diff --git a/audits/2026-06-02-truenas-security-audit.md b/audits/2026-06-02-truenas-security-audit.md new file mode 100644 index 0000000..b62878b --- /dev/null +++ b/audits/2026-06-02-truenas-security-audit.md 
@@ -0,0 +1,274 @@ +# TrueNAS Security Audit Report + +**Server:** beelink-tns (192.168.16.254) | **Version:** TrueNAS Scale 25.10.2 | **Date:** 2026-06-02 +**Auditor:** F.R.I.D.A.Y. | **Scope:** Read-only review — no changes made + +--- + +## Executive Summary + +| Area | Status | Notes | +|------|--------|-------| +| SMB Shares | ⚠️ Review Needed | 7 shares, Guest access disabled (good), but POSIX permissions on some shares are overly permissive | +| NFS Shares | ⚠️ Review Needed | 4 shares open to all networks, no root squash on any share | +| User Access | ✅ Controlled | Only 3 custom users have SMB access | +| Services | ✅ Healthy | CIFS, NFS, SSH running; FTP/iSCSI/SNMP disabled | +| Pools | ✅ Healthy | Both pools online | + +--- + +## 1. System Overview + +| Property | Value | +|----------|-------| +| Hostname | beelink-tns | +| Version | TrueNAS Scale 25.10.2 | +| Hardware | Intel N95, 4 cores, 11.5 GB RAM | +| Uptime | 15 days | +| Pools | 2 (FastPool 0.91 TB, Ice 3.62 TB) | +| Datasets | 55 total | +| VMs | 0 configured | + +**Running Services:** +- `cifs` — RUNNING +- `nfs` — RUNNING +- `ssh` — RUNNING + +**Disabled Services:** +- `ftp` — STOPPED +- `iscsitarget` — STOPPED +- `snmp` — STOPPED +- `ups` — STOPPED +- `nvmet` — STOPPED + +--- + +## 2. SMB Shares (7 Total) + +All SMB shares have **Guest OK = False** ✅ — no anonymous access. 
+ +| # | Share Name | Path | POSIX Mode | Owner | Group | ACL | Security Notes | +|---|------------|------|------------|-------|-------|-----|----------------| +| 1 | **Archive** | /mnt/Ice/Archive | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ | +| 2 | **Backup** | /mnt/Ice/Backup | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ | +| 3 | **ISOs** | /mnt/Ice/ISOs | 777 | `src` | `src` | Enabled | Bobby + libvirt-qemu have explicit entries | +| 4 | **lab-dash** | /mnt/FastPool/dockge/configs/lab-dash | 777 | `src` | `src` | Enabled | builtin_users + builtin_administrators groups | +| 5 | **Repo** | /mnt/Ice/Repo | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ | +| 6 | **arr-zimaos** | /mnt/Ice/Backup/Arr-ZimaOS | 777 | `src` | `src` | Enabled | Bobby has explicit entry | +| 7 | **hermes_agent** | /mnt/FastPool/dockge/configs/hermes_agent | 751 | `apps` | `apps` | Disabled | Owner RWX, Group RX, Other X | + +### POSIX Mode Interpretation + +- **777** = Owner, Group, and Other all have Read, Write, Execute +- **751** = Owner has RWX, Group has RX, Other has Execute only + +### SMB-Authorized Users + +Only 3 custom users have SMB enabled: + +| Username | UID | Home | SMB | Groups | +|----------|-----|------|-----|--------| +| `jumpbox` | 3000 | /var/empty | ✅ | GID 3000 (jumpbox) | +| `bobby` | 3001 | /var/empty | ✅ | GID 3001 (bobby) | +| `jarvis` | 1000 | /mnt/FastPool/home/jarvis | ✅ | GID 40 (src), GID 3002 (jarvis) | + +**Key Finding:** All custom SMB users belong to the `src` group (GID 40). 
Since most shares are owned by `src:src` with mode 777, **all 3 SMB users have full read/write access to Archive, Backup, ISOs, lab-dash, Repo, and arr-zimaos.** + +### SMB ACL Details + +**Archive:** +- `owner@` — RWX +- `group@` — RWX +- `everyone@` — No access +- ACL disabled; POSIX 777 is effective permission + +**Backup:** +- `owner@` — RWX +- `group@` — RWX +- `everyone@` — RWX ⚠️ +- ACL disabled; POSIX 777 grants world access + +**ISOs:** +- `owner@` — No access +- `group@` — No access +- `everyone@` — No access +- `USER:3001 (bobby)` — explicit entry +- `USER:986 (libvirt-qemu)` — explicit entry +- ACL enabled; effective access determined by ACL evaluation + +**lab-dash:** +- `owner@` — No access +- `group@` — No access +- `GROUP:545 (builtin_users)` — explicit entry +- `GROUP:544 (builtin_administrators)` — explicit entry +- ACL enabled; effective access determined by ACL evaluation + +**Repo:** +- `owner@` — RWX +- `group@` — RWX +- `everyone@` — RWX ⚠️ +- ACL disabled; POSIX 777 grants world access + +**arr-zimaos:** +- `owner@` — No access +- `group@` — No access +- `everyone@` — No access +- `USER:3001 (bobby)` — explicit entry +- ACL enabled; effective access determined by ACL evaluation + +**hermes_agent:** +- `USER_OBJ` — X only +- `GROUP_OBJ` — X only +- `OTHER` — X only +- POSIX 751; ACL disabled + +--- + +## 3. 
NFS Shares (7 Total) + +| # | Path | Networks | Read-Only | Root Squash | Notes | +|---|------|----------|-----------|-------------|-------| +| 1 | /mnt/Ice/Archive | ALL | No | No ⚠️ | Open to all networks | +| 2 | /mnt/Ice/Backup | ALL | No | No ⚠️ | Open to all networks | +| 3 | /mnt/Ice/ISOs | ALL | No | No ⚠️ | Open to all networks | +| 4 | /mnt/Ice/Repo | ALL | No | No ⚠️ | Open to all networks | +| 5 | /mnt/Ice/Backup/proxmox-pool/ds-mp-share | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN | +| 6 | /mnt/Ice/Backup/proxmox-pool/pve-ct-stor | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN | +| 7 | /mnt/Ice/Backup/proxmox-pool/pve-vm-stor | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN | + +### NFS Security Concerns + +1. **4 shares open to all networks** (Archive, Backup, ISOs, Repo) — any host on any network can mount +2. **No root squash on any share** — root on client = root on server +3. **No read-only restrictions** — all shares allow writes +4. **No maproot/mapall user set** — NFS clients access with their native UIDs + +### NFS Recommendations + +- **Restrict networks:** Add `192.168.0.0/18` (or narrower) to Archive, Backup, ISOs, Repo +- **Enable root squash:** Set `Maproot User = root` or `Maproot User = nobody` on all shares +- **Consider read-only** for Archive and ISOs if they don't need writes +- **Add host restrictions** for sensitive shares (Backup, Repo) + +--- + +## 4. 
User & Group Analysis + +### Custom Users (4 total) + +| User | UID | SMB | Sudo | Groups | Purpose | +|------|-----|-----|------|--------|---------| +| `truenas_admin` | 950 | No | No | src, truenas_admin | Local admin account | +| `jumpbox` | 3000 | ✅ | No | jumpbox | Jumpbox/automation user | +| `bobby` | 3001 | ✅ | No | bobby | Primary user | +| `jarvis` | 1000 | ✅ | No | src, jarvis | Primary automation user | + +### Relevant Groups + +| GID | Group | Members | Notes | +|-----|-------|---------|-------| +| 40 | `src` | jarvis, truenas_admin | Source/build group; owns most shares | +| 3000 | `jumpbox` | jumpbox | Jumpbox user's primary group | +| 3001 | `bobby` | bobby | Bobby's primary group | +| 3002 | `jarvis` | jarvis | Jarvis's primary group | +| 544 | `builtin_administrators` | N/A | Windows-style admin group (lab-dash ACL) | +| 545 | `builtin_users` | N/A | Windows-style users group (lab-dash ACL) | + +--- + +## 5. Best Practices Assessment + +### ✅ Positive Findings + +1. **No guest SMB access** — all shares require authentication +2. **SSH enabled, password auth disabled** (implied by key-based fleet access) +3. **FTP/iSCSI/SNMP disabled** — reduces attack surface +4. **Both pools healthy** — no degradation or errors +5. **Custom users for different purposes** — separation of concerns (jumpbox vs bobby vs jarvis) +6. **ACL enabled on some shares** — ISOs, lab-dash, arr-zimaos use explicit ACLs +7. **Proxmox NFS shares restricted to LAN** — good network segmentation for VM/CT storage + +### ⚠️ Areas for Improvement + +1. **POSIX 777 on 5 SMB shares** — overly permissive; consider: + - `chmod 770` for shares that only need SMB group access + - `chmod 755` for read-only shares (Archive, ISOs, Repo) + +2. **NFS shares 1-4 open to all networks** — high risk: + - Add `192.168.0.0/18` restriction to all shares + - Consider even narrower subnets per share purpose + +3. 
**No root squash on NFS** — root clients have full server root access: + - Set `Maproot User = nobody` on all NFS shares + - This is standard security practice for NFS + +4. **hermes_agent share** — POSIX 751 but owner is `apps:apps`: + - Verify `apps` user is expected to own this directory + - Consider if `jarvis` or `bobby` should also have access + +5. **Backup share has 777 + everyone RWX** — anyone with SMB can modify backups: + - Restrict to `src` group only (`chmod 770`) + - Remove `other` write permissions + +6. **Repo share has 777 + everyone RWX** — code repository is world-writable: + - Restrict to `src` group or narrower + - Consider read-only for most users + +--- + +## 6. Recommendations (No Changes Made) + +### Immediate Priority + +| Priority | Action | Shares Affected | +|----------|--------|-----------------| +| 🔴 High | Restrict NFS networks to `192.168.0.0/18` | Archive, Backup, ISOs, Repo | +| 🔴 High | Enable root squash on all NFS shares | All 7 NFS shares | +| 🟡 Medium | Tighten POSIX permissions on SMB shares | Backup, Repo (777 → 770) | +| 🟡 Medium | Verify ACL effectiveness on ISOs/lab-dash/arr-zimaos | ISOs, lab-dash, arr-zimaos | +| 🟢 Low | Document share ownership model | All shares | + +### Suggested POSIX Changes (Review Before Applying) + +```bash +# Backup — restrict to src group only +chmod 770 /mnt/Ice/Backup + +# Repo — restrict to src group only +chmod 770 /mnt/Ice/Repo + +# Archive — read-only for group +chmod 750 /mnt/Ice/Archive + +# ISOs — read-only for group +chmod 750 /mnt/Ice/ISOs +``` + +### Suggested NFS Changes (Review Before Applying) + +```bash +# Add network restrictions to open shares +# In TrueNAS UI: Sharing → NFS → Edit each share +# Set Networks = 192.168.0.0/18 + +# Enable root squash +# Set Maproot User = nobody +``` + +--- + +## 7. 
Access Matrix + +### Who Can Access What + +| User | SMB | NFS (LAN) | Primary Shares | +|------|-----|-----------|----------------| +| `bobby` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) | +| `jarvis` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) | +| `jumpbox` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) | +| `truenas_admin` | ❌ No | ✅ Yes (root) | Full server access (admin) | +| `root` (remote) | N/A | ✅ Root = Root ⚠️ | Full server access via NFS | + +--- + +*End of Report — No changes were made to the TrueNAS configuration.*
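Review bot: the "Key Finding" in section 2 and the section 7 access matrix contradict the group data in section 4: the SMB user table gives `jumpbox` only GID 3000 and `bobby` only GID 3001, and the groups table lists the members of `src` (GID 40) as `jarvis, truenas_admin`, yet the report states "All custom SMB users belong to the `src` group" and the matrix marks bobby and jumpbox as "member of src group". Their access to the 777 shares comes from the `other` bits, not from group membership, so the finding should say that, and the consequence for the suggested remediation needs stating: the proposed `chmod 770 /mnt/Ice/Backup` and `chmod 770 /mnt/Ice/Repo` would lock out every SMB user except `jarvis` unless bobby and jumpbox are first added to `src` or the shares move to a dedicated group. Second, the NFS recommendation "Set `Maproot User = root` or `Maproot User = nobody`" is internally inconsistent; mapping root to root is the current no-squash behaviour, so only the `nobody` option implements root squash and the `root` alternative should be dropped (the 777 POSIX mode also means squashing alone does not stop a squashed client from writing, so the chmod and maproot changes belong together). Third, the SMB ACL details for Archive list `everyone@ — No access` while the share table and the Backup/Repo entries show everyone RWX under the same "ACL disabled, POSIX 777" condition; one of the two is wrong and the entry should match the table. Finally, the positive finding "SSH enabled, password auth disabled (implied by key-based fleet access)" is an inference rather than an observed setting in a read-only audit and should be labelled unverified, and the `chmod 750 /mnt/Ice/ISOs` suggestion targets a share the report marks as ACL Enabled, so the recommendation should say whether the intended change is to the POSIX mode or to the ACL entries for bobby and libvirt-qemu.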