a8545fc501
The previous Type=oneshot + RemainAfterExit=true pattern made systemd freeze pod units in 'active (exited)' as soon as 'podman play kube' returned, so crash-looping containers were invisible to 'systemctl --user --failed' and Restart=on-failure never fired.

For every podman-pod role (immich, fdroid, ntfy, gitea, qfieldcloud, unifi, matrix, uptime_kuma):
- switch units to Type=notify + NotifyAccess=all
- run 'podman kube play --service-container=true' so the unit's main PID stays alive as long as the pod
- use 'podman kube down' for ExecStop
- add TimeoutStartSec=180 to cover slow first-boot image pulls

Pod manifests: flip every container's restartPolicy from Always to Never. systemd is now the single owner of the restart loop: container exits -> pod dies -> service container dies -> unit fails -> Restart=on-failure restarts everything cleanly. With Always, podman retried internally and hid the failure from systemd.

CLAUDE.md updated to document the new canonical template and the 'restartPolicy: Never' requirement.
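The unit shape the commit describes, as an added example that is not the repository's own template: a shell function renders the Type=notify user unit for a pod, and a small lint rejects manifests that still carry restartPolicy: Always. The unit name, file paths, RestartSec/TimeoutStopSec values and the --replace flag are assumptions; Type=notify, NotifyAccess=all, --service-container=true, podman kube down and TimeoutStartSec=180 are the settings the commit names. The two sample manifests are constructed for the lint.

```shell
#!/bin/sh
# Added example, not part of the repository: the canonical unit the commit
# message describes, rendered from a template, plus a lint that rejects pod
# manifests still carrying "restartPolicy: Always". Unit name, paths,
# RestartSec/TimeoutStopSec and the --replace flag are assumptions.

# Print a user unit for pod NAME whose manifest lives at MANIFEST.
# --service-container=true keeps a small service container alive for the life
# of the pod and lets podman send READY=1, so the unit's main PID exits only
# when the pod is gone and Restart=on-failure actually fires.
render_pod_unit() {
  name=$1
  manifest=$2
  cat <<EOF
[Unit]
Description=Podman pod: ${name}
Wants=network-online.target
After=network-online.target

[Service]
Type=notify
NotifyAccess=all
# first boot may have to pull images; the default 90 s start timeout is too short
TimeoutStartSec=180
TimeoutStopSec=70
Restart=on-failure
RestartSec=10
ExecStart=/usr/bin/podman kube play --replace --service-container=true ${manifest}
ExecStop=/usr/bin/podman kube down ${manifest}

[Install]
WantedBy=default.target
EOF
}

# Return 1 if MANIFEST still asks podman to restart containers itself; that
# hides crash loops from systemd, which must be the only restart owner.
check_restart_policy() {
  if grep -Eq '^[[:space:]]*restartPolicy:[[:space:]]*Always([[:space:]]|$)' "$1"; then
    echo "$1: restartPolicy: Always found; podman would retry internally and hide the failure from systemd" >&2
    return 1
  fi
  return 0
}

# Constructed sample manifests (not the role's real ones) to exercise the lint.
SAMPLE_DIR=$(mktemp -d)
OLD_MANIFEST=$SAMPLE_DIR/ntfy-old.yml
NEW_MANIFEST=$SAMPLE_DIR/ntfy-new.yml
cat >"$OLD_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: ntfy
spec:
  restartPolicy: Always
  containers:
    - name: ntfy
      image: docker.io/binwiederhier/ntfy:latest
      args: ["serve"]
EOF
sed 's/restartPolicy: Always/restartPolicy: Never/' "$OLD_MANIFEST" >"$NEW_MANIFEST"

render_pod_unit ntfy "$NEW_MANIFEST"
check_restart_policy "$OLD_MANIFEST" || echo "old manifest rejected, as intended"
check_restart_policy "$NEW_MANIFEST" && echo "new manifest accepted"
```

Run the lint over every role's pod manifest before enabling the unit; with restartPolicy: Never a container exit takes the pod down, the service container exits, the unit fails and systemd, not podman, decides whether to restart.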
ntfy - Simple Notification Service
Deploys ntfy - a simple HTTP-based pub-sub notification service.
Security Model
Secure by default:
- auth-default-access: deny-all - No anonymous access
- enable-signup: false - No public registration
- enable-login: true - Authentication required
- enable-reservations: true - Only authenticated users can reserve topics
All notifications require authentication to send or receive.
Configuration
Required Variables
Set in inventory or vault:
ntfy_admin_password: "your-secure-password-here" # Min 12 chars
Optional Variables
See defaults/main.yml for all configuration options.
Key settings:
ntfy_version: latest
ntfy_port: 8080
ntfy_base_url: http://localhost:8080  # should match the URL clients use (e.g. https://ntfy.nas.local when nginx is enabled); attachment links are built from it
ntfy_admin_user: admin
# Nginx reverse proxy
ntfy_nginx_enabled: false
ntfy_nginx_hostname: ntfy.nas.local
Usage
Managing Users
List users:
podman exec ntfy ntfy user list
Add user (prompts for a password, so allocate a terminal):
podman exec -it ntfy ntfy user add <username>
Change password (also prompts):
podman exec -it ntfy ntfy user change-pass <username>
Remove user:
podman exec ntfy ntfy user remove <username>
Managing Topic Access
Grant access to a topic (with auth-default-access: deny-all a user can neither publish nor subscribe until granted; a topic pattern ending in * matches every topic with that prefix):
podman exec ntfy ntfy access <username> <topic> <permission>
Permissions: read-write, read-only, write-only, deny
Example:
# Allow user to publish and subscribe to "alerts" topic
podman exec ntfy ntfy access alice alerts read-write
# Allow user to only publish to "monitoring" topic
podman exec ntfy ntfy access bob monitoring write-only
List access control:
podman exec ntfy ntfy access
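The user and topic-access commands above applied as a least-privilege policy, as an added example that is not part of the role: machines that only send get write-only, people that only read get read-only, and nothing else is granted because the default is deny-all. The policy table, user names and topics are constructed; the container name ntfy and the ntfy user / ntfy access commands are the ones this README documents. By default the script only prints the podman commands it would run.

```shell
#!/bin/sh
# Added example, not part of the role: provision per-topic grants from a small
# inline policy (publishers write-only, consumers read-only, operators
# read-write). Policy lines, user names and topics are constructed samples.

CONTAINER=${NTFY_CONTAINER:-ntfy}

# Run a command, or just print it when DRY_RUN=1, so the plan can be reviewed
# before anything touches the live ACL.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Map a policy role to the permission keyword ntfy expects.
perm_for_role() {
  case $1 in
    publisher)  echo write-only ;;
    subscriber) echo read-only ;;
    operator)   echo read-write ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Policy: "user role topic", one grant per line (constructed sample).
# A backup host and Uptime Kuma may only publish; alice may only read.
POLICY='
backup-host publisher backups
uptime-kuma publisher monitoring
alice subscriber backups
alice subscriber monitoring
bob operator alerts
'

# Users the policy refers to; they must exist before grants are applied
# ("ntfy user add" prompts for a password, so create them interactively).
policy_users() {
  printf '%s\n' "$POLICY" | awk 'NF == 3 { print $1 }' | sort -u
}

# Apply every grant; an unknown role aborts the run with a non-zero status.
apply_policy() {
  printf '%s\n' "$POLICY" | while read -r user role topic; do
    [ -n "$user" ] || continue
    perm=$(perm_for_role "$role") || exit 1   # exits the loop's subshell
    run podman exec "$CONTAINER" ntfy access "$user" "$topic" "$perm"
  done
}

# Default to a dry run; APPLY=1 executes the podman commands for real.
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1
echo "# users that must exist (podman exec -it $CONTAINER ntfy user add <name>):"
policy_users | sed 's/^/#   /'
echo "# grants:"
apply_policy
```

Review the printed plan, create the listed users, then re-run with APPLY=1. Keeping the sender accounts write-only means a leaked token from a backup host cannot be used to read anyone's notifications.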
Publishing Notifications
Using curl with basic auth (the credentials end up in shell history and are visible in the process list for the duration of the request; for scripts use a dedicated account with a write-only grant rather than admin):
curl -u admin:password -d "Backup completed" http://localhost:8080/backups
An access token can be used instead of a password, either in an "Authorization: Bearer <access-token>" header with curl or with --token in the ntfy CLI; tokens are created with 'podman exec ntfy ntfy token add <username>'.
Using ntfy CLI (the topic is given as host/topic; a bare host name would be taken as the topic):
ntfy publish --token <access-token> ntfy.nas.local/mytopic "Hello World"
Subscribing to Notifications
Web UI: https://ntfy.nas.local (if nginx enabled)
CLI:
ntfy subscribe --token <access-token> ntfy.nas.local/mytopic
Mobile apps available for iOS and Android.
Architecture
- Container: Podman-based deployment
- Storage: Persistent cache and user database
- Networking: Localhost binding by default
- Reverse Proxy: Optional nginx with HTTPS
File Locations
- Configuration: {{ podman_projects_dir }}/ntfy/server.yml
- User database: {{ ntfy_data_dir }}/user.db
- Cache database: {{ ntfy_cache_dir }}/cache.db
- Attachments: {{ ntfy_cache_dir }}/attachments/
Dependencies
- podman
- nginx (if ntfy_nginx_enabled: true)