From 15894dfc1ba1c9a3fb2725490b8dc1ea1aa2621a Mon Sep 17 00:00:00 2001
From: Nathan <nathan@castaldifamily.com>
Date: Sun, 31 May 2026 21:43:32 -0400
Subject: [PATCH] Revert "fix: switch Ntfy to native auth, remove Authentik
 ForwardAuth"

This reverts commit 2610b5a430bf0738df9749096b626e8cc965c400.
---
 nodes/heimdall/ntfy/compose.yaml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/nodes/heimdall/ntfy/compose.yaml b/nodes/heimdall/ntfy/compose.yaml
index ef74e9d..385c59b 100644
--- a/nodes/heimdall/ntfy/compose.yaml
+++ b/nodes/heimdall/ntfy/compose.yaml
@@ -8,17 +8,26 @@ services:
       - serve
     volumes:
       - /mnt/appdata/ntfy/data:/var/lib/ntfy
-      - /mnt/appdata/ntfy/server.yml:/etc/ntfy/server.yml:ro
     networks:
       - proxy-net
     labels:
       - "traefik.enable=true"
+      # Web UI — protected by Authentik
       - "traefik.http.routers.ntfy.rule=Host(`ntfy.castaldifamily.com`)"
       - "traefik.http.routers.ntfy.entrypoints=websecure"
       - "traefik.http.routers.ntfy.tls=true"
       - "traefik.http.routers.ntfy.tls.certresolver=cloudflare"
+      - "traefik.http.routers.ntfy.middlewares=authentik-auth@file"
+      - "traefik.http.routers.ntfy.service=ntfy"
+      - "traefik.http.routers.ntfy.priority=1"
+      # Publish endpoint — POST only, no auth, validated by Ntfy access token
+      - "traefik.http.routers.ntfy-publish.rule=Host(`ntfy.castaldifamily.com`) && Method(`POST`)"
+      - "traefik.http.routers.ntfy-publish.entrypoints=websecure"
+      - "traefik.http.routers.ntfy-publish.tls=true"
+      - "traefik.http.routers.ntfy-publish.tls.certresolver=cloudflare"
+      - "traefik.http.routers.ntfy-publish.service=ntfy"
+      - "traefik.http.routers.ntfy-publish.priority=10"
       - "traefik.http.services.ntfy.loadbalancer.server.port=80"
-
 networks:
   proxy-net:
     external: true