From 9b0a0a81c8cd5e251851e883bffa4e8faa57aa3f Mon Sep 17 00:00:00 2001 From: traveler Date: Mon, 13 Apr 2026 06:38:37 -0500 Subject: [PATCH] audit(gremlin): vault FAIL 2026-04-13 --- Netgrimoire/Audits/vault-2026-04-13.md | 57 ++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 Netgrimoire/Audits/vault-2026-04-13.md diff --git a/Netgrimoire/Audits/vault-2026-04-13.md b/Netgrimoire/Audits/vault-2026-04-13.md new file mode 100644 index 0000000..0ff13ea --- /dev/null +++ b/Netgrimoire/Audits/vault-2026-04-13.md 
@@ -0,0 +1,57 @@ +--- +title: Audit - vault.yaml +description: Gremlin audit report 2026-04-13 +published: true +date: 2026-04-13T11:38:37.115Z +tags: gremlin,audit +editor: markdown +dateCreated: 2026-04-13T11:38:37.115Z +--- + +# Audit Report — vault.yaml + +**Date:** 2026-04-13 +**File:** swarm/vault.yaml +**Type:** Docker Swarm +**Verdict:** FAIL + +--- + +### Audit Results: + +1. **Homepage Labels**: + - `homepage.group`: "Backup" (PASS) + - `homepage.name`: "Vault" (PASS) + - `homepage.icon`: "kopia.png" (PASS) + - `homepage.href`: "https://vault.netgrimoire.com" (PASS) + - `homepage.description`: "Snapshot backup and deduplication" (PASS) + +2. **Uptime Kuma Labels**: + - `kuma.kopia.http.name`: "Kopia Web" (PASS) + - `kuma.kopia.http.url`: "http://vault:51515" (PASS) + +3. **Caddy Labels on Exposed Services**: + - `caddy=vault.netgrimoire.com` (PASS) + - `caddy.reverse_proxy=http://vault:51515` (FAIL) + **Issue**: The reverse proxy should point to the external domain (`https://vault.netgrimoire.com`) instead of the internal service. + +4. **Placement Constraints**: + - `node.hostname==znas`: (PASS) + +5. **Volumes Use /DockerVol/ Path Convention**: + - `/DockerVol/vault/config` (PASS) + - `/DockerVol/vault/cache` (PASS) + - `/DockerVol/vault/cert` (PASS) + - `/srv/vault/backup/repository` (FAIL) + **Issue**: This volume does not follow the `/DockerVol/` path convention. + - `/DockerVol/vault/logs` (PASS) + +6. **Network References External netgrimoire Overlay**: + - `netgrimoire`: (PASS) + +### Fixes: + +1. Update the reverse proxy URL in Caddy labels to point to the external domain. +2. Move the backup repository volume to follow the `/DockerVol/` path convention. + +### VERDICT: FAIL \ No newline at end of file
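Review bot: Item 3 of the audit results marks `caddy.reverse_proxy=http://vault:51515` as FAIL and Fix 1 asks for it to point at `https://vault.netgrimoire.com`, but that is the same hostname the `caddy=vault.netgrimoire.com` label already serves, so applying the fix would make the proxy forward requests to its own public address instead of to the service. The report is also inconsistent here: item 2 passes `kuma.kopia.http.url` with the identical internal upstream `http://vault:51515`. I would treat this finding as a false positive, drop Fix 1, and re-evaluate the verdict on the remaining failure. For item 5, `/srv/vault/backup/repository` is the only FAIL left; if the repository is kept outside `/DockerVol/` on purpose, record that as a documented exception in the report rather than asking for the backup data to be moved. Minor: the verdict appears in both the header block and the closing `### VERDICT: FAIL` line, and the file has no trailing newline.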