3bb0585e43
Homelab targets (Immich, Gitea, ...) are almost always on RFC1918 addresses, which the SSRF guard rejects by default. Exporting the flag to 1 in the compose file — overridable via the host environment — matches how this project is actually deployed (TrueNAS / unraid / etc.) without weakening the defense for anyone who sets it to 0 on a public-facing box.
# Compose stack: one notify-bridge container plus a named volume for /data.
services:
  notify-bridge:
    # NOTE(review): `latest` is a mutable tag, so the image that runs is
    # whatever the registry serves at pull time. Pin a release tag or an
    # image digest where reproducible, auditable deployments matter.
    image: git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge:latest
    # To build from the local checkout rather than pull, enable:
    # build: .
    container_name: notify-bridge
    restart: unless-stopped
    ports:
      # No host address is given, so the port is published on every host
      # interface. Prefix a host IP (for example "127.0.0.1:8420:8420")
      # when the service should only be reached through a local proxy.
      - "8420:8420"
    volumes:
      - notify-bridge-data:/data
    environment:
      # `:?` makes Compose abort with this message when the variable is
      # unset or empty. The length hint is message text only; Compose does
      # not check it.
      - NOTIFY_BRIDGE_SECRET_KEY=${NOTIFY_BRIDGE_SECRET_KEY:?Set NOTIFY_BRIDGE_SECRET_KEY (min 32 chars)}
      # Falls back to `*` when the host environment leaves it unset or
      # empty. NOTE(review): presumably this permits any browser origin;
      # confirm against the app and list explicit origins on
      # internet-exposed deployments.
      - NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS=${NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS:-*}
      # Defaults to 1, which permits outbound requests to RFC1918 and
      # link-local hosts (10.*, 172.16.*, 192.168.*, 169.254.*) that the
      # SSRF guard otherwise rejects. Homelab targets such as Immich or
      # Gitea sit on LAN addresses, hence the default.
      # Export NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=0 in the host environment
      # on internet-exposed deployments where outbound targets must be
      # public. The link-local range also holds cloud instance metadata
      # endpoints, so keep it at 0 on cloud-hosted instances as well.
      - NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=${NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS:-1}
    healthcheck:
      # Requests the health endpoint from inside the container. urlopen
      # raises on a refused connection or an HTTP error status, so the
      # command exits non-zero and the probe counts as failed.
      # Assumes `python` is on the image's PATH.
      test:
        - "CMD"
        - "python"
        - "-c"
        - "import urllib.request; urllib.request.urlopen('http://localhost:8420/api/health')"
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

volumes:
  # Named volume backing /data in the notify-bridge service.
  notify-bridge-data: