finished ntfy server thingies

02_vps_core_services_setup.md

@@ -120,6 +120,25 @@ Forgejo is a git server.
 * You can tweak more settings from that point on.
 * SSH cloning should work out of the box (after you've set up your SSH pub key in Forgejo, that is).
 
+
+## ntfy
+
+ntfy is a notifications server.
+
+### Deploy
+
+* Decide what subdomain you want to serve ntfy on and add it to `services/ntfy/ntfy_vars.yml` on the `ntfy_subdomain`.
+    * Note that you will have to add a DNS entry to point to the VPS public IP.
+* Before running the playbook, you should decide on a user and password for the admin user. This user is the only one authorised to send and read messages from topics. Once you've picked, export them in your terminal like this `export NTFY_USER=admin; export NTFY_PASSWORD=secret`.
+* In the same shell, run the deployment playbook: `ansible-playbook -i inventory.ini services/ntfy/deploy_ntfy_playbook.yml`.
+
+### Configure
+
+* You can visit the ntfy web UI at the FQDN you configured.
+* You can start using notify to send alerts with uptime kuma by visiting the uptime kuma UI and using the credentials for the ntfy admin user.
+* To receive alerts on your phone, install the official ntfy app: https://github.com/binwiederhier/ntfy-android.
+* You can also subscribe on the web UI on your laptop.
+
 ### Backups
 
-No explicit backups. It's assumed that important repos will be in Lapy, and that perhaps you might even backup lapy as well.
+Given that ntfy is almost stateless, no backups are made. If it blows up, simply set it up again.

ansible/services/ntfy/deploy_ntfy_playbook.yml

@@ -0,0 +1,116 @@
+- name: Deploy ntfy and configure Caddy reverse proxy
+  hosts: watchtower
+  become: yes
+  vars_files:
+    - ../../infra_vars.yml
+    - ./ntfy_vars.yml
+  vars:
+    ntfy_domain: "{{ ntfy_subdomain }}.{{ root_domain }}"
+
+  tasks:
+    - name: Ensure /etc/apt/keyrings exists
+      file:
+        path: /etc/apt/keyrings
+        state: directory
+        mode: '0755'
+
+    - name: Download and dearmor ntfy GPG key
+      shell: curl -fsSL https://archive.heckel.io/apt/pubkey.txt | gpg --dearmor -o /etc/apt/keyrings/archive.heckel.io.gpg
+      args:
+        creates: /etc/apt/keyrings/archive.heckel.io.gpg
+
+    - name: Add ntfy APT repository
+      copy:
+        dest: /etc/apt/sources.list.d/archive.heckel.io.list
+        content: |
+          deb [arch=amd64 signed-by=/etc/apt/keyrings/archive.heckel.io.gpg] https://archive.heckel.io/apt debian main
+        mode: '0644'
+
+    - name: Update APT cache
+      apt:
+        update_cache: yes
+
+    - name: Install ntfy
+      apt:
+        name: ntfy
+        state: present
+
+    - name: Ensure ntfy cache directories exist
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: ntfy
+        group: ntfy
+        mode: '0755'
+      loop:
+        - /var/cache/ntfy
+        - /var/cache/ntfy/attachments
+
+    - name: Deploy ntfy configuration file
+      copy:
+        dest: /etc/ntfy/server.yml
+        content: |
+          base-url: "http://{{ ntfy_domain }}"
+          listen-http: ":{{ ntfy_port }}"
+          cache-file: "/var/cache/ntfy/cache.db"
+          attachment-cache-dir: "/var/cache/ntfy/attachments"
+          behind-proxy: true
+          auth-file: "/var/lib/ntfy/user.db"
+          auth-default-access: "deny-all"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Restart ntfy
+
+    - name: Enable and start ntfy service
+      systemd:
+        name: ntfy
+        enabled: yes
+        state: started
+    
+    - name: Create ntfy admin user
+      shell: |
+        (echo "{{ lookup('env', 'NTFY_PASSWORD') }}"; echo "{{ lookup('env', 'NTFY_PASSWORD') }}") | ntfy user add --role=admin "{{ lookup('env', 'NTFY_USER') }}"
+
+    - name: Ensure Caddy sites-enabled directory exists
+      file:
+        path: "{{ caddy_sites_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Ensure Caddyfile includes import directive for sites-enabled
+      lineinfile:
+        path: /etc/caddy/Caddyfile
+        line: 'import sites-enabled/*'
+        insertafter: EOF
+        state: present
+        backup: yes
+
+    - name: Create Caddy reverse proxy configuration for ntfy
+      copy:
+        dest: "{{ caddy_sites_dir }}/ntfy.conf"
+        content: |
+          {{ ntfy_domain }}, http://{{ ntfy_domain }} {
+              reverse_proxy 127.0.0.1:{{ ntfy_port }}
+
+              @httpget {
+                  protocol http
+                  method GET
+                  path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
+              }
+              redir @httpget https://{host}{uri}
+          }
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Reload Caddy to apply new config
+      command: systemctl reload caddy
+
+  handlers:
+    - name: Restart ntfy
+      systemd:
+        name: ntfy
+        state: restarted

ansible/services/ntfy/ntfy_vars.yml

@@ -0,0 +1,3 @@
+caddy_sites_dir: /etc/caddy/sites-enabled
+ntfy_subdomain: ntfy
+ntfy_port: 6674