From 15f6aafeeb4cae96bc601270d56614b48e11a007 Mon Sep 17 00:00:00 2001
From: Mannu
Date: Mon, 27 Apr 2026 00:04:33 +0530
Subject: [PATCH] apprise: switch from IP whitelist to basic auth
---
 apprise.compose.yml | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/apprise.compose.yml b/apprise.compose.yml
index 911d4cb..5ef11e6 100644
--- a/apprise.compose.yml
+++ b/apprise.compose.yml
@@ -1,24 +1,18 @@
 # Apprise — notify.manohargupta.com
 # Unified notification API. POST one message, fans out to Telegram, email, ~80 services.
-# Stateless except for YAML config files stored in the config volume.
-# No built-in auth -- protected by Traefik IP whitelist (Tailscale range only).
-#
-# Honest framing: n8n's built-in Telegram/email nodes cover most workflow notifications.
-# Apprise's value is for non-n8n scripts (Python crons, server healthchecks) that also
-# need to notify without importing the full n8n stack.
+# Auth: bcrypt basic auth via Traefik (hash hardcoded -- env vars don't work in labels).
+# Whitelist removed -- basic auth is sufficient protection.
 services:
 apprise:
 image: caronc/apprise:latest
 restart: unless-stopped
 environment:
- # Persist notification configs (tagged YAML files) across restarts
 APPRISE_STATEFUL_MODE: simple
- # Allow API to update configs -- lock this down after initial setup
 APPRISE_CONFIG_LOCK: "no"
 volumes:
- - apprise_config:/config # stores per-tag YAML notification configs
- - apprise_attach:/attach # stores file attachments for notifications
+ - apprise_config:/config
+ - apprise_attach:/attach
 networks:
 - dokploy-network
 labels:
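Review bot: `APPRISE_CONFIG_LOCK: "no"` stays in place while the new header comment states that basic auth alone is sufficient, and the removed comment was the only reminder to lock the config API after initial setup. With the Tailscale allowlist gone, a single password now guards the endpoints that manage the stored notification configs, which presumably embed service credentials such as bot tokens and SMTP passwords. Consider setting `APPRISE_CONFIG_LOCK: "yes"` once the configs are in place, or at least restoring the reminder as `# Allow API to update configs -- lock this down after initial setup`. The service definition continues past the end of this hunk.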
@@ -28,10 +22,8 @@ services:
 - "traefik.http.routers.apprise.entrypoints=websecure"
 - "traefik.http.routers.apprise.tls.certresolver=letsencrypt"
 - "traefik.http.services.apprise.loadbalancer.server.port=8000"
- # IP whitelist -- Tailscale CGNAT range only. Only your tailnet can call this API.
- # Without this, anyone who finds the URL can send notifications on your behalf.
- - "traefik.http.middlewares.apprise-ipallow.ipwhitelist.sourcerange=100.64.0.0/10"
- - "traefik.http.routers.apprise.middlewares=apprise-ipallow@docker"
+ - "traefik.http.middlewares.apprise-auth.basicauth.users=manohar:$$2y$$05$$xzm9ssFqu4alRc5XvLLiSunZXviyj5CkfxQdJAPw2NyqEQ1gTIDuq"
+ - "traefik.http.routers.apprise.middlewares=apprise-auth@docker"
 deploy:
 labels:
 - "traefik.enable=true"
@@ -40,8 +32,8 @@ services:
 - "traefik.http.routers.apprise.entrypoints=websecure"
 - "traefik.http.routers.apprise.tls.certresolver=letsencrypt"
 - "traefik.http.services.apprise.loadbalancer.server.port=8000"
- - "traefik.http.middlewares.apprise-ipallow.ipwhitelist.sourcerange=100.64.0.0/10"
- - "traefik.http.routers.apprise.middlewares=apprise-ipallow@docker"
+ - "traefik.http.middlewares.apprise-auth.basicauth.users=manohar:$$2y$$05$$xzm9ssFqu4alRc5XvLLiSunZXviyj5CkfxQdJAPw2NyqEQ1gTIDuq"
+ - "traefik.http.routers.apprise.middlewares=apprise-auth@docker"
 volumes:
 apprise_config:
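Review bot: The added `basicauth.users` label commits the username and a bcrypt hash with cost factor 05 (`$$2y$$05$$…`) to the repository, so anyone with read access to the repo or to the container labels can test password guesses offline, and the low cost makes each guess cheap. The same label is repeated under `deploy.labels` in the following hunk. Prefer rotating the password, regenerating the hash at a higher cost, and loading it from a mounted file with `traefik.http.middlewares.apprise-auth.basicauth.usersfile=<path-to-htpasswd-file>`. Because the router is now reachable from any source address, consider keeping the removed allowlist middleware chained in front, `traefik.http.routers.apprise.middlewares=apprise-ipallow@docker,apprise-auth@docker`, or adding a rate-limit middleware so password attempts are throttled.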