Add renovate and ntfy (unrelated)

2026-04-18 16:10:42 +10:00
parent b27f3e58ca
commit dbe11dc8fa
6 changed files with 215 additions and 2 deletions
--- a/2-nomad-config/ntfy.nomad.hcl
+++ b/2-nomad-config/ntfy.nomad.hcl
@@ -0,0 +1,100 @@
+job "ntfy" {
+  group "ntfy" {
+    network {
+      mode = "bridge"
+      port "http" {
+        to = 80
+      }
+    }
+
+    # Consul Connect sidecar with upstream to postgres
+    service {
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "postgres"
+              local_bind_port  = 5432
+            }
+          }
+        }
+      }
+    }
+
+    service {
+      name = "ntfy"
+      port = "http"
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.ntfy.middlewares=auth@file",
+        # Token subdomain bypasses Authelia — ntfy's own token auth is sufficient for API access
+        "traefik.http.routers.ntfy-token.rule=Host(`ntfy-2e30e5869ab6bfde4961012b48761a9b.othrayte.one`)",
+      ]
+
+      check {
+        type     = "http"
+        path     = "/healthz"
+        interval = "10s"
+        timeout  = "2s"
+      }
+    }
+
+    # Users and tokens are provisioned declaratively via auth-users / auth-tokens in server.yml.
+    # ntfy reads and applies them on every startup — no poststart task, no race conditions.
+    #
+    # Bcrypt hashes are not secrets and are hardcoded below (same as /etc/shadow — safe to commit).
+    # Generate with: docker run --rm -it binwiederhier/ntfy user hash
+    #            or: echo "mypassword" | docker run --rm -i binwiederhier/ntfy user hash
+    # For the diun account the plaintext is irrelevant (token-only auth); use a random password:
+    #            openssl rand -base64 32 | docker run --rm -i binwiederhier/ntfy user hash
+    #
+    # Required SOPS keys:
+    #   ntfy.database_pw  — postgres password for the ntfy role
+    #   diun.ntfy_token   — access token for Diun (actual secret — grants write access)
+    #                       Must start with "tk_" and be exactly 32 chars total.
+    #                       Generate: tok=$(openssl rand -hex 15); echo "tk_${tok:0:29}"
+    task "ntfy" {
+      driver = "docker"
+
+      config {
+        image   = "binwiederhier/ntfy:latest"
+        ports   = ["http"]
+        command = "serve"
+        volumes = [
+          "local/server.yml:/etc/ntfy/server.yml",
+        ]
+      }
+
+      env = {
+        TZ = "Australia/Melbourne"
+      }
+
+      template {
+        data        = <<EOF
+base-url: "https://ntfy.othrayte.one"
+listen-http: ":80"
+database-url: "postgres://ntfy:{{ with nomadVar "nomad/jobs/ntfy" }}{{ .database_pw }}{{ end }}@localhost:5432/ntfy"
+auth-default-access: "deny-all"
+behind-proxy: true
+enable-login: true
+auth-users:
+  - "admin:$2a$10$rLp4qagJnsA8Es5hQlISH.WrlzwMrXE2MBaEgz7zdd2lkAVu30lMy:admin"
+  - "diun:$2y$10$4wi1VG.Vp5p3Q2OEIXaTSOmwZm.G9dpNca9BqQRMdGGnk2yQqK3Gq:user"
+auth-tokens:
+  - "diun:{{with nomadVar "nomad/jobs/ntfy"}}{{.diun_token}}{{end}}:Diun"
+auth-access:
+  - "diun:diun:write-only"
+EOF
+        destination = "local/server.yml"
+      }
+
+      resources {
+        cpu        = 50
+        memory     = 64
+        memory_max = 128
+      }
+    }
+
+  }
+}