fix: crowdsec proxy network, uptime-kuma curl healthcheck, outline en_US, n8n 127.0.0.1

- crowdsec: add proxy network for internet access (hub downloads)
- crowdsec-bouncer: remove (image crowdsecurity/cs-firewall-bouncer doesn't exist on Docker Hub)
- uptime-kuma: switch healthcheck from wget to curl (wget not in image)
- outline: fix DEFAULT_LANGUAGE ru_RU → en_US (unsupported locale)
- n8n: fix healthcheck localhost → 127.0.0.1 (IPv6 issue in Alpine)
- alertmanager: config permissions 0644 (was 0640, container couldn't read)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/services/tasks/configs.yml

@@ -104,7 +104,7 @@
     dest: "{{ services_root }}/prometheus/alertmanager.yml"
     owner: "{{ deploy_user }}"
     group: "{{ deploy_group }}"
-    mode: "0640"
+    mode: "0644"
   notify: Restart stack
 
 - name: Deploy Loki config

roles/services/templates/docker-compose.yml.j2

@@ -139,7 +139,7 @@ services:
     ports:
       - "2222:22"
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:3000/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:3000/"]
       interval: 30s
       timeout: 10s
       retries: 5
@@ -184,7 +184,7 @@ services:
       - backend
       - plane-internal
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:80/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:80/"]
       interval: 30s
       timeout: 5s
       retries: 3
@@ -201,7 +201,7 @@ services:
       - backend
       - plane-internal
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:80/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:80/"]
       interval: 30s
       timeout: 5s
       retries: 3
@@ -218,7 +218,7 @@ services:
       - backend
       - plane-internal
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:3000/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:3000/"]
       interval: 30s
       timeout: 5s
       retries: 3
@@ -264,7 +264,7 @@ services:
       - ADMIN_BASE_URL=https://{{ domain_plane }}/god-mode
       - SPACE_BASE_URL=https://{{ domain_plane }}/spaces
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:8000/api/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:8000/api/"]
       interval: 30s
       timeout: 10s
       retries: 5
@@ -494,7 +494,7 @@ services:
       - GF_SERVER_ROOT_URL=https://{{ domain_dashboard }}
       - GF_AUTH_ANONYMOUS_ENABLED=false
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:3000/api/health"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/health"]
       interval: 30s
       timeout: 5s
       retries: 3
@@ -539,6 +539,7 @@ services:
     restart: unless-stopped
     networks:
       - monitoring
+      - proxy      # needs internet for hub/threat-intel downloads
     environment:
       - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/linux
       - GID=1000
@@ -549,20 +550,6 @@ services:
       - /var/log/auth.log:/var/log/auth.log:ro
       - /var/log/syslog:/var/log/syslog:ro
 
-  # Bouncer: получает решения от CrowdSec и блокирует IP через firewall
-  crowdsec-bouncer:
-    image: {{ crowdsec_bouncer_image }}
-    container_name: crowdsec-bouncer
-    restart: unless-stopped
-    networks:
-      - monitoring
-    environment:
-      - CROWDSEC_BOUNCER_API_KEY=${CROWDSEC_BOUNCER_KEY}
-      - CROWDSEC_AGENT_HOST=crowdsec:8080
-      - GID=0
-    cap_add:
-      - NET_ADMIN
-      - NET_RAW
 
   # ── Authelia: 2FA SSO portal ───────────────────────────────────────────────
   # Защищает: Traefik dashboard, Syncthing, Plane /god-mode/
@@ -613,7 +600,7 @@ services:
     volumes:
       - uptime_kuma_data:/app/data
     healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3001/"]
+      test: ["CMD", "curl", "-sf", "http://localhost:3001/"]
       interval: 30s
       timeout: 5s
       retries: 3

roles/tools/templates/docker-compose.yml.j2

@@ -33,7 +33,7 @@ services:
       outline-redis:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3000/_health"]
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:3000/_health"]
       interval: 30s
       timeout: 5s
       retries: 3
@@ -111,7 +111,7 @@ services:
       - EXECUTIONS_DATA_PRUNE=true
       - EXECUTIONS_DATA_MAX_AGE=336
     healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:5678/healthz"]
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:5678/healthz"]
       interval: 30s
       timeout: 5s
       retries: 3

roles/tools/templates/env.j2

@@ -31,7 +31,7 @@ AUTH_PROVIDERS=email
 OUTLINE_DB_PASSWORD={{ outline_db_password }}
 
 # Optional
-DEFAULT_LANGUAGE=ru_RU
+DEFAULT_LANGUAGE=en_US
 RATE_LIMITER_ENABLED=true
 ENABLE_UPDATES=false