viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

homelab vault: install bw system-wide + onboarding runbook

Browse source 
Two remaining gaps to let non-admins (emo) use `homelab vault`:

- setup-devvm.sh installed `@bitwarden/cli` only when `command -v bw`
  failed, which an admin's own ~/.local/bin/bw satisfied — so the
  system-wide copy was never installed and non-admins had no `bw`
  backend. Install to the npm /usr prefix and guard on the system path
  (/usr/bin/bw) instead.

- Add docs/runbooks/homelab-vault-onboarding.md (per-user setup, the
  shared Organization/Collection flow for sharing passwords, admin
  deploy + verification, security model) and repoint the two code
  comments that cited a design-spec path which never existed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-27 08:16:52 +00:00
parent 51dc5d031c
commit b371ae6eee
3 changed files with 131 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

13
scripts/workstation/setup-devvm.sh
View file

@ -72,11 +72,14 @@ if [[ -n "$want_t3" && "$(t3 --version 2>/dev/null | awk '{print $NF}' | sed 's/
fi
# 2c) Bitwarden CLI — backs `homelab vault` (per-user no-HITL Vaultwarden access).
# npm-global so every user's PATH resolves it. Pinned major; best-effort (a
# failure only disables `homelab vault`, nothing else on the box).
if ! command -v bw >/dev/null; then
log "npm: installing @bitwarden/cli (homelab vault backend)"
npm install -g "@bitwarden/cli@^2024" >/dev/null 2>&1 || log "WARN: @bitwarden/cli install failed; homelab vault unavailable"
# Install SYSTEM-WIDE (npm prefix /usr → /usr/bin/bw) so EVERY user's PATH
# resolves it. The guard tests the SYSTEM path, NOT `command -v bw`: the
# latter is satisfied by an admin's own ~/.local/bin/bw and would skip the
# system install, leaving non-admins (emo, anca, …) with no backend. Pinned
# major; best-effort (a failure only disables `homelab vault`).
if [ ! -x /usr/bin/bw ] && [ ! -x /usr/local/bin/bw ]; then
log "npm: installing @bitwarden/cli system-wide (homelab vault backend)"
npm install -g --prefix /usr "@bitwarden/cli@^2024" >/dev/null 2>&1 || log "WARN: @bitwarden/cli install failed; homelab vault unavailable"
fi
# 3) kubelogin (kubectl oidc-login) system-wide — NOT the apt 'kubelogin' (= Azure tool).