Merge pull request 'feat: add s3 and init postgres' (#5513) from tmp/ntfy into main

Reviewed-on: #5513
2026-04-05 00:26:24 +00:00
parent 9d3a39bfe3 b405bb8976
commit ac3eb35275
6 changed files with 200 additions and 38 deletions
--- a/clusters/cl01tl/helm/ntfy/Chart.lock
+++ b/clusters/cl01tl/helm/ntfy/Chart.lock
@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
-digest: sha256:30d747f8b08ed690202fda39ab6e19bd74ebc45548847a087ddbf175abe1438c
-generated: "2026-01-16T18:50:22.233502056Z"
+- name: postgres-cluster
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 7.11.2
+digest: sha256:a689da8f05654c3e83e3f1459670cc201c28b9b4444c6891dca7ac4b70c5a4be
+generated: "2026-04-04T19:19:40.397469-05:00"
--- a/clusters/cl01tl/helm/ntfy/Chart.yaml
+++ b/clusters/cl01tl/helm/ntfy/Chart.yaml
@@ -5,8 +5,7 @@ description: Ntfy
 keywords:
  - ntfy
  - notifications
-  - messaging
-home: https://wiki.alexlebens.dev/s/5bfc09dd-688b-48f0-8d33-b9bf452df98a
+home: https://docs.alexlebens.dev/applications/ntfy/
 sources:
  - https://github.com/binwiederhier/ntfy
  - https://hub.docker.com/r/binwiederhier/ntfy
@@ -18,6 +17,10 @@ dependencies:
    alias: ntfy
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
+  - name: postgres-cluster
+    alias: postgres-18-cluster
+    version: 7.11.2
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ntfy.png
 # renovate: datasource=github-releases depName=binwiederhier/ntfy
 appVersion: 2.21.0
--- a/clusters/cl01tl/helm/ntfy/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/ntfy/templates/external-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ntfy-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ntfy-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: attachment-cache-dir
+      remoteRef:
+        key: /garage/home-infra/ntfy-attachments
+        property: attachment-cache-dir
--- a/clusters/cl01tl/helm/ntfy/values.yaml
+++ b/clusters/cl01tl/helm/ntfy/values.yaml
@@ -4,17 +4,15 @@ ntfy:
      type: deployment
      replicas: 1
      strategy: Recreate
-      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: binwiederhier/ntfy
-            tag: v2.21.0
-            pullPolicy: IfNotPresent
+            tag: v2.21.0@sha256:2b9e12d56a538f4402da51328eeca02696c4b207ab7fbe031c27e51a22ca9b86
          args: ["serve"]
          env:
            - name: TZ
-              value: US/Central
+              value: America/Chicago
            - name: NTFY_BASE_URL
              value: https://ntfy.alexlebens.net
            - name: NTFY_LISTEN_HTTP
@@ -32,36 +30,32 @@ ntfy:
                vacuum;
            - name: NTFY_BEHIND_PROXY
              value: true
+            # - name: NTFY_DATABASE_URL
+            #   valueFrom:
+            #     secretKeyRef:
+            #       name: ntfy-postgresql-18-cluster-app
+            #       key: uri
            - name: NTFY_ATTACHMENT_CACHE_DIR
-              value: /var/cache/ntfy/attachments
+              valueFrom:
+                secretKeyRef:
+                  name: ntfy-config-secret
+                  key: attachment-cache-dir
            - name: NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT
-              value: 4G
+              value: 10G
            - name: NTFY_ATTACHMENT_FILE_SIZE_LIMIT
-              value: 15M
+              value: 150M
            - name: NTFY_ATTACHMENT_EXPIRY_DURATION
-              value: 36h
+              value: 72h
            - name: NTFY_ENABLE_SIGNUP
              value: false
            - name: NTFY_ENABLE_LOGIN
              value: true
            - name: NTFY_ENABLE_RESERVATIONS
              value: false
-            # - name: NTFY_UPSTREAM_BASE_URL
-            #   value: https://ntfy.sh
            - name: NTFY_AUTH_FILE
              value: /var/cache/ntfy/user.db
            - name: NTFY_AUTH_DEFAULT_ACCESS
              value: deny-all
-            # - name: NTFY_UPSTREAM_ACCESS_TOKEN
-            #   value: ""
-            # - name: NTFY_WEB_PUSH_PUBLIC_KEY
-            #   value: ""
-            # - name: NTFY_WEB_PUSH_PRIVATE_KEY
-            #   value: ""
-            # - name: NTFY_WEB_PUSH_FILE
-            #   value: /var/lib/ntfy/webpush.db
-            # - name: NTFY_WEB_PUSH_EMAIL_ADDRESS
-            #   value: ""
            - name: NTFY_METRICS_LISTEN_HTTP
              value: :9090
            - name: NTFY_LOG_LEVEL
@@ -71,13 +65,9 @@ ntfy:
              enabled: false
              custom: true
              spec:
-                exec:
-                  command:
-                  - /usr/bin/env
-                  - sh
-                  - -c
-                  - wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1
-                failureThreshold: 10
+                httpGet:
+                  path: /v1/health
+                  port: 80
                initialDelaySeconds: 60
                periodSeconds: 60
                successThreshold: 1
@@ -85,7 +75,7 @@ ntfy:
          resources:
            requests:
              cpu: 10m
-              memory: 128Mi
+              memory: 40Mi
  service:
    main:
      controller: main
@@ -93,11 +83,9 @@ ntfy:
        http:
          port: 80
          targetPort: 80
-          protocol: HTTP
        metrics:
          port: 9090
          targetPort: 9090
-          protocol: HTTP
  serviceMonitor:
    main:
      selector:
@@ -122,11 +110,8 @@ ntfy:
        - ntfy.alexlebens.net
      rules:
        - backendRefs:
-            - group: ''
-              kind: Service
-              name: ntfy
+            - name: ntfy
              port: 80
-              weight: 100
          matches:
            - path:
                type: PathPrefix
@@ -141,3 +126,22 @@ ntfy:
          main:
            - path: /var/cache/ntfy
              readOnly: false
+postgres-18-cluster:
+  mode: standalone
+  recovery:
+    method: objectStore
+    objectStore:
+      index: 1
+  backup:
+    objectStore:
+      - name: garage-local
+        index: 1
+        destinationBucket: postgres-backups
+        externalSecretCredentialPath: /garage/home-infra/postgres-backups
+        isWALArchiver: true
+    scheduledBackups:
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 15 14 * * *"
+        backupName: garage-local
--- a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml
@@ -251,3 +251,54 @@ spec:
        key: /garage/config/remote
        metadataPolicy: None
        property: ENDPOINT
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: garage-ntfy-attachments-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: garage-ntfy-attachments-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/ntfy-attachments
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/ntfy-attachments
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/ntfy-attachments
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: SRC_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/config/local
+        metadataPolicy: None
+        property: ENDPOINT
+    - secretKey: DEST_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/config/remote
+        metadataPolicy: None
+        property: ENDPOINT
--- a/clusters/cl01tl/helm/rclone/values.yaml
+++ b/clusters/cl01tl/helm/rclone/values.yaml
@@ -503,3 +503,86 @@ rclone:
                  key: DEST_ENDPOINT
            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
              value: true
+    ntfy-attachments:
+      type: cronjob
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: "10 0 * * *"
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 1
+        failedJobsHistory: 1
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        sync:
+          image:
+            repository: rclone/rclone
+            tag: 1.73.3
+            pullPolicy: IfNotPresent
+          args:
+            - sync
+            - src:ntfy-attachments
+            - dest:ntfy-attachments
+            - --s3-no-check-bucket
+            - --verbose
+          env:
+            - name: RCLONE_S3_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_SRC_TYPE
+              value: s3
+            - name: RCLONE_CONFIG_SRC_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_SRC_ENV_AUTH
+              value: false
+            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: garage-ntfy-attachments-secret
+                  key: ACCESS_KEY_ID
+            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: garage-ntfy-attachments-secret
+                  key: ACCESS_SECRET_KEY
+            - name: RCLONE_CONFIG_SRC_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: garage-ntfy-attachments-secret
+                  key: ACCESS_REGION
+            - name: RCLONE_CONFIG_SRC_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: garage-ntfy-attachments-secret
+                  key: SRC_ENDPOINT
+            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+              value: true
+            - name: RCLONE_CONFIG_DEST_TYPE
+              value: s3
+            - name: RCLONE_CONFIG_DEST_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_DEST_ENV_AUTH
+              value: false
+            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: garage-ntfy-attachments-secret
+                  key: ACCESS_KEY_ID
+            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: garage-ntfy-attachments-secret
+                  key: ACCESS_SECRET_KEY
+            - name: RCLONE_CONFIG_DEST_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: garage-ntfy-attachments-secret
+                  key: ACCESS_REGION
+            - name: RCLONE_CONFIG_DEST_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: garage-ntfy-attachments-secret
+                  key: DEST_ENDPOINT
+            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
+              value: true