feat: add external monitoring for all Cloudflare-proxied services

Add automatic external HTTPS monitors to Uptime Kuma for ~96 services
exposed via Cloudflare tunnel. A sync CronJob (every 10min) reads from
a Terraform-generated ConfigMap and creates/deletes [External] monitors
to match cloudflare_proxied_names. Status page groups these separately
as "External Reachability" and pushes a divergence metric to Pushgateway
when services are externally down but internally up. Prometheus alert
ExternalAccessDivergence fires after 15min of divergence.

[ci skip]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Viktor Barzin 2026-04-14 19:04:45 +00:00
parent 3258ff6cb7
commit ff360a8807
4 changed files with 384 additions and 5 deletions

@ -1895,6 +1895,15 @@ serverFiles:
severity: warning
annotations:
summary: "Headscale 5xx error rate is {{ $value | printf \"%.1f\" }}%"
- name: "External Access"
rules:
- alert: ExternalAccessDivergence
expr: external_internal_divergence_count > 0
for: 15m
labels:
severity: warning
annotations:
summary: "{{ $value | printf \"%.0f\" }} service(s) externally unreachable but internally healthy — check Cloudflare tunnel, DNS, or Traefik routing"
extraScrapeConfigs: |
- job_name: 'proxmox-host'
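Review bot: the `expr: external_internal_divergence_count > 0` in ExternalAccessDivergence has no guard against a stale or missing series. The commit message says this value is pushed to Pushgateway by a sync CronJob that runs every 10 minutes, and Pushgateway keeps serving the last pushed sample until it is overwritten or deleted. If the sync job stops, a last value of 0 silences this alert indefinitely and a last non-zero value keeps it firing. If the metric has never been pushed, the expression returns no series and the rule stays quiet. Suggest adding a companion rule to the same "External Access" group that fires when the push is older than a few sync intervals, for example `time() - push_time_seconds{job="<pushgateway-job>"} > 1800` (the job label is a placeholder, since it is not visible in this hunk), together with an `absent(external_internal_divergence_count)` rule. That way a broken monitor sync is reported as its own condition rather than being read as "no divergence".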