Self-host ntfy on pebble for private off-site alerts (ntfy.e.lyte.dev) #690
## What & why

The Tier 0 off-site uptime watcher (from #683, `lib/doc/alerting.md`) needs a push channel that does not depend on beefcake. Hosted ntfy.sh works, but locking/reserving a topic is a paid feature, so only an unauthenticated public topic is free there. Self-hosting ntfy gives topic auth for free, and pebble is the ideal host: external (Hetzner, static IP), already in the fleet, independent of beefcake, and a tiny footprint (~20 MB RSS measured against pebble's 3.2 GB free / 3.8 GB total).

Also introduces the `.e.lyte.dev` convention = external / not-home hosts (mirrors `.h` for home), as static records to a public IP (unlike the dynamic `.h` records written by dns-updater).

## Changes

- `dns-zones.nix`: `ntfy.e` A → pebble (204.168.181.230).
- `packages/hosts/pebble/ntfy.nix` (new): `services.ntfy-sh` on `127.0.0.1:2586`, `auth-default-access = deny-all`. Caddy in front (`ntfy.e.lyte.dev` resolves to it, so no DNS-01/TSIG like beefcake) + open `:80`/`:443`. `ExecStartPost` provisions a single `alerts` user (read-write on the `infra-alerts` topic) from a sops password (`--ignore-exists`, so it's a no-op on restart).
- `secrets/pebble/secrets.yml`: seed `ntfy-env` (`ALERTS_PASSWORD=…`, a generated 40-char random password) so the build-time sops-manifest check passes and the service is secure on first deploy (no CHANGEME placeholder).

## Testing

- `nix build …#pebble…toplevel` ✅
- `nix build …#beefcake…toplevel` ✅ (beefcake is the zone primary, so the DNS change builds there too)

## Exposure note

This adds Caddy + public `:80`/`:443` to pebble, which was previously DNS/mail-only. Surface is small: ntfy binds loopback, Caddy fronts it, and `deny-all` means only the `alerts` user can touch any topic.

## Deploy + post-deploy (yours)

- Deploy beefcake (serves the `ntfy.e` record as zone primary) and pebble.
- Set `NTFY_URL` → `https://ntfy.e.lyte.dev/infra-alerts`, add `NTFY_USER=alerts` + `NTFY_PASSWORD` (same value now in pebble sops), and subscribe the phone's ntfy app to `infra-alerts` with those creds.

Follow-up to #683 (which documents the Tier 0 watcher and keeps working on the public ntfy.sh topic until this lands).
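The module shape the Changes section describes, written out as an added example. This is not the PR's own `packages/hosts/pebble/ntfy.nix`; it assumes sops-nix for the `ntfy-env` secret, the default NixOS `auth-file` location under `/var/lib/ntfy-sh`, and ntfy's `NTFY_PASSWORD` environment variable for non-interactive `ntfy user add`. The user (`alerts`), topic (`infra-alerts`), port and hostname are the ones the PR names; everything else is an assumption.

```nix
# Added example (not the PR's file): ntfy behind Caddy with deny-all default
# access and a single provisioned user, as the PR description lays out.
{ config, pkgs, ... }:
let
  # Assumed: the NixOS module's default auth-file path in its state directory.
  authFile = "/var/lib/ntfy-sh/user.db";
  ntfy = "${config.services.ntfy-sh.package}/bin/ntfy";

  # Runs as ExecStartPost. ALERTS_PASSWORD is injected from the sops-managed
  # env file, so the password never lands in the Nix store.
  provisionAlertsUser = pkgs.writeShellScript "ntfy-provision-alerts" ''
    set -euo pipefail
    export NTFY_PASSWORD="$ALERTS_PASSWORD"
    # --ignore-exists: first boot creates the user, later restarts are a no-op.
    ${ntfy} user add --auth-file=${authFile} --role=user --ignore-exists alerts
    # Grant read-write on exactly one topic; everything else stays denied by
    # auth-default-access = deny-all below.
    ${ntfy} access --auth-file=${authFile} alerts infra-alerts read-write
  '';
in
{
  # Assumed sops-nix wiring: secrets/pebble/secrets.yml carries
  # ntfy-env with a line ALERTS_PASSWORD=<generated password>.
  sops.secrets."ntfy-env" = { };

  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.e.lyte.dev";
      listen-http = "127.0.0.1:2586";   # loopback only; Caddy is the sole way in
      behind-proxy = true;              # rate-limit per client IP, not per Caddy
      auth-file = authFile;
      auth-default-access = "deny-all"; # anonymous: no read, no write, any topic
    };
  };

  systemd.services.ntfy-sh.serviceConfig = {
    EnvironmentFile = config.sops.secrets."ntfy-env".path;
    ExecStartPost = [ provisionAlertsUser ];
  };

  # Caddy terminates TLS for ntfy.e.lyte.dev and proxies to the loopback port.
  services.caddy = {
    enable = true;
    virtualHosts."ntfy.e.lyte.dev".extraConfig = ''
      reverse_proxy 127.0.0.1:2586
    '';
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

A useful post-deploy check of the exposure claim: an unauthenticated `curl -d test https://ntfy.e.lyte.dev/infra-alerts` should be refused with 403 under `deny-all`, while the same request with `-u alerts:<password>` should be accepted; a publish to any other topic should be refused for both.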