finished ntfy server thingies

ansible/services/ntfy/deploy_ntfy_playbook.yml

@@ -0,0 +1,116 @@
+- name: Deploy ntfy and configure Caddy reverse proxy
+  hosts: watchtower
+  become: yes
+  vars_files:
+    - ../../infra_vars.yml
+    - ./ntfy_vars.yml
+  vars:
+    ntfy_domain: "{{ ntfy_subdomain }}.{{ root_domain }}"
+
+  tasks:
+    - name: Ensure /etc/apt/keyrings exists
+      file:
+        path: /etc/apt/keyrings
+        state: directory
+        mode: '0755'
+
+    - name: Download and dearmor ntfy GPG key
+      shell: curl -fsSL https://archive.heckel.io/apt/pubkey.txt | gpg --dearmor -o /etc/apt/keyrings/archive.heckel.io.gpg
+      args:
+        creates: /etc/apt/keyrings/archive.heckel.io.gpg
+
+    - name: Add ntfy APT repository
+      copy:
+        dest: /etc/apt/sources.list.d/archive.heckel.io.list
+        content: |
+          deb [arch=amd64 signed-by=/etc/apt/keyrings/archive.heckel.io.gpg] https://archive.heckel.io/apt debian main
+        mode: '0644'
+
+    - name: Update APT cache
+      apt:
+        update_cache: yes
+
+    - name: Install ntfy
+      apt:
+        name: ntfy
+        state: present
+
+    - name: Ensure ntfy cache directories exist
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: ntfy
+        group: ntfy
+        mode: '0755'
+      loop:
+        - /var/cache/ntfy
+        - /var/cache/ntfy/attachments
+
+    - name: Deploy ntfy configuration file
+      copy:
+        dest: /etc/ntfy/server.yml
+        content: |
+          base-url: "http://{{ ntfy_domain }}"
+          listen-http: ":{{ ntfy_port }}"
+          cache-file: "/var/cache/ntfy/cache.db"
+          attachment-cache-dir: "/var/cache/ntfy/attachments"
+          behind-proxy: true
+          auth-file: "/var/lib/ntfy/user.db"
+          auth-default-access: "deny-all"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Restart ntfy
+
+    - name: Enable and start ntfy service
+      systemd:
+        name: ntfy
+        enabled: yes
+        state: started
+    
+    - name: Create ntfy admin user
+      shell: |
+        (echo "{{ lookup('env', 'NTFY_PASSWORD') }}"; echo "{{ lookup('env', 'NTFY_PASSWORD') }}") | ntfy user add --role=admin "{{ lookup('env', 'NTFY_USER') }}"
+
+    - name: Ensure Caddy sites-enabled directory exists
+      file:
+        path: "{{ caddy_sites_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Ensure Caddyfile includes import directive for sites-enabled
+      lineinfile:
+        path: /etc/caddy/Caddyfile
+        line: 'import sites-enabled/*'
+        insertafter: EOF
+        state: present
+        backup: yes
+
+    - name: Create Caddy reverse proxy configuration for ntfy
+      copy:
+        dest: "{{ caddy_sites_dir }}/ntfy.conf"
+        content: |
+          {{ ntfy_domain }}, http://{{ ntfy_domain }} {
+              reverse_proxy 127.0.0.1:{{ ntfy_port }}
+
+              @httpget {
+                  protocol http
+                  method GET
+                  path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
+              }
+              redir @httpget https://{host}{uri}
+          }
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Reload Caddy to apply new config
+      command: systemctl reload caddy
+
+  handlers:
+    - name: Restart ntfy
+      systemd:
+        name: ntfy
+        state: restarted

ansible/services/ntfy/ntfy_vars.yml

@@ -0,0 +1,3 @@
+caddy_sites_dir: /etc/caddy/sites-enabled
+ntfy_subdomain: ntfy
+ntfy_port: 6674