Switch to using an external Ntfy role

The newly extracted role also has native Traefik support, so we no longer need to rely on `matrix-nginx-proxy` for reverse-proxying to Ntfy. The new role uses port `80` inside the container (not `8080`, like before), because that's the default assumption of the officially published container image. Using a custom port (like `8080`), means the default healthcheck command (which hardcodes port `80`) doesn't work. Instead of fiddling to override the healthcheck command, we've decided to stick to the default port instead. This only affects the inside-the-container port, not any external ports. The new role also supports adding the network ranges of the container's multiple additional networks as "exempt hosts". Previously, only one network's address range was added to "exempt hosts".
2 years ago · 964aa0e84d
parent 38c4e464c1
commit 964aa0e84d
17 changed files with 78 additions and 258 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,14 @@
 # 2023-02-17
 ## The matrix-ntfy role lives independently now
 **TLDR**: the `matrix-ntfy` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
 The `matrix-ntfy` role (which configures [Ntfy](https://ntfy.sh/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/ntfy). This makes it possible to easily use it in other Ansible playbooks.
 You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`).
 # 2023-02-15
 ## The matrix-grafana role lives independently now
--- a/docs/configuring-playbook-ntfy.md
+++ b/docs/configuring-playbook-ntfy.md
@ -15,17 +15,20 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
 ```yaml
 # Enabling it is the only required setting
-matrix_ntfy_enabled: true
+ntfy_enabled: true
-# Some other options
+# This is the default hostname.
-matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
+# Uncomment the line below and change it, if you'd like.
-matrix_ntfy_configuration_extension_yaml: |
+# matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
-  log_level: DEBUG
+
 # Uncomment and change to inject additional configuration options.
 # ntfy_configuration_extension_yaml: |
 #   log_level: DEBUG
 ```
-For a more complete list of variables that you could override, see `roles/custom/matrix-ntfy/defaults/main.yml`.
+For a more complete list of variables that you could override, see the [`defaults/main.yml` file](https://gitlab.com/etke.cc/roles/ntfy/-/blob/main/defaults/main.yml) of the ntfy Ansible role.
-For a complete list of ntfy config options that you could put in `matrix_ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options).
+For a complete list of ntfy config options that you could put in `ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options).
 ## Installing
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -326,7 +326,7 @@ devture_systemd_service_manager_services_list_auto: |
    +
    (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable') | list )
    +
-    ([{'name': 'matrix-ntfy.service', 'priority': 800, 'groups': ['matrix', 'ntfy']}] if matrix_ntfy_enabled else [])
+    ([{'name': (ntfy_identifier + '.service'), 'priority': 800, 'groups': ['matrix', 'ntfy']}] if ntfy_enabled else [])
    +
    ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['matrix', 'postgres']}] if devture_postgres_enabled else [])
    +
@ -2379,8 +2379,8 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s
 matrix_nginx_proxy_proxy_matrix_enabled: true
 matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
-matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
+matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
-matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}"
+matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
 matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
 matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
@ -2389,9 +2389,9 @@ matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}"
-matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled }}"
+matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
-matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
+matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
@ -2404,7 +2404,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_e
 matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@ -2486,7 +2485,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
    +
    (['matrix-sygnal.service'] if matrix_sygnal_enabled else [])
    +
-    (['matrix-ntfy.service'] if matrix_ntfy_enabled else [])
+    ([(ntfy_identifier + '.service')] if ntfy_enabled else [])
    +
    (['matrix-jitsi.service'] if matrix_jitsi_enabled else [])
    +
@ -2523,7 +2522,7 @@ matrix_ssl_domains_to_obtain_certificates_for: |
    +
    ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else [])
    +
-    ([matrix_server_fqn_ntfy] if matrix_ntfy_enabled else [])
+    ([ntfy_hostname] if ntfy_enabled else [])
    +
    (matrix_bot_postmoogle_domains if matrix_bot_postmoogle_enabled else [])
    +
@ -2886,17 +2885,39 @@ matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_b
 ######################################################################
 #
-# matrix-ntfy
+# etke/ntfy
 #
 ######################################################################
-matrix_ntfy_enabled: false
+ntfy_enabled: false
-matrix_ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+ntfy_identifier: matrix-ntfy
 ntfy_base_path: "{{ matrix_base_data_path }}/ntfy"
 ntfy_uid: "{{ matrix_user_uid }}"
 ntfy_gid: "{{ matrix_user_gid }}"
 ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
 ntfy_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else ntfy_identifier }}"
 ntfy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
 ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 ntfy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 ntfy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 ntfy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
  {{
    [matrix_server_fqn_matrix]
  }}
 ######################################################################
 #
-# /matrix-ntfy
+# /etky/ntfy
 #
 ######################################################################
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@ -105,7 +105,7 @@
    - custom/matrix-etherpad
    - custom/matrix-email2matrix
    - custom/matrix-sygnal
-    - custom/matrix-ntfy
+    - galaxy/ntfy
    - custom/matrix-nginx-proxy
    - custom/matrix-coturn
    - custom/matrix-aux
--- a/requirements.yml
+++ b/requirements.yml
@ -42,6 +42,9 @@
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
  version: v9.3.6-1
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
  version: v2.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
  version: fb09fd26f877372417d5586f1e79e83f983f0bd6
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@ -91,11 +91,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_se
 matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)"
 matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: false
 matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname }}`)"
 # matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
--- a/roles/custom/matrix-nginx-proxy/templates/labels.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2
@ -109,18 +109,6 @@ traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy
 {% endif %}
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled %}
 # ntfy
 traefik.http.routers.matrix-nginx-proxy-ntfy.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule }}
 traefik.http.routers.matrix-nginx-proxy-ntfy.service=matrix-nginx-proxy-web
 traefik.http.routers.matrix-nginx-proxy-ntfy.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls | to_json }}
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls %}
 traefik.http.routers.matrix-nginx-proxy-ntfy.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
 {% endif %}
 traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
 {% endif %}
 traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
 {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2
@ -21,7 +21,7 @@
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
-			set $backend "matrix-ntfy:8080";
+			set $backend "matrix-ntfy:80";
 			proxy_pass http://$backend;
 		{% else %}
 			{# Generic configuration for use outside of our container setup #}
--- a/roles/custom/matrix-ntfy/defaults/main.yml
+++ b/roles/custom/matrix-ntfy/defaults/main.yml
@ -1,56 +0,0 @@
 ---
 # Project source code URL: https://github.com/binwiederhier/ntfy
 matrix_ntfy_enabled: true
 matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy"
 matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config"
 matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data"
 matrix_ntfy_version: v2.0.0
 matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}"
 matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}"
 # Public facing base URL of the ntfy service
 matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}"
 # Rate limits
 matrix_ntfy_global_topic_limit: 15000  # default
 matrix_ntfy_visitor_subscription_limit: 30  # default
 matrix_ntfy_visitor_request_limit_burst: 60  # default
 matrix_ntfy_visitor_request_limit_replenish: "5s"  # default
 # Controls whether the container exposes its HTTP port (tcp/80 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:2586"), or empty string to not expose.
 matrix_ntfy_container_http_host_bind_port: ''
 # A list of extra arguments to pass to the container (`docker run` command)
 matrix_ntfy_container_extra_arguments: []
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_ntfy_self_check_validate_certificates: true
 # Default ntfy configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_ntfy_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_ntfy_configuration_yaml: "{{ lookup('template', 'templates/ntfy/server.yml.j2') }}"
 matrix_ntfy_configuration_extension_yaml: |
  # Your custom YAML configuration for ntfy goes here.
  # This configuration extends the default starting configuration (`matrix_ntfy_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_ntfy_configuration_yaml`.
 matrix_ntfy_configuration_extension: "{{ matrix_ntfy_configuration_extension_yaml | from_yaml if matrix_ntfy_configuration_extension_yaml | from_yaml is mapping else {} }}"
 # Holds the final ntfy configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_ntfy_configuration_yaml`.
 matrix_ntfy_configuration: "{{ matrix_ntfy_configuration_yaml | from_yaml | combine(matrix_ntfy_configuration_extension, recursive=True) }}"
--- a/roles/custom/matrix-ntfy/tasks/main.yml
+++ b/roles/custom/matrix-ntfy/tasks/main.yml
@ -1,23 +0,0 @@
 ---
 - block:
    - when: matrix_ntfy_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
  tags:
    - setup-all
    - setup-ntfy
    - install-all
    - install-ntfy
 - block:
    - when: not matrix_ntfy_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-ntfy
 - block:
    - when: matrix_ntfy_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
  tags:
    - self-check
--- a/roles/custom/matrix-ntfy/tasks/self_check.yml
+++ b/roles/custom/matrix-ntfy/tasks/self_check.yml
@ -1,27 +0,0 @@
 ---
 # Query an arbitrary ntfy topic using ntfy's UnifiedPush topic name syntax.
 # Expect an empty response (because we query 'since=1s').
 - ansible.builtin.set_fact:
    matrix_ntfy_url_endpoint_public: "{{ matrix_ntfy_base_url }}/upSELFCHECK123/json?poll=1&since=1s"
 - name: Check ntfy
  ansible.builtin.uri:
    url: "{{ matrix_ntfy_url_endpoint_public }}"
    follow_redirects: none
    validate_certs: "{{ matrix_ntfy_self_check_validate_certificates }}"
  register: matrix_ntfy_self_check_result
  check_mode: false
  ignore_errors: true
  delegate_to: 127.0.0.1
  become: false
 - name: Fail if ntfy not working
  ansible.builtin.fail:
    msg: "Failed checking ntfy is up at `{{ matrix_server_fqn_ntfy }}` (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`). Is ntfy running? Is port 443 open in your firewall? Full error: {{ matrix_ntfy_self_check_result }}"
  when: "matrix_ntfy_self_check_result.failed"
 - name: Report working ntfy
  ansible.builtin.debug:
    msg: "ntfy at `{{ matrix_server_fqn_ntfy }}` is working (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`)"
--- a/roles/custom/matrix-ntfy/tasks/setup_install.yml
+++ b/roles/custom/matrix-ntfy/tasks/setup_install.yml
@ -1,38 +0,0 @@
 ---
 - name: Ensure matrix-ntfy image is pulled
  community.docker.docker_image:
    name: "{{ matrix_ntfy_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_ntfy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ntfy_docker_image_force_pull }}"
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed
 - name: Ensure matrix-ntfy paths exists
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - "{{ matrix_ntfy_base_path }}"
    - "{{ matrix_ntfy_config_dir_path }}"
    - "{{ matrix_ntfy_data_path }}"
 - name: Ensure matrix-ntfy config installed
  ansible.builtin.copy:
    content: "{{ matrix_ntfy_configuration | to_nice_yaml(indent=2, width=999999) }}"
    dest: "{{ matrix_ntfy_config_dir_path }}/server.yml"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
 - name: Ensure matrix-ntfy.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-ntfy.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
    mode: 0644
--- a/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml
@ -1,25 +0,0 @@
 ---
 - name: Check existence of matrix-ntfy service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
  register: matrix_ntfy_service_stat
 - when: matrix_ntfy_service_stat.stat.exists | bool
  block:
    - name: Ensure matrix-ntfy is stopped
      ansible.builtin.service:
        name: matrix-ntfy
        state: stopped
        enabled: false
        daemon_reload: true
    - name: Ensure matrix-ntfy.service doesn't exist
      ansible.builtin.file:
        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
        state: absent
    - name: Ensure matrix-ntfy path doesn't exist
      ansible.builtin.file:
        path: "{{ matrix_ntfy_base_path }}"
        state: absent
--- a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2
+++ b/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2
@ -1,11 +0,0 @@
 base_url: {{ matrix_ntfy_base_url }}
 behind_proxy: true
 cache_file: /data/cache.db
 listen-http: :8080
 # Rate Limits
 global-topic-limit: {{ matrix_ntfy_global_topic_limit | to_json }}
 visitor-subscription-limit: {{ matrix_ntfy_visitor_subscription_limit | to_json }}
 visitor-request-limit-burst: {{ matrix_ntfy_visitor_request_limit_burst | to_json }}
 visitor-request-limit-replenish: "{{ matrix_ntfy_visitor_request_limit_replenish }}"
--- a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2
+++ b/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2
@ -1,39 +0,0 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=matrix-ntfy
 After=docker.service
 Requires=docker.service
 DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'
 ExecStart={{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--env NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS={{matrix_server_fqn_matrix}},localhost,$(docker network inspect {{matrix_docker_network}} -f "{% raw %}{{ (index .IPAM.Config 0).Subnet }}{% endraw %}") \
 			{% for arg in matrix_ntfy_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			--network={{ matrix_docker_network }} \
 			{% if matrix_ntfy_container_http_host_bind_port %}
 			-p {{ matrix_ntfy_container_http_host_bind_port }}:8080 \
 			{% endif %}
 			--mount type=bind,src={{ matrix_ntfy_config_dir_path }},dst=/etc/ntfy,ro \
 			--mount type=bind,src={{ matrix_ntfy_data_path }},dst=/data \
 			{{ matrix_ntfy_docker_image }} \
 			serve'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-ntfy
 [Install]
 WantedBy=multi-user.target
--- a/roles/custom/matrix_playbook_migration/defaults/main.yml
+++ b/roles/custom/matrix_playbook_migration/defaults/main.yml
@ -11,3 +11,6 @@ matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled: true
 # Controls if (`matrix_grafana` -> `grafana`) validation will run.
 matrix_playbook_migration_matrix_grafana_migration_validation_enabled: true
 # Controls if (`matrix_ntfy` -> `ntfy`) validation will run.
 matrix_playbook_migration_matrix_ntfy_migration_validation_enabled: true
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@ -82,7 +82,7 @@
      when: "matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars | length > 0"
 - when: matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled | bool
-  block:
+  block:ntfy
    - ansible.builtin.set_fact:
        matrix_playbook_migration_backup_borg_migration_vars: |-
          {{ vars | dict2items | selectattr('key', 'match', 'matrix_backup_borg_.*') | list | items2dict }}
@ -110,3 +110,18 @@
          Please change your configuration (vars.yml) to rename all variables (`matrix_grafana_` -> `grafana_`).
          We found usage of the following variables: {{ matrix_playbook_migration_grafana_migration_vars.keys() | join(', ') }}
      when: "matrix_playbook_migration_grafana_migration_vars | length > 0"
 - when: matrix_playbook_migration_matrix_ntfy_migration_validation_enabled | bool
  block:
    - ansible.builtin.set_fact:
        matrix_playbook_migration_ntfy_migration_vars: |-
          {{ vars | dict2items | selectattr('key', 'match', 'matrix_ntfy_.*') | list | items2dict }}
    - name: (Deprecation) Catch and report matrix_ntfy variables
      ansible.builtin.fail:
        msg: >-
          The matrix-ntfy role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/ntfy.
          The new role is compatible with the old one, but uses different names for its variables.
          Please change your configuration (vars.yml) to rename all variables (`matrix_ntfy_` -> `ntfy_`).
          We found usage of the following variables: {{ matrix_playbook_migration_ntfy_migration_vars.keys() | join(', ') }}
      when: "matrix_playbook_migration_ntfy_migration_vars | length > 0"