Switch to using an external Ntfy role
The newly extracted role also has native Traefik support, so we no longer need to rely on `matrix-nginx-proxy` for reverse-proxying to Ntfy. The new role uses port `80` inside the container (not `8080`, like before), because that's the default assumption of the officially published container image. Using a custom port (like `8080`) means the default healthcheck command (which hardcodes port `80`) doesn't work. Rather than fiddling to override the healthcheck command, we've decided to stick to the default port. This only affects the inside-the-container port, not any external ports. The new role also supports adding the network ranges of the container's multiple additional networks as "exempt hosts". Previously, only one network's address range was added to "exempt hosts".
@ -91,11 +91,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_se
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname }}`)"
|
||||
|
||||
# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
|
@ -109,18 +109,6 @@ traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled %}
|
||||
# ntfy
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
|
||||
|
@ -21,7 +21,7 @@
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
|
||||
set $backend "matrix-ntfy:8080";
|
||||
set $backend "matrix-ntfy:80";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
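Review bot: The new `set $backend "matrix-ntfy:80";` line carries no comment tying the port to the external role, and the in-container port is now a privileged one. The removed systemd unit further down this page started the container with `--user=...` and `--cap-drop=ALL`; if the external role keeps that hardening (it is not shown here), binding port 80 relies on the container runtime permitting unprivileged low ports, so it is worth confirming the role did not add capabilities or drop the non-root user to make it work. I would add a template comment above the line such as `{# ntfy listens on its image-default port 80 inside the container; keep in sync with the external ntfy role #}`. The enclosing block starts and ends outside the hunk.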
|
||||
|
@ -1,56 +0,0 @@
|
||||
---
|
||||
# Project source code URL: https://github.com/binwiederhier/ntfy
|
||||
|
||||
matrix_ntfy_enabled: true
|
||||
|
||||
matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy"
|
||||
matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config"
|
||||
matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data"
|
||||
|
||||
matrix_ntfy_version: v2.0.0
|
||||
matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}"
|
||||
matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}"
|
||||
|
||||
# Public facing base URL of the ntfy service
|
||||
matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}"
|
||||
|
||||
# Rate limits
|
||||
|
||||
matrix_ntfy_global_topic_limit: 15000 # default
|
||||
matrix_ntfy_visitor_subscription_limit: 30 # default
|
||||
matrix_ntfy_visitor_request_limit_burst: 60 # default
|
||||
matrix_ntfy_visitor_request_limit_replenish: "5s" # default
|
||||
|
||||
|
||||
# Controls whether the container exposes its HTTP port (tcp/80 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:2586"), or empty string to not expose.
|
||||
matrix_ntfy_container_http_host_bind_port: ''
|
||||
|
||||
# A list of extra arguments to pass to the container (`docker run` command)
|
||||
matrix_ntfy_container_extra_arguments: []
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_ntfy_self_check_validate_certificates: true
|
||||
|
||||
# Default ntfy configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_ntfy_configuration_extension_yaml`)
|
||||
# or completely replace this variable with your own template.
|
||||
matrix_ntfy_configuration_yaml: "{{ lookup('template', 'templates/ntfy/server.yml.j2') }}"
|
||||
|
||||
matrix_ntfy_configuration_extension_yaml: |
|
||||
# Your custom YAML configuration for ntfy goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_ntfy_configuration_yaml`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_ntfy_configuration_yaml`.
|
||||
|
||||
matrix_ntfy_configuration_extension: "{{ matrix_ntfy_configuration_extension_yaml | from_yaml if matrix_ntfy_configuration_extension_yaml | from_yaml is mapping else {} }}"
|
||||
|
||||
# Holds the final ntfy configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_ntfy_configuration_yaml`.
|
||||
matrix_ntfy_configuration: "{{ matrix_ntfy_configuration_yaml | from_yaml | combine(matrix_ntfy_configuration_extension, recursive=True) }}"
|
@ -1,23 +0,0 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- when: matrix_ntfy_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-ntfy
|
||||
- install-all
|
||||
- install-ntfy
|
||||
|
||||
- block:
|
||||
- when: not matrix_ntfy_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-ntfy
|
||||
|
||||
- block:
|
||||
- when: matrix_ntfy_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
|
||||
tags:
|
||||
- self-check
|
@ -1,27 +0,0 @@
|
||||
---
|
||||
|
||||
# Query an arbitrary ntfy topic using ntfy's UnifiedPush topic name syntax.
|
||||
# Expect an empty response (because we query 'since=1s').
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_ntfy_url_endpoint_public: "{{ matrix_ntfy_base_url }}/upSELFCHECK123/json?poll=1&since=1s"
|
||||
|
||||
- name: Check ntfy
|
||||
ansible.builtin.uri:
|
||||
url: "{{ matrix_ntfy_url_endpoint_public }}"
|
||||
follow_redirects: none
|
||||
validate_certs: "{{ matrix_ntfy_self_check_validate_certificates }}"
|
||||
register: matrix_ntfy_self_check_result
|
||||
check_mode: false
|
||||
ignore_errors: true
|
||||
delegate_to: 127.0.0.1
|
||||
become: false
|
||||
|
||||
- name: Fail if ntfy not working
|
||||
ansible.builtin.fail:
|
||||
msg: "Failed checking ntfy is up at `{{ matrix_server_fqn_ntfy }}` (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`). Is ntfy running? Is port 443 open in your firewall? Full error: {{ matrix_ntfy_self_check_result }}"
|
||||
when: "matrix_ntfy_self_check_result.failed"
|
||||
|
||||
- name: Report working ntfy
|
||||
ansible.builtin.debug:
|
||||
msg: "ntfy at `{{ matrix_server_fqn_ntfy }}` is working (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`)"
|
@ -1,38 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Ensure matrix-ntfy image is pulled
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_ntfy_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_ntfy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ntfy_docker_image_force_pull }}"
|
||||
register: result
|
||||
retries: "{{ devture_playbook_help_container_retries_count }}"
|
||||
delay: "{{ devture_playbook_help_container_retries_delay }}"
|
||||
until: result is not failed
|
||||
|
||||
- name: Ensure matrix-ntfy paths exists
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- "{{ matrix_ntfy_base_path }}"
|
||||
- "{{ matrix_ntfy_config_dir_path }}"
|
||||
- "{{ matrix_ntfy_data_path }}"
|
||||
|
||||
- name: Ensure matrix-ntfy config installed
|
||||
ansible.builtin.copy:
|
||||
content: "{{ matrix_ntfy_configuration | to_nice_yaml(indent=2, width=999999) }}"
|
||||
dest: "{{ matrix_ntfy_config_dir_path }}/server.yml"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure matrix-ntfy.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-ntfy.service.j2"
|
||||
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
|
||||
mode: 0644
|
@ -1,25 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Check existence of matrix-ntfy service
|
||||
ansible.builtin.stat:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
|
||||
register: matrix_ntfy_service_stat
|
||||
|
||||
- when: matrix_ntfy_service_stat.stat.exists | bool
|
||||
block:
|
||||
- name: Ensure matrix-ntfy is stopped
|
||||
ansible.builtin.service:
|
||||
name: matrix-ntfy
|
||||
state: stopped
|
||||
enabled: false
|
||||
daemon_reload: true
|
||||
|
||||
- name: Ensure matrix-ntfy.service doesn't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
|
||||
state: absent
|
||||
|
||||
- name: Ensure matrix-ntfy path doesn't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_ntfy_base_path }}"
|
||||
state: absent
|
@ -1,11 +0,0 @@
|
||||
base_url: {{ matrix_ntfy_base_url }}
|
||||
behind_proxy: true
|
||||
cache_file: /data/cache.db
|
||||
listen-http: :8080
|
||||
|
||||
# Rate Limits
|
||||
global-topic-limit: {{ matrix_ntfy_global_topic_limit | to_json }}
|
||||
visitor-subscription-limit: {{ matrix_ntfy_visitor_subscription_limit | to_json }}
|
||||
|
||||
visitor-request-limit-burst: {{ matrix_ntfy_visitor_request_limit_burst | to_json }}
|
||||
visitor-request-limit-replenish: "{{ matrix_ntfy_visitor_request_limit_replenish }}"
|
@ -1,39 +0,0 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=matrix-ntfy
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--env NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS={{matrix_server_fqn_matrix}},localhost,$(docker network inspect {{matrix_docker_network}} -f "{% raw %}{{ (index .IPAM.Config 0).Subnet }}{% endraw %}") \
|
||||
{% for arg in matrix_ntfy_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_ntfy_container_http_host_bind_port %}
|
||||
-p {{ matrix_ntfy_container_http_host_bind_port }}:8080 \
|
||||
{% endif %}
|
||||
--mount type=bind,src={{ matrix_ntfy_config_dir_path }},dst=/etc/ntfy,ro \
|
||||
--mount type=bind,src={{ matrix_ntfy_data_path }},dst=/data \
|
||||
{{ matrix_ntfy_docker_image }} \
|
||||
serve'
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-ntfy
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -11,3 +11,6 @@ matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled: true
|
||||
|
||||
# Controls if (`matrix_grafana` -> `grafana`) validation will run.
|
||||
matrix_playbook_migration_matrix_grafana_migration_validation_enabled: true
|
||||
|
||||
# Controls if (`matrix_ntfy` -> `ntfy`) validation will run.
|
||||
matrix_playbook_migration_matrix_ntfy_migration_validation_enabled: true
|
||||
|
@ -82,7 +82,7 @@
|
||||
when: "matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars | length > 0"
|
||||
|
||||
- when: matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled | bool
|
||||
block:
|
||||
block:ntfy
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_playbook_migration_backup_borg_migration_vars: |-
|
||||
{{ vars | dict2items | selectattr('key', 'match', 'matrix_backup_borg_.*') | list | items2dict }}
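Review bot: The `block:` / `block:ntfy` pair in this hunk looks like a stray edit: the rendering has lost the +/- markers, but the hunk header allows exactly one changed line, and if `block:ntfy` is the new side then the borg-backup validation task no longer has a valid `block` key. Without a space after the colon YAML reads `block:ntfy` as a plain scalar rather than a mapping key, so the task file would likely fail to parse and none of the migration checks in it would run. The line should stay `block:`. The ntfy check added in the following hunk (`-110,3 +110,18`) already has its own `when:`/`block:` pair, so nothing needs to be added here.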
|
||||
@ -110,3 +110,18 @@
|
||||
Please change your configuration (vars.yml) to rename all variables (`matrix_grafana_` -> `grafana_`).
|
||||
We found usage of the following variables: {{ matrix_playbook_migration_grafana_migration_vars.keys() | join(', ') }}
|
||||
when: "matrix_playbook_migration_grafana_migration_vars | length > 0"
|
||||
|
||||
- when: matrix_playbook_migration_matrix_ntfy_migration_validation_enabled | bool
|
||||
block:
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_playbook_migration_ntfy_migration_vars: |-
|
||||
{{ vars | dict2items | selectattr('key', 'match', 'matrix_ntfy_.*') | list | items2dict }}
|
||||
|
||||
- name: (Deprecation) Catch and report matrix_ntfy variables
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
The matrix-ntfy role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/ntfy.
|
||||
The new role is compatible with the old one, but uses different names for its variables.
|
||||
Please change your configuration (vars.yml) to rename all variables (`matrix_ntfy_` -> `ntfy_`).
|
||||
We found usage of the following variables: {{ matrix_playbook_migration_ntfy_migration_vars.keys() | join(', ') }}
|
||||
when: "matrix_playbook_migration_ntfy_migration_vars | length > 0"
|
||||
|