From 3bb0585e43dc16fb34929cc1219edd155d44d942 Mon Sep 17 00:00:00 2001
From: "alexei.dolgolyov"
Date: Wed, 22 Apr 2026 02:46:10 +0300
Subject: [PATCH] chore(compose): default NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1 for homelab
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Homelab targets (Immich, Gitea, ...) are almost always on RFC1918 addresses, which the SSRF guard rejects by default. Exporting the flag to 1 in the compose file — overridable via the host environment — matches how this project is actually deployed (TrueNAS / unraid / etc.) without weakening the defense for anyone who sets it to 0 on a public-facing box.
---
 docker-compose.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index ad37114..9993915 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,6 +12,12 @@ services:
 environment:
 - NOTIFY_BRIDGE_SECRET_KEY=${NOTIFY_BRIDGE_SECRET_KEY:?Set NOTIFY_BRIDGE_SECRET_KEY (min 32 chars)}
 - NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS=${NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS:-*}
+ # Allow outbound requests to RFC1918 / link-local addresses. Homelab
+ # deployments target LAN services (Immich, Gitea, ...) and the SSRF
+ # guard otherwise rejects 10.*/172.16.*/192.168.* / 169.254.* hosts.
+ # Set to 0 on internet-exposed deployments where outbound targets must
+ # be public.
+ - NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=${NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS:-1}
 healthcheck:
 test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8420/api/health')"]
 interval: 30s
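Review bot: The added `NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=${NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS:-1}` line disables the SSRF guard for anyone who reuses this compose file on an internet-exposed host without reading the comment, whereas the adjacent `NOTIFY_BRIDGE_SECRET_KEY` entry already uses the `:?` form to force an explicit decision. The same pattern would keep the weaker posture opt-in rather than default, e.g. `- NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=${NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS:?Set to 1 for LAN-only targets (homelab) or 0 for public-facing deployments}`, with the recommended homelab value documented in the README or an example env file. The comment is also imprecise: `172.16.*` under-states the 172.16.0.0/12 range (172.16.* through 172.31.*), and permitting 169.254.* link-local also admits the cloud metadata address 169.254.169.254, which deserves a sentence because the homelab rationale does not hold on a cloud VM. Whether the guard accepts only `1`/`0` or any truthy string is not visible from this hunk; if it is a truthy check, listing the accepted values in the comment would prevent surprises like `yes` or `true` being silently ignored.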