | jq '.[].name'

# Single entry

bw get item "n8n.for-group.de" | jq '.login'

# Run a server backup now

~/workspaces/platform-ops/vault/vault-backup.sh

# Import existing passwords (Chrome, LastPass, 1Password, KeePass)

bw import chromecsv ~/chrome-passwords.csv