Files

T

Clément Désiles 314fa715fd fix(nginx): prevent cert leak on IPv6 / unknown SNI

Two issues caused TLS to break on photos.carabosse.cloud over IPv6
(GrapheneOS + Immich app via Orange 5G NAT64):

1. Per-service vhosts only listened on IPv4 (listen 443 ssl). On IPv6,
   nginx fell back to the first vhost loaded alphabetically and served
   its certificate, breaking hostname verification on every other vhost.

2. /etc/letsencrypt/{live,archive} were 0700 root:root after certbot
   created them, so the nginx worker (user http on Arch) could not read
   the chained intermediates and served the leaf-only chain.

Changes:
- Add catch-all 00-default.conf default_server on :80 and :443 (v4+v6)
  with a self-signed cert and 'return 444'. ACME challenges still
  answered on :80.
- Add IPv6 listeners ([::]:80 and [::]:443 ssl) to immich, gitea, ntfy,
  uptime_kuma vhosts and to the temporary ACME provisioning vhost.
- Apply 0755 on /etc/letsencrypt/live and /etc/letsencrypt/archive on
  every run, not only at initial cert provisioning.

2026-05-30 17:06:10 +02:00

defaults

fix: force images pull and change default ports

2026-02-14 21:02:51 +01:00

handlers

chore: ansible-lint review (almost done)

2026-01-04 11:21:15 +01:00

README.md

uptime-kuma - Self-Hosted Monitoring Tool

Deploys Uptime Kuma - a self-hosted monitoring and status page application.

Features

Website monitoring (HTTP/HTTPS)
TCP port monitoring
Ping monitoring
DNS monitoring
Status pages
Notifications (Email, Discord, Slack, ntfy, etc.)
Multi-language support
Dark mode

Configuration

Optional Variables

See defaults/main.yml for all configuration options.

Key settings:

uptime_kuma_version: "2"
uptime_kuma_port: 3001
uptime_kuma_data_dir: "{{ podman_projects_dir }}/uptime-kuma/data"

# Nginx reverse proxy
uptime_kuma_nginx_enabled: false
uptime_kuma_nginx_hostname: uptime.nas.local

Storage Requirements

CRITICAL: Uptime Kuma uses SQLite and requires local storage with POSIX file lock support.

✅ Supported: Local filesystem, Docker volumes
❌ NOT Supported: NFS, network filesystems (will cause database corruption)

First-Time Setup

Access the web UI: https://uptime.nas.local (if nginx enabled) or http://localhost:3001
Create admin account on first visit
No default credentials - account is created during initial setup

Usage

Adding Monitors

Web UI → Add New Monitor:

Monitor Type: HTTP(s), TCP Port, Ping, DNS, etc.
Friendly Name: Display name
URL/Host: Target to monitor
Heartbeat Interval: Check frequency (seconds)
Retries: Before marking as down
Notifications: Select notification endpoints

Notification Endpoints

Web UI → Settings → Notifications:

Email (SMTP)
Discord, Slack, Telegram
ntfy (recommended for local notifications)
Webhooks
50+ integrations available

Status Pages

Create public or password-protected status pages showing monitor health.

Web UI → Status Pages → New Status Page

Integration with ntfy

If you deployed the ntfy role:

Settings → Notifications → Add
Type: ntfy
ntfy Server URL: https://ntfy.jokester.fr
Topic: uptime-alerts
Username: admin
Password: Your ntfy admin password
Test notification