draft: ntfy server

hosts

@@ -72,6 +72,9 @@ pyrocufflink-dns
 [nextcloud]
 cloud0.pyrocufflink.blue
 
+[ntfy:children]
+synapse
+
 [ntpd]
 dc0.pyrocufflink.blue
 

ntfy.yml

@@ -0,0 +1,5 @@
+- hosts: ntfy
+  roles:
+  - role: ntfy
+    tags:
+    - ntfy

roles/ntfy/defaults/main.yml

@@ -0,0 +1,11 @@
+ntfy_version: 1.12.1
+ntfy_arch: '{{ _ntfy_arch_map[ansible_architecture] }}'
+ntfy_archive_name: ntfy_{{ ntfy_version }}_linux_{{ ntfy_arch }}
+ntfy_archive_file: '{{ ntfy_archive_name }}.tar.gz'
+ntfy_archive_sha256: >-
+  1580ce89b7fc6bb7c46479abfd29268439fa0437978aac5b8257c1acc1ce3d1c
+ntfy_download_url: >-
+  https://github.com/binwiederhier/ntfy/releases/download/v{{ ntfy_version }}/{{ ntfy_archive_file }}
+
+ntfy_server_name: ntfy.pyrocufflink.blue
+ntfy_server_alias: ntfy.pyrocufflink.net

roles/ntfy/files/.gitignore

@@ -0,0 +1 @@
+ntfy_*_linux*

roles/ntfy/files/ntfy.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=ntfy
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/ntfy serve
+WorkingDirectory=/var/lib/ntfy
+User=ntfy
+Group=ntfy
+
+[Install]
+WantedBy=multi-user.target

roles/ntfy/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: reload systemd  # noqa: command-instead-of-module
+  command: systemctl daemon-reload
+
+- name: restart ntfy
+  service:
+    name: ntfy
+    state: restarted

roles/ntfy/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: apache
+  tags: apache

roles/ntfy/tasks/main.yml

@@ -0,0 +1,129 @@
+- name: ensure ntfy system group exists
+  group:
+    name: ntfy
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure ntfy system user exists
+  user:
+    name: ntfy
+    group: ntfy
+    system: true
+    home: /var/lib/ntfy
+    createhome: no
+    state: present
+  tags:
+  - user
+
+- name: ensure ntfy data directory exists
+  file:
+    path: /var/lib/ntfy
+    mode: u=rwx,go=
+    owner: ntfy
+    group: ntfy
+    state: directory
+  tags:
+  - datadir
+
+- name: download ntfy archive
+  become: false
+  delegate_to: localhost
+  get_url:
+    url: '{{ ntfy_download_url }}'
+    dest: roles/ntfy/files/{{ ntfy_archive_file }}
+    checksum: sha256:{{ ntfy_archive_sha256 }}
+  tags:
+  - download
+- name: extract ntfy archive
+  become: false
+  delegate_to: localhost
+  unarchive:
+    src: '{{ playbook_dir }}/roles/ntfy/files/{{ ntfy_archive_file }}'
+    dest: '{{ playbook_dir }}/roles/ntfy/files'
+    creates: roles/ntfy/files/{{ ntfy_archive_name }}/ntfy
+    remote_src: true
+  tags:
+  - download
+  - unarchive
+
+- name: ensure ntfy is installed
+  copy:
+    src: roles/ntfy/files/{{ ntfy_archive_name }}/ntfy
+    dest: /usr/local/bin/ntfy
+    mode: u=rwx,go=rx
+    owner: root
+    group: root
+  args:
+    diff: false
+  tags:
+  - install
+
+- name: ensure ntfy systemd unit is installed
+  copy:
+    src: ntfy.service
+    dest: /etc/systemd/system/ntfy.service
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+
+- name: ensure ntfy configuration directory exists
+  file:
+    path: /etc/ntfy
+    mode: u=rwx,g=rx,o=
+    owner: root
+    group: ntfy
+    state: directory
+  tags:
+  - config
+- name: ensure ntfy is configured
+  copy:
+    dest: /etc/ntfy/server.yml
+    mode: u=rw,g=r,o=
+    owner: root
+    group: ntfy
+    content: |
+      {{ ntfy_config|to_nice_yaml }}
+  notify:
+  - restart ntfy
+  tags:
+  - config
+
+- name: ensure ntfy starts at boot
+  service:
+    name: ntfy
+    enabled: true
+  tags:
+  - service
+- name: flush handlers
+  meta: flush_handlers
+- name: ensure ntfy is running
+  service:
+    name: ntfy
+    state: started
+  tags:
+  - service
+
+- name: ensure selinux allows apache to proxy for ntfy
+  seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+  tags:
+  - selinux
+- name: ensure apache is configured to proxy for ntfy
+  template:
+    src: ntfy.httpd.conf.j2
+    dest: /etc/httpd/conf.d/ntfy.conf
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload httpd
+  tags:
+  - apache-config

roles/ntfy/templates/ntfy.httpd.conf.j2

@@ -0,0 +1,25 @@
+<VirtualHost _default_:443>
+    ServerName {{ ntfy_server_name }}
+{% if ntfy_server_alias|d %}
+    ServerAlias {{ ntfy_server_alias }}
+{% endif %}
+
+    Include conf.d/ssl.include
+    
+    SSLCertificateFile {{ apache_ssl_certificate }}
+    SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+    SSLCertificateChainFile {{ apache_ssl_certificate }}
+    {% if apache_ssl_ca_certificate is defined %}
+    SSLCACertificateFile {{ apache_ssl_ca_certificate }}
+    {% endif %}
+
+    SetEnv proxy-nokeepalive 1
+    SetEnv proxy-sendchunked 1
+
+    ProxyRequests Off
+    ProxyPass / http://[::1]:2586/
+    ProxyPassReverse / http://[::1]:2586
+    ProxyPreserveHost On
+
+    LimitRequestBody 102400
+</VirtualHost>

roles/ntfy/vars/main.yml

@@ -0,0 +1,8 @@
+_ntfy_arch_map:
+  x86_64: x86_64
+  aarch64: arm64
+  armv7l: armv7
+
+ntfy_config:
+  listen-http: '[::1]:2586'
+  behind-proxy: true