Watchtower, again, and Gotify to the rescue

Watchtower - revisited

So last time, I was vehemently against using Watchtower to update my Docker images. Like, it's a recipe for disaster: you will end up with a Traefik that breaks because some configuration change broke it.

Or your homeassistant/zigbee2mqtt/mqtt is broken, and none of your lights work. And let's be real, a smart home is only good if everything actually works. But after doing the manual

docker compose pull && docker compose up -d

I was getting fed up with it. I wanted to stay on the bleeding edge, I wanted all the security updates and bug fixes, and I didn't want to constantly log into multiple machines over SSH, do the manual magic, and then find out whether everything still works (it doesn't always, wink wink). Notifications for the win.

So what changed was that while browsing Watchtower's notification options, I stumbled upon ntfy, and with subsequent testing, Gotify (I like Gotify's UI way more than ntfy's). These gave me the push I wanted: if I could have a separate app on my phone that sends me notifications on anything that happens, then I would be OK with Watchtower doing stuff behind the scenes.

I could get monitoring updates on images I want to update manually (Home Assistant, Omada Controller, etc.), and auto-update the lesser images and hope everything works. With notifications, I would get the reminder: hey, go and check that everything works.

services:

  gotify:
    image: gotify/server:latest
    container_name: gotify
    restart: unless-stopped
    environment:
      - TZ=Europe/Helsinki
      - GOTIFY_SERVER_PORT=80
      - GOTIFY_SERVER_KEEPALIVEPERIODSECONDS=0
      - GOTIFY_SERVER_SSL_ENABLED=false
      - GOTIFY_SERVER_STREAM_PINGPERIODSECONDS=45
      - GOTIFY_DATABASE_DIALECT=sqlite3
      - GOTIFY_DATABASE_CONNECTION=data/gotify.db
      - GOTIFY_DEFAULTUSER_NAME=xxx
      - GOTIFY_DEFAULTUSER_PASS=xxx
      - GOTIFY_PASSSTRENGTH=10
      - GOTIFY_UPLOADEDIMAGESDIR=data/images
      - GOTIFY_PLUGINSDIR=data/plugins
      - GOTIFY_REGISTRATION=false
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./data:/app/data
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

So with Gotify done, it's time to give Watchtower a spin. And yes, I think it's hilarious that Watchtower can be set to update itself.

services:

  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    hostname: Duckpond
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - "TZ=Europe/Helsinki"
      - "WATCHTOWER_POLL_INTERVAL=3600"         # Poll interval in seconds
      - "WATCHTOWER_INCLUDE_STOPPED=true"       # Include stopped containers
      - "WATCHTOWER_INCLUDE_RESTARTING=true"    # Will also include restarting containers 
      - "WATCHTOWER_REVIVE_STOPPED=true"        # Restart stopped containers
      - "WATCHTOWER_CLEANUP=true"               # Delete unused image
      - "WATCHTOWER_LABEL_ENABLE=true"          # Only include containers with enable label
      - "WATCHTOWER_LIFECYCLE_HOOKS=true"       # Enable pre/post-update scripts
      - "WATCHTOWER_NOTIFICATIONS_LEVEL=info"
      - "WATCHTOWER_NOTIFICATIONS=gotify"
      - "WATCHTOWER_NOTIFICATION_GOTIFY_URL=http://gotify"
      - "WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN=xxxx"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

Happy times

Gotify on Android

So yes, this makes my life a lot simpler. I don't have to stress about updating every single container, especially the ones that are exposed to the world (not that there is anything critical, but it's the principle).

And I get to do some nifty security stuff as well, since I added some cron scripts that notify me when:

  • Someone logs into my VPS
  • I have package updates that need to be run on any of my servers
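
The login-notification cron script is not shown in the post, so here is an added example of how one could look (my code, not the author's): it extracts accepted sshd logins from log text, builds a message, and pushes it through Gotify's `POST /message?token=<apptoken>` API. It assumes `GOTIFY_URL` and `GOTIFY_TOKEN` (an application token created in the Gotify UI) are set in the environment, and the log lines below are constructed samples, not real logins.

```shell
#!/bin/sh
# Added example: turn sshd "Accepted ..." lines into a Gotify push message.
# Assumes GOTIFY_URL (e.g. http://gotify) and GOTIFY_TOKEN are set for cron.

# Constructed sample in auth.log/journal format (not real logins).
SAMPLE_LOG='Mar  3 08:12:41 vps sshd[2211]: Accepted publickey for deploy from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:abc
Mar  3 08:12:42 vps sshd[2211]: pam_unix(sshd:session): session opened for user deploy
Mar  3 08:15:03 vps sshd[2290]: Failed password for root from 198.51.100.9 port 40022 ssh2
Mar  3 08:16:10 vps sshd[2301]: Accepted password for admin from 198.51.100.20 port 40100 ssh2'

# Print one "user method ip" line per accepted login; failures and
# session noise are ignored. Fields are located by keyword, not position,
# so both syslog and journalctl timestamps work.
ssh_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for")      user   = $(i + 1)
                if ($i == "from")     ip     = $(i + 1)
            }
            print user, method, ip
        }'
}

# Build the message body: a count line followed by the login lines.
login_message() {
    count=$(printf '%s\n' "$2" | grep -c . || true)
    printf 'SSH logins on %s: %s\n%s\n' "$1" "$count" "$2"
}

# Gotify REST API: application token as query parameter, form fields
# title/message/priority. Priority 8 shows as high priority in the app.
notify_gotify() {
    curl -fsS "${GOTIFY_URL%/}/message?token=${GOTIFY_TOKEN}" \
        -F "title=$1" -F "message=$2" -F "priority=8" >/dev/null
}

# Cron entry point: notify only when at least one login was accepted.
# Typical input: journalctl -u ssh --since '-1 hour' -o short
run_check() {
    logins=$(ssh_logins "$1")
    [ -n "$logins" ] || return 0
    notify_gotify "SSH login" "$(login_message "$(hostname)" "$logins")"
}
```

Run it from an hourly cron job with `run_check "$(journalctl -u ssh --since '-1 hour' -o short)"`; a quiet hour produces no message at all.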

So it's not just about Docker containers, it's about everything in my network. And again, this is a separate app that I choose to run. It keeps the messages I receive from my machines separate from the apps I run in my network.

Separation of concerns.