Another solution I don’t see mentioned (yet) is have both ends connect to a VPS running your WG endpoint. Then both sides only have to have egress ability, nothing coming in, no CGNAT to worry about.

Negative. All done in uptimekuma/HA. You’ll need an access-token from your home assistant server but it’s pretty straightforward.

I use uptimekuma with notifications through home assistant. I get notifications on my phone and watch. I had notifications set up to go to a room on my matrix homeserver but recently migrated it and don’t feel like messing with the room.

FWIW, here’s my compose file. I 100% use https for everything internal. With LetsEncrypt and Pihole, why wouldn’t you? It’s dead-simple.

networks:
  backend:
    external: True

services:
  vaultwarden:
    container_name: vw-svr-00
    image: vaultwarden/server
    environment:
      - TZ=My/Timezone
      - DOMAIN=https://my.internal.domain/
#    ports:
#      - "82:80"
    volumes:
      - ./vw_data:/data
    networks:
      - backend
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`my.internal.domain`)”
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

edit: I also run my instance on a subdomain vs a path. So my instances is actually at vw.internal.domain.

Yes. You can enable password requirements to install them. iOS at least, don’t know about Android.

This looks like it’s just sponsor blocking in the videos. Does this block pre/post ads?