apprise: switch from IP whitelist to basic auth

2026-04-27 00:04:33 +05:30 · 2026-04-27 00:04:33 +05:30 · 15f6aafeeb
commit 15f6aafeeb
parent fa2a7e2282
1 changed files with 8 additions and 16 deletions
--- a/apprise.compose.yml
+++ b/apprise.compose.yml
@ -1,24 +1,18 @@
 # Apprise — notify.manohargupta.com
 # Unified notification API. POST one message, fans out to Telegram, email, ~80 services.
-# Stateless except for YAML config files stored in the config volume.
-# No built-in auth -- protected by Traefik IP whitelist (Tailscale range only).
-#
-# Honest framing: n8n's built-in Telegram/email nodes cover most workflow notifications.
-# Apprise's value is for non-n8n scripts (Python crons, server healthchecks) that also
-# need to notify without importing the full n8n stack.
+# Auth: bcrypt basic auth via Traefik (hash hardcoded -- env vars don't work in labels).
+# Whitelist removed -- basic auth is sufficient protection.

 services:
  apprise:
    image: caronc/apprise:latest
    restart: unless-stopped
    environment:
-      # Persist notification configs (tagged YAML files) across restarts
      APPRISE_STATEFUL_MODE: simple
-      # Allow API to update configs -- lock this down after initial setup
      APPRISE_CONFIG_LOCK: "no"
    volumes:
-      - apprise_config:/config    # stores per-tag YAML notification configs
-      - apprise_attach:/attach    # stores file attachments for notifications
+      - apprise_config:/config
+      - apprise_attach:/attach
    networks:
      - dokploy-network
    labels:
@ -28,10 +22,8 @@ services:
      - "traefik.http.routers.apprise.entrypoints=websecure"
      - "traefik.http.routers.apprise.tls.certresolver=letsencrypt"
      - "traefik.http.services.apprise.loadbalancer.server.port=8000"
-      # IP whitelist -- Tailscale CGNAT range only. Only your tailnet can call this API.
-      # Without this, anyone who finds the URL can send notifications on your behalf.
-      - "traefik.http.middlewares.apprise-ipallow.ipwhitelist.sourcerange=100.64.0.0/10"
-      - "traefik.http.routers.apprise.middlewares=apprise-ipallow@docker"
+      - "traefik.http.middlewares.apprise-auth.basicauth.users=manohar:$$2y$$05$$xzm9ssFqu4alRc5XvLLiSunZXviyj5CkfxQdJAPw2NyqEQ1gTIDuq"
+      - "traefik.http.routers.apprise.middlewares=apprise-auth@docker"
    deploy:
      labels:
        - "traefik.enable=true"
@ -40,8 +32,8 @@ services:
        - "traefik.http.routers.apprise.entrypoints=websecure"
        - "traefik.http.routers.apprise.tls.certresolver=letsencrypt"
        - "traefik.http.services.apprise.loadbalancer.server.port=8000"
-        - "traefik.http.middlewares.apprise-ipallow.ipwhitelist.sourcerange=100.64.0.0/10"
-        - "traefik.http.routers.apprise.middlewares=apprise-ipallow@docker"
+        - "traefik.http.middlewares.apprise-auth.basicauth.users=manohar:$$2y$$05$$xzm9ssFqu4alRc5XvLLiSunZXviyj5CkfxQdJAPw2NyqEQ1gTIDuq"
+        - "traefik.http.routers.apprise.middlewares=apprise-auth@docker"

 volumes:
  apprise_config: