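---
# Docker Compose stack for ntfy, published through Traefik on the external
# "proxy-net" network. Two routers share one backend service:
#   - ntfy          (priority 1):  everything on the host, behind Authentik.
#   - ntfy-publish  (priority 10): any POST on the host, with NO proxy-level
#                                  auth. ntfy itself is the only gate here.
name: ntfy

services:
  ntfy:
    # NOTE(review): ":latest" is a moving tag. Pin to a specific release tag
    # or image digest so a changed upstream image is not pulled silently.
    image: binwiederhier/ntfy:latest
    container_name: ntfy
    restart: unless-stopped
    command:
      - serve
    environment:
      # The publish router below skips Authentik, so ntfy must enforce access
      # control itself. Without an auth file ntfy has no users or tokens and
      # accepts anonymous publishes. The auth database lives in the mounted
      # data volume so that users and tokens survive container re-creation.
      NTFY_AUTH_FILE: "/var/lib/ntfy/user.db"
      # Reject anonymous reads and writes; only users or tokens with an
      # explicit grant may publish or subscribe. Users, tokens and topic
      # grants have to be created in ntfy before publishing works.
      NTFY_AUTH_DEFAULT_ACCESS: "deny-all"
      # Take the client address from the proxy's forwarded header, so that
      # ntfy rate limits apply per client rather than to Traefik's address.
      NTFY_BEHIND_PROXY: "true"
      NTFY_BASE_URL: "https://ntfy.castaldifamily.com"
    volumes:
      - /mnt/appdata/ntfy/data:/var/lib/ntfy
    networks:
      - proxy-net
    labels:
      - "traefik.enable=true"
      # Web UI — protected by Authentik
      - "traefik.http.routers.ntfy.rule=Host(`ntfy.castaldifamily.com`)"
      - "traefik.http.routers.ntfy.entrypoints=websecure"
      - "traefik.http.routers.ntfy.tls=true"
      - "traefik.http.routers.ntfy.tls.certresolver=cloudflare"
      - "traefik.http.routers.ntfy.middlewares=authentik-auth@file"
      - "traefik.http.routers.ntfy.service=ntfy"
      - "traefik.http.routers.ntfy.priority=1"
      # Publish endpoint — POST only, no proxy auth; ntfy validates the
      # access token (see the NTFY_AUTH_* settings above).
      # NOTE(review): this rule matches every POST on the host, not only
      # topic publishes, so all POST paths bypass Authentik. Clients that
      # publish with PUT still go through the Authentik router.
      - "traefik.http.routers.ntfy-publish.rule=Host(`ntfy.castaldifamily.com`) && Method(`POST`)"
      - "traefik.http.routers.ntfy-publish.entrypoints=websecure"
      - "traefik.http.routers.ntfy-publish.tls=true"
      - "traefik.http.routers.ntfy-publish.tls.certresolver=cloudflare"
      - "traefik.http.routers.ntfy-publish.service=ntfy"
      - "traefik.http.routers.ntfy-publish.priority=10"
      - "traefik.http.services.ntfy.loadbalancer.server.port=80"

networks:
  proxy-net:
    external: true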