Incus Server
Monitoring
updown.io sits at the top of the monitoring stack: it watches both Uptime Kuma and the Incus server via Pulse, a cron-based dead man's switch. Everything else in the infrastructure is monitored by Uptime Kuma itself. Alerts from updown.io are sent via SMS, since all self-hosted notification channels (email, etc.) could be down at the same time.
The Incus server sends a Pulse ping every hour; if the ping stops arriving, updown.io triggers an alert.
Cron job (runs every hour)
0 * * * * curl -sSo /dev/null -m 10 --retry 5 https://pulse.updown.io/<token>/<token>
needrestart Configuration
unattended-upgrades runs needrestart after each upgrade to detect and restart affected services. Two services must not be restarted automatically:
- systemd-networkd: a restart flushes routing table 52, wiping Tailscale's throw <subnet> entries and breaking container routing when an exit node is active (see Post Mortem: Tailscale Throw Route Lost After needrestart Restarted networkd)
- tailscaled: must only restart after systemd-networkd, if at all, and never automatically
/etc/needrestart/conf.d/incus.conf
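# Patterns are matched against the unit name as needrestart reports it; on
# systemd hosts that is normally with the .service suffix, so it is allowed here.
$nrconf{blacklist_rc} = [
    qr(^systemd-networkd(\.service)?$),
    qr(^tailscaled(\.service)?$),
];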
blacklist_rc tells needrestart to skip these services entirely. Restarts remain available via systemctl restart when genuinely needed.
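The failure mode described above (throw routes missing from routing table 52) can also be checked directly, so a regression is noticed even if a restart slips through. The script below is an added example, not part of the original page: the function name missing_throws, the subnet 10.10.0.0/24 and both sample tables are constructed, and it assumes `ip route show table 52` prints each such route as a line starting with `throw <subnet>`.

```shell
#!/bin/sh
# Added example (not from the original page): detect missing Tailscale throw
# routes in routing table 52. Feed it the output of `ip route show table 52`.

# missing_throws SUBNET...
#   Reads a routing table listing on stdin, prints every expected subnet
#   that has no "throw <subnet>" line, and returns 1 if any are missing.
missing_throws() {
    routes=$(cat)
    rc=0
    for subnet in "$@"; do
        # Compare whole fields, so 10.10.0.0/16 never satisfies 10.10.0.0/24
        # and trailing attributes after the subnet are ignored.
        if ! printf '%s\n' "$routes" |
             awk -v s="$subnet" \
                 '$1 == "throw" && $2 == s { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$subnet"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: table 52 with an exit node active, throw route intact.
TABLE_OK='100.64.0.0/10 dev tailscale0
throw 10.10.0.0/24
default dev tailscale0'

# Constructed sample: the throw route is gone, only the default remains.
TABLE_FLUSHED='default dev tailscale0'

# Demo on the constructed samples.
printf '%s\n' "$TABLE_OK" | missing_throws 10.10.0.0/24 \
    && echo "table 52 ok"
printf '%s\n' "$TABLE_FLUSHED" | missing_throws 10.10.0.0/24 \
    || echo "ALERT: throw route(s) listed above are missing from table 52"

# Live use (subnet is an assumption; replace with the container subnet):
#   ip route show table 52 | missing_throws 10.10.0.0/24
```

Run from cron ahead of the hourly Pulse ping and chained with `&&`, a failed check withholds the ping, so updown.io raises the SMS alert for this condition as well.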