audit(gremlin): vault FAIL 2026-04-13

Netgrimoire/Audits/vault-2026-04-13.md

@@ -0,0 +1,57 @@
+---
+title: Audit - vault.yaml
+description: Gremlin audit report 2026-04-13
+published: true
+date: 2026-04-13T11:38:37.115Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-13T11:38:37.115Z
+---
+
+# Audit Report — vault.yaml
+
+**Date:** 2026-04-13  
+**File:** swarm/vault.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Audit Results:
+
+1. **Homepage Labels**:
+   - `homepage.group`: "Backup" (PASS)
+   - `homepage.name`: "Vault" (PASS)
+   - `homepage.icon`: "kopia.png" (PASS)
+   - `homepage.href`: "https://vault.netgrimoire.com" (PASS)
+   - `homepage.description`: "Snapshot backup and deduplication" (PASS)
+
+2. **Uptime Kuma Labels**:
+   - `kuma.kopia.http.name`: "Kopia Web" (PASS)
+   - `kuma.kopia.http.url`: "http://vault:51515" (PASS)
+
+3. **Caddy Labels on Exposed Services**:
+   - `caddy=vault.netgrimoire.com` (PASS)
+   - `caddy.reverse_proxy=http://vault:51515` (FAIL)  
+     **Issue**: The reverse proxy should point to the external domain (`https://vault.netgrimoire.com`) instead of the internal service.
+
+4. **Placement Constraints**:
+   - `node.hostname==znas`: (PASS)
+
+5. **Volumes Use /DockerVol/<service> Path Convention**:
+   - `/DockerVol/vault/config` (PASS)
+   - `/DockerVol/vault/cache` (PASS)
+   - `/DockerVol/vault/cert` (PASS)
+   - `/srv/vault/backup/repository` (FAIL)  
+     **Issue**: This volume does not follow the `/DockerVol/<service>` path convention.
+   - `/DockerVol/vault/logs` (PASS)
+
+6. **Network References External netgrimoire Overlay**:
+   - `netgrimoire`: (PASS)
+
+### Fixes:
+
+1. Update the reverse proxy URL in Caddy labels to point to the external domain.
+2. Move the backup repository volume to follow the `/DockerVol/<service>` path convention.
+
+### VERDICT: FAIL