Compare commits

..

2 Commits

Author SHA1 Message Date
Walusimbi Silver
c0655293ac Use certbot ntfy topic for certificate alerts 2026-04-24 12:03:22 +03:00
Walusimbi Silver
b1b42968a1 Clarify server ops repo scope 2026-04-24 12:03:05 +03:00
2 changed files with 9 additions and 54 deletions

View File

@@ -2,60 +2,15 @@
Server-wide maintenance scripts and operational notes for the Silver Cloud Hetzner host. Server-wide maintenance scripts and operational notes for the Silver Cloud Hetzner host.
Suggested repository name: This repo is for host-level improvements that are not tied to one specific app or
service. SSL expiry alerts are the first check in the repo; more server-wide
maintenance checks can be added here over time.
```text ## Implemented Checks
silver-server-ops
``` - SSL certificate expiry alerts
## SSL Certificate Expiry Alerts ## SSL Certificate Expiry Alerts
`scripts/check-cert-expiry.sh` checks every Let's Encrypt certificate under `/etc/letsencrypt/live` and sends an ntfy alert when any certificate expires in less than 14 days. `scripts/check-cert-expiry.sh` checks Let's Encrypt certificates and alerts when
any certificate expires in less than 14 days.
Install on the server:
```bash
sudo install -m 0755 scripts/check-cert-expiry.sh /opt/scripts/check-cert-expiry.sh
```
Recommended root cron:
```cron
15 8 * * * /opt/scripts/check-cert-expiry.sh >/var/log/cert-expiry-check.log 2>&1
```
Defaults:
```bash
CERT_DIR=/etc/letsencrypt/live
EXPIRY_DAYS=14
NTFY_URL=https://ntfy.silverwal.com/silver
```
Optional overrides:
```bash
EXPIRY_DAYS=21 NTFY_URL=https://ntfy.silverwal.com/silver /opt/scripts/check-cert-expiry.sh
```
If your ntfy topic is protected with an access token:
```bash
NTFY_TOKEN=your-token /opt/scripts/check-cert-expiry.sh
```
Manual test:
```bash
sudo /opt/scripts/check-cert-expiry.sh
```
The script exits with `0` when all certificates are healthy and `1` when it sends an alert or cannot run the check correctly.
## Notification Notes
ntfy is a good default for this server because it is already self-hosted, simple to call from shell scripts, and supports useful alert metadata such as title, priority, and tags.
For jobs where silence is also a failure, pair ntfy with a dead man's switch such as Healthchecks. ntfy tells you what the script found; Healthchecks tells you when the script did not run at all.
If you later want one notification config that can fan out to ntfy, email, Slack, Discord, Telegram, and similar services, use Apprise as the wrapper and keep ntfy as one destination.

View File

@@ -4,7 +4,7 @@ set -uo pipefail
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live}" CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live}"
EXPIRY_DAYS="${EXPIRY_DAYS:-14}" EXPIRY_DAYS="${EXPIRY_DAYS:-14}"
NTFY_URL="${NTFY_URL:-https://ntfy.silverwal.com/silver}" NTFY_URL="${NTFY_URL:-https://ntfy.silverwal.com/certbot}"
NTFY_TITLE="${NTFY_TITLE:-SSL certificate warning}" NTFY_TITLE="${NTFY_TITLE:-SSL certificate warning}"
NTFY_PRIORITY="${NTFY_PRIORITY:-high}" NTFY_PRIORITY="${NTFY_PRIORITY:-high}"
NTFY_TAGS="${NTFY_TAGS:-warning,lock}" NTFY_TAGS="${NTFY_TAGS:-warning,lock}"