infra/apprise.compose.yml

# Apprise — notify.manohargupta.com
# Unified notification API. POST one message, fans out to Telegram, email, ~80 services.
# Stateless except for YAML config files stored in the config volume.
# No built-in auth -- protected by Traefik IP whitelist (Tailscale range only).
#
# Honest framing: n8n's built-in Telegram/email nodes cover most workflow notifications.
# Apprise's value is for non-n8n scripts (Python crons, server healthchecks) that also
# need to notify without importing the full n8n stack.

services:
  apprise:
    image: caronc/apprise:latest
    restart: unless-stopped
    environment:
      # Persist notification configs (tagged YAML files) across restarts
      APPRISE_STATEFUL_MODE: simple
      # Allow API to update configs -- lock this down after initial setup
      APPRISE_CONFIG_LOCK: "no"
    volumes:
      - apprise_config:/config    # stores per-tag YAML notification configs
      - apprise_attach:/attach    # stores file attachments for notifications
    networks:
      - dokploy-network
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dokploy-network"
      - "traefik.http.routers.apprise.rule=Host(`notify.manohargupta.com`)"
      - "traefik.http.routers.apprise.entrypoints=websecure"
      - "traefik.http.routers.apprise.tls.certresolver=letsencrypt"
      - "traefik.http.services.apprise.loadbalancer.server.port=8000"
      # IP whitelist -- Tailscale CGNAT range only. Only your tailnet can call this API.
      # Without this, anyone who finds the URL can send notifications on your behalf.
      - "traefik.http.middlewares.apprise-ipallow.ipwhitelist.sourcerange=100.64.0.0/10"
      - "traefik.http.routers.apprise.middlewares=apprise-ipallow@docker"
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=dokploy-network"
        - "traefik.http.routers.apprise.rule=Host(`notify.manohargupta.com`)"
        - "traefik.http.routers.apprise.entrypoints=websecure"
        - "traefik.http.routers.apprise.tls.certresolver=letsencrypt"
        - "traefik.http.services.apprise.loadbalancer.server.port=8000"
        - "traefik.http.middlewares.apprise-ipallow.ipwhitelist.sourcerange=100.64.0.0/10"
        - "traefik.http.routers.apprise.middlewares=apprise-ipallow@docker"

volumes:
  apprise_config:
  apprise_attach:

networks:
  dokploy-network:
    external: true