# Secrets and Vaultwarden Safety Gates

## Purpose

Prevent unsafe migration of critical secrets into an incomplete Vaultwarden deployment.

## Core Rule

Do not migrate real critical secrets into Vaultwarden until the deployment has verified access, TLS, backup, recovery, and break-glass procedures.

## Minimum Gates Before Critical Secret Migration

- [ ] Base OS installation complete and documented
- [ ] Dedicated admin/assistant SSH path exists and is auditable
- [ ] Vaultwarden service deployment is documented
- [ ] HTTPS/TLS approach is satisfactory for the access boundary
- [ ] Backup plan exists and is documented
- [ ] Restore/recovery plan exists and is documented
- [ ] Break-glass/offline recovery material location is documented outside Vaultwarden
- [ ] At least one restore test is planned, and it is performed before Vaultwarden is relied on as the sole source of truth
- [ ] Server-side changes logged in `docs/server-change-log.md`

## Deferring a Gate

Some gates may be deferred during experimentation, but deferral must be explicitly recorded as a blocker/risk.

Example:

```text
Backups deferred — blocks real secret migration.
```

Do not present risky deferrals as ordinary completion options.
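The gate checklist above and the deferral rule can be enforced mechanically. The following is an added example, not part of this document or of any Vaultwarden tooling; it assumes the gates are tracked as markdown task items (`- [ ]` / `- [x]`) and that a deferred gate carries a `(deferred: <reason>)` note on the same line, both of which are assumptions, not conventions this page defines.

```shell
#!/bin/sh
# Added example: pre-migration gate check over a "- [ ] / - [x]" checklist.
# Assumption (not from the page): a deferred gate is marked on its own line
# with "(deferred: <reason>)"; a properly recorded deferral states that it
# blocks secret migration.

# Print the text of every unchecked gate in the checklist file $1.
open_gates() {
    sed -n 's/^- \[ \] //p' "$1"
}

# Print unchecked gates that are deferred but whose note does not state
# that the deferral blocks secret migration (i.e. deferrals that are
# hidden as ordinary open items rather than recorded as blockers).
unrecorded_deferrals() {
    open_gates "$1" | grep -i 'deferred' | grep -iv 'blocks .*secret migration' || true
}

# Return 0 only when every gate is checked; otherwise list what is open.
migration_allowed() {
    n=$(open_gates "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "all gates satisfied: critical secret migration allowed"
        return 0
    fi
    echo "BLOCKED: $n open gate(s):" >&2
    open_gates "$1" >&2
    return 1
}

# Constructed sample checklist (not a real deployment record), written to a
# temporary file so the functions above can be run against it.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
- [x] Base OS installation complete and documented
- [x] Dedicated admin/assistant SSH path exists and is auditable
- [ ] Backup plan exists and is documented (deferred: blocks real secret migration)
- [ ] Restore/recovery plan exists and is documented (deferred: experimenting)
- [ ] At least one restore test is planned
EOF

migration_allowed "$SAMPLE" || echo "do not migrate real secrets yet" >&2
echo "deferrals not recorded as blockers:"
unrecorded_deferrals "$SAMPLE"
```

With the sample, the check reports three open gates and flags the restore-plan deferral as not recorded as a blocker, so migration stays blocked.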

## Reverse Proxy / Nginx Note

A separate Nginx reverse proxy/TLS standard is tracked in:

- `tickets/active/2026-06-06-nginx-reverse-proxy-and-tls-standard.md`

If a service-specific Nginx is created inside the Vaultwarden guest/container, document it as a local bootstrap/temporary service unless the architecture decision explicitly makes it permanent.

Avoid accidentally creating a conflicting long-term reverse-proxy pattern before the homelab-wide TLS/reverse-proxy standard is decided. Link the Vaultwarden notes to the broader Nginx/TLS ticket and record what must later be migrated, removed, or standardized.

## Related Docs/Tickets

- `tickets/active/2026-05-18-consolidated-homelab-secrets-management.md`
- `tickets/active/2026-06-06-vaultwarden-backup-plan.md`
- `tickets/active/2026-06-06-vaultwarden-recovery-restore-plan.md`
- `runbooks/vaultwarden-deployment.md`
- `runbooks/vaultwarden-backup.md`
- `runbooks/vaultwarden-restore-test.md`
