feat(monitoring): homelab vault traceability alerts (TOTP-fetch + volume)

Adds a Loki ruler group (lane=security -> #security) for the homelab vault op-log: VaultwardenTOTPFetched (every 2nd-factor fetch is visible) and VaultwardenFetchVolumeHigh (>100 fetches/10m backstop). The audit spine (Vault audit device, reads of secret/data/workstation/claude-users/*) is already captured. True CLI-bypass detection needs cross-stream correlation (follow-up).
2026-06-24 10:31:32 +00:00 · 2026-06-24 10:31:32 +00:00 · e711b2f971
commit e711b2f971
parent 64104e56e9
1 changed files with 33 additions and 0 deletions
--- a/stacks/monitoring/modules/monitoring/loki.tf
+++ b/stacks/monitoring/modules/monitoring/loki.tf
@ -501,6 +501,39 @@ resource "kubernetes_config_map" "loki_alert_rules" {
              }
            },
          ]
+        },
+        {
+          # Vaultwarden vault CLI (`homelab vault`) traceability. The audit SPINE
+          # is the Vault audit device (reads of secret/data/workstation/claude-users/*
+          # are already captured in the vault-tail stream above). These add
+          # visibility/anomaly alerts off the per-user CLI op-log
+          # (`logger -t homelab-vault[-totp]` → devvm-journal). A true "Vault
+          # creds-read with NO matching CLI op-log = direct bypass" alert needs
+          # cross-stream correlation the Loki ruler can't express — tracked as a
+          # follow-up (small correlation CronJob). lane=security → #security.
+          name = "Vaultwarden vault CLI"
+          rules = [
+            {
+              alert  = "VaultwardenTOTPFetched"
+              expr   = "sum by (user) (count_over_time({job=\"devvm-journal\", identifier=\"homelab-vault-totp\"} | logfmt [5m])) > 0"
+              for    = "0m"
+              labels = { severity = "info", lane = "security" }
+              annotations = {
+                summary     = "Vaultwarden TOTP (2nd factor) fetched via homelab vault by {{ $labels.user }}"
+                description = "A TOTP code was retrieved with `homelab vault code`. A stored TOTP co-located with its password collapses that downstream account's 2FA to 1FA under a same-UID compromise — confirm this fetch was expected."
+              }
+            },
+            {
+              alert  = "VaultwardenFetchVolumeHigh"
+              expr   = "sum by (user) (count_over_time({job=\"devvm-journal\", identifier=\"homelab-vault\"} | logfmt | verb=~\"get|code\" [10m])) > 100"
+              for    = "0m"
+              labels = { severity = "warning", lane = "security" }
+              annotations = {
+                summary     = "Unusually high homelab vault fetch volume (>100/10m) for {{ $labels.user }}"
+                description = "A burst of credential fetches for one user — possible runaway loop or exfiltration. Cross-check the op-log parent process and the Vault audit stream (namespace=vault,container=audit-tail) for reads of secret/data/workstation/claude-users/{{ $labels.user }}."
+              }
+            },
+          ]
        }
      ]
    })