From dbe11dc8fae413d22e758737256d2c210fdbd415 Mon Sep 17 00:00:00 2001
From: Adrian Cowan <othrayte@gmail.com>
Date: Sat, 18 Apr 2026 16:10:42 +1000
Subject: [PATCH] Add renovate and ntfy (unrelated)

---
 2-nomad-config/gitea.nomad.hcl          |  11 +++
 2-nomad-config/ntfy.nomad.hcl           | 100 ++++++++++++++++++++++++
 2-nomad-config/ntfy.tf                  |  22 ++++++
 2-nomad-config/renovate.nomad.hcl       |  64 +++++++++++++++
 2-nomad-config/renovate.tf              |  10 +++
 2-nomad-config/secrets/secrets.enc.json |  10 ++-
 6 files changed, 215 insertions(+), 2 deletions(-)
 create mode 100644 2-nomad-config/ntfy.nomad.hcl
 create mode 100644 2-nomad-config/ntfy.tf
 create mode 100644 2-nomad-config/renovate.nomad.hcl
 create mode 100644 2-nomad-config/renovate.tf

diff --git a/2-nomad-config/gitea.nomad.hcl b/2-nomad-config/gitea.nomad.hcl
index 8940bde..2f01ce7 100644
--- a/2-nomad-config/gitea.nomad.hcl
+++ b/2-nomad-config/gitea.nomad.hcl
@@ -37,6 +37,17 @@ job "gitea" {
       }
     }
 
+    # Separate service for Consul Connect ingress (address_mode=alloc avoids hairpin NAT issue)
+    service {
+      name         = "code-connect"
+      port         = "http"
+      address_mode = "alloc"
+
+      connect {
+        sidecar_service {}
+      }
+    }
+
     task "gitea" {
       driver = "docker"
 
diff --git a/2-nomad-config/ntfy.nomad.hcl b/2-nomad-config/ntfy.nomad.hcl
new file mode 100644
index 0000000..36fa0b6
--- /dev/null
+++ b/2-nomad-config/ntfy.nomad.hcl
@@ -0,0 +1,100 @@
+job "ntfy" {
+  group "ntfy" {
+    network {
+      mode = "bridge"
+      port "http" {
+        to = 80
+      }
+    }
+
+    # Consul Connect sidecar with upstream to postgres
+    service {
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "postgres"
+              local_bind_port  = 5432
+            }
+          }
+        }
+      }
+    }
+
+    service {
+      name = "ntfy"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.ntfy.middlewares=auth@file",
+        # Token subdomain bypasses Authelia — ntfy's own token auth is sufficient for API access
+        "traefik.http.routers.ntfy-token.rule=Host(`ntfy-2e30e5869ab6bfde4961012b48761a9b.othrayte.one`)",
+      ]
+
+      check {
+        type     = "http"
+        path     = "/healthz"
+        interval = "10s"
+        timeout  = "2s"
+      }
+    }
+
+    # Users and tokens are provisioned declaratively via auth-users / auth-tokens in server.yml.
+    # ntfy reads and applies them on every startup — no poststart task, no race conditions.
+    #
+    # Bcrypt hashes are not secrets and are hardcoded below (same as /etc/shadow — safe to commit).
+    # Generate with: docker run --rm -it binwiederhier/ntfy user hash
+    #            or: echo "mypassword" | docker run --rm -i binwiederhier/ntfy user hash
+    # For the diun account the plaintext is irrelevant (token-only auth); use a random password:
+    #            openssl rand -base64 32 | docker run --rm -i binwiederhier/ntfy user hash
+    #
+    # Required SOPS keys:
+    #   ntfy.database_pw  — postgres password for the ntfy role
+    #   diun.ntfy_token   — access token for Diun (actual secret — grants write access)
+    #                       Must start with "tk_" and be exactly 32 chars total.
+    #                       Generate: tok=$(openssl rand -hex 15); echo "tk_${tok:0:29}"
+    task "ntfy" {
+      driver = "docker"
+
+      config {
+        image   = "binwiederhier/ntfy:latest"
+        ports   = ["http"]
+        command = "serve"
+        volumes = [
+          "local/server.yml:/etc/ntfy/server.yml",
+        ]
+      }
+
+      env = {
+        TZ = "Australia/Melbourne"
+      }
+
+      template {
+        data        = <<EOF
+base-url: "https://ntfy.othrayte.one"
+listen-http: ":80"
+database-url: "postgres://ntfy:{{ with nomadVar "nomad/jobs/ntfy" }}{{ .database_pw }}{{ end }}@localhost:5432/ntfy"
+auth-default-access: "deny-all"
+behind-proxy: true
+enable-login: true
+auth-users:
+  - "admin:$2a$10$rLp4qagJnsA8Es5hQlISH.WrlzwMrXE2MBaEgz7zdd2lkAVu30lMy:admin"
+  - "diun:$2y$10$4wi1VG.Vp5p3Q2OEIXaTSOmwZm.G9dpNca9BqQRMdGGnk2yQqK3Gq:user"
+auth-tokens:
+  - "diun:{{with nomadVar "nomad/jobs/ntfy"}}{{.diun_token}}{{end}}:Diun"
+auth-access:
+  - "diun:diun:write-only"
+EOF
+        destination = "local/server.yml"
+      }
+
+      resources {
+        cpu        = 50
+        memory     = 64
+        memory_max = 128
+      }
+    }
+
+  }
+}
diff --git a/2-nomad-config/ntfy.tf b/2-nomad-config/ntfy.tf
new file mode 100644
index 0000000..5f7905d
--- /dev/null
+++ b/2-nomad-config/ntfy.tf
@@ -0,0 +1,22 @@
+resource "nomad_job" "ntfy" {
+  jobspec = file("ntfy.nomad.hcl")
+}
+
+resource "nomad_variable" "ntfy" {
+  path = "nomad/jobs/ntfy"
+  items = {
+    database_pw = data.sops_file.secrets.data["ntfy.database_pw"]
+    diun_token  = data.sops_file.secrets.data["diun.ntfy_token"]
+  }
+}
+
+resource "postgresql_role" "ntfy" {
+  name     = "ntfy"
+  password = data.sops_file.secrets.data["ntfy.database_pw"]
+  login    = true
+}
+
+resource "postgresql_database" "ntfy" {
+  name  = "ntfy"
+  owner = postgresql_role.ntfy.name
+}
diff --git a/2-nomad-config/renovate.nomad.hcl b/2-nomad-config/renovate.nomad.hcl
new file mode 100644
index 0000000..e2bf78b
--- /dev/null
+++ b/2-nomad-config/renovate.nomad.hcl
@@ -0,0 +1,64 @@
+job "renovate" {
+  type = "batch"
+
+  periodic {
+    cron             = "0 4 * * *" # Daily at 4am
+    prohibit_overlap = true
+  }
+
+  group "renovate" {
+    network {
+      mode = "bridge"
+    }
+
+    # Consul Connect sidecar with upstream to Gitea (service: code-connect, port 3000)
+    service {
+      name = "renovate"
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "code-connect"
+              local_bind_port  = 3000
+            }
+          }
+        }
+      }
+    }
+
+    task "renovate" {
+      driver = "docker"
+
+      config {
+        image = "renovate/renovate:latest"
+      }
+
+      env = {
+        RENOVATE_PLATFORM     = "gitea"
+        RENOVATE_ENDPOINT     = "http://localhost:3000"
+        RENOVATE_GIT_URL      = "endpoint"
+        RENOVATE_REPOSITORIES = "othrayte/infra"
+        RENOVATE_GIT_AUTHOR   = "Renovate Bot <renovate@othrayte.one>"
+        LOG_LEVEL             = "debug"
+      }
+
+      # Required SOPS key:
+      #   renovate.gitea_token  — PAT for the renovate bot account in Gitea
+      #   Create a dedicated 'renovate' user in Gitea with these token scopes:
+      #     repo (read+write), user (read), issue (read+write), organization (read)
+      template {
+        data        = <<EOF
+RENOVATE_TOKEN={{ with nomadVar "nomad/jobs/renovate" }}{{ .gitea_token }}{{ end }}
+EOF
+        destination = "secrets/renovate.env"
+        env         = true
+      }
+
+      resources {
+        cpu        = 500
+        memory     = 512
+        memory_max = 1024
+      }
+    }
+  }
+}
diff --git a/2-nomad-config/renovate.tf b/2-nomad-config/renovate.tf
new file mode 100644
index 0000000..c052129
--- /dev/null
+++ b/2-nomad-config/renovate.tf
@@ -0,0 +1,10 @@
+resource "nomad_job" "renovate" {
+  jobspec = file("renovate.nomad.hcl")
+}
+
+resource "nomad_variable" "renovate" {
+  path = "nomad/jobs/renovate"
+  items = {
+    gitea_token = data.sops_file.secrets.data["renovate.gitea_token"]
+  }
+}
diff --git a/2-nomad-config/secrets/secrets.enc.json b/2-nomad-config/secrets/secrets.enc.json
index c3b502a..066475b 100644
--- a/2-nomad-config/secrets/secrets.enc.json
+++ b/2-nomad-config/secrets/secrets.enc.json
@@ -49,6 +49,12 @@
 	"openreader": {
 		"database_pw": "ENC[AES256_GCM,data:2Ey9Ypb2Ked/LP/ApJhCqhKWuzognxVK7ku60nERp7I=,iv:KdLFD+fuNpYmPEU5G96SvFcQeZB0XlnOh/6uf7OfFqI=,tag:h7DQlqx5fxhiHuWyFd7svQ==,type:str]"
 	},
+	"ntfy": {
+		"database_pw": "ENC[AES256_GCM,data:79c2KFs3tcbet1dSGnkSDlAeKLCZrh4aMYLXTROM8w==,iv:eZ4limyjl++nsvHUzPKy82hfLZEOc+XQYpO6Czo/8os=,tag:iX9SiEACQ5IM8f1jhZh5Qw==,type:str]"
+	},
+	"renovate": {
+		"gitea_token": "ENC[AES256_GCM,data:/J3CDMgWZLe20oQ+ENKBMi8fs/+jgsARV7xihMq0OLmRk8C8ae/IXg==,iv:e7WYOanSOCZ/LhN6SKrH0VrR3xLPTTppOKpGpSl+oAc=,tag:XBAilRdK3jL7WtM+92Fsmg==,type:str]"
+	},
 	"sops": {
 		"age": [
 			{
@@ -56,8 +62,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2026-04-04T05:12:13Z",
-		"mac": "ENC[AES256_GCM,data:P1WUI3bLnB1PFKlhO6M0FXZQ5T9fse1uwus4j7y9D3o1DNHHpq7wZdkXbedtpy3MikQGrXdAlS/jlyWW52CeOoFXdMmdiFNmnlO63BMOiySaoDJ9TyR0Bxf3n5urx7HxgYTQxCSPCaxovtAnQma8i+ckSr3jqJHDchEJlJX4LOc=,iv:+Y2Ml8rKmx8tIlYRGMsvfZMS3PtlwD7Bd6chYPk7EdA=,tag:rQwp7qEpLkQfeNCrfvbYMA==,type:str]",
+		"lastmodified": "2026-04-18T06:07:22Z",
+		"mac": "ENC[AES256_GCM,data:4UJMEZNS8HXtn1vIJ+qCkBJL5oh3Jp7wbaGm5hMiSNPseNq3smTYmMgh+TNK4t/K7yxfukTuhEFTUsnMfi7rIxTrbCpcTdnqJSYm/iflkdA57Tx+mHpY9iG7wtRmObow18Ea0rj6foMu+1V8pVFomzhc/ipafinTCuqodKW1a2Y=,iv:Gu/Lh8mir36ltN++qJg122ry+eJA0GKSrfijulYM7q4=,tag:5tjBzrCZcQUvc76No+E9Ow==,type:str]",
 		"encrypted_regex": "^(.*)$",
 		"version": "3.10.2"
 	}