apprise: switch from IP whitelist to basic auth

apprise.compose.yml

@@ -1,24 +1,18 @@
 # Apprise — notify.manohargupta.com
 # Unified notification API. POST one message, fans out to Telegram, email, ~80 services.
-# Stateless except for YAML config files stored in the config volume.
+# Auth: bcrypt basic auth via Traefik (hash hardcoded -- env vars don't work in labels).
-# No built-in auth -- protected by Traefik IP whitelist (Tailscale range only).
+# Whitelist removed -- basic auth is sufficient protection.
-#
-# Honest framing: n8n's built-in Telegram/email nodes cover most workflow notifications.
-# Apprise's value is for non-n8n scripts (Python crons, server healthchecks) that also
-# need to notify without importing the full n8n stack.
 
 services:
   apprise:
     image: caronc/apprise:latest
     restart: unless-stopped
     environment:
-      # Persist notification configs (tagged YAML files) across restarts
       APPRISE_STATEFUL_MODE: simple
-      # Allow API to update configs -- lock this down after initial setup
       APPRISE_CONFIG_LOCK: "no"
     volumes:
-      - apprise_config:/config    # stores per-tag YAML notification configs
+      - apprise_config:/config
-      - apprise_attach:/attach    # stores file attachments for notifications
+      - apprise_attach:/attach
     networks:
       - dokploy-network
     labels:
@@ -28,10 +22,8 @@ services:
       - "traefik.http.routers.apprise.entrypoints=websecure"
       - "traefik.http.routers.apprise.tls.certresolver=letsencrypt"
       - "traefik.http.services.apprise.loadbalancer.server.port=8000"
-      # IP whitelist -- Tailscale CGNAT range only. Only your tailnet can call this API.
+      - "traefik.http.middlewares.apprise-auth.basicauth.users=manohar:$$2y$$05$$xzm9ssFqu4alRc5XvLLiSunZXviyj5CkfxQdJAPw2NyqEQ1gTIDuq"
-      # Without this, anyone who finds the URL can send notifications on your behalf.
+      - "traefik.http.routers.apprise.middlewares=apprise-auth@docker"
-      - "traefik.http.middlewares.apprise-ipallow.ipwhitelist.sourcerange=100.64.0.0/10"
-      - "traefik.http.routers.apprise.middlewares=apprise-ipallow@docker"
     deploy:
       labels:
         - "traefik.enable=true"
@@ -40,8 +32,8 @@ services:
         - "traefik.http.routers.apprise.entrypoints=websecure"
         - "traefik.http.routers.apprise.tls.certresolver=letsencrypt"
         - "traefik.http.services.apprise.loadbalancer.server.port=8000"
-        - "traefik.http.middlewares.apprise-ipallow.ipwhitelist.sourcerange=100.64.0.0/10"
+        - "traefik.http.middlewares.apprise-auth.basicauth.users=manohar:$$2y$$05$$xzm9ssFqu4alRc5XvLLiSunZXviyj5CkfxQdJAPw2NyqEQ1gTIDuq"
-        - "traefik.http.routers.apprise.middlewares=apprise-ipallow@docker"
+        - "traefik.http.routers.apprise.middlewares=apprise-auth@docker"
 
 volumes:
   apprise_config: