audit(gremlin): sonarr FAIL 2026-04-20

Netgrimoire/Audits/sonarr-2026-04-20.md

@@ -0,0 +1,43 @@
+---
+title: Audit - sonarr.yaml
+description: Gremlin audit report 2026-04-20
+published: true
+date: 2026-04-20T11:35:49.931Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-20T11:35:49.931Z
+---
+
+# Audit Report — sonarr.yaml
+
+**Date:** 2026-04-20  
+**File:** swarm/sonarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Audit Report:
+
+1. **Homepage labels**:
+   - **PASS**: `homepage.group`, `homepage.name`, `homepage.icon`, `homepage.href`, and `homepage.description` are correctly defined.
+
+2. **Uptime Kuma labels**:
+   - **FAIL**: The label `kuma.sonarr.http.url` uses `https://sonarr.netgrimoire.com`. For security, it should use the internal service name (`http://sonarr`) instead of the external domain.
+     - **Fix**: Change `kuma.sonarr.http.url` to `http://sonarr`.
+
+3. **Caddy labels on exposed services**:
+   - **PASS**: The `caddy=<domain>` and `caddy.reverse_proxy` labels are correctly set.
+
+4. **Placement constraints**:
+   - **PASS**: The `node.hostname == docker5` constraint is correctly applied.
+   - **FAIL**: The constraints to exclude `arm64` and `arm` architectures might not be necessary or beneficial depending on the architecture of your cluster nodes. Ensure this aligns with your deployment strategy.
+     - **Fix**: Evaluate if these constraints are strictly needed based on your infrastructure.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **PASS**: All volume paths follow the `/DockerVol/Sonarr:/config` and `/data/nfs/znas/Data/:/data:shared` conventions correctly.
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: The `netgrimoire` network is referenced as an external overlay network, which is correct.
+
+### VERDICT: FAIL