diff --git a/vaultwarden/SETUP.md b/vaultwarden/SETUP.md index 74aa695..3f85830 100644 --- a/vaultwarden/SETUP.md +++ b/vaultwarden/SETUP.md @@ -32,6 +32,11 @@ Vaultwarden is a lightweight, community-driven server implementation of the Bitw - [ ] **Action**: In the Portainer Stack configuration, upload or define the variables from `stack.env`. - Important: Ensure `DOMAIN` is set correctly for WebAuthn/FIDO2 to function. - Temporary: Keep `SIGNUPS_ALLOWED=true` initially. +- [ ] **Action (Admin Token)**: The Vaultwarden Admin Panel requires a secure hash, not plain text. To generate it, SSH into your NAS and run: + ```bash + docker run --rm -it vaultwarden/server vaultwarden hash + ``` + Enter your desired admin password, copy the generated `$$argon2id$$...` string, and paste it as the `ADMIN_TOKEN` value. ### Deploy Stack - [ ] **Action**: Create a new stack named `vaultwarden-stack`. diff --git a/vaultwarden/docker-compose.portainer.yml b/vaultwarden/docker-compose.portainer.yml index 5b14354..bf65dab 100644 --- a/vaultwarden/docker-compose.portainer.yml +++ b/vaultwarden/docker-compose.portainer.yml @@ -21,9 +21,11 @@ services: - SMTP_PASSWORD=${SMTP_PASSWORD} # Admin Panel - ADMIN_TOKEN=${ADMIN_TOKEN} + # Required for running as non-root (cannot bind to port 80) + - ROCKET_PORT=8080 volumes: - /volume1/docker/vaultwarden/data:/data:rw ports: - - "8020:80" # Web UI + - "8020:8080" # Web UI # Note: Vaultwarden integrates the WebSocket server into the main process in recent versions, # so exposing port 3012 is no longer required for typical setups unless using reverse proxy splitting. diff --git a/vaultwarden/stack.env b/vaultwarden/stack.env index c1c22fc..6223fd5 100644 --- a/vaultwarden/stack.env +++ b/vaultwarden/stack.env 
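Review bot: The `ports` entry `"8020:8080"` publishes Vaultwarden's plain-HTTP listener, including the `/admin` panel guarded by `ADMIN_TOKEN`, on every interface of the NAS. If a reverse proxy on the same host terminates TLS (none is visible in this hunk), the mapping could be bound to loopback or one LAN address instead, e.g. `- "127.0.0.1:8020:8080"  # Web UI, reached via reverse proxy only`. The new comment says `ROCKET_PORT=8080` is required for running as non-root, but the service definition starts above the hunk and no `user:` line is visible here, so it is worth confirming the container actually runs unprivileged.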
@@ -19,7 +19,9 @@ SMTP_USERNAME=your_username SMTP_PASSWORD=your_password # Admin Panel Token (Optional) -# Generate a secure hash using: vaultwarden hash +# IMPORTANT: Do not use plain text! Generate a secure hash by running this command via SSH on your NAS: +# docker run --rm -it vaultwarden/server vaultwarden hash +# It will prompt for a password and output a hash. Paste the full hash below. # Example: # ADMIN_TOKEN=$$argon2id$$v=19... ADMIN_TOKEN=your_generated_admin_token
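Review bot: The new comment says to paste the full hash, but the example below it is written as `$$argon2id$$v=19...`, whereas `vaultwarden hash` prints the string with single `$` separators, so the reader cannot tell whether to double them. Because the compose file passes the value through `${ADMIN_TOKEN}` substitution, the comment should state the escaping rule explicitly once Portainer's handling of this file is confirmed, for example `# Replace every $ in the generated hash with $$ before pasting (compose interpolation).` A value that no longer parses as an Argon2 string is likely to be treated by Vaultwarden as a plain-text token, which is exactly what this comment warns against. The same `$$argon2id$$...` wording appears in the SETUP.md hunk. The `vaultwarden/server` image in the command is also unpinned and could carry the tag the stack deploys.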