fix: crowdsec proxy network, uptime-kuma curl healthcheck, outline en_US, n8n 127.0.0.1

- crowdsec: add proxy network for internet access (hub downloads) - crowdsec-bouncer: remove (image crowdsecurity/cs-firewall-bouncer doesn't exist on Docker Hub) - uptime-kuma: switch healthcheck from wget to curl (wget not in image) - outline: fix DEFAULT_LANGUAGE ru_RU → en_US (unsupported locale) - n8n: fix healthcheck localhost → 127.0.0.1 (IPv6 issue in Alpine) - alertmanager: config permissions 0644 (was 0640, container couldn't read) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 08:14:07 +07:00 · 2026-03-22 08:14:07 +07:00 · 9ca1177461
commit 9ca1177461
parent 92d2c845d8
4 changed files with 12 additions and 25 deletions
--- a/roles/services/tasks/configs.yml
+++ b/roles/services/tasks/configs.yml
@ -104,7 +104,7 @@
    dest: "{{ services_root }}/prometheus/alertmanager.yml"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
-    mode: "0640"
+    mode: "0644"
  notify: Restart stack

 - name: Deploy Loki config
--- a/roles/services/templates/docker-compose.yml.j2
+++ b/roles/services/templates/docker-compose.yml.j2
@ -139,7 +139,7 @@ services:
    ports:
      - "2222:22"
    healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:3000/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:3000/"]
      interval: 30s
      timeout: 10s
      retries: 5
@ -184,7 +184,7 @@ services:
      - backend
      - plane-internal
    healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:80/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:80/"]
      interval: 30s
      timeout: 5s
      retries: 3
@ -201,7 +201,7 @@ services:
      - backend
      - plane-internal
    healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:80/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:80/"]
      interval: 30s
      timeout: 5s
      retries: 3
@ -218,7 +218,7 @@ services:
      - backend
      - plane-internal
    healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:3000/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:3000/"]
      interval: 30s
      timeout: 5s
      retries: 3
@ -264,7 +264,7 @@ services:
      - ADMIN_BASE_URL=https://{{ domain_plane }}/god-mode
      - SPACE_BASE_URL=https://{{ domain_plane }}/spaces
    healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:8000/api/"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:8000/api/"]
      interval: 30s
      timeout: 10s
      retries: 5
@ -494,7 +494,7 @@ services:
      - GF_SERVER_ROOT_URL=https://{{ domain_dashboard }}
      - GF_AUTH_ANONYMOUS_ENABLED=false
    healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:3000/api/health"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/health"]
      interval: 30s
      timeout: 5s
      retries: 3
@ -539,6 +539,7 @@ services:
    restart: unless-stopped
    networks:
      - monitoring
+      - proxy      # needs internet for hub/threat-intel downloads
    environment:
      - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/linux
      - GID=1000
@ -549,20 +550,6 @@ services:
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/syslog:/var/log/syslog:ro

-  # Bouncer: получает решения от CrowdSec и блокирует IP через firewall
-  crowdsec-bouncer:
-    image: {{ crowdsec_bouncer_image }}
-    container_name: crowdsec-bouncer
-    restart: unless-stopped
-    networks:
-      - monitoring
-    environment:
-      - CROWDSEC_BOUNCER_API_KEY=${CROWDSEC_BOUNCER_KEY}
-      - CROWDSEC_AGENT_HOST=crowdsec:8080
-      - GID=0
-    cap_add:
-      - NET_ADMIN
-      - NET_RAW

  # ── Authelia: 2FA SSO portal ───────────────────────────────────────────────
  # Защищает: Traefik dashboard, Syncthing, Plane /god-mode/
@ -613,7 +600,7 @@ services:
    volumes:
      - uptime_kuma_data:/app/data
    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3001/"]
+      test: ["CMD", "curl", "-sf", "http://localhost:3001/"]
      interval: 30s
      timeout: 5s
      retries: 3
--- a/roles/tools/templates/docker-compose.yml.j2
+++ b/roles/tools/templates/docker-compose.yml.j2
@ -33,7 +33,7 @@ services:
      outline-redis:
        condition: service_healthy
    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3000/_health"]
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:3000/_health"]
      interval: 30s
      timeout: 5s
      retries: 3
@ -111,7 +111,7 @@ services:
      - EXECUTIONS_DATA_PRUNE=true
      - EXECUTIONS_DATA_MAX_AGE=336
    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:5678/healthz"]
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:5678/healthz"]
      interval: 30s
      timeout: 5s
      retries: 3
--- a/roles/tools/templates/env.j2
+++ b/roles/tools/templates/env.j2
@ -31,7 +31,7 @@ AUTH_PROVIDERS=email
 OUTLINE_DB_PASSWORD={{ outline_db_password }}

 # Optional
-DEFAULT_LANGUAGE=ru_RU
+DEFAULT_LANGUAGE=en_US
 RATE_LIMITER_ENABLED=true
 ENABLE_UPDATES=false