feat: add Vaultwarden password manager stack

Added self-hosted password manager to The Falcon infrastructure: **Vault Stack** (vault.pivoine.art): - Vaultwarden (Bitwarden-compatible server) - SQLite database for password storage - WebSocket support for real-time sync - TOTP and WebAuthn/U2F 2FA support - Browser extensions and mobile apps compatible **Configuration:** - Domain: https://vault.pivoine.art - Signups: Disabled (invite-only for security) - Invitations: Enabled - Password hints: Disabled (security best practice) - First user becomes admin **Backup Integration:** - Added vaultwarden-backup plan to Restic - Schedule: 8 AM daily (same as letsencrypt) - Retention: 7 daily, 4 weekly, 12 monthly, 3 yearly - Backup volume: vault_data mounted read-only **Infrastructure Updates:** - Created vault/compose.yaml following stack pattern - Added VAULT_* environment variables to arty.yml - Updated compose.yaml to include vault stack - Added backup_vaultwarden_data volume to restic - Updated restic/config.json with 12th backup plan **Documentation:** - Added Vault to CORE SYSTEMS in README - Added to ship architecture diagram - Documented in CLAUDE.md with configuration details - Updated volume management sections - Backup count increased from 11 to 12 plans Critical data backed up with long retention (3 years yearly). Compatible with official Bitwarden clients on all platforms. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-06 11:15:12 +01:00
parent fcfe508698
commit 9b433e66ad
7 changed files with 101 additions and 0 deletions
--- a/restic/compose.yaml
+++ b/restic/compose.yaml
@@ -28,6 +28,7 @@ services:
      - backup_linkwarden_data:/volumes/linkwarden_data:ro
      - backup_linkwarden_meili_data:/volumes/linkwarden_meili_data:ro
      - backup_letsencrypt_data:/volumes/letsencrypt_data:ro
+      - backup_vaultwarden_data:/volumes/vaultwarden_data:ro

    environment:
      TZ: ${TIMEZONE:-Europe/Berlin}
@@ -104,6 +105,9 @@ volumes:
  backup_letsencrypt_data:
    name: proxy_letsencrypt_data
    external: true
+  backup_vaultwarden_data:
+    name: vault_data
+    external: true

 networks:
  compose_network:
--- a/restic/config.json
+++ b/restic/config.json
@@ -194,6 +194,22 @@
          "yearly": 3
        }
      }
+    },
+    {
+      "id": "vaultwarden-backup",
+      "repo": "hidrive-backup",
+      "paths": ["/volumes/vaultwarden_data"],
+      "schedule": {
+        "cron": "0 8 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 12,
+          "yearly": 3
+        }
+      }
    }
  ]
 }