ops: attach vault-dash to proxy-net and document vd1 route

docs/DEVOPS_DEPLOY_PROMPT.md

@@ -78,11 +78,19 @@ env:
 4. **Configure Docker on the VPS**:
    - Ensure Docker and Docker Compose are installed
    - The deploy script will pull the container image from the registry
+   - Ensure the shared external Docker network `proxy-net` exists so Caddy can reverse proxy the deployment by container name
 
-5. **Verify network connectivity**:
+5. **Publish VPN route through Caddy**:
+   - Add `http://vd1.uncloud.vpn` to `/opt/caddy/Caddyfile`
+   - Restrict access with the existing `@not-vpn` matcher for `10.100.0.0/24`
+   - Reverse proxy to `vault-dash:8000` on `proxy-net`
+   - Reload Caddy and verify `http://vd1.uncloud.vpn/health` over VPN
+
+6. **Verify network connectivity**:
    - Forgejo runner must be able to reach the VPS via SSH
    - VPS must be able to pull images from the registry
 
+
 ## Instructions for the DevOps Agent
 
 When setting up the deployment: