diff --git a/group_vars/nas/vars.yml b/group_vars/nas/vars.yml index abc0340..9928272 100644 --- a/group_vars/nas/vars.yml +++ b/group_vars/nas/vars.yml @@ -11,3 +11,5 @@ lander_commit_sha: 'e438bd045ca2ee64e3d9ab98f416027b5417c3f6' lander_api_key: "{{ vault_lander_api_key }}" restic_rest_version: '0.12.1' + +ntfy_user_pi_pass: "{{ vault_ntfy_user_pi_pass }}" diff --git a/group_vars/nas/vault.yml b/group_vars/nas/vault.yml index 393c6c6..d00cfa3 100644 --- a/group_vars/nas/vault.yml +++ b/group_vars/nas/vault.yml @@ -1,32 +1,35 @@ $ANSIBLE_VAULT;1.1;AES256 -37346237633132376331343965346531353137643430376563323237353761313035396634316464 -6562336662656266636466626531373834653832353331630a653962656431373932363937396438 -65663735326331323333396336653933373633383530386463346435316466393664383630393065 -6366326463306435340a616263613366333536626239636239393364333363346630666430393163 -65613063383539323339636262353462343439656135333130396134326433356333623366333638 -38653939306564633865303032666337616436666264656432346339386361666161333034376632 -34363035333431343035643635663839326130396465653066323639333833663761313565393537 -31363861646630633032643838636663396235336265316161353036623539356534646530323534 -65313863333233383461383165383534386435633130633864363038353932636631376461663763 -35626364636633303738346161393161356333306630386438626534356336646531336164396537 -63613434366232333738326166303237353831666137386134346562663766656536373431343630 -66363666353432306539383035356636303635636639646537663362656235373236393866383364 -30333261646661393566373833613336316533336632613663383061613431376337376234666636 -34393864313462303937366136333662386465653839356563653236663632376531363663343963 -61333966323661383364363733373062373230363664356661306134393061386464393763633433 -35333330616234656531306431306566663131663932303231613665363030313733326337313635 -32666539306638333763623161303730613663366630326562303731343064376634373264323337 -66353161376537333461613438316662623138393835666539303030656134373664663537373462 -36303833333831626632633337393562336538633465326537653431386162346165356465393837 -66393161383639643638366336356139323533393932646333373631366566626537313536346664 -64343064373432326633393263623365323561386261633161313638656539363434393332353736 -38633537653730333837303766353338383433626331623937313136326561623730346361623336 -65303961626230363634653333396566333735323132336165623734363165366137663765663636 -65316431363666653738623838663831343433333939616162366337346135336631333661643865 -38613536373837393664336133333934303166356365346563643265326136353838316336666664 -35376138326431343661316264626665343366613335383062366331373634626133626163333361 -61366262633965323165336663633963626633656236666239346434396439393461336230663366 -31393135663433313933613862353962333664653962653562303832616334663334356562646133 -64303761363833316464363237366238376230386236636265363339666332613238353865646537 -34333333336631393033353532366333376465643362326438396138383861646463363462396164 -343064393363653934613861366638616461 +62346334613664653131343434626663336631396537393434353165616236306339376365656539 +6435616564373934616339363363333431313531336262350a373137646264636364333464336230 +30613464636139363061376563333563383634653564623264633133613337663465653633323830 +3232343731636135340a316263363633373038393261346637623333616137303662613132623661 +66363736356631316231303262356531326663333566313832346165323863376236393335363130 +39393262623633646230656130316461396530646565353234663766356563326338613261313832 +33373232333231333666366564396562383034353961393262646231626632396135373265303066 +61613131323762363635633939666464633730376538323538313339306464643036656337393633 +64386439636665366630633462623530663833326438613433306134373966393130343438323334 +33366530373831326533303632373564376463643439633538653039373464386433663037346535 +61326430393662353732383231663632363433333565373136633930623533343061366639333262 +32613435363232346131393862663066663539323334326566356235626565333831393066343731 +36356539326632666665633166363135313139646136373934613561323531393533643131333963 +66613561343864353937386632376330346666626262303166353838333966366239363363656335 +39393163616133316531356339623933633237393663323630386363636163636136383334343230 +39326431663232303835656632373035623531656131383763323536383433343131363239343536 +31643364613031386162656236373635303235303262393239396138393061313331333436663663 +36613963343262346131643263373937653264626230373737643935386338343434613434663061 +36396265336466306437383664653731343838396663396233393663656138363932323563326631 +62363332613261383637653861346338626531353330346532303066623638376663366133313532 +63623930303363333162373562323334373332346335303065643536396565626534316537376466 +64663266396238653165346134363432386532323534373366643233373366316365323938313661 +36346362646430623563376261306265623663326534373562636633303835333330613761326264 +33353264316238663134346463333033346564653137646336373134623134633534343333366262 +37646166623463323436363436386539343061646230626638313537643862316338383939316233 +62333535663338346663363334386538366437393161356639306636393232396562303366383232 +64313762363436333262396631663331333033356362373764373732313330396237383864316638 +34306563646633366666343535346630616632343033343036393232376264653831373664356361 +66333737343731393837633432383862326532336434326461313439653763613062343331646639 +38376536306532623834336435353962323635383930323435376234316230636533353264626663 +38306366316534383530613131346163613765326534396231373932303639393430656233363234 +63643133623637326466623765653638383437343035343035653766333036373334343961326534 +32303665336130346636616564613332393235303034643939643635346662316466356535653331 +3265353466356535346632623363373037303861346135613066 diff --git a/hosts.ini b/hosts.ini index 6dea340..850d8a0 100644 --- a/hosts.ini +++ b/hosts.ini @@ -17,3 +17,6 @@ [monica] 192.168.0.2 static_ip=192.168.0.2 + +[ntfyserver] +192.168.0.3 static_ip=192.168.0.3 diff --git a/nas.yml b/nas.yml index 0eaccc8..1136381 100644 --- a/nas.yml +++ b/nas.yml @@ -7,6 +7,13 @@ - common tags: base +- hosts: nas + become: yes + roles: + - ntfy + - ntfy-server + tags: ntfy + - name: Configure BTRFS RAID hosts: nas become: yes diff --git a/roles/ntfy-server-web/meta/main.yml b/roles/ntfy-server-web/meta/main.yml new file mode 100644 index 0000000..1dbd0f6 --- /dev/null +++ b/roles/ntfy-server-web/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: caddy diff --git a/roles/ntfy-server-web/tasks/main.yml b/roles/ntfy-server-web/tasks/main.yml new file mode 100644 index 0000000..2c65480 --- /dev/null +++ b/roles/ntfy-server-web/tasks/main.yml @@ -0,0 +1,9 @@ +--- +- name: Ensure Caddyfile is present + template: + src: 'ntfy-server.Caddyfile.j2' + dest: '/etc/caddy/ntfy-server.Caddyfile' + owner: root + group: root + mode: '0644' + notify: caddy-reload diff --git a/roles/ntfy-server-web/templates/ntfy-server.Caddyfile.j2 b/roles/ntfy-server-web/templates/ntfy-server.Caddyfile.j2 new file mode 100644 index 0000000..437bf11 --- /dev/null +++ b/roles/ntfy-server-web/templates/ntfy-server.Caddyfile.j2 @@ -0,0 +1,3 @@ +ntfy.roosens.me { + reverse_proxy {{ hostvars[groups['ntfyserver'][0]].static_ip }}:8003 +} diff --git a/roles/ntfy-server/files/server.yml b/roles/ntfy-server/files/server.yml new file mode 100644 index 0000000..4015218 --- /dev/null +++ b/roles/ntfy-server/files/server.yml @@ -0,0 +1,363 @@ +# ntfy server config file +# +# Please refer to the documentation at https://ntfy.sh/docs/config/ for details. +# All options also support underscores (_) instead of dashes (-) to comply with the YAML spec. + +# Public facing base URL of the service (e.g. https://ntfy.sh or https://ntfy.example.com) +# +# This setting is required for any of the following features: +# - attachments (to return a download URL) +# - e-mail sending (for the topic URL in the email footer) +# - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic) +# - Matrix Push Gateway (to validate that the pushkey is correct) +# +base-url: 'https://ntfy.roosens.me' + +# Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also +# set "key-file" and "cert-file". Format: []:, e.g. "1.2.3.4:8080". +# +# To listen on all interfaces, you may omit the IP address, e.g. ":443". +# To disable HTTP, set "listen-http" to "-". +# +listen-http: ":8003" +# listen-https: + +# Listen on a Unix socket, e.g. /var/lib/ntfy/ntfy.sock +# This can be useful to avoid port issues on local systems, and to simplify permissions. +# +# listen-unix: +# listen-unix-mode: + +# Path to the private key & cert file for the HTTPS web server. Not used if "listen-https" is not set. +# +# key-file: +# cert-file: + +# If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app. +# This is optional and only required to save battery when using the Android app. +# +# firebase-key-file: + +# If "cache-file" is set, messages are cached in a local SQLite database instead of only in-memory. +# This allows for service restarts without losing messages in support of the since= parameter. +# +# The "cache-duration" parameter defines the duration for which messages will be buffered +# before they are deleted. This is required to support the "since=..." and "poll=1" parameter. +# To disable the cache entirely (on-disk/in-memory), set "cache-duration" to 0. +# The cache file is created automatically, provided that the correct permissions are set. +# +# The "cache-startup-queries" parameter allows you to run commands when the database is initialized, +# e.g. to enable WAL mode (see https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)). +# Example: +# cache-startup-queries: | +# pragma journal_mode = WAL; +# pragma synchronous = normal; +# pragma temp_store = memory; +# pragma busy_timeout = 15000; +# vacuum; +# +# The "cache-batch-size" and "cache-batch-timeout" parameter allow enabling async batch writing +# of messages. If set, messages will be queued and written to the database in batches of the given +# size, or after the given timeout. This is only required for high volume servers. +# +# Debian/RPM package users: +# Use /var/cache/ntfy/cache.db as cache file to avoid permission issues. The package +# creates this folder for you. +# +# Check your permissions: +# If you are running ntfy with systemd, make sure this cache file is owned by the +# ntfy user and group by running: chown ntfy.ntfy . +# +cache-file: /mnt/data1/ntfy/cache.db +# cache-duration: "12h" +# cache-startup-queries: +# cache-batch-size: 0 +# cache-batch-timeout: "0ms" + +# If set, access to the ntfy server and API can be controlled on a granular level using +# the 'ntfy user' and 'ntfy access' commands. See the --help pages for details, or check the docs. +# +# - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist +# - auth-default-access defines the default/fallback access if no access control entry is found; it can be +# set to "read-write" (default), "read-only", "write-only" or "deny-all". +# - auth-startup-queries allows you to run commands when the database is initialized, e.g. to enable +# WAL mode. This is similar to cache-startup-queries. See above for details. +# +# Debian/RPM package users: +# Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package +# creates this folder for you. +# +# Check your permissions: +# If you are running ntfy with systemd, make sure this user database file is owned by the +# ntfy user and group by running: chown ntfy.ntfy . +# +auth-file: /mnt/data1/ntfy/user.db +auth-default-access: "deny-all" +# auth-startup-queries: + +# If set, the X-Forwarded-For header is used to determine the visitor IP address +# instead of the remote address of the connection. +# +# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited +# as if they are one. +# +behind-proxy: true + +# If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments +# are "attachment-cache-dir" and "base-url". +# +# - attachment-cache-dir is the cache directory for attached files +# - attachment-total-size-limit is the limit of the on-disk attachment cache directory (total size) +# - attachment-file-size-limit is the per-file attachment size limit (e.g. 300k, 2M, 100M) +# - attachment-expiry-duration is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h) +# +attachment-cache-dir: '/mnt/data1/ntfy/attachments' +# attachment-total-size-limit: "5G" +# attachment-file-size-limit: "15M" +# attachment-expiry-duration: "3h" + +# If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set, +# messages will additionally be sent out as e-mail using an external SMTP server. +# +# As of today, only SMTP servers with plain text auth (or no auth at all), and STARTLS are supported. +# Please also refer to the rate limiting settings below (visitor-email-limit-burst & visitor-email-limit-burst). +# +# - smtp-sender-addr is the hostname:port of the SMTP server +# - smtp-sender-from is the e-mail address of the sender +# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user (leave blank for no auth) +# +# smtp-sender-addr: +# smtp-sender-from: +# smtp-sender-user: +# smtp-sender-pass: + +# If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send +# emails to a topic e-mail address to publish messages to a topic. +# +# - smtp-server-listen defines the IP address and port the SMTP server will listen on, e.g. :25 or 1.2.3.4:25 +# - smtp-server-domain is the e-mail domain, e.g. ntfy.sh +# - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-", +# for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to +# $topic@ntfy.sh will be accepted (which may obviously be a spam problem). +# +# smtp-server-listen: +# smtp-server-domain: +# smtp-server-addr-prefix: + +# Web Push support (background notifications for browsers) +# +# If enabled, allows ntfy to receive push notifications, even when the ntfy web app is closed. When enabled, users +# can enable background notifications in the web app. Once enabled, ntfy will forward published messages to the push +# endpoint, which will then forward it to the browser. +# +# You must configure web-push-public/private key, web-push-file, and web-push-email-address below to enable Web Push. +# Run "ntfy webpush keys" to generate the keys. +# +# - web-push-public-key is the generated VAPID public key, e.g. AA1234BBCCddvveekaabcdfqwertyuiopasdfghjklzxcvbnm1234567890 +# - web-push-private-key is the generated VAPID private key, e.g. AA2BB1234567890abcdefzxcvbnm1234567890 +# - web-push-file is a database file to keep track of browser subscription endpoints, e.g. `/var/cache/ntfy/webpush.db` +# - web-push-email-address is the admin email address send to the push provider, e.g. `sysadmin@example.com` +# - web-push-startup-queries is an optional list of queries to run on startup` +# +# web-push-public-key: +# web-push-private-key: +# web-push-file: +# web-push-email-address: +# web-push-startup-queries: + +# If enabled, ntfy can perform voice calls via Twilio via the "X-Call" header. +# +# - twilio-account is the Twilio account SID, e.g. AC12345beefbeef67890beefbeef122586 +# - twilio-auth-token is the Twilio auth token, e.g. affebeef258625862586258625862586 +# - twilio-phone-number is the outgoing phone number you purchased, e.g. +18775132586 +# - twilio-verify-service is the Twilio Verify service SID, e.g. VA12345beefbeef67890beefbeef122586 +# +# twilio-account: +# twilio-auth-token: +# twilio-phone-number: +# twilio-verify-service: + +# Interval in which keepalive messages are sent to the client. This is to prevent +# intermediaries closing the connection for inactivity. +# +# Note that the Android app has a hardcoded timeout at 77s, so it should be less than that. +# +# keepalive-interval: "45s" + +# Interval in which the manager prunes old messages, deletes topics +# and prints the stats. +# +# manager-interval: "1m" + +# Defines topic names that are not allowed, because they are otherwise used. There are a few default topics +# that cannot be used (e.g. app, account, settings, ...). To extend the default list, define them here. +# +# Example: +# disallowed-topics: +# - about +# - pricing +# - contact +# +# disallowed-topics: + +# Defines the root path of the web app, or disables the web app entirely. +# +# Can be any simple path, e.g. "/", "/app", or "/ntfy". For backwards-compatibility reasons, +# the values "app" (maps to "/"), "home" (maps to "/app"), or "disable" (maps to "") to disable +# the web app entirely. +# +web-root: 'disable' + +# Various feature flags used to control the web app, and API access, mainly around user and +# account management. +# +# - enable-signup allows users to sign up via the web app, or API +# - enable-login allows users to log in via the web app, or API +# - enable-reservations allows users to reserve topics (if their tier allows it) +# +# enable-signup: false +# enable-login: false +# enable-reservations: false + +# Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh"). +# +# iOS users: +# If you use the iOS ntfy app, you MUST configure this to receive timely notifications. You'll like want this: +# upstream-base-url: "https://ntfy.sh" +# +# If set, all incoming messages will publish a "poll_request" message to the configured upstream server, containing +# the message ID of the original message, instructing the iOS app to poll this server for the actual message contents. +# This is to prevent the upstream server and Firebase/APNS from being able to read the message. +# +# - upstream-base-url is the base URL of the upstream server. Should be "https://ntfy.sh". +# - upstream-access-token is the token used to authenticate with the upstream server. This is only required +# if you exceed the upstream rate limits, or the uptream server requires authentication. +# +# upstream-base-url: +# upstream-access-token: + +# Rate limiting: Total number of topics before the server rejects new topics. +# +# global-topic-limit: 15000 + +# Rate limiting: Number of subscriptions per visitor (IP address) +# +# visitor-subscription-limit: 30 + +# Rate limiting: Allowed GET/PUT/POST requests per second, per visitor: +# - visitor-request-limit-burst is the initial bucket of requests each visitor has +# - visitor-request-limit-replenish is the rate at which the bucket is refilled +# - visitor-request-limit-exempt-hosts is a comma-separated list of hostnames, IPs or CIDRs to be +# exempt from request rate limiting. Hostnames are resolved at the time the server is started. +# Example: "1.2.3.4,ntfy.example.com,8.7.6.0/24" +# +# visitor-request-limit-burst: 60 +# visitor-request-limit-replenish: "5s" +# visitor-request-limit-exempt-hosts: "" + +# Rate limiting: Hard daily limit of messages per visitor and day. The limit is reset +# every day at midnight UTC. If the limit is not set (or set to zero), the request +# limit (see above) governs the upper limit. +# +# visitor-message-daily-limit: 0 + +# Rate limiting: Allowed emails per visitor: +# - visitor-email-limit-burst is the initial bucket of emails each visitor has +# - visitor-email-limit-replenish is the rate at which the bucket is refilled +# +# visitor-email-limit-burst: 16 +# visitor-email-limit-replenish: "1h" + +# Rate limiting: Attachment size and bandwidth limits per visitor: +# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor +# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor +# +# visitor-attachment-total-size-limit: "100M" +# visitor-attachment-daily-bandwidth-limit: "500M" + +# Rate limiting: Enable subscriber-based rate limiting (mostly used for UnifiedPush) +# +# If enabled, subscribers may opt to have published messages counted against their own rate limits, as opposed +# to the publisher's rate limits. This is especially useful to increase the amount of messages that high-volume +# publishers (e.g. Matrix/Mastodon servers) are allowed to send. +# +# Once enabled, a client may send a "Rate-Topics: ,,..." header when subscribing to topics via +# HTTP stream, or websockets, thereby registering itself as the "rate visitor", i.e. the visitor whose rate limits +# to use when publishing on this topic. Note: Setting the rate visitor requires READ-WRITE permission on the topic. +# +# UnifiedPush only: If this setting is enabled, publishing to UnifiedPush topics will lead to a HTTP 507 response if +# no "rate visitor" has been previously registered. This is to avoid burning the publisher's "visitor-message-daily-limit". +# +# visitor-subscriber-rate-limiting: false + +# Payments integration via Stripe +# +# - stripe-secret-key is the key used for the Stripe API communication. Setting this values +# enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys. +# - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe. +# Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks. +# - billing-contact is an email address or website displayed in the "Upgrade tier" dialog to let people reach +# out with billing questions. If unset, nothing will be displayed. +# +# stripe-secret-key: +# stripe-webhook-key: +# billing-contact: + +# Metrics +# +# ntfy can expose Prometheus-style metrics via a /metrics endpoint, or on a dedicated listen IP/port. +# Metrics may be considered sensitive information, so before you enable them, be sure you know what you are +# doing, and/or secure access to the endpoint in your reverse proxy. +# +# - enable-metrics enables the /metrics endpoint for the default ntfy server (i.e. HTTP, HTTPS and/or Unix socket) +# - metrics-listen-http exposes the metrics endpoint via a dedicated [IP]:port. If set, this option implicitly +# enables metrics as well, e.g. "10.0.1.1:9090" or ":9090" +# +# enable-metrics: false +# metrics-listen-http: + +# Profiling +# +# ntfy can expose Go's net/http/pprof endpoints to support profiling of the ntfy server. If enabled, ntfy will listen +# on a dedicated listen IP/port, which can be accessed via the web browser on http://:/debug/pprof/. +# This can be helpful to expose bottlenecks, and visualize call flows. See https://pkg.go.dev/net/http/pprof for details. +# +# profile-listen-http: + +# Logging options +# +# By default, ntfy logs to the console (stderr), with an "info" log level, and in a human-readable text format. +# ntfy supports five different log levels, can also write to a file, log as JSON, and even supports granular +# log level overrides for easier debugging. Some options (log-level and log-level-overrides) can be hot reloaded +# by calling "kill -HUP $pid" or "systemctl reload ntfy". +# +# - log-format defines the output format, can be "text" (default) or "json" +# - log-file is a filename to write logs to. If this is not set, ntfy logs to stderr. +# - log-level defines the default log level, can be one of "trace", "debug", "info" (default), "warn" or "error". +# Be aware that "debug" (and particularly "trace") can be VERY CHATTY. Only turn them on briefly for debugging purposes. +# - log-level-overrides lets you override the log level if certain fields match. This is incredibly powerful +# for debugging certain parts of the system (e.g. only the account management, or only a certain visitor). +# This is an array of strings in the format: +# - "field=value -> level" to match a value exactly, e.g. "tag=manager -> trace" +# - "field -> level" to match any value, e.g. "time_taken_ms -> debug" +# Warning: Using log-level-overrides has a performance penalty. Only use it for temporary debugging. +# +# Check your permissions: +# If you are running ntfy with systemd, make sure this log file is owned by the +# ntfy user and group by running: chown ntfy.ntfy . +# +# Example (good for production): +# log-level: info +# log-format: json +# log-file: /var/log/ntfy.log +# +# Example level overrides (for debugging, only use temporarily): +# log-level-overrides: +# - "tag=manager -> trace" +# - "visitor_ip=1.2.3.4 -> debug" +# - "time_taken_ms -> debug" +# +# log-level: info +# log-level-overrides: +# log-format: text +# log-file: diff --git a/roles/ntfy-server/handlers/main.yml b/roles/ntfy-server/handlers/main.yml new file mode 100644 index 0000000..1207786 --- /dev/null +++ b/roles/ntfy-server/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: ntfy-restart + service: + name: ntfy + state: restarted diff --git a/roles/ntfy-server/meta/main.yml b/roles/ntfy-server/meta/main.yml new file mode 100644 index 0000000..ff992ba --- /dev/null +++ b/roles/ntfy-server/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: ntfy diff --git a/roles/ntfy-server/tasks/main.yml b/roles/ntfy-server/tasks/main.yml new file mode 100644 index 0000000..e4ccfbf --- /dev/null +++ b/roles/ntfy-server/tasks/main.yml @@ -0,0 +1,50 @@ +--- +- name: Ensure system group exists + ansible.builtin.group: + name: 'ntfy' + gid: 203 + system: true + state: present + +- name: Ensure system user exists + ansible.builtin.user: + name: 'ntfy' + group: 'ntfy' + uid: 203 + system: true + create_home: false + +- name: Ensure data subvolume is present + community.general.btrfs_subvolume: + name: '/ntfy' + +- name: Ensure data subvolume permissions are correct + ansible.builtin.file: + path: '/mnt/data1/ntfy' + state: directory + mode: '0755' + owner: 'ntfy' + group: 'ntfy' + +- name: Ensure attachment directory is present + ansible.builtin.file: + path: '/mnt/data1/ntfy/attachments' + state: directory + mode: '0755' + owner: 'ntfy' + group: 'ntfy' + +- name: Ensure server config file is present + ansible.builtin.copy: + src: 'server.yml' + dest: '/etc/ntfy/server.yml' + mode: '0644' + owner: 'root' + group: 'root' + notify: 'ntfy-restart' + +- name: Ensure service is running & enabled + service: + name: ntfy + state: started + enabled: true diff --git a/roles/ntfy/tasks/main.yml b/roles/ntfy/tasks/main.yml new file mode 100644 index 0000000..ba92b37 --- /dev/null +++ b/roles/ntfy/tasks/main.yml @@ -0,0 +1,32 @@ +--- +- name: Ensure repository GPG key is present + ansible.builtin.apt_key: + url: 'https://archive.heckel.io/apt/pubkey.txt' + state: present + +- name: Ensure Apt repository is present + apt_repository: + repo: 'deb [arch=arm64] https://archive.heckel.io/apt debian main' + filename: ntfy + state: present + +- name: Ensure ntfy is installed + apt: + name: ntfy + state: present + +- name: Ensure configuration directory is present + ansible.builtin.file: + path: '/etc/ntfy' + state: directory + mode: '0755' + owner: 'root' + group: 'root' + +- name: Ensure client config file is present + ansible.builtin.template: + src: 'client.yml.j2' + dest: '/etc/ntfy/client.yml' + mode: '0644' + owner: 'root' + group: 'root' diff --git a/roles/ntfy/templates/client.yml.j2 b/roles/ntfy/templates/client.yml.j2 new file mode 100644 index 0000000..4df2c94 --- /dev/null +++ b/roles/ntfy/templates/client.yml.j2 @@ -0,0 +1,57 @@ +# ntfy client config file + +# Base URL used to expand short topic names in the "ntfy publish" and "ntfy subscribe" commands. +# If you self-host a ntfy server, you'll likely want to change this. +# +default-host: http://{{ hostvars[groups['ntfyserver'][0]].static_ip }}:8003 + +# Default credentials will be used with "ntfy publish" and "ntfy subscribe" if no other credentials are provided. +# You can set a default token to use or a default user:password combination, but not both. For an empty password, +# use empty double-quotes (""). +# +# To override the default user:password combination or default token for a particular subscription (e.g., to send +# no Authorization header), set the user:pass/token for the subscription to empty double-quotes (""). + +# default-token: + +default-user: pi +default-password: '{{ ntfy_user_pi_pass }}' + +# Default command will execute after "ntfy subscribe" receives a message if no command is provided in subscription below +# default-command: + +# Subscriptions to topics and their actions. This option is primarily used by the systemd service, +# or if you cann "ntfy subscribe --from-config" directly. +# +# Example: +# subscribe: +# - topic: mytopic +# command: /usr/local/bin/mytopic-triggered.sh +# - topic: myserver.com/anothertopic +# command: 'echo "$message"' +# if: +# priority: high,urgent +# - topic: secret +# command: 'notify-send "$m"' +# user: phill +# password: mypass +# - topic: token_topic +# token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2 +# +# Variables: +# Variable Aliases Description +# --------------- --------------------- ----------------------------------- +# $NTFY_ID $id Unique message ID +# $NTFY_TIME $time Unix timestamp of the message delivery +# $NTFY_TOPIC $topic Topic name +# $NTFY_MESSAGE $message, $m Message body +# $NTFY_TITLE $title, $t Message title +# $NTFY_PRIORITY $priority, $prio, $p Message priority (1=min, 5=max) +# $NTFY_TAGS $tags, $tag, $ta Message tags (comma separated list) +# $NTFY_RAW $raw Raw JSON message +# +# Filters ('if:'): +# You can filter 'message', 'title', 'priority' (comma-separated list, logical OR) +# and 'tags' (comma-separated list, logical AND). See https://ntfy.sh/docs/subscribe/api/#filter-messages. +# +# subscribe: diff --git a/web.yml b/web.yml index 7f4666a..2672558 100644 --- a/web.yml +++ b/web.yml @@ -16,3 +16,9 @@ roles: - monica-web tags: monica + +- hosts: web + become: yes + roles: + - ntfy-server-web + tags: ntfy