New Grimoire

2026-04-12 09:53:51 -05:00 · 2026-04-12 09:53:51 -05:00 · cc574f8aed
commit cc574f8aed
parent 77d589a13d
157 changed files with 29420 additions and 0 deletions
--- a/Netgrimoire/Audits/Calibre-web-2026-04-03.md
+++ b/Netgrimoire/Audits/Calibre-web-2026-04-03.md
@ -0,0 +1,26 @@
+---
+title: Audit - Calibre-web.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:30:36.844Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:30:36.844Z
+---
+
+# Audit Report — Calibre-web.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/Calibre-web.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+PASS: Homepage labels (homepage.group, homepage.name, homepage.icon, homepage.href, homepage.description) are all present and correctly configured.
+FAIL: Caddy labels on exposed services are incorrect. The caddy.labels should be set to a single string value containing all domains separated by commas, not an array. Correct format would be "caddy=books.netgrimoire.com, books.pncharris.com".
+PASS: Placement constraints (node.hostname) are correctly specified as 'znas'.
+PASS: Volumes use the /DockerVol/<service> path convention.
+PASS: Network references the external netgrimoire overlay.
+
+VERDICT: FAIL
--- a/Netgrimoire/Audits/JellySeer-2026-04-03.md
+++ b/Netgrimoire/Audits/JellySeer-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - JellySeer.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:31:31.742Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:31:31.742Z
+---
+
+# Audit Report — JellySeer.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/JellySeer.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT
+
+1. **Homepage labels**: 
+   - `homepage.group`: "Media Search" — **PASS**
+   - `homepage.name`: "JellySeer" — **PASS**
+   - `homepage.icon`: "sh-jellyseerr.svg" — **PASS**
+   - `homepage.href`: "https://requests.netgrimoire.com" — **PASS**
+   - `homepage.description`: "Media Server" — **PASS**
+
+2. **Uptime Kuma labels**:
+   - `kuma.jellyseer.http.name`: "JellySeer" — **PASS**
+   - `kuma.jellyseer.http.url`: "http://jellyseer:5055" — **PASS**
+
+3. **Caddy labels on exposed services**:
+   - `caddy: requests.netgrimoire.com` — **PASS**
+   - `caddy.reverse_proxy: http://jellyseer:5055` — **PASS**
+
+4. **Placement constraints**:
+   - `node.hostname == docker5` — **PASS**
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/JellySeer/config:/app/config` — **PASS**
+   - `/data/nfs/znas/Data/media:/data:shared` — **FAIL**: The volume `/data/nfs/znas/Data/media:/data:shared` does not follow the `/DockerVol/<service>` path convention. It is recommended to use a volume path that follows this convention for better organization and consistency.
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire` network — **PASS**
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/JellyStat-2026-04-03.md
+++ b/Netgrimoire/Audits/JellyStat-2026-04-03.md
@ -0,0 +1,50 @@
+---
+title: Audit - JellyStat.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:32:31.251Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:32:31.251Z
+---
+
+# Audit Report — JellyStat.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/JellyStat.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Audit Results:
+
+1. **Homepage labels**:
+   - `homepage.group=Library` — **PASS**
+   - `homepage.name=JellyStat` — **PASS**
+   - `homepage.icon=jellystat.png` — **FAIL**: The icon file path should be relative to the service's context or a valid absolute URL.
+     - **Fix**: Update the icon path to use a valid location.
+   - `homepage.href=http://jellystat.netgrimoire.com` — **PASS**
+   - `homepage.description=Jelly Stats` — **PASS**
+
+2. **Uptime Kuma labels**:
+   - The service does not appear to be Uptime Kuma; the labels are irrelevant here. **PASS**
+
+3. **Caddy labels on exposed services**:
+   - `caddy=jellystat.netgrimoire.com` — **PASS**
+   - `caddy.reverse_proxy="{{upstreams 3000}}"` — **PASS**
+     - **Note**: Ensure that the reverse proxy configuration is correct and functional within your Caddy setup.
+
+4. **Placement constraints**:
+   - `node.hostname == bruce` — **PASS**
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/jellystat/postgres-data` — **PASS**
+   - `/DockerVol/jellystat/backup-data` — **PASS**
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire` — **PASS**
+
+### VERDICT: FAIL
+
+The audit has identified one issue that needs to be addressed. Specifically, the `homepage.icon` label should use a valid file path or URL for the icon image. Once this is resolved, the audit will pass.
--- a/Netgrimoire/Audits/README.md
+++ b/Netgrimoire/Audits/README.md
@ -0,0 +1,31 @@
+---
+title: Audit Reports
+description: Gremlin-generated YAML compliance audit reports
+published: true
+date: 2026-04-12T00:00:00.000Z
+tags: audits, gremlin
+editor: markdown
+dateCreated: 2026-04-12T00:00:00.000Z
+---
+
+# Audit Reports
+
+Audit reports are auto-generated weekly by the Gremlin Forgejo Audit workflow (n8n, Monday 06:00). Each report checks a single compose YAML file against the Netgrimoire Docker Swarm template standard.
+
+See [Gremlin Grimoire — Forgejo Audit Workflow](/Gremlin-Grimoire/Workflows/Forgejo-Audit) for full workflow documentation.
+
+## What Gets Checked
+
+- Homepage labels present on all services
+- Uptime Kuma labels present on all services
+- Caddy labels on exposed services
+- Placement constraints (ARM exclusion defaults)
+- Volume paths follow `/DockerVol/` or `/data/nfs/znas/Docker/` convention
+- No forbidden fields (`version:`, `container_name:`, `restart:`, `depends_on:`)
+- `endpoint_mode: dnsrr` not used (always VIP)
+- `diun.enable: "true"` present
+- Network references `netgrimoire` external overlay
+
+## Report Files
+
+Reports follow the naming convention `<service>-<date>.md`. Files here are committed automatically by n8n — do not edit manually.
--- a/Netgrimoire/Audits/SQL-mgmt-2026-04-03.md
+++ b/Netgrimoire/Audits/SQL-mgmt-2026-04-03.md
@ -0,0 +1,107 @@
+---
+title: Audit - SQL-mgmt.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:34:04.814Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:34:04.814Z
+---
+
+# Audit Report — SQL-mgmt.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/SQL-mgmt.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT REPORT
+
+#### Homepage Labels
+1. **PASS**: `phpmyadmin`
+   - `homepage.group=Management`
+   - `homepage.name=PHPMyadmin`
+   - `homepage.icon=phpmyadmin.png`
+   - `homepage.href=http://phpmyadmin.netgrimoire.com`
+   - `homepage.description=MySQL Manager`
+
+2. **PASS**: `phppgadmin`
+   - `homepage.group=Management`
+   - `homepage.name=PHPpgmyadmin`
+   - `homepage.icon=phppgmyadmin.png`
+   - `homepage.href=http://phppgmyadmin.netgrimoire.com`
+   - `homepage.description=Postgres Manager`
+
+#### Uptime Kuma Labels
+1. **FAIL**: `phpmyadmin` and `phppgadmin`
+   - Missing labels: `kuma.msql.http.name`, `kuma.mealie.http.url`.
+
+2. **FIX**:
+   ```yaml
+   phpmyadmin:
+     deploy:
+       labels:
+         ...
+         kuma.msql.http.name="PHPMyadmin"
+         kuma.msql.http.url=http://phpmyadmin:80
+         ...
+
+   phppgadmin:
+     deploy:
+       labels:
+         ...
+         kuma.mealie.http.url=http://phppgmyadmin:80
+         ...
+   ```
+
+#### Caddy Labels on Exposed Services
+1. **PASS**: `phpmyadmin`
+   - `caddy=phpmyadmin.netgrimoire.com`
+   - `caddy.reverse_proxy="{{upstreams 80}}"`
+   
+2. **PASS**: `phppgadmin`
+   - `caddy=phppgmyadmin.netgrimoire.com`
+   - `caddy.reverse_proxy="{{upstreams 80}}"`
+
+#### Placement Constraints
+1. **FAIL**: Both services are missing placement constraints (`node.hostname`).
+
+2. **FIX**:
+   ```yaml
+   phpmyadmin:
+     deploy:
+       labels:
+         ...
+       placement:
+         constraints:
+           - node.hostname==<desired-hostname>
+
+   phppgadmin:
+     deploy:
+       labels:
+         ...
+       placement:
+         constraints:
+           - node.hostname==<desired-hostname>
+   ```
+
+#### Volumes Use /DockerVol/<service> Path Convention
+1. **FAIL**: Both services are missing volume configurations.
+
+2. **FIX**:
+   ```yaml
+   phpmyadmin:
+     volumes:
+       - /DockerVol/phpmyadmin:/var/lib/mysql
+
+   phppgadmin:
+     volumes:
+       - /DockerVol/phppgadmin:/var/lib/postgresql/data
+   ```
+
+#### Network References External `netgrimoire` Overlay
+1. **PASS**: Both services correctly reference the external network `netgrimoire`.
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/authelia-2026-04-03.md
+++ b/Netgrimoire/Audits/authelia-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - authelia.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:34:59.760Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:34:59.760Z
+---
+
+# Audit Report — authelia.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/authelia.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Homepage labels:**  
+- **PASS**: homepage.group=Management
+- **PASS**: homepage.name=Authelia
+- **PASS**: homepage.icon=authelia.png
+- **PASS**: homepage.href=https://login.wasted-bandwidth.net
+- **PASS**: homepage.description=SSO / Forward-Auth
+
+**Uptime Kuma labels:**  
+- **PASS**: kuma.authelia.http.name="Authelia"
+- **PASS**: kuma.authelia.http.url=http://authelia:9091
+
+**Caddy labels on exposed services:**  
+- **PASS**: caddy=login.wasted-bandwidth.net
+- **PASS**: caddy.reverse_proxy={{upstreams 9091}}
+
+**Placement constraints:**  
+- **FAIL**: Both 'authelia' and 'redis' are constrained to run on the node 'nas', but there is no guarantee that 'nas' will always be available. Consider using a more flexible constraint.
+- Fix: Change `constraints: - node.hostname == nas` to a more general placement strategy.
+
+**Volumes use /DockerVol/<service> path convention:**  
+- **PASS**: `/DockerVol/authelia/config:/config`
+- **PASS**: `/DockerVol/authelia/secrets:/secrets`
+- **PASS**: `/DockerVol/authelia/redis:/data`
+
+**Network references external netgrimoire overlay:**  
+- **PASS**: `networks: - netgrimoire`
+
+**VERDICT: FAIL**
--- a/Netgrimoire/Audits/authentik-2026-04-03.md
+++ b/Netgrimoire/Audits/authentik-2026-04-03.md
@ -0,0 +1,48 @@
+---
+title: Audit - authentik.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:36:24.241Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:36:24.241Z
+---
+
+# Audit Report — authentik.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/authentik.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT REPORT**
+
+1. **Homepage labels**
+   - `homepage.group`: PASS
+   - `homepage.name`: PASS
+   - `homepage.icon`: PASS
+   - `homepage.href`: PASS
+   - `homepage.description`: PASS
+
+2. **Uptime Kuma labels**
+   - No Uptime Kuma service found, hence no labels to check.
+
+3. **Caddy labels on exposed services**
+   - `caddy=auth.netgrimoire.com` and `caddy.reverse_proxy="{{upstreams 9000}}"`: PASS
+
+4. **Placement constraints**
+   - `node.hostname == znas`: PASS for all services
+
+5. **Volumes use /DockerVol/<service> path convention**
+   - `/DockerVol/Authentik/Postgres`, `/DockerVol/Authentik/redis`, `/DockerVol/Authentik/media`, `/DockerVol/Authentik/custom-templates`: PASS
+   - `/var/run/docker.sock` for `worker` service: FAIL
+
+6. **Network references external netgrimoire overlay**
+   - `netgrimoire` network is referenced by both `authentik` and `worker` services, and it is set to `external: true`: PASS
+
+**Fixes Required**
+- Update the `worker` service volume `/var/run/docker.sock:/var/run/docker.sock` to match the convention by using a Docker volume or bind mount with `/DockerVol/Authentik/docker.sock`.
+
+**VERDICT: FAIL**
--- a/Netgrimoire/Audits/bazarr-2026-04-03.md
+++ b/Netgrimoire/Audits/bazarr-2026-04-03.md
@ -0,0 +1,44 @@
+---
+title: Audit - bazarr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:37:15.344Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:37:15.344Z
+---
+
+# Audit Report — bazarr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/bazarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Audit Report for `swarm/bazarr.yaml`
+
+#### Homepage Labels
+- **PASS**: homepage.group, homepage.name, homepage.icon, homepage.href, homepage.description are all correctly defined.
+
+#### Uptime Kuma Labels
+- **FAIL**: No Uptime Kuma labels found. Expected labels like `kuma.bazarr.http.name` and `kuma.bazarr.http.url`.
+  - **Fix**: Add the necessary labels for Uptime Kuma integration.
+
+#### Caddy Labels on Exposed Services
+- **PASS**: caddy label is correctly defined as `caddy=bazarr.netgrimoire.com`.
+- **FAIL**: The reverse proxy configuration in the Caddy label is incorrect. It should use `{{upstreams bazarr:6767}}` instead of `{{upstreams 6767}}`.
+  - **Fix**: Correct the reverse proxy configuration to `caddy.reverse_proxy: "{{upstreams bazarr:6767}}"`.
+
+#### Placement Constraints
+- **PASS**: The node hostname constraint is correctly defined as `node.hostname == docker4`.
+
+#### Volumes Use /DockerVol/<service> Path Convention
+- **FAIL**: Volume paths do not follow the `/DockerVol/<service>` convention.
+  - **Fix**: Correct volume paths to follow the convention. For example, change `/DockerVol/bazarr/config` to `/DockerVol/bazarr/config`.
+
+#### Network References External Netgrimoire Overlay
+- **PASS**: The network reference is correctly set to an external `netgrimoire` overlay.
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/beets-2026-04-03.md
+++ b/Netgrimoire/Audits/beets-2026-04-03.md
@ -0,0 +1,50 @@
+---
+title: Audit - beets.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:38:00.938Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:38:00.938Z
+---
+
+# Audit Report — beets.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/beets.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+### Audit Summary:
+
+1. **Homepage labels**:
+   - `homepage.group`: PASSED
+   - `homepage.name`: PASSED
+   - `homepage.icon`: PASSED
+   - `homepage.href`: PASSED
+   - `homepage.description`: PASSED
+
+2. **Uptime Kuma labels**:
+   - Not applicable as Uptime Kuma is not referenced in this configuration.
+
+3. **Caddy labels on exposed services**:
+   - `caddy=beets.netgrimoire.com`: PASSED
+   - `caddy.reverse_proxy`: PASSED
+
+4. **Placement constraints**:
+   - `node.hostname == nas`: PASSED
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/beets/config`: PASSED
+   - `/data/nfs/Baxter/Data/media/music/Collection`: FAIL (does not follow the path convention)
+     - Fix: Update to `/DockerVol/beets/music`
+   - `/data/nfs/Baxter/Data/media/music/ingest`: FAIL (does not follow the path convention)
+     - Fix: Update to `/DockerVol/beets/downloads`
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire` network: PASSED
+
+### VERDICT:
+FAIL
--- a/Netgrimoire/Audits/beszel-2026-04-03.md
+++ b/Netgrimoire/Audits/beszel-2026-04-03.md
@ -0,0 +1,44 @@
+---
+title: Audit - beszel.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:38:47.782Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:38:47.782Z
+---
+
+# Audit Report — beszel.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/beszel.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels:** All homepage labels are present.
+   - `homepage.group=Monitoring`
+   - `homepage.name=Beszel`
+   - `homepage.icon=beszel.png`
+   - `homepage.href=https://beszel.netgrimoire.com`
+   - `homepage.description=Beszel Service`
+
+2. **Uptime Kuma labels:** The Uptime Kuma labels are not provided in the deploy block; they should be checked within the service's configuration.
+
+3. **Caddy labels on exposed services:**
+   - `caddy=beszel.netgrimoire.com`
+   - `caddy.import=authentik`
+   - `caddy.reverse_proxy="{{upstreams 8090}}"`
+
+4. **Placement constraints:** The constraint is based on the node label, not the node hostname.
+   - Current: `constraints: ["node.labels.general == true"]`
+   - Fix: Update to use `node.hostname` if necessary.
+
+5. **Volumes use /DockerVol/<service> path convention:**
+   - Volume path: `/data/nfs/znas/Docker/beszel:/beszel_data`
+   - Fix: The volume does not follow the `/DockerVol/<service>` pattern; update to use a standard Docker volume path like `/DockerVol/beszel`.
+
+6. **Network references external netgrimoire overlay:** The network is correctly referenced as `netgrimoire`, which is an external overlay.
+
+**VERDICT: FAIL**
--- a/Netgrimoire/Audits/beszel_agents-2026-04-03.md
+++ b/Netgrimoire/Audits/beszel_agents-2026-04-03.md
@ -0,0 +1,46 @@
+---
+title: Audit - beszel_agents.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:40:11.085Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:40:11.085Z
+---
+
+# Audit Report — beszel_agents.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/beszel_agents.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT**
+
+1. **Homepage labels**: No homepage labels are specified in the file.
+   - **Fix**: Add `homepage.group`, `homepage.name`, `homepage.icon`, `homepage.href`, and `homepage.description` to your Docker Swarm configuration.
+
+2. **Uptime Kuma labels**: No Uptime Kuma labels are specified in the file.
+   - **Fix**: If you are using Uptime Kuma, add the appropriate labels as per its documentation.
+
+3. **Caddy labels on exposed services**:
+   - `beszel-agent-docker2`, `beszel-agent-docker3`, `beszel-agent-docker4`, `beszel-agent-znas`, `beszel-agent-dockerpi1`: No Caddy labels are specified.
+     - **Fix**: Add Caddy labels to specify the domain and reverse proxy configuration for these services.
+
+4. **Placement constraints**:
+   - All services use `node.hostname` placement constraints.
+   - **PASS**: This is correctly configured.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - No volumes follow this specific path convention in the file.
+     - **Fix**: Ensure that all volumes are specified with paths like `/DockerVol/beszel-agent-docker2`, `/DockerVol/beszel-agent-docker3`, etc.
+
+6. **Network references external netgrimoire overlay**:
+   - All services reference an external `netgrimoire` network.
+   - **PASS**: This is correctly configured.
+
+**VERDICT: FAIL**
+
+The file fails the audit due to missing homepage, Uptime Kuma, and Caddy labels, and volumes not following the specified path convention.
--- a/Netgrimoire/Audits/caddy-1-2026-04-03.md
+++ b/Netgrimoire/Audits/caddy-1-2026-04-03.md
@ -0,0 +1,29 @@
+---
+title: Audit - caddy-1.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:30:38.025Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:30:38.025Z
+---
+
+# Audit Report — caddy-1.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/stack/caddy/caddy-1.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+PASS Items:
+1. The Caddy labels `caddy=<domain>` and `caddy.reverse_proxy` are present on the exposed service.
+2. Placement constraints for node.hostname are correctly specified with `node.hostname == znas`.
+3. Volumes use the `/export/Docker/caddy` path convention.
+4. The network reference is to an external overlay named `netgrimoire`.
+
+FAIL Items:
+1. No homepage labels (`homepage.group`, `homepage.name`, `homepage.icon`, `homepage.href`, `homepage.description`) are present in the configuration.
+
+VERDICT: FAIL
--- a/Netgrimoire/Audits/caddy-2026-04-03.md
+++ b/Netgrimoire/Audits/caddy-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - caddy.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:31:34.043Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:31:34.043Z
+---
+
+# Audit Report — caddy.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/stack/caddy/caddy.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT REPORT**
+
+1. **Homepage labels**: There are no homepage-related labels in the provided YAML file.
+   - **FAIL**: Missing homepage labels.
+
+2. **Uptime Kuma labels**: There are no Uptime Kuma-related labels in the provided YAML file.
+   - **FAIL**: Missing Uptime Kuma labels.
+
+3. **Caddy labels on exposed services**:
+   - **PASS**: Caddy service does not have any specific labels as per the provided configuration.
+
+4. **Placement constraints**:
+   - **PASS**: Both `caddy` and `crowdsec` services are constrained to run on the node with hostname `znas`.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **FAIL**: The volumes are not using the `/DockerVol/<service>` path convention.
+     - `/var/run/docker.sock`
+     - `/export/Docker/caddy/Caddyfile`
+     - `/export/Docker/caddy:/data`
+     - `caddy-logs`
+     - `crowdsec-db`
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: The services reference the externally created `netgrimoire` and `vpn` networks.
+
+**VERDICT: FAIL**
+
+The provided YAML file contains several issues that need to be addressed to meet all the audit criteria, including missing homepage and Uptime Kuma labels, non-conforming volume paths, and lack of use of the external `netgrimoire` overlay network.
--- a/Netgrimoire/Audits/cloudcmd-2026-04-03.md
+++ b/Netgrimoire/Audits/cloudcmd-2026-04-03.md
@ -0,0 +1,52 @@
+---
+title: Audit - cloudcmd.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:40:56.554Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:40:56.554Z
+---
+
+# Audit Report — cloudcmd.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/cloudcmd.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Swarm Audit Report for `cloudcmd.yaml`
+
+#### 1. Homepage Labels:
+- **PASS**: homepage.group=Application
+- **PASS**: homepage.name=Cloud Commander
+- **PASS**: homepage.icon=cloudcmd.png
+- **FAIL**: homepage.href=http://commander.netgrimoire.com - Incorrect URL, should be relative to the service.
+  
+**Fix**: Update `homepage.href` to a relative path such as `/`.
+
+#### 2. Uptime Kuma Labels:
+- **FAIL**: kuma.cloud.http.name="Cloudcmd" - Missing `.name`.
+  
+**Fix**: Correct label to `kuma.cloud.http.name=Cloudcmd`.
+
+#### 3. Caddy Labels on Exposed Services:
+- **PASS**: caddy=commander.netgrimoire.com
+- **PASS**: caddy.reverse_proxy="{{upstreams 8000}}"
+  
+#### 4. Placement Constraints:
+- **FAIL**: node.hostname == nas - Ensure that `nas` is correctly configured and available in the Swarm.
+
+**Fix**: Verify that the hostname `nas` is correct and exists within your Swarm cluster.
+
+#### 5. Volumes Use /DockerVol/<service> Path Convention:
+- **FAIL**: ~:/root - Home directory path should use a Docker volume convention.
+  
+**Fix**: Replace `~:/root` with `/DockerVol/cloudcmd/root`.
+
+#### 6. Network References External netgrimoire Overlay:
+- **PASS**: References external network netgrimoire
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/comixed-2026-04-03.md
+++ b/Netgrimoire/Audits/comixed-2026-04-03.md
@ -0,0 +1,48 @@
+---
+title: Audit - comixed.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:41:45.208Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:41:45.208Z
+---
+
+# Audit Report — comixed.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/comixed.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Audit Results for `swarm/comixed.yaml`:**
+
+1. **Homepage Labels:**  
+   - **PASS**: `homepage.group`, `homepage.name`, `homepage.href`
+     - Values are correctly set.
+   - **FAIL**: `homepage.icon`, `homepage.description`
+     - Missing values. Set these to appropriate values.
+
+2. **Uptime Kuma Labels:**  
+   - **FAIL**: Uptime Kuma labels not found.
+     - No labels related to Uptime Kuma are present in the deployment block.
+
+3. **Caddy Labels on Exposed Services:**  
+   - **PASS**: `caddy=<domain>`, `caddy.reverse_proxy`
+     - Correctly configured for domain `comics.netgrimoire.com` and reverse proxy.
+
+4. **Placement Constraints:**  
+   - **PASS**: `node.hostname == nas`
+     - Constraint correctly placed to run on the node named `nas`.
+
+5. **Volumes Use `/DockerVol/<service>` Path Convention:**  
+   - **PASS**: All volumes use the specified path convention (`/DockerVol/comixed/config`).
+
+6. **Network References External Netgrimoire Overlay:**  
+   - **PASS**: The network `netgrimoire` is correctly referenced as external.
+
+**VERDICT: FAIL**
+
+The audit identified issues with the homepage labels and the absence of Uptime Kuma labels. These should be addressed to ensure compliance with the audit criteria.
--- a/Netgrimoire/Audits/commander-2026-04-03.md
+++ b/Netgrimoire/Audits/commander-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - commander.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:42:30.634Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:42:30.634Z
+---
+
+# Audit Report — commander.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/commander.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Audit Results:**
+
+1. **Homepage labels:** 
+   - **PASS:** homepage.group=Applications
+   - **PASS:** homepage.name=Cloud Commander
+   - **PASS:** homepage.icon=mdi-cloud
+   - **FAIL:** homepage.href is incorrect. The correct URL should be https://cloudcmd.netgrimoire.com instead of https://commander.netgrimoire.com.
+   - **FAIL:** homepage.description is missing.
+
+2. **Uptime Kuma labels:**
+   - **FAIL:** Uptime Kuma labels are not present in the provided YAML file.
+
+3. **Caddy labels on exposed services:**
+   - **PASS:** caddy=commander.netgrimoire.com
+   - **FAIL:** caddy.reverse_proxy is missing an upstreams configuration, which should reference the service port (e.g., {{upstreams 8000}}).
+
+4. **Placement constraints:**
+   - **PASS:** node.hostname=nas
+
+5. **Volumes use /DockerVol/<service> path convention:**
+   - **FAIL:** Volumes are using relative paths instead of the /DockerVol/<service> convention. Example volumes should be `/DockerVol/cloudcmd:/root` and `/DockerVol/cloudcmd:/mnt/fs`.
+
+6. **Network references external netgrimoire overlay:**
+   - **PASS:** Network references an external netgrimoire overlay.
+
+**VERDICT: FAIL**
+
+One or more of the items failed during the audit, which prevents a full PASS verdict.
--- a/Netgrimoire/Audits/configarr-2026-04-03.md
+++ b/Netgrimoire/Audits/configarr-2026-04-03.md
@ -0,0 +1,54 @@
+---
+title: Audit - configarr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:43:33.261Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:43:33.261Z
+---
+
+# Audit Report — configarr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/configarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT RESULTS
+
+1. **Homepage labels**:
+   - `homepage.group`: "Jolly Roger" (PASS)
+   - `homepage.name`: "Configarr" (PASS)
+   - `homepage.icon`: "si-config" (PASS)
+   - `homepage.href`: "https://configarr.netgrimoire.com" (PASS)
+   - `homepage.description`: "Automatically sync TRaSH formats & configs" (PASS)
+
+2. **Uptime Kuma labels**:
+   - Missing Uptime Kuma labels (`kuma.configarr.http.name` and `kuma.configarr.http.url`). These are critical for monitoring and should be added. 
+
+3. **Caddy labels on exposed services**:
+   - `caddy=configarr.netgrimoire.com` (PASS)
+   - `caddy.reverse_proxy: "{{upstreams 8000}}"` (PASS)
+
+4. **Placement constraints**: 
+   - No placement constraints specified (`node.hostname`). This is acceptable if there are no specific node requirements.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - Volumes do not follow the `/DockerVol/<service>` path convention. They should be adjusted as follows:
+     ```yaml
+     volumes:
+       - /data/nfs/Baxter/Docker/configarr/config:/DockerVol/configarr/config
+       - /data/nfs/Baxter/Docker/configarr/repos:/DockerVol/configarr/repos
+       - /data/nfs/Baxter/Docker/configarr/cfs:/DockerVol/configarr/cfs
+       - /data/nfs/Baxter/Docker/configarr/templates:/DockerVol/configarr/templates
+     ```
+
+6. **Network references external netgrimoire overlay**:
+   - Network `netgrimoire` is correctly referencing an external overlay (PASS)
+
+### VERDICT: FAIL
+
+The configuration includes critical issues that need to be addressed for it to meet the required standards, specifically missing Uptime Kuma labels and incorrect volume paths.
--- a/Netgrimoire/Audits/dailytxt-2026-04-03.md
+++ b/Netgrimoire/Audits/dailytxt-2026-04-03.md
@ -0,0 +1,26 @@
+---
+title: Audit - dailytxt.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:44:52.573Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:44:52.573Z
+---
+
+# Audit Report — dailytxt.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/dailytxt.yaml  
+**Type:** Docker Compose  
+**Verdict:** FAIL
+
+---
+
+PASS DailyTxT service is configured to expose port 8000 on localhost, which matches an entry in the Caddyfile.
+
+FAIL Default password detected for `ADMIN_PASSWORD`. It's strongly recommended to change this to a strong, unique password.
+FAIL The `SECRET_TOKEN` environment variable is left as `...`, indicating it's not set. A secret token should be generated using a secure method and included here.
+FAIL The `ALLOW_REGISTRATION` setting is enabled, which can expose the service to unauthorized access. This should be disabled in production environments.
+
+VERDICT: FAIL
--- a/Netgrimoire/Audits/database-2026-04-03.md
+++ b/Netgrimoire/Audits/database-2026-04-03.md
@ -0,0 +1,52 @@
+---
+title: Audit - database.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:45:35.594Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:45:35.594Z
+---
+
+# Audit Report — database.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/database.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Audit of `swarm/database.yaml`
+
+#### 1. Homepage labels: homepage.group, homepage.name, homepage.icon, homepage.href, homepage.description
+
+**PASS**: All homepage labels are present and correctly configured.
+
+#### 2. Uptime Kuma labels: kuma.<n>.http.name, kuma.<n>.http.url
+
+**FAIL**: No Uptime Kuma services or labels found in the configuration.
+- **Fix**: Add a section for Uptime Kuma if necessary, including the required labels.
+
+#### 3. Caddy labels on exposed services: caddy=<domain>, caddy.reverse_proxy
+
+**PASS**: The `pgadmin4` service has the correct Caddy labels:
+- `caddy=pgadmin.netgrimoire.com`
+- `caddy.import=authentik`
+- `caddy.reverse_proxy="{{upstreams 80}}"`
+
+#### 4. Placement constraints: node.hostname
+
+**FAIL**: There are no placement constraints defined in the configuration.
+- **Fix**: Consider adding constraints to ensure services run on specific nodes if necessary.
+
+#### 5. Volumes use /DockerVol/<service> path convention
+
+**FAIL**: No volumes are specified in the configuration.
+- **Fix**: If volumes are needed, add them following the `/DockerVol/<service>` path convention.
+
+#### 6. Network references external netgrimoire overlay
+
+**PASS**: The service references an external network named `netgrimoire`.
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/diun-2026-04-03.md
+++ b/Netgrimoire/Audits/diun-2026-04-03.md
@ -0,0 +1,42 @@
+---
+title: Audit - diun.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:46:19.248Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:46:19.248Z
+---
+
+# Audit Report — diun.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/diun.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Audit Results for swarm/diun.yaml**
+
+1. **Homepage labels**: No homepage labels defined in the file.
+   - **Fix**: Add appropriate homepage labels if applicable.
+
+2. **Uptime Kuma labels**: No Uptime Kuma labels defined in the file.
+   - **Fix**: Add appropriate Uptime Kuma labels if applicable.
+
+3. **Caddy labels on exposed services**: Caddy labels are missing for this service.
+   - **Fix**: Add Caddy labels if needed, e.g., `caddy=example.com,caddy.reverse_proxy=http://localhost:80`.
+
+4. **Placement constraints**: The constraint is set to run only on manager nodes, which is appropriate.
+   - **PASS**: Placement constraints are correctly defined.
+
+5. **Volumes use /DockerVol/<service> path convention**: The volume uses `/data/nfs/znas/Docker/diun`, which does not follow the `/DockerVol/<service>` convention.
+   - **Fix**: Update the volume path to follow the convention, e.g., `/DockerVol/diun`.
+
+6. **Network references external netgrimoire overlay**: The network `netgrimoire` is correctly referencing an external overlay network.
+   - **PASS**: Network reference is correct.
+
+**VERDICT: FAIL**
+
+The volume path does not follow the recommended convention, and additional labels for homepage, Uptime Kuma, and Caddy are missing.
--- a/Netgrimoire/Audits/dockpeek-2026-04-03.md
+++ b/Netgrimoire/Audits/dockpeek-2026-04-03.md
@ -0,0 +1,53 @@
+---
+title: Audit - dockpeek.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:47:08.875Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:47:08.875Z
+---
+
+# Audit Report — dockpeek.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/dockpeek.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+**SWARM AUDIT**
+
+1. **Homepage labels**: 
+   - `homepage.group`: PASS
+   - `homepage.name`: PASS
+   - `homepage.icon`: PASS
+   - `homepage.href`: PASS
+   - **`homepage.description`: FAIL**
+     - Issue: Missing
+     - Fix: Add `homepage.description: "Description of the service"`
+
+2. **Uptime Kuma labels**:
+   - `kuma.dockpeek.http.name`: PASS
+   - `kuma.dockpeek.http.url`: PASS
+
+3. **Caddy labels on exposed services**:
+   - `caddy=dockpeek.netgrimoire.com`: PASS
+   - `caddy.reverse_proxy`: PASS
+
+4. **Placement constraints**:
+   - `node.role == manager`: FAIL
+     - Issue: Constraints should be based on node attributes (e.g., `node.hostname`), not roles.
+     - Fix: Replace with specific hostname or other attribute-based constraint.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - The volume `/var/run/docker.sock:/var/run/docker.sock` does not follow the `/DockerVol/<service>` convention.
+   - Issue: Volume should be mounted using a custom path within `/DockerVol`.
+     - Fix: Replace with something like `/DockerVol/dockpeek/docker.sock`.
+
+6. **Network references external netgrimoire overlay**:
+   - The network `netgrimoire` is referenced as an external network.
+   - PASS
+
+**VERDICT:** FAIL
--- a/Netgrimoire/Audits/dozzle-2026-04-03.md
+++ b/Netgrimoire/Audits/dozzle-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - dozzle.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:47:44.863Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:47:44.863Z
+---
+
+# Audit Report — dozzle.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/dozzle.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels**:
+   - **PASS**: homepage.group=Management
+   - **PASS**: homepage.name=Dozzle
+   - **FAIL**: homepage.icon is missing.
+   - **PASS**: homepage.href=http://dozzle.netgrimoire.com
+   - **PASS**: homepage.description=Docker logs
+
+2. **Uptime Kuma labels**:
+   - No Uptime Kuma service found in the configuration.
+
+3. **Caddy labels on exposed services**:
+   - No Caddy services found in the configuration.
+
+4. **Placement constraints**:
+   - No placement constraints defined.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **FAIL**: Volumes should follow the /DockerVol/dozzle path convention, but they are set to /var/run/docker.sock.
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: Network dozzle references an external netgrimoire overlay.
+
+**VERDICT: FAIL**
+
+Reasons for failure:
+- Missing homepage.icon.
+- Volumes are not using the recommended path convention.
+- The /var/run/docker.sock volume is exposed directly, which might pose security risks.
--- a/Netgrimoire/Audits/dumbterm-2026-04-03.md
+++ b/Netgrimoire/Audits/dumbterm-2026-04-03.md
@ -0,0 +1,52 @@
+---
+title: Audit - dumbterm.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:48:40.660Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:48:40.660Z
+---
+
+# Audit Report — dumbterm.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/dumbterm.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Homepage Labels:**  
+PASS - homepage.group=Remote Access  
+PASS - homepage.name=Dumbterm  
+FAIL - homepage.icon=dumbterm.png (should be a valid path to the icon file)  
+FAIL - homepage.href=https://cli.netgrimoire.com (URL should be http://dumbterm:3000 based on BASE_URL)  
+FAIL - homepage.description=Terminal (description is too short and lacks detail)
+
+**Uptime Kuma Labels:**  
+PASS - kuma.cli.http.name="dumbterm"  
+PASS - kuma.cli.http.url=http://dumbterm:3000
+
+**Caddy Labels on Exposed Services:**  
+FAIL - caddy=cli.netgrimoire.com (domain should match the actual domain used in Caddy configuration)  
+FAIL - caddy.reverse_proxy="{{upstreams 3000}}" (reverse proxy should be configured correctly)
+
+**Placement Constraints:**  
+FAIL - node.hostname is not defined
+
+**Volumes Use /DockerVol/<service> Path Convention:**  
+FAIL - Volumes are using paths outside the convention, e.g., /data/nfs/Baxter/Docker/dumbterm/root:/root
+
+**Network References External Netgrimoire Overlay:**  
+PASS - Network references external netgrimoire overlay
+
+**VERDICT: FAIL**
+
+To fix the issues:
+1. Update `homepage.icon` to a valid path.
+2. Correct `homepage.href` based on the actual base URL used by the application.
+3. Provide more detail in `homepage.description`.
+4. Configure Caddy with the correct domain and reverse proxy settings.
+5. Define placement constraints for node.hostname if specific nodes are required.
+6. Update volume paths to use the /DockerVol/<service> convention.
--- a/Netgrimoire/Audits/dupecheck-2026-04-03.md
+++ b/Netgrimoire/Audits/dupecheck-2026-04-03.md
@ -0,0 +1,40 @@
+---
+title: Audit - dupecheck.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:49:24.657Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:49:24.657Z
+---
+
+# Audit Report — dupecheck.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/dupecheck.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT CHECKS
+
+1. **Homepage labels**:
+   - **PASS**: `homepage.group`, `homepage.name`, `homepage.icon`, `homepage.href`, and `homepage.description` are correctly set.
+
+2. **Uptime Kuma labels**:
+   - **FAIL**: Uptime Kuma labels (`kuma.<n>.http.name` and `kuma.<n>.http.url`) are not provided in the configuration.
+   
+3. **Caddy labels on exposed services**:
+   - **PASS**: Caddy labels (`caddy=<domain>`, `caddy.import`, and `caddy.reverse_proxy`) are correctly set.
+
+4. **Placement constraints**:
+   - **PASS**: The placement constraint (`node.hostname == znas`) is correctly specified.
+
+5. **Volumes use `/DockerVol/<service>` path convention**:
+   - **PASS**: Volumes follow the `/DockerVol/<service>` path convention, e.g., `/DockerVol/czkawka:/config`.
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: The service uses an external network `netgrimoire` which is correctly referenced.
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/filebrowser-2026-04-03.md
+++ b/Netgrimoire/Audits/filebrowser-2026-04-03.md
@ -0,0 +1,52 @@
+---
+title: Audit - filebrowser.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:50:18.312Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:50:18.312Z
+---
+
+# Audit Report — filebrowser.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/filebrowser.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT REVIEW
+
+1. **Homepage labels**:
+   - `homepage.group=Jolly Roger`: PASS
+   - `homepage.name=FileBrowser`: PASS
+   - `homepage.icon=filebrowser.png`: PASS
+   - `homepage.href=http://filebrowser.netgrimoire.com`: PASS
+   - `homepage.description=Web-based file manager`: PASS
+
+2. **Uptime Kuma labels**:
+   - The document does not provide any Uptime Kuma labels, so this check cannot be verified with the provided YAML.
+
+3. **Caddy labels on exposed services**:
+   - `caddy=filebrowser.netgrimoire.com`: PASS
+   - `caddy.reverse_proxy="{{upstreams 80}}"`: PASS
+
+4. **Placement constraints**:
+   - The document specifies a constraint `node.labels.general == true`, which is not provided in the YAML.
+     - **Issue**: The placement constraint refers to a label that may not be present on all nodes.
+     - **Fix**: Ensure that all target nodes have the label `general=true`.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - The volumes are located at `/data/nfs/Baxter/Docker/filebrowser/config` and `/data/nfs/Baxter/Docker/filebrowser/srv`.
+     - **Issue**: These paths do not follow the `/DockerVol/<service>` convention.
+     - **Fix**: Rename the volumes to follow the convention, e.g., `volume: /DockerVol/filebrowser/config`.
+
+6. **Network references external netgrimoire overlay**:
+   - The network is correctly set as `netgrimoire` with `external: true`.
+     - **PASS**
+
+### VERDICT: FAIL
+
+- The placement constraint and volume naming do not meet the specified conventions, which prevents a complete PASS status.
--- a/Netgrimoire/Audits/firefox-2026-04-03.md
+++ b/Netgrimoire/Audits/firefox-2026-04-03.md
@ -0,0 +1,49 @@
+---
+title: Audit - firefox.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:51:09.611Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:51:09.611Z
+---
+
+# Audit Report — firefox.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/firefox.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT**
+
+1. **Homepage labels**: 
+   - `homepage.group`: Remote Access (PASS)
+   - `homepage.name`: Firefox (PASS)
+   - `homepage.icon`: firefox.png (PASS)
+   - `homepage.href`: https://firefox.netgrimoire.com (PASS)
+   - `homepage.description`: Remote Browser (PASS)
+
+2. **Uptime Kuma labels**: 
+   - No Uptime Kuma labels found in the provided YAML file (FAIL). Ensure that any services running on this host have proper Uptime Kuma labels for visibility.
+
+3. **Caddy labels on exposed services**:
+   - `caddy=firefox.netgrimoire.com` (PASS)
+   - `caddy.reverse_proxy=http://firefox:5800` (PASS)
+
+4. **Placement constraints**: 
+   - No placement constraints found in the provided YAML file (FAIL). Ensure that any critical services have proper placement constraints to meet availability requirements.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - Volume path `/data/nfs/znas/Docker/firefox` does not follow the `/DockerVol/<service>` convention (FAIL). Volumes should be placed in a directory following this naming scheme for consistency and ease of management.
+
+6. **Network references external netgrimoire overlay**: 
+   - Network `netgrimoire` is referenced correctly and marked as external (PASS).
+
+**VERDICT: FAIL**
+
+- The YAML file lacks Uptime Kuma labels, which are essential for monitoring the status of services.
+- No placement constraints are defined, which can lead to issues with service availability and redundancy.
+- Volumes do not follow the recommended path convention, which may cause confusion and difficulty in managing storage resources.
--- a/Netgrimoire/Audits/forgejo-2026-04-03.md
+++ b/Netgrimoire/Audits/forgejo-2026-04-03.md
@ -0,0 +1,53 @@
+---
+title: Audit - forgejo.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:52:02.048Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:52:02.048Z
+---
+
+# Audit Report — forgejo.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/forgejo.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT
+
+1. **Homepage labels**:
+   - `homepage.group`: Applications (PASS)
+   - `homepage.name`: Forgejo (PASS)
+   - `homepage.icon`: forgejo.png (FAIL)
+     - Issue: The icon file path should be relative to the service's working directory or a valid URL.
+   - `homepage.href`: https://git.netgrimoire.com (PASS)
+   - `homepage.description`: Git Repository (PASS)
+
+2. **Uptime Kuma labels**:
+   - `kuma.git.http.name`: Forgejo (PASS)
+   - `kuma.git.http.url`: http://forgejo:3000 (PASS)
+
+3. **Caddy labels on exposed services**:
+   - `caddy=git.netgrimoire.com` (PASS)
+   - `caddy.reverse_proxy=forgejo:3000` (PASS)
+
+4. **Placement constraints**:
+   - `node.hostname==znas` (PASS)
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/forgejo:/data` (PASS)
+   - `/etc/timezone:/etc/timezone:ro` (FAIL)
+     - Issue: The timezone files should be mounted from a local path within the host or a valid network location.
+   - `/etc/localtime:/etc/localtime:ro` (FAIL)
+     - Same issue as above.
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire`: (PASS)
+
+### Final Line
+
+VERDICT: FAIL
--- a/Netgrimoire/Audits/freshrss-2026-04-03.md
+++ b/Netgrimoire/Audits/freshrss-2026-04-03.md
@ -0,0 +1,46 @@
+---
+title: Audit - freshrss.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:52:41.486Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:52:41.486Z
+---
+
+# Audit Report — freshrss.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/freshrss.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+```plaintext
+1. Homepage labels:
+   - homepage.group: "Services" (PASS)
+   - homepage.name: "FreshRSS" (PASS)
+   - homepage.icon: "rss" (PASS)
+   - homepage.href: "https://rss.netgrimoire.com" (PASS)
+   - homepage.description is missing (FAIL)
+
+2. Uptime Kuma labels:
+   - kuma.freshrss.http.name: "FreshRSS" (PASS)
+   - kuma.freshrss.http.url: "https://rss.netgrimoire.com" (PASS)
+
+3. Caddy labels on exposed services:
+   - caddy=<domain>: Missing specific domain (FAIL)
+   - caddy.reverse_proxy: "{{upstreams 80}}" (PASS)
+
+4. Placement constraints:
+   - node.hostname is missing (FAIL)
+
+5. Volumes use /DockerVol/<service> path convention:
+   - /data/nfs/Baxter/Docker/freshrss:/config does not follow the convention (FAIL)
+
+6. Network references external netgrimoire overlay:
+   - netgrimoire network referenced correctly (PASS)
+
+VERDICT: FAIL
+```
--- a/Netgrimoire/Audits/gitrunner-2026-04-03.md
+++ b/Netgrimoire/Audits/gitrunner-2026-04-03.md
@ -0,0 +1,40 @@
+---
+title: Audit - gitrunner.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:53:10.577Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:53:10.577Z
+---
+
+# Audit Report — gitrunner.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/gitrunner.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+```plaintext
+1. Homepage labels:
+   - PASS: homepage.group, homepage.name, homepage.icon, homepage.href, homepage.description are present.
+
+2. Uptime Kuma labels:
+   - FAIL: No Uptime Kuma services found in the YAML file.
+
+3. Caddy labels on exposed services:
+   - FAIL: No Caddy services or configuration found in the YAML file.
+
+4. Placement constraints:
+   - PASS: node.role == manager constraint is present.
+
+5. Volumes use /DockerVol/<service> path convention:
+   - PASS: All volumes follow the /DockerVol/<service> path convention.
+
+6. Network references external netgrimoire overlay:
+   - PASS: The network "netgrimoire" is referenced and marked as external.
+
+VERDICT: PASS
+```
--- a/Netgrimoire/Audits/glance-2026-04-03.md
+++ b/Netgrimoire/Audits/glance-2026-04-03.md
@ -0,0 +1,42 @@
+---
+title: Audit - glance.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:53:50.034Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:53:50.034Z
+---
+
+# Audit Report — glance.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/glance.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+### Audit Summary:
+
+1. **Homepage labels**:
+   - **PASS**: homepage.group, homepage.name, homepage.href, homepage.description are correctly set.
+
+2. **Uptime Kuma labels**:
+   - **FAIL**: No Uptime Kuma related labels found.
+     - **Fix**: Add the necessary labels under `labels` for Uptime Kuma if needed.
+
+3. **Caddy labels on exposed services**:
+   - **PASS**: The `caddy` label is present with the domain and reverse proxy configuration.
+
+4. **Placement constraints**:
+   - **FAIL**: No placement constraints found.
+     - **Fix**: Add constraints under `deploy.resources` to specify node.hostname or any other resource constraint if needed.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **PASS**: The volume path `/data/nfs/znas/Docker/glance:/app/config` follows the recommended naming convention.
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: The service references an external network `netgrimoire`.
+
+### VERDICT: PASS
--- a/Netgrimoire/Audits/gremlin-stack-2026-04-03.md
+++ b/Netgrimoire/Audits/gremlin-stack-2026-04-03.md
@ -0,0 +1,41 @@
+---
+title: Audit - gremlin-stack.yml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:30:10.234Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:30:10.234Z
+---
+
+# Audit Report — gremlin-stack.yml
+
+**Date:** 2026-04-03  
+**File:** swarm/stack/Gremlin/gremlin-stack.yml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT RESULTS:
+
+1. **Homepage labels**:
+   - **PASS**: All homepage labels are present for each service.
+
+2. **Uptime Kuma labels**:
+   - **FAIL (n8n)**: Missing kuma.n8n.http.name and kuma.n8n.http.url.
+     **Fix**: Add these labels to the n8n service configuration.
+   
+3. **Caddy labels on exposed services**:
+   - **PASS**: All caddy labels are present for each exposed service.
+
+4. **Placement constraints**:
+   - **PASS**: All placement constraints are correctly set for node.hostname.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **PASS**: All volumes follow the /DockerVol/<service> path convention.
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: The swarm network 'netgrimoire' is correctly referenced as an external network for all services.
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/homepage-2026-04-03.md
+++ b/Netgrimoire/Audits/homepage-2026-04-03.md
@ -0,0 +1,44 @@
+---
+title: Audit - homepage.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:54:34.224Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:54:34.224Z
+---
+
+# Audit Report — homepage.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/homepage.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT REVIEW
+
+1. **Homepage labels**:
+   - **FAIL**: `homepage.group` label is missing.
+     - **Fix**: Add `homepage.group=<group>` to the labels.
+
+2. **Uptime Kuma labels**:
+   - **PASS**: No Uptime Kuma services are defined in this configuration, so no labels need to be checked.
+
+3. **Caddy labels on exposed services**:
+   - **FAIL**: The `caddy` label is incorrectly used as a boolean flag rather than specifying the domain.
+     - **Fix**: Correctly define the `caddy` label with the domain and reverse proxy configuration: `caddy=homepage.netgrimoire.com caddy.reverse_proxy="{{upstreams 3000}}"`.
+
+4. **Placement constraints**:
+   - **PASS**: The `node.hostname==znas` constraint is correctly defined.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **PASS**: All volume paths follow the `/DockerVol/<service>` convention.
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: The `netgrimoire` network is correctly referenced as an external overlay.
+
+### VERDICT: FAIL
+
+The configuration is missing several required labels and has incorrect label syntax, resulting in a fail verdict.
--- a/Netgrimoire/Audits/hydra-2026-04-03.md
+++ b/Netgrimoire/Audits/hydra-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - hydra.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:55:21.784Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:55:21.784Z
+---
+
+# Audit Report — hydra.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/hydra.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels**:
+   - `homepage.group`: PASSED
+   - `homepage.name`: PASSED
+   - `homepage.icon`: PASSED
+   - `homepage.href`: PASSED
+   - `homepage.description`: PASSED
+
+2. **Uptime Kuma labels**:
+   - `kuma.hydra.http.name`: PASSED
+   - `kuma.hydra.http.url`: PASSED
+
+3. **Caddy labels on exposed services**:
+   - `caddy=hydra.netgrimoire.com`: PASSED
+   - `caddy.reverse_proxy: hydra2:5076`: PASSED
+
+4. **Placement constraints**:
+   - `node.labels.general == true`: PASSED
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/data/nfs/znas/Docker/hydra2/config`: FAIL
+     - Fix: Update the volume to follow the convention, e.g., `/DockerVol/hydra2/config`.
+   - `/data/nfs/znas/Docker/hydra2/downloads`: FAIL
+     - Fix: Update the volume to follow the convention, e.g., `/DockerVol/hydra2/downloads`.
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire`: PASSED
+
+VERDICT: FAIL
--- a/Netgrimoire/Audits/joplin-2026-04-03.md
+++ b/Netgrimoire/Audits/joplin-2026-04-03.md
@ -0,0 +1,50 @@
+---
+title: Audit - joplin.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:56:20.747Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:56:20.747Z
+---
+
+# Audit Report — joplin.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/joplin.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT**
+
+1. **Homepage labels**: 
+   - **PASS**: `homepage.group=Services`
+   - **PASS**: `homepage.name=Joplin`
+   - **FAIL**: `homepage.icon=joplin.png` (should be a valid URL or path)
+   - **PASS**: `homepage.href=https://joplin.netgrimoire.com`
+   - **PASS**: `homepage.description=Note Server`
+
+2. **Uptime Kuma labels**:
+   - **FAIL**: No Uptime Kuma labels found.
+
+3. **Caddy labels on exposed services**:
+   - **PASS**: `caddy=joplin.netgrimoire.com`
+   - **FAIL**: `caddy.reverse_proxy="{{upstreams 22300}}"` should be `caddy.reverse_proxy=["http://joplin:22300"]`
+
+4. **Placement constraints**:
+   - **PASS**: `node.hostname == docker3`
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **PASS**: `/DockerVol/joplindb:/var/lib/postgresql/data`
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: Uses `netgrimoire` network which is marked as `external: true`.
+
+**VERDICT: FAIL**
+
+Fixes required:
+- Correct the icon URL in `homepage.icon`.
+- Add Uptime Kuma labels.
+- Correct the Caddy reverse proxy configuration.
--- a/Netgrimoire/Audits/journiv-2026-04-03.md
+++ b/Netgrimoire/Audits/journiv-2026-04-03.md
@ -0,0 +1,27 @@
+---
+title: Audit - journiv.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:57:23.495Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:57:23.495Z
+---
+
+# Audit Report — journiv.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/journiv.yaml  
+**Type:** Docker Compose  
+**Verdict:** FAIL
+
+---
+
+PASS: Caddyfile has a global block for Crowdsec configuration.
+PASS: All services are reverse-proxied through Caddy, ensuring they do not expose ports directly.
+
+FAIL:
+- The service at `fish.pncharris.com` is missing a Caddyfile entry.
+- No entries exist for the subdomains of `webmail.netgrimoire.com`.
+
+VERDICT: FAIL
--- a/Netgrimoire/Audits/kavita-2026-04-03.md
+++ b/Netgrimoire/Audits/kavita-2026-04-03.md
@ -0,0 +1,52 @@
+---
+title: Audit - kavita.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:58:18.686Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:58:18.686Z
+---
+
+# Audit Report — kavita.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/kavita.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT REPORT**
+
+1. **Homepage labels**: 
+   - `homepage.group`: PASS
+   - `homepage.name`: PASS
+   - `homepage.icon`: PASS
+   - `homepage.href`: PASS
+   - `homepage.description`: PASS
+
+2. **Uptime Kuma labels**:
+   - Missing Uptime Kuma labels (e.g., `kuma.kavita.http.name` and `kuma.kavita.http.url`). These are not defined in the provided configuration.
+   - **FAIL**: Add appropriate Uptime Kuma labels for monitoring.
+
+3. **Caddy labels on exposed services**:
+   - `caddy`: PASS
+   - `caddy.reverse_proxy`: PASS
+
+4. **Placement constraints**:
+   - No placement constraints (e.g., `node.hostname`) specified.
+   - **FAIL**: Consider adding placement constraints if specific nodes are required for service placement.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/data/nfs/Baxter/Data/media/comics`: FAIL
+     - Volume paths do not follow the `/DockerVol/<service>` convention.
+     - **Fix**: Update volume paths to conform to the convention, e.g., `/DockerVol/kavita/media/comics`.
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire`: PASS
+
+**VERDICT: FAIL**
+
+- The configuration contains several issues that need resolution before it can be considered fully compliant with best practices.
+- Address the Uptime Kuma labels, placement constraints, and volume paths as indicated.
--- a/Netgrimoire/Audits/kopia-2026-04-03.md
+++ b/Netgrimoire/Audits/kopia-2026-04-03.md
@ -0,0 +1,46 @@
+---
+title: Audit - kopia.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:59:09.430Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:59:09.430Z
+---
+
+# Audit Report — kopia.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/kopia.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+1. **Homepage labels**:
+   - `homepage.group`: PASS (Backup)
+   - `homepage.name`: PASS (Kopia)
+   - `homepage.icon`: PASS (kopia.png)
+   - `homepage.href`: PASS (https://kopia.netgrimoire.com)
+   - `homepage.description`: PASS (Snapshot backup and deduplication)
+
+2. **Uptime Kuma labels**:
+   - Not applicable as there are no Uptime Kuma labels.
+
+3. **Caddy labels on exposed services**:
+   - `caddy`: PASS (kopia.netgrimoire.com)
+   - `caddy.reverse_proxy`: PASS (kopia.netgrimoire.com:51515)
+
+4. **Placement constraints**:
+   - `node.hostname == znas`: PASS
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/kopia/config`: PASS
+   - `/DockerVol/kopia/cache`: PASS
+   - `/DockerVol/kopia/cert`: PASS
+   - `/DockerVol/kopia/logs`: PASS
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire`: PASS (external)
+
+VERDICT: PASS
--- a/Netgrimoire/Audits/kuma-2026-04-03.md
+++ b/Netgrimoire/Audits/kuma-2026-04-03.md
@ -0,0 +1,44 @@
+---
+title: Audit - kuma.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T02:59:59.242Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T02:59:59.242Z
+---
+
+# Audit Report — kuma.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/kuma.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT**
+
+1. **Homepage labels**: 
+   - **PASS**: homepage.group=Monitoring, homepage.name=Kuma Uptime, homepage.icon=kuma.png, homepage.href=https://kuma.netgrimoire.com, homepage.description=Services Monitor
+
+2. **Uptime Kuma labels**:
+   - **FAIL**: No labels found for Uptime Kuma service.
+     - **Fix**: Add appropriate labels to the Uptime Kuma service under the `labels` section.
+
+3. **Caddy labels on exposed services**:
+   - **PASS**: caddy=kuma.netgrimoire.com, caddy.reverse_proxy=kuma:3001
+
+4. **Placement constraints**:
+   - **FAIL**: node.hostname constraint for autokuma service does not match the provided fix.
+     - **Fix**: Use `node.role == manager` instead of `node.hostname`.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **PASS**: All volumes follow the /DockerVol/<service> path convention.
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: The swarm uses an external network netgrimoire.
+
+**VERDICT: FAIL**
+
+- Missing or incorrect labels for Uptime Kuma and placement constraints for autokuma service are preventing the audit from being PASS.
--- a/Netgrimoire/Audits/library-2026-04-03.md
+++ b/Netgrimoire/Audits/library-2026-04-03.md
@ -0,0 +1,64 @@
+---
+title: Audit - library.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:00:59.147Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:00:59.147Z
+---
+
+# Audit Report — library.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/library.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT REPORT**
+
+1. **Homepage labels:** 
+   - `homepage.group=Library`
+   - `homepage.name=Netgrimoire Library`
+   - `homepage.icon=calibre-web.png`
+   - `homepage.href=http://books.netgrimoire.com`
+   - `homepage.description=Curated Library`
+
+   **PASS**: All homepage labels are correctly configured.
+
+2. **Uptime Kuma labels:**
+   - `kuma.calibre1.http.name="Calibre-Netgrimoire"`
+   - `kuma.auth.http.url=http://calibre-netgrimoire:8083`
+
+   **PASS**: Uptime Kuma labels are correctly configured for the Calibre service.
+
+3. **Caddy labels on exposed services:**
+   - `caddy=books.netgrimoire.com`
+   - `caddy.reverse_proxy="{{upstreams 8083}}"`
+
+   **PASS**: Caddy labels are correctly configured to reverse proxy to the Calibre service.
+
+4. **Placement constraints:**
+   - `node.labels.general == true`
+
+   **FAIL**: The placement constraint should use `node.hostname` instead of `node.labels.general`.
+
+5. **Volumes use /DockerVol/<service> path convention:**
+   - `/data/nfs/Baxter/Docker/Calibre-netgrimoire/Config:/config`
+   - `/data/nfs/Baxter/Data:/data:shared`
+
+   **FAIL**: Volumes are not using the recommended `/DockerVol/<service>` path convention. They should be mounted under `/DockerVol/Calibre-Netgrimoire`.
+
+6. **Network references external netgrimoire overlay:**
+   - `networks:`
+     - `- netgrimoire`
+
+   **PASS**: The service is correctly using an external network.
+
+**VERDICT: FAIL**
+
+Fixes required:
+1. Update the placement constraint to use `node.hostname`.
+2. Update volume paths to follow the `/DockerVol/<service>` convention.
--- a/Netgrimoire/Audits/linkding-2026-04-03.md
+++ b/Netgrimoire/Audits/linkding-2026-04-03.md
@ -0,0 +1,50 @@
+---
+title: Audit - linkding.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:01:44.209Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:01:44.209Z
+---
+
+# Audit Report — linkding.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/linkding.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Audit Results**
+
+1. **Homepage labels:** 
+   - `homepage.group`: PASS
+   - `homepage.name`: PASS
+   - `homepage.icon`: PASS
+   - `homepage.href`: PASS
+   - `homepage.description`: PASS
+
+2. **Uptime Kuma labels:** 
+   - `kuma.linkding.http.name`: PASS
+   - `kuma.linkding.http.url`: PASS
+
+3. **Caddy labels on exposed services:** 
+   - `caddy=link.netgrimoire.com`: PASS
+   - `caddy.reverse_proxy=linkding:9090`: PASS
+
+4. **Placement constraints:**
+   - No placement constraints specified, which is acceptable if not needed. **PASS**
+
+5. **Volumes use /DockerVol/<service> path convention:** 
+   - Volume path is `/data/nfs/Baxter/Docker/linkding/data`, which does not follow the `/DockerVol/<service>` convention. **FAIL**
+   
+6. **Network references external netgrimoire overlay:**
+   - `netgrimoire` network is referenced and set as external, which is correct. **PASS**
+
+**Fixes Needed:**
+- Update volume path to use the `/DockerVol/linkding` convention.
+
+**Final Line:**  
+VERDICT: FAIL
--- a/Netgrimoire/Audits/lldap-2026-04-03.md
+++ b/Netgrimoire/Audits/lldap-2026-04-03.md
@ -0,0 +1,43 @@
+---
+title: Audit - lldap.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:02:52.353Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:02:52.353Z
+---
+
+# Audit Report — lldap.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/lldap.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Audit Report for swarm/lldap.yaml**
+
+1. **Homepage Labels**:
+   - **PASS**: All required labels (`homepage.group`, `homepage.name`, `homepage.icon`, `homepage.href`, `homepage.description`) are present and correctly formatted.
+
+2. **Uptime Kuma Labels**:
+   - **FAIL**: The Uptime Kuma labels are not specified in the provided YAML. The labels should be prefixed with `kuma.` and include details like `http.name` and `http.url`.  
+     **Fix**: Add appropriate Kuma labels under the `deploy.labels` section.
+
+3. **Caddy Labels on Exposed Services**:
+   - **PASS**: All required Caddy labels (`caddy=<domain>`, `caddy.reverse_proxy`) are present and correctly formatted.
+
+4. **Placement Constraints**:
+   - **PASS**: The placement constraint `node.hostname == docker4` is applied to both services as specified.
+
+5. **Volumes Use /DockerVol/<service> Path Convention**:
+   - **PASS**: All volumes adhere to the `/DockerVol/<service>` path convention, with examples provided for both `lldap-db` and `lldap`.
+
+6. **Network References External netgrimoire Overlay**:
+   - **PASS**: The network reference `netgrimoire` is correctly set as external.
+
+**VERDICT: FAIL**
+
+The Uptime Kuma labels are missing from the service configuration, which is a critical issue affecting monitoring and management visibility of the LLDAP service.
--- a/Netgrimoire/Audits/logging-2026-04-03.md
+++ b/Netgrimoire/Audits/logging-2026-04-03.md
@ -0,0 +1,40 @@
+---
+title: Audit - logging.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:03:52.043Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:03:52.043Z
+---
+
+# Audit Report — logging.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/logging.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+### Audit Report
+
+**1. Homepage labels:**  
+PASS - All services have `homepage.group`, `homepage.name`, `homepage.icon`, `homepage.href`, and `homepage.description` labels.
+
+**2. Uptime Kuma labels:**  
+FAIL - Uptime Kuma is not present in the provided YAML, so this check is not applicable.
+
+**3. Caddy labels on exposed services:**  
+PASS - All services that expose ports (loki:3100, grafana:3000) have `caddy` and `caddy.reverse_proxy` labels correctly configured.
+
+**4. Placement constraints:**  
+PASS - All services use placement constraints to ensure they run only on a node with the hostname `docker4`.
+
+**5. Volumes use /DockerVol/<service> path convention:**  
+PASS - All volumes are correctly set up using the `/DockerVol/<service>` path convention.
+
+**6. Network references external netgrimoire overlay:**  
+PASS - The network `netgrimoire` is referenced and is marked as external, ensuring correct network isolation and configuration.
+
+### VERDICT: PASS
--- a/Netgrimoire/Audits/mealie-2026-04-03.md
+++ b/Netgrimoire/Audits/mealie-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - mealie.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:04:46.697Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:04:46.697Z
+---
+
+# Audit Report — mealie.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/mealie.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Audit Results:**
+
+1. **Homepage labels:** 
+   - PASS: homepage.group=PNCHarris Apps
+   - PASS: homepage.name=Mealie
+   - PASS: homepage.icon=mealie.png
+   - PASS: homepage.href=https://recipe.netgrimoire.com
+   - PASS: homepage.description=Recipe Manager
+
+2. **Uptime Kuma labels:** 
+   - FAIL: Missing Uptime Kuma labels. No Kuma-related labels are present in the file.
+
+3. **Caddy labels on exposed services:** 
+   - PASS: caddy=recipe.netgrimoire.com
+   - PASS: caddy.reverse_proxy=recipe:9000
+
+4. **Placement constraints:** 
+   - PASS: node.hostname == docker4
+
+5. **Volumes use /DockerVol/<service> path convention:** 
+   - PASS: /DockerVol/mealie:/app/data
+
+6. **Network references external netgrimoire overlay:** 
+   - PASS: netgrimoire network is referenced as external.
+
+**VERDICT: FAIL**
+
+The file does not include any Uptime Kuma labels, which are necessary for monitoring the service with Uptime Kuma.
--- a/Netgrimoire/Audits/ntfy-2026-04-03.md
+++ b/Netgrimoire/Audits/ntfy-2026-04-03.md
@ -0,0 +1,41 @@
+---
+title: Audit - ntfy.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:05:29.837Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:05:29.837Z
+---
+
+# Audit Report — ntfy.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/ntfy.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**Audit Report for swarm/ntfy.yaml**
+
+1. **Homepage labels**: NOT APPLICABLE - The configuration file does not include any homepage labels.
+   
+2. **Uptime Kuma labels**: NOT APPLICABLE - The configuration file does not include Uptime Kuma labels.
+
+3. **Caddy labels on exposed services**: 
+   - PASS: `caddy=ntfy.netgrimoire.com`
+   - PASS: `caddy.reverse_proxy`
+
+4. **Placement constraints**: NOT APPLICABLE - The configuration file does not include any placement constraints.
+   
+5. **Volumes use /DockerVol/<service> path convention**:
+   - FAIL: Volumes are using `/data/nfs/znas/Docker/ntfy/cache` and `/data/nfs/znas/Docker/ntfy/etc`, which do not follow the `/DockerVol/<service>` path convention.
+     **Fix**: Update volumes to use a path like `/DockerVol/ntfy/cache` and `/DockerVol/ntfy/etc`.
+   
+6. **Network references external netgrimoire overlay**:
+   - PASS: The network `netgrimoire` is referenced as an external network.
+
+**VERDICT: FAIL**
+
+The volume paths do not conform to the specified convention, which could lead to management and organization issues in the future. Ensure all volumes follow the `/DockerVol/<service>` path convention for better consistency and ease of maintenance.
--- a/Netgrimoire/Audits/nzbget-2026-04-03.md
+++ b/Netgrimoire/Audits/nzbget-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - nzbget.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:06:10.689Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:06:10.689Z
+---
+
+# Audit Report — nzbget.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/nzbget.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT
+
+1. **Homepage labels**:
+   - `homepage.group`: PASS
+   - `homepage.name`: PASS
+   - `homepage.icon`: PASS
+   - `homepage.href`: PASS
+   - `homepage.description`: PASS
+
+2. **Uptime Kuma labels**:
+   - `kuma.nzbget.http.name`: PASS
+   - `kuma.nzbget.http.url`: PASS
+
+3. **Caddy labels on exposed services**:
+   - `caddy=nzbget.netgrimoire.com`: PASS
+   - `caddy.reverse_proxy="{{upstreams 6789}}"`: PASS
+
+4. **Placement constraints**:
+   - `node.hostname=docker5`: PASS
+
+5. **Volumes use `/DockerVol/<service>` path convention**:
+   - `/DockerVol/nzbget/config:/config`: PASS
+   - `/data/nfs/znas/Green/:/data:shared`: FAIL (Volume paths should follow the `/DockerVol/<service>` convention)
+
+6. **Network references external `netgrimoire` overlay**:
+   - `networks`: PASS
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/ollama-2026-04-03.md
+++ b/Netgrimoire/Audits/ollama-2026-04-03.md
@ -0,0 +1,53 @@
+---
+title: Audit - ollama.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:07:35.106Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:07:35.106Z
+---
+
+# Audit Report — ollama.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/ollama.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+1. **Homepage labels**: 
+   - `homepage.group`: PASS
+   - `homepage.name`: PASS
+   - `homepage.icon`: PASS
+   - `homepage.href`: PASS
+   - `homepage.description`: PASS
+
+2. **Uptime Kuma labels**:
+   - `kuma.ollama.http.name`: PASS
+   - `kuma.ollama.http.url`: PASS
+   - `kuma.openwebui.http.name`: PASS
+   - `kuma.openwebui.http.url`: PASS
+   - `kuma.qdrant.http.name`: PASS
+   - `kuma.qdrant.http.url`: PASS
+   - `kuma.n8n.http.name`: PASS
+   - `kuma.n8n.http.url`: PASS
+
+3. **Caddy labels on exposed services**:
+   - `caddy=ai.netgrimoire.com` and `caddy.reverse_proxy={{upstreams 8080}}`: PASS
+   - `caddy=n8n.netgrimoire.com` and `caddy.reverse_proxy={{upstreams 5678}}`: PASS
+
+4. **Placement constraints**:
+   - `node.hostname == docker4`: PASS for all services
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/ollama` for ollama: PASS
+   - `/DockerVol/open-webui` for open-webui: PASS
+   - `/DockerVol/qdrant` for qdrant: PASS
+   - `/DockerVol/n8n` for n8n: PASS
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire`: PASS
+
+**VERDICT: PASS**
--- a/Netgrimoire/Audits/phpipam-2026-04-03.md
+++ b/Netgrimoire/Audits/phpipam-2026-04-03.md
@ -0,0 +1,57 @@
+---
+title: Audit - phpipam.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:08:37.768Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:08:37.768Z
+---
+
+# Audit Report — phpipam.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/phpipam.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+1. **Homepage labels**: 
+   - `homepage.group`: Management
+   - `homepage.name`: phpIPAM
+   - `homepage.icon`: ipam.png
+   - `homepage.href`: http://ipam.netgrimoire.com
+   - `homepage.description`: IP Address Management
+
+   **PASS**: All homepage labels are correctly set.
+
+2. **Uptime Kuma labels**:
+   - `kuma.<n>.http.name`
+   - `kuma.<n>.http.url`
+
+   **FAIL**: No Uptime Kuma service is defined in the YAML file, so these labels do not apply.
+
+3. **Caddy labels on exposed services**:
+   - `caddy=ipam.netgrimoire.com`
+   - `caddy.reverse_proxy="{{upstreams 80}}"`
+
+   **PASS**: Caddy labels are correctly set for the phpIPAM-web service.
+
+4. **Placement constraints**:
+   - `node.hostname == docker3`
+
+   **FAIL**: The placement constraint is applied to all services, but it should be verified that `docker3` node exists and is available. Additionally, consider using a more dynamic constraint if possible (e.g., based on resource availability).
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/phpipam/phpipam-logo:/phpipam/css/images/logo`
+   - `/DockerVol/phpipam/mariadb:/var/lib/mysql`
+
+   **PASS**: All volumes follow the specified path convention.
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire` network is referenced by all services.
+
+   **PASS**: The `netgrimoire` network is correctly referenced as an external overlay network.
+
+**VERDICT: PASS**
--- a/Netgrimoire/Audits/pinchflat-2026-04-03.md
+++ b/Netgrimoire/Audits/pinchflat-2026-04-03.md
@ -0,0 +1,54 @@
+---
+title: Audit - pinchflat.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:09:34.505Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:09:34.505Z
+---
+
+# Audit Report — pinchflat.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/pinchflat.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+### SWARM AUDIT CHECKS:
+
+1. **Homepage labels**:
+   - `homepage.group`: "Downloaders" - PASS
+   - `homepage.name`: "PinchFlat" - PASS
+   - `homepage.icon`: "pinchflat.png" - FAIL (icon path should be accessible)
+   - `homepage.href`: "https://pinchflat.netgrimoire.com" - PASS
+   - `homepage.description`: "YouTube Library" - PASS
+
+2. **Uptime Kuma labels**:
+   - `kuma.pf.http.name`: "PinchFlat" - PASS
+   - `kuma.pf.http.url`: "http://pinchflat:8945" - PASS
+
+3. **Caddy labels on exposed services**:
+   - `caddy=pinchflat.netgrimoire.com` - PASS
+   - `caddy.import=authentik` - PASS
+   - `caddy.reverse_proxy=pinchflat:8945` - PASS
+
+4. **Placement constraints**:
+   - `node.hostname==nas` - PASS
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/pinchflat/config:/config` - PASS
+   - `/data/nfs/Baxter/Data/media/other/pinchflat:/downloads` - FAIL (should follow the /DockerVol/<service> convention)
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire` network is external - PASS
+
+### FIXES:
+
+- Update `homepage.icon` to a valid accessible path.
+- Change `/data/nfs/Baxter/Data/media/other/pinchflat:/downloads` to follow the convention by placing it under `/DockerVol/pinchflat/downloads`.
+
+### VERDICT:
+FAIL
--- a/Netgrimoire/Audits/portainer-agent-stack-2026-04-03.md
+++ b/Netgrimoire/Audits/portainer-agent-stack-2026-04-03.md
@ -0,0 +1,67 @@
+---
+title: Audit - portainer-agent-stack.yml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:10:38.984Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:10:38.984Z
+---
+
+# Audit Report — portainer-agent-stack.yml
+
+**Date:** 2026-04-03  
+**File:** swarm/portainer-agent-stack.yml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Audit Results:
+
+1. **Homepage labels**:
+   - `homepage.group`: Present
+   - `homepage.name`: Present
+   - `homepage.icon`: Present
+   - `homepage.href`: Present
+   - `homepage.description`: Present
+
+2. **Uptime Kuma labels**:
+   - `kuma.prt.http.name`: Missing (Expected: "Portainer")
+   - `kuma.prt.http.url`: Missing (Expected: "http://portainer:9000")
+
+3. **Caddy labels on exposed services**:
+   - `caddy=docker.netgrimoire.com`: Present
+   - `caddy.reverse_proxy="http://portainer:9000"`: Present
+
+4. **Placement constraints**:
+   - `node.hostname == znas`: Present (Note: This constraint might not be ideal for a global service, but it's specified as per the file.)
+
+5. **Volumes use `/DockerVol/<service>` path convention**:
+   - Volume `/DockerVol/portainer`: Present
+   - Volume `/var/run/docker.sock`: Absent (Not following the `/DockerVol/<service>` convention)
+   - Volume `/var/lib/docker/volumes`: Absent (Not following the `/DockerVol/<service>` convention)
+
+6. **Network references external `netgrimoire` overlay**:
+   - `networks: netgrimoire`: Present
+
+### Issues and Fixes:
+
+- **Uptime Kuma labels**: Add the missing labels with the correct values.
+  ```yaml
+  - kuma.prt.http.name="Portainer"
+  - kuma.prt.http.url=http://portainer:9000
+  ```
+
+- **Volume use `/DockerVol/<service>` path convention**: Adjust the volumes to follow the convention.
+  ```yaml
+  volumes:
+    - /DockerVol/agent/var/run/docker.sock:/var/run/docker.sock
+    - /DockerVol/agent/var/lib/docker/volumes:/var/lib/docker/volumes
+  ```
+
+### Final Verdict:
+
+VERDICT: FAIL
+
+Reasons for failure include missing Uptime Kuma labels and non-conformity with the `/DockerVol/<service>` volume path convention.
--- a/Netgrimoire/Audits/profilarr-2026-04-03.md
+++ b/Netgrimoire/Audits/profilarr-2026-04-03.md
@ -0,0 +1,44 @@
+---
+title: Audit - profilarr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:11:28.457Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:11:28.457Z
+---
+
+# Audit Report — profilarr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/profilarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+1. **Homepage labels**: 
+   - `homepage.group`: "Jolly Roger" - PASS
+   - `homepage.name`: "Profilarr" - PASS
+   - `homepage.icon`: "profilarr" - PASS (Note: This should be a valid icon URL or path, not just the name of the service)
+   - `homepage.href`: "https://profilarr.netgrimoire.com" - PASS
+   - `homepage.description`: "Profilarr" - PASS
+
+2. **Uptime Kuma labels**: 
+   - `kuma.profilarr.http.name`: "profilarr" - PASS
+   - `kuma.profilarr.http.url`: "http://profilarr.netgrimoire.com" - PASS
+
+3. **Caddy labels on exposed services**:
+   - `caddy: "profilarr.netgrimoire.com"` - PASS
+   - `caddy.reverse_proxy: "{{upstreams 6868}}"` - PASS
+
+4. **Placement constraints**: 
+   - `node.hostname == docker4` - PASS
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/profilarr:/config` - PASS
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire` network is marked as `external: true`, ensuring it is referenced correctly in the compose file. - PASS
+
+VERDICT: PASS
--- a/Netgrimoire/Audits/radarr-2026-04-03.md
+++ b/Netgrimoire/Audits/radarr-2026-04-03.md
@ -0,0 +1,27 @@
+---
+title: Audit - radarr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:11:58.614Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:11:58.614Z
+---
+
+# Audit Report — radarr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/radarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+- **Homepage labels**: PASS
+- **Uptime Kuma labels**: PASS
+- **Caddy labels on exposed services**: FAIL - The `caddy.reverse_proxy` label should use the service name, not just the port. Fix: Change to `- caddy.reverse_proxy={{upstreams radarr}}`.
+- **Placement constraints**: PASS
+- **Volumes use /DockerVol/<service> path convention**: PASS
+- **Network references external netgrimoire overlay**: PASS
+
+**VERDICT: FAIL**
--- a/Netgrimoire/Audits/readarr-2026-04-03.md
+++ b/Netgrimoire/Audits/readarr-2026-04-03.md
@ -0,0 +1,50 @@
+---
+title: Audit - readarr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:12:56.461Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:12:56.461Z
+---
+
+# Audit Report — readarr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/readarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT REPORT for `swarm/readarr.yaml`
+
+#### Homepage Labels:
+1. **PASS**: homepage.group = Jolly Roger
+2. **PASS**: homepage.name = Readarr
+3. **PASS**: homepage.icon = readarr.png
+4. **PASS**: homepage.href = http://readarr.netgrimoire.com
+5. **PASS**: homepage.description = Ebook Library
+
+#### Uptime Kuma Labels:
+1. **FAIL**: Missing `kuma.readarr.http.name` and `kuma.readarr.http.url`. These labels are necessary for integration with Uptime Kuma.
+
+#### Caddy Labels on Exposed Services:
+1. **PASS**: caddy=readarr.netgrimoire.com
+2. **PASS**: caddy.reverse_proxy="{{upstreams 8787}}"
+   - **ISSUE**: The use of `{{upstreams 8787}}` may not work as expected in a multi-container environment. It should be replaced with the actual service name if it's part of the same stack.
+   - **FIX**: Replace `{{upstreams 8787}}` with `http://readarr:8787`.
+
+#### Placement Constraints:
+1. **PASS**: node.hostname == docker4
+
+#### Volumes Use `/DockerVol/<service>` Path Convention:
+1. **PASS**: /DockerVol/readarr/config
+2. **FAIL**: /data/nfs/Baxter/Data does not follow the `/DockerVol/<service>` convention. It should be placed under `/DockerVol/readarr/data`.
+
+#### Network References External `netgrimoire` Overlay:
+1. **PASS**: netgrimoire network is external
+
+### VERDICT: FAIL
+
+The report indicates several issues that need to be addressed to fully comply with the specified guidelines. Ensure all labels are correctly defined, adhere to volume naming conventions, and review Caddy configurations for proper service integration.
--- a/Netgrimoire/Audits/recyclarr-2026-04-03.md
+++ b/Netgrimoire/Audits/recyclarr-2026-04-03.md
@ -0,0 +1,31 @@
+---
+title: Audit - recyclarr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:13:33.974Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:13:33.974Z
+---
+
+# Audit Report — recyclarr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/recyclarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels**: NOT APPLICABLE (No homepage labels specified in the provided YAML).
+2. **Uptime Kuma labels**: NOT APPLICABLE (No Uptime Kuma service or labels specified in the provided YAML).
+3. **Caddy labels on exposed services**: NOT APPLICABLE (No Caddy service or reverse proxy configuration specified in the provided YAML).
+4. **Placement constraints**:
+   - PASS: The `node.hostname == docker4` constraint is correctly applied.
+5. **Volumes use /DockerVol/<service> path convention**:
+   - FAIL: The volume path `/data/nfs/Baxter/Docker/recyclarr:/config` does not follow the `/DockerVol/recyclarr` path convention.
+     - **Fix**: Change the volume path to `/DockerVol/recyclarr/config`.
+6. **Network references external netgrimoire overlay**:
+   - PASS: The network `netgrimoire` is correctly referenced as an external network.
+
+**VERDICT: FAIL**
--- a/Netgrimoire/Audits/roundcube-2026-04-03.md
+++ b/Netgrimoire/Audits/roundcube-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - roundcube.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:14:30.315Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:14:30.315Z
+---
+
+# Audit Report — roundcube.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/roundcube.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+**Audit Report for swarm/roundcube.yaml**
+
+1. **Homepage Labels**:
+   - `homepage.group`: Present (`E-Mail`)
+   - `homepage.name`: Present (`Roundcube`)
+   - `homepage.icon`: Present (`roundcube.png`)
+   - `homepage.href`: Present (`http://webmail.netgrimoire.com`)
+   - `homepage.description`: Present (`E-mail client`)
+
+2. **Uptime Kuma Labels**:
+   - `kuma.rc.http.name="Mealie"`: Incorrect syntax, should be `kuma.rc.http.name=Mealie`
+   - `kuma.mrc.http.url=http://roundcube:80`: Correct
+
+3. **Caddy Labels on Exposed Services**:
+   - `caddy`: Present (`webmail.netgrimoire.com`, `webmail.gnarlypandaproductions.com`, `webmail.pncharris.com`, `webmail.pncfishandmore.com`, `webmail.pncharrisenterprises.com`, `webmail.florosafd.org`)
+   - `caddy.reverse_proxy`: Present (`{{upstreams 80}}`)
+
+4. **Placement Constraints**:
+   - `node.hostname`: Present and correct (`docker4`)
+
+5. **Volumes Use /DockerVol/<service> Path Convention**:
+   - `/DockerVol/roundcube/www:/var/www/html`: Correct
+
+6. **Network References External netgrimoire Overlay**:
+   - `netgrimoire` network: Present and external
+   - `mailcow-network` network: Present and external
+
+**VERDICT**: FAIL
--- a/Netgrimoire/Audits/sabnzbd-2026-04-03.md
+++ b/Netgrimoire/Audits/sabnzbd-2026-04-03.md
@ -0,0 +1,48 @@
+---
+title: Audit - sabnzbd.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:15:29.656Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:15:29.656Z
+---
+
+# Audit Report — sabnzbd.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/sabnzbd.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels**: All homepage labels are present and correctly formatted.
+   - `homepage.group=Jolly Roger`
+   - `homepage.name=Sabnzbd`
+   - `homepage.icon=sabnzbd.png`
+   - `homepage.href=http://sabnzbd.netgrimoire.com`
+   - `homepage.description=Usenet Downloader`
+
+2. **Uptime Kuma labels**: Both `kuma.sab.http.name` and `kuma.sab.http.url` are present.
+   - `kuma.sab.http.name="Sabnzbd"`
+   - `kuma.sab.http.url=http://sabnzbd:8080`
+
+3. **Caddy labels on exposed services**: Caddy labels include both the domain and reverse proxy settings.
+   - `caddy=sabnzbd.netgrimoire.com`
+   - `caddy.reverse_proxy="{{upstreams 8080}}"`
+
+4. **Placement constraints**: The placement constraint is referencing a specific node label (`node.labels.general == true`). This needs to be updated to reference the node's hostname instead for better clarity.
+   - Current: `- node.labels.general == true`
+   - Fix: Update to use `node.hostname` if appropriate, or keep the original if `general` is indeed a valid label.
+
+5. **Volumes use /DockerVol/<service> path convention**: The volumes do not follow the `/DockerVol/<service>` path convention.
+   - Current paths:
+     - `/data/nfs/znas/Data/:/data:shared`
+     - `/data/nfs/znas/Docker/Sabnzbd:/config`
+
+6. **Network references external netgrimoire overlay**: The network reference is correctly set to the `netgrimoire` network, which is marked as external.
+
+**VERDICT: FAIL**
+
+The placement constraint should be updated for clarity and the volumes should adhere to the specified path convention.
--- a/Netgrimoire/Audits/scanopy-2026-04-03.md
+++ b/Netgrimoire/Audits/scanopy-2026-04-03.md
@ -0,0 +1,50 @@
+---
+title: Audit - scanopy.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:17:06.276Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:17:06.276Z
+---
+
+# Audit Report — scanopy.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/scanopy.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT — check ALL of the following:
+
+1. **Homepage labels**:
+   - `homepage.group`: "Monitoring" (PASS)
+   - `homepage.name`: "Scanopy" (PASS)
+   - `homepage.icon`: "scanopy.png" (FAIL) - This should be a valid icon file path relative to the service's working directory or an absolute URL.
+   - `homepage.href`: "https://scan.netgrimoire.com" (PASS)
+   - `homepage.description`: "Network discovery & topology" (PASS)
+
+2. **Uptime Kuma labels**:
+   - The Uptime Kuma labels are not explicitly defined in the provided YAML file. Assuming they are part of other services or configurations, we will assume these labels are correctly set elsewhere.
+
+3. **Caddy labels on exposed services**:
+   - `caddy: "scn.netgrimoire.com"` (PASS)
+   - `caddy.reverse_proxy`: "{{upstreams 60072}}" (PASS)
+
+4. **Placement constraints**:
+   - All services have placement constraints (`node.hostname == docker4`) which are correctly set (PASS).
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `postgres` volume: `/DockerVol/scanopy/postgres:/var/lib/postgresql/data` (PASS)
+   - `server` volume: `/DockerVol/scanopy/server-data:/data` (PASS)
+   - `daemon` volume: `/DockerVol/scanopy/daemon-config:/root/.config/daemon` (PASS)
+
+6. **Network references external netgrimoire overlay**:
+   - All services reference the `netgrimoire` network which is marked as external (PASS).
+
+### Final Verdict
+VERDICT: FAIL
+
+The issue identified is that the `homepage.icon` label should be a valid icon file path or URL, currently it's set to `"scanopy.png"`, which may not be accessible or correct. Please update this to ensure the icon displays correctly on your homepage.
--- a/Netgrimoire/Audits/sonarr-2026-04-03.md
+++ b/Netgrimoire/Audits/sonarr-2026-04-03.md
@ -0,0 +1,47 @@
+---
+title: Audit - sonarr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:17:56.262Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:17:56.262Z
+---
+
+# Audit Report — sonarr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/sonarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT REPORT**
+
+1. **Homepage labels**:
+   - **PASS**: homepage.group=Jolly Roger
+   - **PASS**: homepage.name=Sonarr
+   - **PASS**: homepage.icon=sonarr.png
+   - **FAIL**: homepage.href=http://sonarr.netgrimoire.com should be http://sonarr:8989 (Relative URL recommended for internal services).
+   - **PASS**: homepage.description=Television Library
+
+2. **Uptime Kuma labels**:
+   - **FAIL**: No kuma labels found.
+
+3. **Caddy labels on exposed services**:
+   - **PASS**: caddy=sonarr.netgrimoire.com
+   - **PASS**: caddy.reverse_proxy="sonarr:8989"
+
+4. **Placement constraints**:
+   - **PASS**: node.hostname==docker5
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **FAIL**: /data/nfs/znas/Data/:/data should be /DockerVol/Sonarr/data to adhere to the specified convention.
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: Network netgrimoire is referenced as external.
+
+**VERDICT: FAIL**
+
+The configuration contains several issues that need to be addressed for a successful audit. The homepage and Caddy labels require specific fixes, while the volume path does not comply with the established convention.
--- a/Netgrimoire/Audits/termix-2026-04-03.md
+++ b/Netgrimoire/Audits/termix-2026-04-03.md
@ -0,0 +1,46 @@
+---
+title: Audit - termix.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:18:39.128Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:18:39.128Z
+---
+
+# Audit Report — termix.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/termix.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT RESULTS
+
+#### Homepage Labels
+- **PASS**: `homepage.group`: Remote Access
+- **PASS**: `homepage.name`: Termix
+- **PASS**: `homepage.icon`: terminal
+- **PASS**: `homepage.href`: https://termix.netgrimoire.com
+- **PASS**: `homepage.description`: Web-based terminal interface
+
+#### Uptime Kuma Labels
+- **PASS**: `kuma.termix.http.name`: Termix
+- **PASS**: `kuma.termix.http.url`: https://termix.netgrimoire.com
+
+#### Caddy Labels
+- **FAIL**: Missing `caddy=<domain>` label. Add `caddy=termix.netgrimoire.com`.
+- **FAIL**: Missing `caddy.reverse_proxy` label. Add `caddy.reverse_proxy: termix:8080`.
+
+#### Placement Constraints
+- **PASS**: `node.hostname == docker4`
+
+#### Volumes Path Convention
+- **PASS**: `/DockerVol/termix:/app/data` adheres to the convention
+
+#### Network References
+- **PASS**: References the external `netgrimoire` network
+
+### VERDICT: FAIL
--- a/Netgrimoire/Audits/tmm-2026-04-03.md
+++ b/Netgrimoire/Audits/tmm-2026-04-03.md
@ -0,0 +1,52 @@
+---
+title: Audit - tmm.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:19:40.493Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:19:40.493Z
+---
+
+# Audit Report — tmm.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/tmm.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### SWARM AUDIT RESULTS:
+
+1. **Homepage labels**: 
+   - `homepage.group`: "Media Management" - PASS
+   - `homepage.name`: "Tiny Media Manager" - PASS
+   - `homepage.icon`: "troddit.png" - PASS
+   - `homepage.href`: "https://tmm.netgrimoire.com" - PASS
+   - `homepage.description`: "Media Manager" - PASS
+
+2. **Uptime Kuma labels**: 
+   - No Kuma labels found. Uptime Kuma is not included in this service's deployment configuration. 
+
+3. **Caddy labels on exposed services**:
+   - `caddy=tmm.netgrimoire.com` - PASS
+   - `caddy.reverse_proxy=tinymediamanager_service:4000` - PASS
+
+4. **Placement constraints**: 
+   - No placement constraints defined (`node.hostname`). This is acceptable if there are no specific node requirements.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/data/nfs/Baxter/Docker/tinymediamanager:/config:rw` - FAIL
+     - Issue: The volume does not follow the `/DockerVol/<service>` path convention.
+     - Fix: Update to `/DockerVol/tinymediamanager/config`.
+
+   - `/data/nfs/Baxter:/media:rw` - PASS
+     - Note: This volume follows the general practice of using a separate data directory but does not follow the specific `/DockerVol/<service>` convention.
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire` network is referenced as `external: true`. 
+
+### VERDICT: FAIL
+
+The audit failed due to a volume path that does not adhere to the specified convention. All other checks passed.
--- a/Netgrimoire/Audits/tunarr-2026-04-03.md
+++ b/Netgrimoire/Audits/tunarr-2026-04-03.md
@ -0,0 +1,30 @@
+---
+title: Audit - tunarr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:20:23.850Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:20:23.850Z
+---
+
+# Audit Report — tunarr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/tunarr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+**SWARM AUDIT — check ALL of the following:**
+
+1. **Homepage labels**: All homepage labels are present.
+2. **Uptime Kuma labels**: The labels `kuma.tunarr.http.name` and `kuma.tunarr.http.url` are present, but there is no label for another service (`<n>`) specified in the Uptime Kuma documentation. Assuming this is a single service, it is acceptable.
+3. **Caddy labels on exposed services**: The Caddy labels `caddy=tunarr.netgrimoire.com` and `caddy.reverse_proxy="{{upstreams 8000}}"` are present.
+4. **Placement constraints**: The placement constraint `node.labels.general == true` is not valid. It should be `node.role == "manager"` or another appropriate role if using a manager node.
+5. **Volumes use /DockerVol/<service> path convention**: The volumes follow the convention, e.g., `/data/nfs/Baxter/Docker/tunarr/config`.
+6. **Network references external netgrimoire overlay**: The network `netgrimoire` is referenced correctly and is an external network.
+
+**Final line:**
+VERDICT: FAIL
--- a/Netgrimoire/Audits/vault-2026-04-03.md
+++ b/Netgrimoire/Audits/vault-2026-04-03.md
@ -0,0 +1,62 @@
+---
+title: Audit - vault.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:21:32.070Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:21:32.070Z
+---
+
+# Audit Report — vault.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/vault.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels**:
+   - `homepage.group`: "Backup"
+   - `homepage.name`: "Vault"
+   - `homepage.icon`: "kopia.png"
+   - `homepage.href`: "https://vault.netgrimoire.com"
+   - `homepage.description`: "Snapshot backup and deduplication"
+
+   **PASS**: All homepage labels are correctly defined.
+
+2. **Uptime Kuma labels**:
+   - `kuma.kopia.http.name`: "Kopia Web"
+   - `kuma.kopia.http.url`: "http://vault:51515"
+
+   **PASS**: Uptime Kuma labels are correctly defined.
+
+3. **Caddy labels on exposed services**:
+   - `caddy: vault.netgrimoire.com`
+   - `caddy.reverse_proxy: "https://kopia-server-vault:51516"`
+
+   **FAIL**: The `caddy.reverse_proxy` label is incorrectly configured. It should point to the correct service, likely "vault" instead of "kopia-server-vault".
+
+4. **Placement constraints**:
+   - `node.hostname == znas`
+
+   **PASS**: Placement constraint correctly targets a specific node.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/DockerVol/vault/config:/app/config`
+   - `/DockerVol/vault/cache:/app/cache`
+   - `/DockerVol/vault/cert:/app/cert`
+   - `/srv/vault/backup/repository:/vault`
+   - `/DockerVol/vault/logs:/app/logs`
+
+   **FAIL**: Volume paths do not follow the `/DockerVol/<service>` convention. The volume path for the backup repository should be `/DockerVol/vault/backup/repository`.
+
+6. **Network references external netgrimoire overlay**:
+   - `netgrimoire`: External
+
+   **PASS**: Network reference is correctly set to an external network.
+
+**VERDICT: FAIL**
+
+The configuration contains issues that need to be addressed for the infrastructure to meet the specified standards and function correctly.
--- a/Netgrimoire/Audits/vaultwarden-2026-04-03.md
+++ b/Netgrimoire/Audits/vaultwarden-2026-04-03.md
@ -0,0 +1,45 @@
+---
+title: Audit - vaultwarden.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:22:15.425Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:22:15.425Z
+---
+
+# Audit Report — vaultwarden.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/vaultwarden.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels:**  
+   - `homepage.group`: PASS
+   - `homepage.name`: PASS
+   - `homepage.icon`: PASS
+   - `homepage.href`: PASS
+   - `homepage.description`: PASS
+
+2. **Uptime Kuma labels:**  
+   - No Uptime Kuma labels are defined in the file. This is a potential issue since it might be required for proper monitoring and management of the service.
+
+3. **Caddy labels on exposed services:**  
+   - `caddy=pass.netgrimoire.com`: PASS
+   - `caddy.reverse_proxy=bitwarden:80`: PASS
+
+4. **Placement constraints:**  
+   - `node.hostname == docker3`: PASS
+
+5. **Volumes use /DockerVol/<service> path convention:**  
+   - `/DockerVol/bitwarden:/data`: PASS
+
+6. **Network references external netgrimoire overlay:**  
+   - `networks: netgrimoire` with `external: true`: PASS
+
+**VERDICT: FAIL**
+
+The main issue is the absence of Uptime Kuma labels, which could affect monitoring and management of the service. This should be addressed to ensure comprehensive infrastructure auditing.
--- a/Netgrimoire/Audits/vikunja-2026-04-03.md
+++ b/Netgrimoire/Audits/vikunja-2026-04-03.md
@ -0,0 +1,44 @@
+---
+title: Audit - vikunja.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:23:18.317Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:23:18.317Z
+---
+
+# Audit Report — vikunja.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/vikunja.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Audit Report for `swarm/vikunja.yaml`
+
+#### Homepage Labels
+**PASS**: The labels `homepage.group`, `homepage.name`, `homepage.icon`, `homepage.href`, and `homepage.description` are correctly defined.
+
+#### Uptime Kuma Labels
+**FAIL**:
+- **Issue**: The configuration specifies the labels `kuma.vik.http.name` and `kuma.vik.http.url`, but there is no indication of multiple instances or a loop through them.
+- **Fix**: Define multiple instances or use a loop if needed, e.g., `kuma.0.http.name`, `kuma.0.http.url`.
+
+#### Caddy Labels on Exposed Services
+**PASS**: The labels `caddy=task.netgrimoire.com`, `caddy.import: authentik`, and `caddy.reverse_proxy: "{{upstreams 3456}}"` are correctly defined.
+
+#### Placement Constraints
+**PASS**: The constraints `node.hostname == docker4` are applied to both services.
+
+#### Volumes Use `/DockerVol/<service>` Path Convention
+**PASS**: Both services use the correct path convention for volumes, e.g., `/DockerVol/vikunja/files` and `/DockerVol/vikunja/db`.
+
+#### Network References External `netgrimoire` Overlay
+**PASS**: The network `netgrimoire` is correctly referenced as external.
+
+### VERDICT: FAIL
+
+The audit found one issue that needs to be addressed before the configuration can be considered fully compliant.
--- a/Netgrimoire/Audits/vscode-2026-04-03.md
+++ b/Netgrimoire/Audits/vscode-2026-04-03.md
@ -0,0 +1,27 @@
+---
+title: Audit - vscode.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:23:58.891Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:23:58.891Z
+---
+
+# Audit Report — vscode.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/vscode.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels**: PASS - All required labels are present and correctly formatted.
+2. **Uptime Kuma labels**: PASS - `kuma.cs.http.name` and `kuma.cs.http.url` are correctly set.
+3. **Caddy labels on exposed services**: PASS - `caddy=code.netgrimoire.com` and `caddy.reverse_proxy=code-server:8443` are correctly specified.
+4. **Placement constraints**: PASS - The constraint `node.hostname == znas` is present.
+5. **Volumes use /DockerVol/<service> path convention**: FAIL - The volume for `Projects` does not follow the `/DockerVol/<service>` path convention. It should be renamed to `/DockerVol/Code/projects`.
+6. **Network references external netgrimoire overlay**: PASS - The network `netgrimoire` is correctly referenced as external.
+
+**VERDICT: FAIL**
--- a/Netgrimoire/Audits/wallo-2026-04-03.md
+++ b/Netgrimoire/Audits/wallo-2026-04-03.md
@ -0,0 +1,54 @@
+---
+title: Audit - wallo.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:24:58.197Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:24:58.197Z
+---
+
+# Audit Report — wallo.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/wallo.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+### Audit Report for `wallo.yaml`
+
+1. **Homepage labels**:
+   - `homepage.group`: "PNCHarris Apps" (PASS)
+   - `homepage.name`: "Wallos" (PASS)
+   - `homepage.icon`: "wallos.png" (FAIL) - Missing value.
+   - `homepage.href`: "https://expense.netgrimoire.com" (PASS)
+   - `homepage.description`: "Subscription Manager" (PASS)
+
+2. **Uptime Kuma labels**:
+   - `kuma.wallos.http.name`: "Wallos" (PASS)
+   - `kuma.wallos.http.url`: "http://wallos:80" (PASS)
+
+3. **Caddy labels on exposed services**:
+   - `caddy=expense.netgrimoire.com` (PASS)
+   - `caddy.reverse_proxy=wallos:80` (PASS)
+
+4. **Placement constraints**: node.hostname
+   - No placement constraints specified in the `deploy` block (FAIL) - Add `placement.constraints: [node.labels.hostname == "your-hostname"]` as needed.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - `/data/nfs/Baxter/Docker/wallos/db:/var/www/html/db` (FAIL) - Volumes do not follow the `/DockerVol/<service>` convention.
+   - `/data/nfs/Baxter/Docker/wallos/logos:/var/www/html/images/uploads/logos` (FAIL)
+
+6. **Network references external netgrimoire overlay**:
+   - Network `netgrimoire` is referenced as external (PASS)
+
+### Fix Recommendations
+
+- Correct the homepage icon value.
+- Add placement constraints if needed for specific node placement.
+- Rename and relocate volumes to follow the `/DockerVol/<service>` convention, e.g., `/DockerVol/wallos/db:/var/www/html/db`.
+
+### Final Verdict
+VERDICT: FAIL
--- a/Netgrimoire/Audits/web-2026-04-03.md
+++ b/Netgrimoire/Audits/web-2026-04-03.md
@ -0,0 +1,45 @@
+---
+title: Audit - web.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:25:48.458Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:25:48.458Z
+---
+
+# Audit Report — web.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/web.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels**: 
+   - `homepage.name` is present.
+   - `homepage.icon` is present.
+   - `homepage.href` is missing. Add it with the appropriate value.
+   - `homepage.description` is missing. Consider adding a description for clarity.
+
+2. **Uptime Kuma labels**:
+   - `kuma.web.http.name` is present.
+   - `kuma.web.http.url` is present.
+
+3. **Caddy labels on exposed services**:
+   - `caddy=www.netgrimoire.com` is present.
+   - `caddy.reverse_proxy="web:80"` is present.
+
+4. **Placement constraints**:
+   - `node.labels.cpu == amd` is present, but it should be `node.labels.cpu == "amd"` for better readability.
+
+5. **Volumes use `/DockerVol/<service>` path convention**:
+   - The volumes are not using the `/DockerVol/<service>` path convention. They are located at `/data/nfs/znas/Docker/web/pages` and `/data/nfs/znas/Docker/web/apache`. Consider creating a symbolic link or moving these volumes to follow the convention.
+
+6. **Network references external `netgrimoire` overlay**:
+   - The network is correctly referencing an external `netgrimoire` overlay.
+
+**VERDICT: FAIL**
+
+The homepage labels are missing `homepage.href` and `homepage.description`. Additionally, the volumes need to be moved or symlinked to follow the `/DockerVol/<service>` path convention.
--- a/Netgrimoire/Audits/whisparr-2026-04-03.md
+++ b/Netgrimoire/Audits/whisparr-2026-04-03.md
@ -0,0 +1,42 @@
+---
+title: Audit - whisparr.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:27:24.537Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:27:24.537Z
+---
+
+# Audit Report — whisparr.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/whisparr.yaml  
+**Type:** Docker Swarm  
+**Verdict:** FAIL
+
+---
+
+1. **Homepage labels**: All homepage labels are present in the configuration.
+   - Greenfin, Whisparr
+
+2. **Uptime Kuma labels**:
+   - **FAIL**: Uptime Kuma is not defined in the provided YAML file.
+
+3. **Caddy labels on exposed services**:
+   - **FAIL**: No Caddy labels are present in the configuration.
+
+4. **Placement constraints**:
+   - **PASS**: All placement constraints specify `node.hostname == docker1`.
+
+5. **Volumes use /DockerVol/<service> path convention**:
+   - **PASS**: Volumes follow the `/DockerVol/<service>` naming convention.
+     - Whisparr: `/DockerVol/Whisparr:/config`
+     - Greenfin (commented out): `/DockerVol/greenfin/config:/config`
+
+6. **Network references external netgrimoire overlay**:
+   - **PASS**: The network `netgrimoire` is referenced as an external network.
+
+**VERDICT: FAIL**
+
+The configuration lacks essential labels for Uptime Kuma and Caddy, which are critical for monitoring and routing services. Additionally, the Greenfin service is commented out but would still need to adhere to the volume and placement constraints guidelines if uncommented.
--- a/Netgrimoire/Audits/wiki-2026-04-03.md
+++ b/Netgrimoire/Audits/wiki-2026-04-03.md
@ -0,0 +1,76 @@
+---
+title: Audit - wiki.yaml
+description: Gremlin audit report 2026-04-03
+published: true
+date: 2026-04-03T03:28:56.635Z
+tags: gremlin,audit
+editor: markdown
+dateCreated: 2026-04-03T03:28:56.635Z
+---
+
+# Audit Report — wiki.yaml
+
+**Date:** 2026-04-03  
+**File:** swarm/wiki.yaml  
+**Type:** Docker Swarm  
+**Verdict:** PASS
+
+---
+
+### SWARM AUDIT CHECKLIST:
+
+1. **Homepage labels:**
+   - **PASS**: `wikijs`, `drawio`
+   - **FAIL**: No homepage labels defined for `wikijs-db`. 
+     - **Fix**: Add the following labels to `wikijs-db`:
+       ```yaml
+       labels:
+         homepage.group: "Database"
+         homepage.name: "PostgreSQL"
+         homepage.icon: "postgres.png"
+         homepage.href: "https://www.postgresql.org"
+         homepage.description: "Relational Database"
+         diun.enable: "true"
+       ```
+
+2. **Uptime Kuma labels:**
+   - **FAIL**: `wikijs`, `drawio` missing Kuma labels.
+     - **Fix**: Add the following labels to both `wikijs` and `drawio`:
+       ```yaml
+       labels:
+         kuma.<n>.http.name: "Wiki.js"
+         kuma.<n>.http.url: "https://wiki.netgrimoire.com"
+         # Replace <n> with a sequential number if multiple instances are needed.
+       ```
+
+3. **Caddy labels on exposed services:**
+   - **FAIL**: `drawio` missing Caddy labels for reverse proxy.
+     - **Fix**: Add the following labels to `drawio`:
+       ```yaml
+       labels:
+         caddy: draw.netgrimoire.com
+         caddy.reverse_proxy: "{{upstreams 8080}}"
+       ```
+   - **PASS**: Both `wikijs-db`, `wikijs`, and `drawio` have `caddy=<domain>` labels.
+
+4. **Placement constraints:**
+   - **FAIL**: No placement constraints for `drawio`.
+     - **Fix**: Add the following constraints to `drawio`:
+       ```yaml
+       deploy:
+         mode: replicated
+         replicas: 1
+         placement:
+           constraints:
+             - node.hostname == dockerpi1
+             - node.labels.cpu == arm
+       ```
+
+5. **Volumes use /DockerVol/<service> path convention:**
+   - **PASS**: All services follow this convention.
+
+6. **Network references external netgrimoire overlay:**
+   - **PASS**: Both `wikijs-db`, `wikijs`, and `drawio` reference the external network `netgrimoire`.
+
+### VERDICT:
+FAIL
--- a/Netgrimoire/Conventions/Doc-Standards.md
+++ b/Netgrimoire/Conventions/Doc-Standards.md
@ -0,0 +1,276 @@
+---
+title: Netgrimoire Documentation
+description: How to create and use Netgrimoire Docs
+published: true
+date: 2026-02-20T04:16:19.329Z
+tags: 
+editor: markdown
+dateCreated: 2026-02-03T02:54:56.444Z
+---
+
+# Homelab Documentation Structure & Diagram Standards
+
+This document describes the **official documentation structure** for the homelab Wiki.js instance, including:
+- Folder and page layout
+- Naming conventions
+- How Git fits into the workflow
+- How to use draw.io (diagrams.net) for diagrams
+- How to ensure documentation is accessible when the lab is down
+
+This page is intended to be a **reference and enforcement guide**.
+
+---
+
+## Core Principles
+
+1. **Wiki.js is the editor, Git is the source of truth**
+2. **All documentation must be readable without Wiki.js**
+3. **Diagrams must be viewable without draw.io**
+4. **Folder structure must be predictable and consistent**
+5. **Emergency documentation must not depend on the lab being up**
+
+---
+
+## Repository Overview
+
+All documentation lives in a single Git repository.
+
+Wiki.js writes Markdown files into this repository automatically.  
+The repository can be cloned to a laptop or other device for **offline access**.
+
+Example:
+```bash
+git clone ssh://git@forgejo.example.com/homelab/docs.git
+```
+
+---
+
+## Top-Level Folder Structure
+```
+homelab-docs/
+├── README.md
+├── emergency/
+├── infrastructure/
+├── storage/
+├── services/
+├── runbooks/
+├── diagrams/
+└── assets/
+```
+
+### Folder Purpose
+
+| Folder | Purpose |
+|--------|---------|
+| README.md | Entry point when the lab is down |
+| emergency/ | Recovery procedures and break-glass docs |
+| infrastructure/ | Core systems (identity, backups, networking) |
+| storage/ | Storage platforms and layouts |
+| services/ | Application-specific documentation |
+| runbooks/ | Step-by-step operational procedures |
+| diagrams/ | All draw.io diagrams and exports |
+| assets/ | Images or files used by documentation |
+
+---
+
+## Storage Documentation Structure
+```
+storage/
+└── core/
+    ├── zfs.md
+    ├── local-drives.md
+    ├── nas.md
+    └── btrfs.md
+```
+
+**Guidelines:**
+- Each storage technology gets its own page
+- Pages describe architecture, layout, and operational notes
+- Backup and snapshot policies belong elsewhere
+
+---
+
+## Infrastructure Documentation Structure
+```
+infrastructure/
+└── backups/
+    ├── zfs-snapshots.md
+    └── application-backups.md
+```
+
+**Guidelines:**
+- Infrastructure describes cross-cutting systems
+- Anything used by multiple hosts or services belongs here
+- Backup strategies are infrastructure, not storage
+
+---
+
+## Services Documentation Structure
+```
+services/
+└── mailcow.md
+```
+
+**Guidelines:**
+- One page per service
+- Page should include:
+  - Purpose
+  - Architecture
+  - Volumes
+  - Backup considerations
+  - Recovery notes
+
+---
+
+## Emergency Documentation
+```
+emergency/
+├── bring-up-order.md
+├── swarm-recovery.md
+├── zfs-import.md
+├── network-restore.md
+└── identity-break-glass.md
+```
+
+**Rules:**
+
+Emergency docs must be:
+- Text-first
+- Copy/paste friendly
+- Free of dependencies
+
+These pages should be readable directly from Git.
+
+---
+
+## Naming Conventions (Mandatory)
+
+**Folders:**
+- Lowercase
+- No spaces
+- Example: `infrastructure/backups`
+
+**Page filenames:**
+- Lowercase
+- Hyphen-separated
+- Example: `zfs-snapshots.md`
+
+**Page titles:**
+- Human readable
+- Proper case
+- Example: `# ZFS Snapshots`
+
+---
+
+## draw.io (diagrams.net) Usage
+
+draw.io is used **only to create diagrams**, never as the sole storage location.
+
+### Diagram Storage Layout
+```
+diagrams/
+├── network/
+│   ├── core.drawio
+│   ├── core.png
+│   └── core.svg
+├── docker/
+│   ├── swarm-architecture.drawio
+│   └── swarm-architecture.png
+└── storage/
+    ├── zfs-layout.drawio
+    └── zfs-layout.png
+```
+
+### File Types
+
+| File | Purpose |
+|------|---------|
+| .drawio | Editable source |
+| .png | Offline viewing |
+| .svg | Zoomable / high quality (optional) |
+
+**Every diagram MUST have a PNG export.**
+
+---
+
+## Adding a Diagram (Required Workflow)
+
+1. Create or edit the diagram in draw.io
+2. Save the `.drawio` file into `diagrams/<category>/`
+3. Export a `.png` (and optional `.svg`)
+4. Commit all files to Git
+
+If a diagram cannot be viewed without draw.io running, it is **not complete**.
+
+---
+
+## Embedding Diagrams in Wiki.js Pages
+
+Always embed PNG or SVG, never live editors.
+
+Example:
+```markdown
+![Core Network Diagram](../../diagrams/network/core.png)
+
+_Source file: core.drawio_
+```
+
+This ensures:
+- Fast rendering
+- Offline viewing
+- No service dependency
+
+---
+
+## Git Workflow Expectations
+
+**Authoring:**
+- All pages are created and edited in Wiki.js
+- Wiki.js commits changes automatically
+
+**Offline Access:**
+- Documentation is read directly from the Git clone
+- Markdown and images must be sufficient without Wiki.js
+
+**What Not To Do:**
+- Do not create wiki pages directly in Git
+- Do not rename paths outside Wiki.js
+- Do not store diagrams only inside draw.io
+
+---
+
+## Lab-Down Access Model
+
+When the lab is unavailable:
+
+1. Open the local Git clone
+2. Read `README.md`
+3. Navigate to `emergency/`
+4. View diagrams via `.png` files
+5. Execute recovery steps
+
+**No services are required.**
+
+---
+
+## README.md (Recommended Content)
+
+The root `README.md` should contain:
+- Purpose of the documentation
+- Where to start during an outage
+- Link list to emergency procedures
+- High-level architecture notes
+
+---
+
+## Final Notes
+
+This structure is designed to:
+- Scale cleanly
+- Survive outages
+- Remain readable for years
+- Support automation and GitOps workflows
+
+**If documentation cannot be read when the lab is down, it is incomplete.**
+
+This structure makes that impossible.
--- a/Netgrimoire/Conventions/Service-Doc-Template.md
+++ b/Netgrimoire/Conventions/Service-Doc-Template.md
@ -0,0 +1,122 @@
+---
+title: Service Documentation Template
+description: Describe the service
+published: true
+date: 2026-04-10T13:23:01.021Z
+tags: 
+editor: markdown
+dateCreated: 2026-02-03T02:57:07.462Z
+---
+
+# Service Documentation Template - 1
+
+Use this template for **every new service** documented under `services/`.
+
+Copy this file, rename it, and fill in all sections.
+
+---
+
+# Service Name
+
+## Overview
+
+Brief description of what this service does and why it exists.
+
+---
+
+## Architecture
+
+Describe how the service is deployed.
+
+Include:
+- Host(s)
+- Containers
+- External dependencies
+- Network exposure
+
+---
+
+## Volumes & Data
+
+List all persistent data locations.
+```
+/path/on/host → purpose
+```
+
+Include:
+- What data is stored
+- Whether it is critical
+- Where backups occur
+
+---
+
+## Configuration
+
+Document:
+- Environment variables (non-secret)
+- Configuration files
+- Important defaults
+
+**Secrets must not be stored here.** Reference where they live instead.
+
+---
+
+## Authentication & Access
+
+Describe:
+- Authentication method
+- Local access
+- Break-glass access (if applicable)
+
+---
+
+## Backups
+
+Explain:
+- What is backed up
+- How often
+- Using what tool
+- Where backups are stored
+
+Link to infrastructure backup docs if applicable.
+
+---
+
+## Restore Procedure
+
+Step-by-step recovery instructions.
+```bash
+# example commands
+```
+
+This section must be usable when the service is broken.
+
+---
+
+## Monitoring & Health
+
+Describe:
+- How service health is checked
+- Logs of interest
+- Alerting (if any)
+
+---
+
+## Common Failures
+
+List known failure modes and fixes.
+
+---
+
+## Diagrams
+
+Embed architecture diagrams here.
+```markdown
+![Service Architecture](../diagrams/<category>/<diagram>.png)
+```
+
+---
+
+## Notes
+
+Anything that does not fit elsewhere.
--- a/Netgrimoire/Conventions/Theme.md
+++ b/Netgrimoire/Conventions/Theme.md
@ -0,0 +1,174 @@
+---
+title: Documentation Style Guide
+description: Applying a theme
+published: true
+date: 2026-02-25T21:32:16.786Z
+tags: 
+editor: markdown
+dateCreated: 2026-02-24T14:03:00.791Z
+---
+
+# Netgrimoire Theme — Wiki.js Implementation Guide
+
+## What You're Getting
+
+Two files to transform your Wiki.js library into the Netgrimoire aesthetic:
+
+| File | Purpose |
+|------|---------|
+| `netgrimoire-theme.css` | Global site theme — dark background, teal glow, Cinzel headers, animated sidebar |
+| `netgrimoire-hero-block.html` | Animated constellation hero banner for your library landing page |
+
+---
+
+## Part 1 — Apply the Global Theme CSS
+
+This is the main transformation. It reskins the entire Wiki.js UI.
+
+### Step 1: Open the Wiki.js Admin Panel
+
+Navigate to your Wiki.js instance and go to:
+
+```
+Administration (gear icon) → Theme
+```
+
+### Step 2: Locate "Custom CSS"
+
+On the Theme page, scroll down until you see the **"Custom CSS"** text area. It may be labelled "CSS Override" depending on your Wiki.js version.
+
+### Step 3: Paste the CSS
+
+Open `netgrimoire-theme.css`, select all (`Ctrl+A`), copy, and paste the entire contents into the Custom CSS field.
+
+### Step 4: Apply
+
+Click **"Apply"** or **"Save"** at the top or bottom of the Theme page. Wiki.js applies the CSS live — you do not need to restart the container.
+
+### Step 5: Verify
+
+Open your wiki in a new browser tab. You should see:
+
+- Dark `#0a0d12` background
+- Teal/cyan navigation links and headers
+- Cinzel serif font on headings
+- Glowing active sidebar item
+- Teal-bordered code blocks and tables
+
+**If styles are not applying**, do a hard refresh (`Ctrl+Shift+R`) to clear cached CSS.
+
+---
+
+## Part 2 — Add the Animated Hero Banner to Your Library Page
+
+This places a live constellation animation at the top of your document library index page.
+
+### Step 1: Open the Library Page for Editing
+
+Navigate to your document library landing page and click **Edit** (pencil icon, top right).
+
+### Step 2: Switch to Source / HTML Mode
+
+In the Wiki.js editor toolbar, look for one of the following depending on your editor:
+
+- **Markdown editor**: Click the `<>` or "Insert HTML Block" button
+- **Visual editor (WYSIWYG)**: Look for `< >` Source button, or Insert → HTML Block
+
+### Step 3: Paste the Hero HTML
+
+Open `netgrimoire-hero-block.html`, copy the full contents, and paste into the HTML block at the very top of your page, before any other content.
+
+### Step 4: Save the Page
+
+Click **Save**. The constellation animation will render automatically when the page loads.
+
+### Step 5: Customize (Optional)
+
+To change the banner title text, find this line in the HTML:
+
+```html
+>DOCUMENT LIBRARY</div>
+```
+
+Replace `DOCUMENT LIBRARY` with whatever you want (e.g., `THE GRIMOIRE`, `KNOWLEDGE VAULT`).
+
+To change the subtitle:
+
+```html
+>Netgrimoire Knowledge Vault</div>
+```
+
+---
+
+## Part 3 — Google Fonts (Internet Access Required)
+
+The theme imports three fonts automatically via Google Fonts:
+
+| Font | Used For |
+|------|---------|
+| Cinzel | Headers, nav section labels, card titles |
+| Share Tech Mono | Code blocks, inline code, footer |
+| Raleway | Body text, nav items, descriptions |
+
+These load via a `@import` at the top of the CSS and require your browser to have internet access when loading the page. Since Netgrimoire is a local server, this means:
+
+- **If your browser machine has internet**: Fonts load automatically — no action needed.
+- **If fully air-gapped**: The fonts will fall back to system serif/monospace. To self-host, download the font files and serve them from your Forgejo or a local nginx path, then replace the `@import` line with `@font-face` blocks pointing to your local URLs.
+
+---
+
+## Part 4 — Fine-Tuning
+
+### Adjusting the Teal Color
+
+All colors are defined as CSS variables at the top of the CSS file. To shift the color tone, change `--ng-teal`:
+
+```css
+:root {
+  --ng-teal: #00e5cc;   /* default — cyan-teal */
+  /* try:  #00cfff  for more blue */
+  /* try:  #39ff14  for neon green */
+  /* try:  #bf5fff  for purple arcane */
+}
+```
+
+### Making the Background Darker
+
+Adjust `--ng-bg-base` and `--ng-bg-deep`:
+
+```css
+:root {
+  --ng-bg-base: #070a0e;  /* even darker */
+  --ng-bg-deep: #030507;
+}
+```
+
+### Constellation Node Count
+
+In `netgrimoire-hero-block.html`, find:
+
+```javascript
+var NODE_COUNT = 55;
+```
+
+Increase for a denser network, decrease for a sparser, more minimal look.
+
+---
+
+## Troubleshooting
+
+| Symptom | Fix |
+|---------|-----|
+| CSS not applying | Hard refresh (`Ctrl+Shift+R`); check for syntax errors in the CSS field |
+| Fonts showing as Times New Roman | Browser lacks internet access; see Part 3 above |
+| Hero animation not rendering | Check browser console for JS errors; ensure the page saved the HTML block |
+| Sidebar colors still white | Some Wiki.js versions use different class names; inspect with browser DevTools and let Claude know which element needs targeting |
+| Dark mode toggle fighting the theme | Wiki.js's built-in dark mode toggle may conflict — set it to Dark in Administration → Theme before applying custom CSS |
+
+---
+
+## Notes
+
+- Wiki.js stores custom CSS in the database, so it survives container restarts.
+- After updating Wiki.js, re-check the Theme page — major version upgrades occasionally reset the CSS field.
+- The hero block is per-page; you can add it to any page you want the constellation effect on.
--- a/Netgrimoire/Overview.md
+++ b/Netgrimoire/Overview.md
@ -0,0 +1,63 @@
+---
+title: Netgrimoire
+description: Core homelab overview — the spine of the grimoire ecosystem
+published: true
+date: 2026-04-12T00:00:00.000Z
+tags: netgrimoire
+editor: markdown
+dateCreated: 2026-04-12T00:00:00.000Z
+---
+
+# Netgrimoire
+
+![netgrimoire-badge](/images/netgrimoire-badge.png)
+
+Netgrimoire is the primary self-hosted homelab infrastructure running on `znas` and a cluster of worker nodes under Docker Swarm. It is the foundation every other grimoire depends on.
+
+This section is intentionally high-level — the spine. Detailed technical content lives in the specialized grimoires.
+
+---
+
+## Infrastructure at a Glance
+
+| Host | Role | IP | Runtime |
+|------|------|----|---------|
+| znas | NAS + Primary Swarm manager | 192.168.5.10 | Docker Swarm manager + Compose |
+| docker2 | VPN gateway | — | Docker Compose |
+| docker3 | LibreNMS host | — | Docker Compose |
+| docker4 (hermes) | Mail + AI worker | 192.168.5.16 | Docker Compose + Swarm worker |
+| docker5 | Media host | 192.168.5.18 | Docker Compose |
+| Pi nodes | Swarm workers + vault nodes | various | Docker Swarm workers |
+
+---
+
+## The Grimoires
+
+| Grimoire | What Lives There |
+|----------|-----------------|
+| [Keystone Grimoire](/Keystone-Grimoire/Overview) | Architecture, network topology, Caddy, Docker template, DNS, mail infrastructure |
+| [Vault Grimoire](/Vault-Grimoire/Overview) | ZFS storage, Kopia backups, NFS exports, offsite replication |
+| [Ward Grimoire](/Ward-Grimoire/Overview) | OPNsense, CrowdSec, Authentik, Authelia, LLDAP, WireGuard, blocklists |
+| [Watch Grimoire](/Watch-Grimoire/Overview) | Uptime Kuma, Beszel, LibreNMS, Grafana, Graylog, ntfy, DIUN |
+| [Gremlin Grimoire](/Gremlin-Grimoire/Overview) | Ollama, Open WebUI, Qdrant, n8n, AI workflows |
+| [Shadow Grimoire](/Shadow-Grimoire/Overview) | Usenet, torrents, arr stack, indexers, media acquisition |
+| [Green Grimoire](/Green-Grimoire/Overview) | Adult media: Stash, Jellyfinx, Namer, Whisparr |
+| [Pocket Grimoire](/Pocket-Grimoire/Overview) | Portable laptop lab, offline-first, travel vault node |
+
+---
+
+## Key Domains
+
+`netgrimoire.com` · `pncharris.com` · `wasted-bandwidth.net` · `nucking-futz.com` · `florosafd.org` · `gnarlypandaproductions.com` · `pncfishandmore.com` · `pncharrisenterprises.com`
+
+---
+
+## Quick Links
+
+| | |
+|---|---|
+| 📋 [Service Catalog](/Netgrimoire/Service-Catalog) | Full service inventory with status and grimoire assignment |
+| 📖 [Documentation Standards](/Netgrimoire/Conventions/Doc-Standards) | How docs are structured, named, and maintained |
+| 📄 [Service Doc Template](/Netgrimoire/Conventions/Service-Doc-Template) | Template for writing new service docs |
+| 🎨 [Wiki Theme](/Netgrimoire/Conventions/Theme) | CSS customization and branding |
+| 🔍 [Audit Reports](/Netgrimoire/Audits/README) | Gremlin-generated weekly YAML audits |
--- a/Netgrimoire/Service-Catalog.md
+++ b/Netgrimoire/Service-Catalog.md
@ -0,0 +1,356 @@
+---
+title: Netgrimoire Service Catalog
+description: Full service inventory — all grimoires, status, host, URL
+published: true
+date: 2026-04-12T00:00:00.000Z
+tags: 
+editor: markdown
+dateCreated: 2026-03-29T16:05:26.168Z
+---
+
+# Netgrimoire Service Catalog
+
+> **Living document** — tracks all deployed, configured, and planned services across the Netgrimoire homelab.
+> Source of truth: Forgejo repo — `compose/` = Docker Compose per host | `swarm/` = Docker Swarm | `archive/` = not running
+>
+> Status: ✅ Deployed & Configured | 🔧 Deployed, Needs Config | 📋 Planned | 🔍 Evaluating | ❌ Abandoned/Archived
+
+---
+
+## 🏗️ Infrastructure Overview
+
+| Host | Role | IP | Runtime |
+|------|------|----|---------|
+| znas | NAS / Primary Swarm node | 192.168.5.10 | Docker Compose + Swarm manager |
+| docker2 | VPN gateway host | — | Docker Compose |
+| docker3 | LibreNMS host | — | Docker Compose |
+| docker4 (hermes) | Mail server host | 192.168.5.16 | Docker Compose |
+| docker5 | Media host | 192.168.5.18 | Docker Compose |
+| Pi4s / NUCs | Swarm worker nodes | various | Docker Swarm workers |
+
+---
+
+## 📡 Network & Reverse Proxy
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | OPNsense | Firewall appliance | — | Firewall / Dual-WAN / NAT | ATT igc1 primary; 5 static IPs allocated; legacy WAN retiring |
+| 🔧 | Caddy (new) | znas / Swarm | — | Reverse proxy — CrowdSec edition | `serfriz/caddy-crowdsec-geoip-ratelimit-security-dockerproxy`; migration in progress; `caddy.yaml` |
+| ✅ | Caddy (legacy) | znas / Swarm | — | Reverse proxy | `lucaslorentz/caddy-docker-proxy`; `caddy-1.yaml` |
+| ✅ | Authentik | znas / Swarm | — | SSO / IdP | Protects `*.netgrimoire.com` services |
+| ✅ | Authelia | znas / Swarm | — | SSO / IdP | Protects `*.wasted-bandwidth.net` services |
+| ✅ | WireGuard | OPNsense | — | VPN | Peers: Obie (.2), pncfishandmore (.3), GLNet (.4/.6), PortaPotty (.5) — 192.168.32.0/24 |
+| ✅ | OpenVPN | OPNsense | — | VPN | Configured alongside WireGuard |
+| ✅ | Gluetun | docker2 / Compose | — | VPN gateway container | PIA VPN; Jackett + Transmission share `network_mode: container:gluetun` |
+| ✅ | Internal DNS | 192.168.5.7 | dns.netgrimoire.com | Internal name resolution | Technitium DNS; behind Authentik |
+| ✅ | LLDAP | znas / Swarm | ldap.netgrimoire.com | Lightweight LDAP directory | `lldap/lldap:stable` + postgres; user management backend |
+| 📋 | dnscrypt-proxy | TBD | — | Encrypted upstream DNS | Pending install |
+| 📋 | Suricata | OPNsense | — | IDS/IPS | Pending config |
+| 📋 | Zenarmor | OPNsense | — | Deep packet inspection (free tier) | Pending install |
+| 📋 | os-git-backup | OPNsense | — | OPNsense config backup to git | Pending install |
+
+---
+
+## 🔒 Security
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | CrowdSec | OPNsense + Swarm | — | Threat intelligence / IP blocking | OPNsense bouncer active; Caddy bouncer in progress |
+| ✅ | Vaultwarden | znas / Swarm | pass.netgrimoire.com | Password manager | `vaultwarden/server` |
+| 🔧 | CrowdSec Caddy Bouncer | znas / Swarm | — | HTTP-level blocking | Gradual rollout via `caddy.import=crowdsec` label per service |
+| 🔧 | OPNsense Spamhaus + GeoIP | OPNsense | — | IP blocklist / geo-blocking | Currently DISABLED — needs fixing |
+| 📋 | YubiKey PIV (SSH) | All hosts | — | Smartcard SSH authentication | Highest-impact pending integration |
+| 📋 | YubiKey Challenge-Response | znas | — | LUKS / Kopia key derivation | Planned |
+
+---
+
+## 📧 Email
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | MailCow | docker4 / Compose | mail.netgrimoire.com + all domains | Self-hosted mail server | hermes.netgrimoire.com; MXRoute inbound filter + outbound relay for all 8 domains |
+| ✅ | Roundcube | docker4 / Swarm | — | Webmail | SSL peer verify disabled for internal dovecot; SRS catch-all aliases configured |
+| ✅ | MXRoute | External | — | Inbound filter + outbound relay | Two DKIM selectors: `mailcow` + `mxroute` |
+| 📋 | Dedicated ATT_Mail IP | OPNsense | — | Separate static IP for mail traffic | Assignment still pending |
+
+**Domains:** netgrimoire.com · pncharris.com · nucking-futz.com · wasted-bandwidth.net · florosafd.org · gnarlypandaproductions.com · pncfishandmore.com · pncharrisenterprises.com
+
+---
+
+## 🎬 Media — Video
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Jellyfin | docker5 / Compose | — | Media server | Port 8096; VAAPI via `/dev/dri`; dedicated static IP 107.133.34.147 |
+| ✅ | Jellyfinx | docker5 / Compose | — | Green Door media server | Port 7096; separate instance; Green + AfterDark library mounts |
+| ✅ | Sonarr | znas / Swarm | — | TV show downloader | `linuxserver/sonarr` |
+| ✅ | Radarr | znas / Swarm | — | Movie downloader | `linuxserver/radarr` |
+| ✅ | Bazarr | znas / Swarm | bazarr.netgrimoire.com | Subtitle management | `linuxserver/bazarr` |
+| ✅ | Tunarr | znas / Swarm | — | IPTV channel creation | `chrisbenincasa/tunarr`; ErsatzTV replacement (ErsatzTV archived Feb 2026) |
+| ✅ | JellySeerr | znas / Swarm | requests.netgrimoire.com | Media request management | `fallenbagel/jellyseerr` |
+| ✅ | JellyStat | znas / Swarm | — | Jellyfin usage statistics | `cyfershepard/jellystat` + postgres |
+| ✅ | TinyMediaManager | znas / Swarm | tmm.netgrimoire.com | Media metadata manager | `tinymediamanager/tinymediamanager` |
+| ✅ | Pinchflat | znas / Swarm | pinchflat.netgrimoire.com | YouTube channel downloader | `kieraneglin/pinchflat` |
+| 📋 | MeTube | TBD | — | YouTube downloader | Needed for Tunarr period-accurate filler sourcing workflow |
+| 🔍 | Wizarr | TBD | — | Jellyfin user onboarding | Evaluating |
+
+---
+
+## 🎵 Media — Audio
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Lidarr | znas / Swarm | — | Music downloader | (Caddy label not found in yaml — likely static Caddyfile entry) |
+| ✅ | Beets | znas / Swarm | beets.netgrimoire.com | Music library tagging | `linuxserver/beets` |
+| 🔍 | Navidrome | TBD | — | Music streaming server | Lightweight Subsonic-compatible |
+| 🔍 | Soularr | TBD | — | Soulseek integration for Lidarr | Strongly recommended; fills gaps Usenet/torrents miss |
+| 🔍 | Tubifarry | TBD | — | Spotify playlists → YouTube → Lidarr | https://github.com/TypNull/Tubifarry |
+
+---
+
+## 📚 Media — Books & Comics
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Calibre | znas / Compose | calibre.netgrimoire.com | Ebook library management | `linuxserver/calibre`; port 7070; behind Authentik; requires `seccomp=unconfined` (Compose-only) |
+| ✅ | Calibre-Web Automated | znas / Swarm | books.netgrimoire.com · books.pncharris.com | Web UI + auto-import | `crocodilestick/calibre-web-automated`; dual-domain Caddy label |
+| ✅ | Calibre-Web (library) | znas / Swarm | — | Secondary Calibre-Web instance | `linuxserver/calibre-web`; hostname `calibre-netgrimoire`; `library.yaml` |
+| ✅ | Readarr | znas / Swarm | — | Book downloader | Using `blampe/rreading-glasses` image |
+| 📋 | Mylar | znas / Swarm | — | Comic book downloader | Not currently running; needs setup soon. Reference `archive/arr.yaml` for old config |
+| ✅ | Kavita | znas / Swarm | kavita.netgrimoire.com | Ebook/comic reader | `jvmilazz0/kavita` |
+| ✅ | Comixed | znas / Swarm | comics.netgrimoire.com | Comic library server | `comixed/comixed` |
+| ✅ | FreshRSS | znas / Swarm | rss.netgrimoire.com | RSS aggregator | `linuxserver/freshrss` |
+| 🔍 | Komga | TBD | — | Comic/manga server | Evaluating vs Kavita/Comixed |
+| 🔍 | MyAnonaMouse | TBD | — | Private ebook tracker | Worth investigating |
+
+---
+
+## 📥 Download Stack
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | NZBGet | znas / Swarm | — | Usenet download manager | `linuxserver/nzbget` |
+| ✅ | SABnzbd | znas / Swarm | — | Usenet download manager | `linuxserver/sabnzbd` |
+| ✅ | NZBHydra | znas / Swarm | hydra.netgrimoire.com | Usenet indexer aggregator | `linuxserver/nzbhydra2:dev`; altHUB, NZBGeek, Drunken Slug, Usenet Crawler, DogNZB |
+| ✅ | Jackett | docker2 / Compose | jackett.netgrimoire.com | Torrent indexer | Runs inside Gluetun network; behind Authentik |
+| ✅ | Transmission | docker2 / Compose | — | Torrent client | `network_mode: container:gluetun`; shares Gluetun VPN |
+| ✅ | Recyclarr | znas / Swarm | — | Sonarr/Radarr quality profile sync | `recyclarr/recyclarr` |
+| ✅ | Profilarr | znas / Swarm | profilarr.netgrimoire.com | Quality profile management | `santiagosayshey/profilarr` |
+| ✅ | Configarr | znas / Swarm | configarr.netgrimoire.com | Arr config management | `raydak-labs/configarr` |
+| 📋 | Prowlarr | TBD | — | Unified indexer manager | Low priority — light torrent usage; NZBHydra covers current needs |
+
+---
+
+## 🤖 AI & Automation (Gremlin Stack)
+
+> All pinned to `znas` node on Docker Swarm via `swarm/ollama.yaml`.
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Ollama | znas / Swarm | — | Local LLM inference | CPU-only (Ryzen); 3B–14B models |
+| ✅ | Open WebUI | znas / Swarm | — | Chat interface for Ollama | `ghcr.io/open-webui/open-webui` |
+| ✅ | Qdrant | znas / Swarm | — | Vector database for RAG | Wiki.js / markdown doc search |
+| ✅ | n8n | znas / Swarm | — | Workflow automation | Forgejo webhook → doc gen, compose validation, alert triage |
+| 🔍 | Perplexica | TBD | — | Self-hosted AI search | https://github.com/ItzCrazyKns/Perplexica |
+
+---
+
+## ☁️ Files, Notes & Personal Apps
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Nextcloud AIO | znas / Compose | cloud.netgrimoire.com | File sync / cloud storage | `nextcloud/all-in-one`; data at `/srv/NextCloud-AIO`; Caddy → port 11000 |
+| ✅ | Immich | znas / Compose | immich.netgrimoire.com | Photo management | Port 2283; Postgres dump + Kopia backup; external photo + Nextcloud mounts |
+| ✅ | Joplin Server | znas / Swarm | joplin.netgrimoire.com | Note sync server | `joplin/server` + postgres; Homepage widget configured |
+| ✅ | Vikunja | znas / Swarm | task.netgrimoire.com | Task management | `vikunja/vikunja` + MariaDB |
+| ✅ | Linkding | znas / Swarm | link.netgrimoire.com | Bookmark manager | `sissbruecker/linkding:1.13.0` |
+| ✅ | Mealie | znas / Swarm | recipe.netgrimoire.com | Recipe manager | `ghcr.io/mealie-recipes/mealie` |
+| ✅ | Wallos | znas / Swarm | expense.netgrimoire.com | Subscription / expense tracker | `bellamy/wallos` |
+| ✅ | DailyTxT | znas / Swarm | — | Encrypted diary | `phitux/dailytxt:2.x.x` |
+| ✅ | Bigcapital | docker5 / Compose | accounts.netgrimoire.com | Accounting / invoicing | Static Caddyfile entry; `{{upstreams}}` doesn't work for Compose stacks |
+| ✅ | Scanopy | znas / Swarm | scn.netgrimoire.com | Document scanner | `ghcr.io/scanopy/scanopy` (server + daemon) + postgres |
+| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
+| 📋 | Memos | TBD | — | Self-hosted journaling | Preferred journal addition (alongside Joplin for notes) |
+| 🔍 | Wallabag | TBD | — | Read-it-later / article saving | |
+| 🔍 | Fluid Calendar | TBD | — | Self-hosted calendar | https://github.com/dotnetfactory/fluid-calendar |
+| 🔍 | Firefly III | TBD | — | Personal finance / budgeting | |
+| 🔍 | Stirling-PDF | TBD | — | PDF editor / tools | |
+| 🔍 | Excalidraw | TBD | — | Collaborative whiteboard | |
+| 🔍 | Baikal | TBD | — | CalDAV / CardDAV sync | https://sabre.io/baikal/ |
+
+---
+
+## 📝 Documentation & Dev
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Wiki.js | znas / Swarm | wiki.netgrimoire.com | Documentation wiki | `requarks/wiki:2` + postgres; Grimoire theme; Forgejo git backend |
+| ✅ | Draw.io | znas / Swarm | draw.netgrimoire.com | Diagramming | `jgraph/drawio`; co-deployed in `wiki.yaml` |
+| ✅ | Forgejo | znas / Swarm | git.netgrimoire.com | Self-hosted Git | `codeberg.org/forgejo/forgejo:11`; source of truth for Wiki.js + Gremlin |
+| ✅ | Forgejo Runner | znas / Swarm | — | CI/CD | `data.forgejo.org/forgejo/runner:4.0.0`; `gitrunner.yaml` |
+| ✅ | VS Code Server | znas / Swarm | code.netgrimoire.com | Web-based IDE | `linuxserver/code-server` |
+| ✅ | Webtop (ubuntu-kde) | znas / Compose | webtop.netgrimoire.com | Browser-based desktop | Software rendering via llvmpipe; behind Authentik |
+| ✅ | Firefox (container) | znas / Swarm | firefox.netgrimoire.com | Containerized browser | `jlesage/firefox` |
+
+---
+
+## 📊 Monitoring & Observability
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Uptime Kuma | znas / Swarm | — | Service uptime monitoring | `louislam/uptime-kuma:1` |
+| ✅ | AutoKuma | znas / Swarm | — | Auto-create Kuma monitors from labels | `ghcr.io/bigboot/autokuma`; co-deployed in `kuma.yaml` |
+| ✅ | Beszel | znas / Swarm | — | Docker resource monitoring | `henrygd/beszel` hub + agents on all nodes |
+| ✅ | DIUN | znas / Swarm | — | Docker image update notifications | `crazymax/diun`; label-based per-service |
+| ✅ | ntfy | znas / Swarm | ntfy.netgrimoire.com | Push notifications | `binwiederhier/ntfy`; OPNsense alerts via CrowdSec HTTP plugin |
+| ✅ | Dozzle | znas / Swarm | dozzle.netgrimoire.com | Real-time container logs | `amir20/dozzle`; behind Authentik |
+| ✅ | Scrutiny | znas / Compose | scrutiny.netgrimoire.com | Disk S.M.A.R.T. monitoring | `analogj/scrutiny:master-omnibus`; monitors /dev/sda–sdg; behind Authentik |
+| ✅ | Glances | znas / Compose | — | Real-time system stats | `nicolargo/glances`; `network_mode: host`; co-deployed in `monitor.yaml` |
+| ✅ | Graylog | docker4 / Compose | log.netgrimoire.com | Log aggregation | Graylog 6.0 + MongoDB 5 + DataNode (OpenSearch); compose-only (noted in file) |
+| ✅ | LibreNMS | docker3 / Compose | nms.netgrimoire.com | Network/SNMP monitoring | Full stack: librenms + dispatcher + syslog-ng + snmptrapd + MariaDB + Redis; port 8000 |
+| ✅ | Homelable | znas / Compose | — | Infrastructure visualizer | Frontend + Backend via GHCR; MCP deferred (requires build from source) |
+| ✅ | phpIPAM | znas / Swarm | ipam.netgrimoire.com | IP address management | `phpipam/phpipam-www` + cron + MariaDB |
+| ✅ | Homepage | znas / Swarm | — | Primary dashboard | `ghcr.io/gethomepage/homepage` |
+| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
+| ✅ | Dockpeek | znas / Swarm | dockpeek.netgrimoire.com | Container inspector | `dockpeek/dockpeek` |
+| ✅ | Loki + Promtail + Grafana | znas / Swarm | — | Metrics/log stack | `logging.yaml`; Grafana 10.4.2 + Loki 2.9.3 + Promtail 2.9.3 |
+| ✅ | phpMyAdmin + phpPgAdmin | znas / Swarm | — | DB admin UIs | `SQL-mgmt.yaml` |
+| ✅ | pgAdmin | znas / Swarm | — | Postgres admin | `dpage/pgadmin4`; `database.yaml` |
+| 🔍 | WatchYourLAN | TBD | — | Network device tracker | https://github.com/aceberg/WatchYourLAN |
+| 🔍 | NUT UPS | TBD | — | UPS power management | https://hub.docker.com/r/instantlinux/nut-upsd |
+| 🔍 | OliveTin | TBD | — | Web button → shell command | Run commands from web UI |
+| 🔍 | Swarm Dashboard | TBD | — | Docker Swarm visualizer | https://github.com/mohsenasm/swarm-dashboard |
+
+---
+
+## 💾 Storage & Backup
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | OpenZFS (ZNAS) | znas | — | Primary storage | ~94TB raw, two RAIDZ1 VDEVs; vault pool |
+| ✅ | NFSv4 | znas | — | Shared storage for Swarm | Loopback NFS at `/data/nfs/znas`; ZFS must fully mount before NFS starts |
+| ✅ | Kopia (primary vault) | znas / Swarm | kopia.netgrimoire.com | Primary backup repo | `kopia.yaml`; dedup + replication |
+| ✅ | Kopia (offsite vault) | znas / Swarm | vault.netgrimoire.com | Offsite replication server | `vault.yaml`; port 51516; separate dataset → ZFS raw send to Pi vaults |
+| ✅ | syncoid | znas | — | ZFS replication | Syncs vault/Green/Pocket → Pocket Grimoire |
+| ✅ | Nextcloud AIO BorgBackup | znas | — | Nextcloud-native backup | Local snapshots before Kopia |
+| ✅ | Czkawka | znas / Swarm | dupes.netgrimoire.com | Duplicate file finder | `jlesage/czkawka` |
+| ✅ | Cloud Commander | znas / Swarm | — | Web file manager | `coderaiser/cloudcmd`; **two instances** (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional |
+| ✅ | File Browser | znas / Swarm | — | Web file manager | `filebrowser/filebrowser` |
+| 🔍 | Manyfold | TBD | — | 3D print model collector | https://github.com/manyfold3d/manyfold |
+
+---
+
+## 🖥️ Management & Remote Access
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Portainer | znas / Swarm | docker.netgrimoire.com | Container management UI | `portainer/portainer-ce:2.33.6` + agents on all nodes |
+| ✅ | ISPConfig | 192.168.4.11 | — | Web/DNS hosting control panel | |
+| ✅ | Cockpit | All hosts | win.netgrimoire.com | Linux server management | Caddy → `192.168.5.10:8006` |
+| ✅ | Termix | znas / Swarm | termix.netgrimoire.com | Web-based terminal | `ghcr.io/lukegus/termix` |
+| ✅ | DumbTerm | znas / Swarm | — | Simple web terminal | `dockwareio/dumbterm` |
+| ✅ | Windows 7 (VM) | znas / Compose | — | Windows VM | `dockurr/windows`; `windows7.yaml` |
+| 🔍 | Guacamole | TBD | — | Remote desktop gateway | Previously tried as `nxterm` — in archive |
+| 🔍 | SSHwifty | TBD | — | SSH web client | In archive; reconsidering |
+
+---
+
+## 🎭 Green Door (Adult Content)
+
+> Protected behind Authelia (`*.wasted-bandwidth.net`)
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Whisparr | znas / Swarm | — | Adult content downloader | `ghcr.io/hotio/whisparr` |
+| ✅ | Namer | znas / Compose | namer.wasted-bandwidth.net | Scene file namer | `theporndatabase/namer`; port 6980; data → `/data/nfs/Baxter/Green/` |
+| ✅ | Stash (main) | znas / Compose | stash.wasted-bandwidth.net | Adult content library | `stashapp/stash`; port 9999 |
+| ✅ | PocketStash | znas / Compose | — | Stash for Pocket Grimoire | Separate instance; port 9998; data → `/export/Green/Pocket/`; `pocketstash.yaml` |
+
+---
+
+## 🌐 Web Hosting
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Apache/PHP web | znas / Swarm | fish.pncharris.com · www.wasted-bandwidth.net | Static/PHP web hosting | `php:8.2-apache`; `web.yaml`; replicas: 1 |
+
+---
+
+## 📦 Archive (Not Currently Running)
+
+> Files in `archive/` — previously evaluated or deployed, not currently active.
+
+| App | File | Notes |
+|-----|------|-------|
+| Plex | `plex.yaml` | Replaced by Jellyfin |
+| Komodo | `komodo.yaml` | Container management platform — evaluated, not deployed |
+| cAdvisor | `cadvisor.yaml` | Container metrics — not deployed |
+| Peekaping | `peekaping.yaml` | Uptime monitor — Kuma preferred |
+| WatchState | `WatchState.yaml` | Jellyfin/Plex watch state sync |
+| Nessus | `nessus.yaml` | Vulnerability scanner — evaluated |
+| NxTerm | `nxterm.yaml` | Guacamole-style remote desktop — evaluated |
+| SSHwifty | `sshwifty.yaml` | SSH web client — evaluated |
+| Wordpress Classifieds | `wordpress-classifieds.yaml` | Not deployed |
+| Cal (calendar?) | `cal.yaml` | Evaluated |
+| CrowdSec (standalone) | `crowdsec.yaml` | Merged into Caddy stack |
+| Arr stack | `arr.yaml` | Old consolidated arr compose — superseded by individual yamls |
+| Caddyfile.old | `Caddyfile.old` | Legacy Caddyfile |
+
+---
+
+## 🗃️ Ideas Backlog
+
+| App | Category | Notes |
+|-----|----------|-------|
+| Soularr | Audio | Soulseek for Lidarr; strongly recommended |
+| Tubifarry | Audio | Spotify → YouTube → Lidarr |
+| MeTube | Video | YouTube downloader for Tunarr filler |
+| Memos | Journal | Preferred self-hosted journal pick |
+| Wallabag | Reading | Read-it-later |
+| Firefly III | Finance | Budgeting |
+| Baikal | PIM | CalDAV/CardDAV |
+| Fluid Calendar | PIM | https://github.com/dotnetfactory/fluid-calendar |
+| Perplexica | AI | Self-hosted AI search |
+| WatchYourLAN | Network | Device tracker |
+| OliveTin | Automation | Web UI → shell commands |
+| Swarm Dashboard | Monitoring | Swarm-aware visualizer |
+| ContainerNursery | Automation | On-demand container start/stop |
+| NUT UPS | Power | UPS management |
+| Wire-pod for Vector | IoT | Anki Vector local server |
+| Kindle reuse | IoT | Repurpose Kindle as weather/info display |
+| Collectarr | Media | https://github.com/RiffSphere/Collectarr |
+| SuggestArr | Media | Automated media recommendations |
+| Recommendarr | Media | AI media recommendations |
+| Manyfold | 3D Print | Model library |
+| OrcaSlicer | 3D Print | Slicer web UI |
+| Memos / Journiv | Journal | Self-hosted journaling (Memos preferred) |
+| Romm | Gaming | ROM library manager |
+| EmulatorJS | Gaming | Browser-based emulation |
+
+---
+
+## 🔑 Key Architecture Decisions & Gotchas
+
+> Reference these before deploying or modifying services.
+
+- **MailCow network isolation:** Only `nginx-mailcow` on the `netgrimoire` overlay. All other containers stay on internal bridge. Mixing causes PHP-FPM → Redis DNS conflicts.
+- **caddy-docker-proxy + static Caddyfile conflict:** Never manage the same hostname via both Docker labels AND a static block. Pick one method exclusively per service.
+- **`{{upstreams}}` is Swarm-only:** Does not work for Docker Compose stacks. Use static Caddyfile with container name or pinned IP.
+- **Docker Compose `ports: []` override:** Does not nullify ports from base file. Remap to unused host ports instead.
+- **Graylog is Compose-only:** The `graylog.yaml` file explicitly notes this — do not attempt to run it in Swarm.
+- **Calibre requires `seccomp=unconfined`:** Necessary for the desktop app container; incompatible with Swarm mode — must remain in `compose/znas/`.
+- **Kopia repos not ZFS-separable:** Use separate repositories with independent retention (`kopia.yaml` vs `vault.yaml`) rather than trying to separate at the ZFS snapshot level.
+- **ZFS encryption:** In-place encryption impossible. Use rsync migration + `-w` flag for raw send to Pi vaults (no key needed on vault side).
+- **SRS rewrite:** All domains using MXRoute inbound forwarding require catch-all aliases in MailCow to prevent `reject_unlisted_sender` rejections.
+- **Docker Swarm DNS caching:** Do NOT use `endpoint_mode: dnsrr` — always use default VIP mode. dnsrr breaks internal DNS resolution.
+- **NFS boot ordering on znas:** ZFS must fully mount before NFS starts — systemd override required (`After=zfs-import.target zfs-mount.service`). Loopback NFS mount needs `x-systemd.after=nfs-server.service` in fstab.
+- **Wiki.js angle brackets:** `<value>` placeholders cause rendering hangs. Use `VALUE` or backtick format instead.
+- **bcrypt in `.env`:** Wrap full hash in single quotes to preserve leading `$`.
+- **Webtop GPU rendering:** Requires `LIBGL_ALWAYS_SOFTWARE=1` + `GALLIUM_DRIVER=llvmpipe`; remove `devices:/dev/dri` mapping.
+- **Cloud Commander duplication:** Two nearly identical `coderaiser/cloudcmd` stacks exist (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional or a duplicate to clean up.
+- **Lidarr missing Caddy label:** Lidarr yaml has no caddy label — either routed via static Caddyfile or not yet exposed. Confirm and standardize.
+- another potential mapping tool https://github.com/gelatinescreams/The-One-File/tree/main
+
+---
+
+*Last updated: March 2026 | Source: Forgejo repo git archive*
--- a/Netgrimoire/Services/Media-Services.md
+++ b/Netgrimoire/Services/Media-Services.md
@ -0,0 +1,72 @@
+---
+title: Media Services
+description: Jellyfin, Immich, Kavita, Calibre, Pinchflat, Tunarr — media stack overview
+published: true
+date: 2026-04-12T00:00:00.000Z
+tags: netgrimoire, media, jellyfin
+editor: markdown
+dateCreated: 2026-04-12T00:00:00.000Z
+---
+
+# Media Services
+
+Media services span several grimoires. This page maps what lives where.
+
+---
+
+## Video
+
+| Service | URL | Host | Grimoire |
+|---------|-----|------|---------|
+| Jellyfin | docker5:8096 | docker5 / Compose | Netgrimoire |
+| Jellyfinx (GreenFin) | docker5:7096 | docker5 / Compose | Green Grimoire |
+| JellySeerr | `requests.netgrimoire.com` | znas / Swarm | Shadow Grimoire |
+| Tunarr | — | znas / Swarm | Shadow Grimoire |
+| JellyStat | — | znas / Swarm | Watch Grimoire |
+| TinyMediaManager | `tmm.netgrimoire.com` | znas / Swarm | Shadow Grimoire |
+| Pinchflat | `pinchflat.netgrimoire.com` | znas / Swarm | Shadow Grimoire |
+
+**Jellyfin** runs on docker5 via Compose. VAAPI GPU acceleration via `/dev/dri`. Dedicated static IP 107.133.34.147 for external access.
+
+---
+
+## Books & Comics
+
+| Service | URL | Host | Grimoire |
+|---------|-----|------|---------|
+| Calibre | `calibre.netgrimoire.com` | znas / Compose | Netgrimoire |
+| Calibre-Web Automated | `books.netgrimoire.com`, `books.pncharris.com` | znas / Swarm | PNC Harris |
+| Readarr | — | znas / Swarm | Shadow Grimoire |
+| Kavita | `kavita.netgrimoire.com` | znas / Swarm | Netgrimoire |
+| Comixed | `comics.netgrimoire.com` | znas / Swarm | Netgrimoire |
+| FreshRSS | `rss.netgrimoire.com` | znas / Swarm | Netgrimoire |
+
+**Calibre** requires `seccomp=unconfined` — runs in Compose, not Swarm.
+
+---
+
+## Music
+
+| Service | URL | Host | Grimoire |
+|---------|-----|------|---------|
+| Lidarr | — | znas / Swarm | Shadow Grimoire |
+| Beets | `beets.netgrimoire.com` | znas / Swarm | Shadow Grimoire |
+
+**Lidarr note:** No Caddy label in YAML — likely routed via static Caddyfile. Verify and standardize.
+
+---
+
+## Photos
+
+| Service | URL | Host | Grimoire |
+|---------|-----|------|---------|
+| Immich | `immich.netgrimoire.com` | znas / Compose | PNC Harris |
+
+---
+
+## Pending
+
+- Mylar (comic downloader) — in `archive/arr.yaml`, needs setup
+- Navidrome — evaluating (music streaming)
+- Soularr — evaluating (Soulseek for Lidarr)
+- MeTube — planned (YouTube → Tunarr filler workflow)