From 4e23d2b054d181e8e1cd0b58c5ed827edfd102e2 Mon Sep 17 00:00:00 2001
From: "alexei.dolgolyov"
Date: Wed, 22 Apr 2026 02:49:19 +0300
Subject: [PATCH] chore(compose): hardcode NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1 in compose
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This project ships for homelab use; downstream targets (Immich, Gitea, ...) sit on RFC1918 addresses which the SSRF guard blocks by default. Setting the flag directly in compose — not via ${...} substitution — avoids the Portainer gotcha where the stack-level "Environment variables" panel is for compose-file substitutions only, not runtime container env. Operators who want to run this on a public-facing box can drop the line.
---
 docker-compose.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index ad37114..4a9d7b3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,6 +12,10 @@ services:
 environment:
 - NOTIFY_BRIDGE_SECRET_KEY=${NOTIFY_BRIDGE_SECRET_KEY:?Set NOTIFY_BRIDGE_SECRET_KEY (min 32 chars)}
 - NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS=${NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS:-*}
+ # Homelab target: allow outbound requests to RFC1918 / link-local addresses.
+ # The SSRF guard otherwise rejects 10.*/172.16.*/192.168.*/169.254.* hosts,
+ # which breaks tracking of Immich / Gitea / etc. running on the same LAN.
+ - NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1
 healthcheck:
 test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8420/api/health')"]
 interval: 30s
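Review bot: The comment added above `- NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1` says why the flag is on but not what it gives up. Going by the comment's own list, the guard no longer rejects 169.254.* link-local hosts either, which on a cloud VM is the range where instance metadata services are served. The advice to drop the line on a public-facing box exists only in the commit message, so I would put it in the file, e.g. `# Remove on public-facing or cloud hosts: this disables the SSRF guard for all private and link-local targets.` If an override without editing the file is wanted, `- NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=${NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS:-1}` keeps the homelab default and presumably still works with compose-level substitution, assuming the application treats `0` as off. The trade-off is sharper because the context line just above defaults `NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS` to `*`.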