diff --git a/scripts/health-check b/scripts/health-check
index 3b4b605e..545760cd 100755
--- a/scripts/health-check
+++ b/scripts/health-check
@@ -1,27 +1,52 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p curl -p dig -p iputils
-set -eu
 
 echo "this script will check that uninsane.org is baseline operational"
 echo "it doesn't check all services, just the most critical ones"
 echo ""
 
-set -x
+last_error=0
+check() {
+  local label=$1
+  shift
+  printf "checking %s\n" "$label"
+  "$@" > /dev/null
+  local rc=$?
+  if [ $rc -ne 0 ]; then
+    last_error=$rc
+    printf "FAILED CHECK '%s'\n" "$label" >&2
+    echo "  $@" >&2
+  fi
+  return $rc
+}
 
-nslookup uninsane.org. > /dev/null || echo "uninsane.org. DNS not reachable"
-nslookup uninsane.org. 1.1.1.1 > /dev/null || echo "uninsane.org. DNS not reachable via external resolver"
-nslookup uninsane.org. ovpns.uninsane.org > /dev/null || echo "uninsane.org. bootstrap DNS not reachable"
+check "self-test" false 2> /dev/null
+if [ $last_error -eq 0 ]; then
+  echo "SELF-TEST FAILED" >&2
+  echo "SELF-TEST FAILED"
+  exit 1
+fi
+last_error=0
 
-curl --silent --fail-with-body https://uninsane.org > /dev/null || echo "https://uninsane.org not online"
-curl --silent --fail-with-body https://matrix.uninsane.org > /dev/null || echo "https://matrix.uninsane.org not online"
-curl --silent --fail-with-body https://fed.uninsane.org > /dev/null || echo "https://fed.uninsane.org not online"
 
-nslookup -querytype=TXT _dmarc.uninsane.org. > /dev/null || echo "missing DMARC record for uninsane.org"
+check "uninsane.org. DNS" nslookup uninsane.org.
+check "uninsane.org. DNS via external resolver" nslookup uninsane.org. 1.1.1.1
+check "uninsane.org. bootstrap DNS" nslookup uninsane.org. ovpns.uninsane.org
 
-ping -c 1 -W 3 servo-hn  >/dev/null || echo "servo-hn not pingable"
+check "https://uninsane.org online" curl --silent --fail-with-body https://uninsane.org
+check "https://matrix.uninsane.org online" curl --silent --fail-with-body https://matrix.uninsane.org
+check "https://fed.uninsane.org online" curl --silent --fail-with-body https://fed.uninsane.org
+
+check "uninsane.org DMARC record" nslookup -querytype=TXT _dmarc.uninsane.org.
+
+check "servo-hn wireguard network" ping -c 1 -W 3 servo-hn
 
-set +x
 echo ""
-echo "SUCCESS"
-echo "now manually test email services:"
-echo "- <https://www.appmaildev.com/en/dkim>"
+if [ $last_error -eq 0 ]; then
+  echo "SUCCESS"
+  echo "now manually test email services:"
+  echo "- <https://www.appmaildev.com/en/dkim>"
+else
+  echo "FAILED"
+  exit $last_error
+fi