Secrets & Credentials
All homelab secrets are stored in Bitwarden (family plan), in a shared collection accessible to both myself and my girlfriend. In an emergency, she can retrieve any credential needed to access or recover the infrastructure.
What's in Bitwarden
| Secret | Notes |
|---|---|
| OPNsense credentials | Router/firewall admin access |
| pve0-core root password | Proxmox host root login |
| pve1-media root password | Proxmox host root login |
| pve0-core secours user credentials | Emergency user account on pve0-core |
| pve1-media secours user credentials | Emergency user account on pve1-media |
| Bastion secours access password | Shell access on the bastion host |
| secours SSH private key | Accepted by all servers in the homelab |
| Restic passphrases | One per B2 bucket (pob-pve-backup, zpool0-family, zpool0-vault) |
| Tailnet disablement secret | Required to disable Tailscale Lock if the tailnet needs to be unlocked |
| WiFi passphrases | All PPSK passwords for the Cosmos SSID |
| zpool0/family decryption passphrase | ZFS dataset unlock |
| zpool0/vault decryption passphrase | ZFS dataset unlock |
Emergency Access
If the homelab needs to be recovered and I am unavailable, my girlfriend has access to the full Bitwarden shared collection. Combined with the documentation in this repo and bastion access via Tailscale (group:secours), she has everything needed to retrieve files or call for help.
See tailscale.md for her emergency SSH access to the bastion. See zfs-encryption.md for dataset unlock procedures.