personal_infra/ansible/services/ntfy/deploy_ntfy_playbook.yml

- name: Deploy ntfy and configure Caddy reverse proxy
  hosts: watchtower
  become: yes
  vars_files:
    - ../../infra_vars.yml
    - ./ntfy_vars.yml
  vars:
    ntfy_domain: "{{ ntfy_subdomain }}.{{ root_domain }}"

  tasks:
    - name: Ensure /etc/apt/keyrings exists
      file:
        path: /etc/apt/keyrings
        state: directory
        mode: '0755'

    - name: Download and dearmor ntfy GPG key
      shell: curl -fsSL https://archive.heckel.io/apt/pubkey.txt | gpg --dearmor -o /etc/apt/keyrings/archive.heckel.io.gpg
      args:
        creates: /etc/apt/keyrings/archive.heckel.io.gpg

    - name: Add ntfy APT repository
      copy:
        dest: /etc/apt/sources.list.d/archive.heckel.io.list
        content: |
          deb [arch=amd64 signed-by=/etc/apt/keyrings/archive.heckel.io.gpg] https://archive.heckel.io/apt debian main
        mode: '0644'

    - name: Update APT cache
      apt:
        update_cache: yes

    - name: Install ntfy
      apt:
        name: ntfy
        state: present

    - name: Ensure ntfy cache directories exist
      file:
        path: "{{ item }}"
        state: directory
        owner: ntfy
        group: ntfy
        mode: '0755'
      loop:
        - /var/cache/ntfy
        - /var/cache/ntfy/attachments

    - name: Deploy ntfy configuration file
      copy:
        dest: /etc/ntfy/server.yml
        content: |
          base-url: "http://{{ ntfy_domain }}"
          listen-http: ":{{ ntfy_port }}"
          cache-file: "/var/cache/ntfy/cache.db"
          attachment-cache-dir: "/var/cache/ntfy/attachments"
          behind-proxy: true
          auth-file: "/var/lib/ntfy/user.db"
          auth-default-access: "deny-all"
        owner: root
        group: root
        mode: '0644'
      notify: Restart ntfy

    - name: Enable and start ntfy service
      systemd:
        name: ntfy
        enabled: yes
        state: started
    
    - name: Create ntfy admin user
      shell: |
        (echo "{{ lookup('env', 'NTFY_PASSWORD') }}"; echo "{{ lookup('env', 'NTFY_PASSWORD') }}") | ntfy user add --role=admin "{{ lookup('env', 'NTFY_USER') }}"

    - name: Ensure Caddy sites-enabled directory exists
      file:
        path: "{{ caddy_sites_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Ensure Caddyfile includes import directive for sites-enabled
      lineinfile:
        path: /etc/caddy/Caddyfile
        line: 'import sites-enabled/*'
        insertafter: EOF
        state: present
        backup: yes

    - name: Create Caddy reverse proxy configuration for ntfy
      copy:
        dest: "{{ caddy_sites_dir }}/ntfy.conf"
        content: |
          {{ ntfy_domain }}, http://{{ ntfy_domain }} {
              reverse_proxy 127.0.0.1:{{ ntfy_port }}

              @httpget {
                  protocol http
                  method GET
                  path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
              }
              redir @httpget https://{host}{uri}
          }
        owner: root
        group: root
        mode: '0644'

    - name: Reload Caddy to apply new config
      command: systemctl reload caddy

  handlers:
    - name: Restart ntfy
      systemd:
        name: ntfy
        state: restarted
finished ntfy server thingies 2025-07-27 12:54:30 +02:00			`- name: Deploy ntfy and configure Caddy reverse proxy`
			`hosts: watchtower`
			`become: yes`
			`vars_files:`
			`- ../../infra_vars.yml`
			`- ./ntfy_vars.yml`
			`vars:`
			`ntfy_domain: "{{ ntfy_subdomain }}.{{ root_domain }}"`

			`tasks:`
			`- name: Ensure /etc/apt/keyrings exists`
			`file:`
			`path: /etc/apt/keyrings`
			`state: directory`
			`mode: '0755'`

			`- name: Download and dearmor ntfy GPG key`
			`shell: curl -fsSL https://archive.heckel.io/apt/pubkey.txt \| gpg --dearmor -o /etc/apt/keyrings/archive.heckel.io.gpg`
			`args:`
			`creates: /etc/apt/keyrings/archive.heckel.io.gpg`

			`- name: Add ntfy APT repository`
			`copy:`
			`dest: /etc/apt/sources.list.d/archive.heckel.io.list`
			`content: \|`
			`deb [arch=amd64 signed-by=/etc/apt/keyrings/archive.heckel.io.gpg] https://archive.heckel.io/apt debian main`
			`mode: '0644'`

			`- name: Update APT cache`
			`apt:`
			`update_cache: yes`

			`- name: Install ntfy`
			`apt:`
			`name: ntfy`
			`state: present`

			`- name: Ensure ntfy cache directories exist`
			`file:`
			`path: "{{ item }}"`
			`state: directory`
			`owner: ntfy`
			`group: ntfy`
			`mode: '0755'`
			`loop:`
			`- /var/cache/ntfy`
			`- /var/cache/ntfy/attachments`

			`- name: Deploy ntfy configuration file`
			`copy:`
			`dest: /etc/ntfy/server.yml`
			`content: \|`
			`base-url: "http://{{ ntfy_domain }}"`
			`listen-http: ":{{ ntfy_port }}"`
			`cache-file: "/var/cache/ntfy/cache.db"`
			`attachment-cache-dir: "/var/cache/ntfy/attachments"`
			`behind-proxy: true`
			`auth-file: "/var/lib/ntfy/user.db"`
			`auth-default-access: "deny-all"`
			`owner: root`
			`group: root`
			`mode: '0644'`
			`notify: Restart ntfy`

			`- name: Enable and start ntfy service`
			`systemd:`
			`name: ntfy`
			`enabled: yes`
			`state: started`

			`- name: Create ntfy admin user`
			`shell: \|`
			`(echo "{{ lookup('env', 'NTFY_PASSWORD') }}"; echo "{{ lookup('env', 'NTFY_PASSWORD') }}") \| ntfy user add --role=admin "{{ lookup('env', 'NTFY_USER') }}"`

			`- name: Ensure Caddy sites-enabled directory exists`
			`file:`
			`path: "{{ caddy_sites_dir }}"`
			`state: directory`
			`owner: root`
			`group: root`
			`mode: '0755'`

			`- name: Ensure Caddyfile includes import directive for sites-enabled`
			`lineinfile:`
			`path: /etc/caddy/Caddyfile`
			`line: 'import sites-enabled/*'`
			`insertafter: EOF`
			`state: present`
			`backup: yes`

			`- name: Create Caddy reverse proxy configuration for ntfy`
			`copy:`
			`dest: "{{ caddy_sites_dir }}/ntfy.conf"`
			`content: \|`
			`{{ ntfy_domain }}, http://{{ ntfy_domain }} {`
			`reverse_proxy 127.0.0.1:{{ ntfy_port }}`

			`@httpget {`
			`protocol http`
			`method GET`
			`path_regexp ^/([-_a-z0-9]{0,64}$\|docs/\|static/)`
			`}`
			`redir @httpget https://{host}{uri}`
			`}`
			`owner: root`
			`group: root`
			`mode: '0644'`

			`- name: Reload Caddy to apply new config`
			`command: systemctl reload caddy`

			`handlers:`
			`- name: Restart ntfy`
			`systemd:`
			`name: ntfy`
			`state: restarted`