apiVersion: v1
kind: ConfigMap
metadata:
  name: ntfy
data:
  server.yml: |
    # Template: https://github.com/binwiederhier/ntfy/blob/main/server/server.yml
    base-url: https://ntfy.bodicsek.host
    behind-proxy: true
    auth-file: /config/user.db
    auth-default-access: deny-all
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ntfy
spec:
  selector:
    matchLabels:
      app: ntfy
  template:
    metadata:
      labels:
        app: ntfy
      annotations:
        diun.enable: "true"
        diun.include_tags: '^v\d+\.\d+\.\d+$'
    spec:
      containers:
      - name: ntfy
        image: binwiederhier/ntfy:v2.12.0
        imagePullPolicy: IfNotPresent
        args: ["serve"]
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 80
          name: http
        volumeMounts:
        - name: config
          mountPath: /config
        - name: config-file
          mountPath: /etc/ntfy
          readOnly: true
      volumes:
        - name: config
          hostPath:
            path: /mnt/ntfy/config
            type: Directory
        - name: config-file
          configMap:
            name: ntfy
---
apiVersion: v1
kind: Service
metadata:
  name: ntfy
spec:
  selector:
    app: ntfy
  ports:
  - port: 80
    targetPort: 80
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ntfy.bodicsek.host
spec:
  secretName: ntfy.bodicsek.host
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - ntfy.bodicsek.host
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ntfy
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - kind: Rule
    match: Host(`ntfy.bodicsek.host`)
    services:
    - kind: Service
      name: ntfy
      namespace: default
      passHostHeader: true
      port: 80
  tls:
    secretName: ntfy.bodicsek.host