Credentials Reference
This page does NOT contain actual passwords
This document only describes where credentials are stored and who manages them. Never put actual passwords, tokens, or keys in documentation or git repositories.
Credential Locations
Infrastructure Access
| Credential | Storage Location | Managed By |
|---|---|---|
| NUC user password | Not stored digitally -- ask Hari directly | Hari |
| Cloud root password | Contabo control panel | Hari |
| Cloud user passwords | /etc/shadow on the cloud server | Hari |
Application Credentials
| Credential | Storage Location | Managed By |
|---|---|---|
| AstraPBX API admin token | /opt/astrapbx/.env on cloud server | Hari |
| Zoiper user passwords | Database (did_numbers / extensions table) | Generated per user |
| Database password | /opt/astrapbx/.env on cloud server | Hari |
VPN and Tunnel
| Credential | Storage Location | Managed By |
|---|---|---|
| WireGuard private keys | /etc/wireguard/wg0.conf on each server | Hari |
| WireGuard public keys | Exchanged between peers in wg0.conf | Hari |
| Cloudflare Tunnel token | Cloudflare Zero Trust dashboard | Hari |
Third-Party Accounts
| Service | Account | Managed By |
|---|---|---|
| Cloudflare | Hariandprojects@gmail.com | Hari |
| GitHub (astradial) | astradial org | Hari |
| Netdata Cloud | Hari's Netdata account | Hari |
| Contabo | Contabo customer portal | Hari |
Retrieving Credentials
AstraPBX API Token
Zoiper User Password
Query the database on the cloud server:
```bash
# Connect to the cloud server, then look up the stored password for one extension
ssh root@89.116.31.109
psql -U astrapbx -d astrapbx_db -c "SELECT username, password FROM extensions WHERE username = 'org_mna9x47k_1001';"
```
WireGuard Keys
Security Policies
Mandatory rules for all team members
Never do these:
- Never commit passwords, tokens, or private keys to git
- Never share credentials over Slack, email, or any unencrypted channel
- Never store credentials in plain text files outside of the designated locations above
- Never reuse passwords across services
Always do these:
- Share credentials only through secure, ephemeral channels (in person, encrypted messaging, or a secrets manager)
- Rotate shared credentials when a freelancer or contractor's access is revoked
- Use SSH keys instead of passwords for server access
- Use unique, generated passwords for each Zoiper user account
Access Revocation Checklist
When a freelancer or contractor finishes their engagement:
- [ ] Remove their SSH user account from the cloud server
- [ ] Remove their SSH user account from the NUC (if applicable)
- [ ] Remove their SSH public key from all authorized_keys files
- [ ] Remove their email from Cloudflare Access policies
- [ ] Disable or delete their Zoiper extension credentials
- [ ] Rotate the AstraPBX API token if they had access to it
- [ ] Rotate any other shared secrets they may have seen
- [ ] Revoke GitHub access if they were added to the astradial org
- [ ] Review and remove any WireGuard peer configurations they used
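
One way to verify the host-side items of the checklist above (user account, authorized_keys entries, WireGuard peer) after offboarding. This is an added example, not part of the original runbook; the function names, the user `freelancer1`, the key blobs and the tree built by `make_sample` are all constructed for illustration.

```sh
#!/bin/sh
# Added example: audit one host for leftovers of a departed contractor.
# Every user name, key and path below is constructed sample data.

account_exists() {  # account_exists PASSWD_FILE USER
  awk -F: -v u="$2" '$1 == u { hit = 1 } END { exit !hit }' "$1"
}

# Print each authorized_keys file under ROOT that still holds key blob BLOB.
# The blob is matched as a whole field; commented-out lines are skipped.
keys_left() {  # keys_left ROOT BLOB
  find "$1" -type f -name authorized_keys | sort | while IFS= read -r f; do
    if awk -v k="$2" '$1 !~ /^#/ { for (i = 1; i <= NF; i++) if ($i == k) hit = 1 }
                      END { exit !hit }' "$f"; then printf '%s\n' "$f"; fi
  done
}

# Succeed if WireGuard config CONF still has a [Peer] with public key PUB.
wg_peer_left() {  # wg_peer_left CONF PUB
  sed -n 's/^[[:space:]]*PublicKey[[:space:]]*=[[:space:]]*//p' "$1" |
    sed 's/[[:space:]]*$//' | grep -qxF -- "$2"
}

# Print one line per leftover found; no output means the host is clean.
audit() {  # audit ROOT USER KEY_BLOB WG_PUB
  if account_exists "$1/etc/passwd" "$2"; then echo "account still exists: $2"; fi
  keys_left "$1" "$3" | sed 's/^/key still authorized in: /'
  if wg_peer_left "$1/etc/wireguard/wg0.conf" "$4"; then echo "WireGuard peer still configured: $4"; fi
}

# Build a constructed sample host tree under ROOT (no real users or keys).
make_sample() {  # make_sample ROOT
  mkdir -p "$1/etc/wireguard" "$1/home/deploy/.ssh" "$1/root/.ssh"
  printf 'root:x:0:0::/root:/bin/sh\nfreelancer1:x:1001:1001::/home/freelancer1:/bin/sh\n' > "$1/etc/passwd"
  printf 'ssh-ed25519 AAAAC3SAMPLEKEEP admin@example\n' > "$1/root/.ssh/authorized_keys"
  printf 'ssh-ed25519 AAAAC3SAMPLEKEEP admin@example\nno-pty ssh-ed25519 AAAAC3SAMPLEGONE freelancer1@example\n' > "$1/home/deploy/.ssh/authorized_keys"
  printf '[Interface]\nPrivateKey = (redacted)\n[Peer]\nPublicKey = SAMPLEPEERKEY0=\nAllowedIPs = 10.0.0.2/32\n' > "$1/etc/wireguard/wg0.conf"
}

sample=$(mktemp -d)
make_sample "$sample"
audit "$sample" freelancer1 AAAAC3SAMPLEGONE SAMPLEPEERKEY0=
rm -rf "$sample"
```

On a real server, run `audit` as root with `/` as ROOT and the contractor's actual user name, SSH key blob and WireGuard public key; repeat on each server that holds a wg0.conf.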