diff --git a/argocd/manifests/ntfy/deployment.yaml b/argocd/manifests/ntfy/deployment.yaml
index 90c1f11..55c27c7 100644
--- a/argocd/manifests/ntfy/deployment.yaml
+++ b/argocd/manifests/ntfy/deployment.yaml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: ntfy
-          image: binwiederhier/ntfy:v2.11.0
+          image: binwiederhier/ntfy:v2.17.0
           args: ["serve", "--config", "/etc/ntfy/server.yml"]
           ports:
             - containerPort: 80
diff --git a/docs/changelog.d/review-ntfy-v2.17.0.infra.md b/docs/changelog.d/review-ntfy-v2.17.0.infra.md
new file mode 100644
index 0000000..0e3020d
--- /dev/null
+++ b/docs/changelog.d/review-ntfy-v2.17.0.infra.md
@@ -0,0 +1 @@
+Upgrade ntfy from v2.11.0 to v2.17.0 and add ntfy and frigate reference docs.
diff --git a/docs/reference/reference.md b/docs/reference/reference.md
index 9576089..13a773c 100644
--- a/docs/reference/reference.md
+++ b/docs/reference/reference.md
@@ -1,6 +1,6 @@
 ---
 title: Reference
-modified: 2026-02-12
+modified: 2026-02-17
 tags:
   - reference
 ---
@@ -21,6 +21,7 @@ Individual service reference cards with URLs and configuration details.
 | [[caddy]] | Reverse proxy & TLS termination | indri |
 | [[1password]] | Secrets management | cloud + k8s |
 | [[forgejo]] | Git forge & CI/CD | indri |
+| [[frigate]] | Network video recorder | k8s |
 | [[grafana]] | Dashboards & visualization | k8s |
 | [[immich]] | Photo management | k8s |
 | [[jellyfin]] | Media server | indri |
@@ -28,6 +29,7 @@ Individual service reference cards with URLs and configuration details.
 | [[loki]] | Log aggregation | k8s |
 | [[miniflux]] | RSS feed reader | k8s |
 | [[navidrome]] | Music streaming | k8s |
+| [[ntfy]] | Push notifications | k8s |
 | [[postgresql]] | Database cluster | k8s |
 | [[prometheus]] | Metrics collection | k8s |
 | [[teslamate]] | Tesla data logger | k8s |
diff --git a/docs/reference/services/frigate.md b/docs/reference/services/frigate.md
new file mode 100644
index 0000000..27d4d09
--- /dev/null
+++ b/docs/reference/services/frigate.md
@@ -0,0 +1,80 @@
+---
+title: Frigate
+modified: 2026-02-17
+tags:
+  - service
+  - surveillance
+---
+
+# Frigate
+
+Open-source network video recorder (NVR) with object detection. Runs cloud-free with all video stored locally on [[sifaka]].
+
+## Quick Reference
+
+| Property | Value |
+|----------|-------|
+| **URL** | https://nvr.ops.eblu.me |
+| **Tailscale URL** | https://nvr.tail8d86e.ts.net |
+| **Namespace** | `frigate` |
+| **Image** | `ghcr.io/blakeblackshear/frigate:0.16.4-standard-arm64` |
+| **Upstream** | https://github.com/blakeblackshear/frigate |
+| **Manifests** | `argocd/manifests/frigate/` |
+
+## Architecture
+
+```
+ReoLink Camera (GableCam)
+    │ RTSP
+    ▼
+Frigate pod
+    ├── go2rtc        — RTSP restream proxy
+    ├── FFmpeg         — stream decoding
+    ├── ONNX detector  — object detection (YOLO-NAS-s, CPU)
+    ├── /media/frigate — NFS recordings (sifaka)
+    └── /db            — SQLite (local PVC)
+        │
+        └──→ MQTT (Mosquitto) → frigate-notify → ntfy → mobile
+```
+
+## Cameras
+
+| Camera | IP | Location | Objects Tracked |
+|--------|----|----------|-----------------|
+| GableCam | `192.168.1.159` | Front gable | person, car, dog, cat, bird |
+
+Camera credentials are stored in 1Password and synced via [[external-secrets]] to the `frigate-camera` Secret.
+
+## Detection
+
+Object detection uses ONNX with a YOLO-NAS-s model running on CPU (ARM64). The model file lives on the NFS recordings volume at `/media/frigate/models/yolo_nas_s.onnx`.
+
+A `driveway_entrance` zone is configured for alert filtering — only detections in this zone trigger review alerts.
+
+## Retention
+
+| Type | Duration | Mode |
+|------|----------|------|
+| Continuous recording | 3 days | all |
+| Alert clips | 30 days | active objects |
+| Detection clips | 14 days | motion |
+| Snapshots | 14 days | — |
+
+## Storage
+
+| Mount | Backend | Size |
+|-------|---------|------|
+| `/media/frigate` | NFS PV on [[sifaka]] (`/volume1/frigate`) | 2 Ti |
+| `/db` | Local PVC (`frigate-database`) | SQLite |
+| `/dev/shm` | Memory-backed `emptyDir` | 256 Mi |
+
+## Alerting (frigate-notify)
+
+A separate **frigate-notify** pod (`ghcr.io/0x2142/frigate-notify:v0.3.5`) subscribes to Frigate's MQTT events via Mosquitto and pushes alerts to [[ntfy]] on the `frigate-alerts` topic. Alert messages include action buttons linking back to the Frigate review UI.
+
+## Related
+
+- [[ntfy]] - Push notification delivery
+- [[sifaka]] - NAS storage for recordings
+- [[observability]] - Prometheus metrics at `/api/metrics`
+- [[operationalize-reolink-camera]] - Original deployment plan
diff --git a/docs/reference/services/ntfy.md b/docs/reference/services/ntfy.md
new file mode 100644
index 0000000..0504559
--- /dev/null
+++ b/docs/reference/services/ntfy.md
@@ -0,0 +1,63 @@
+---
+title: Ntfy
+modified: 2026-02-17
+tags:
+  - service
+  - notifications
+---
+
+# Ntfy
+
+Self-hosted push notification service. Ntfy receives HTTP POST messages and delivers them to subscribed clients (mobile apps, web UI, CLI).
+
+## Quick Reference
+
+| Property | Value |
+|----------|-------|
+| **URL** | https://ntfy.ops.eblu.me |
+| **Tailscale URL** | https://ntfy.tail8d86e.ts.net |
+| **Namespace** | `ntfy` |
+| **Image** | `binwiederhier/ntfy:v2.17.0` |
+| **Upstream** | https://github.com/binwiederhier/ntfy |
+| **Manifests** | `argocd/manifests/ntfy/` |
+
+## Architecture
+
+Ntfy runs as a single pod with no persistent storage — message cache and attachments use an `emptyDir` volume. This is intentional: ntfy is treated as an ephemeral delivery channel, not a message store. Messages lost on pod restart are acceptable.
+
+The upstream relay (`ntfy.sh`) is configured so mobile app clients can receive push notifications via Google FCM / Apple APNs without self-hosting those integrations.
+
+## Producers
+
+Currently the only producer is **frigate-notify**, which publishes camera detection alerts (person, vehicle, animal) from [[frigate|Frigate]] via MQTT to ntfy:
+
+```
+Frigate → MQTT (Mosquitto) → frigate-notify → ntfy → mobile clients
+```
+
+The frigate-notify config points to ntfy's cluster-internal address:
+
+```
+http://ntfy.ntfy.svc.cluster.local:80
+```
+
+Other services could publish to ntfy in the future — any HTTP client can POST to a topic.
+
+## Configuration
+
+Server config is in a ConfigMap (`ntfy-config`):
+
+| Setting | Value |
+|---------|-------|
+| `base-url` | `https://ntfy.ops.eblu.me` |
+| `upstream-base-url` | `https://ntfy.sh` |
+| `attachment-total-size-limit` | 1 GB |
+| `attachment-file-size-limit` | 10 MB |
+| `attachment-expiry-duration` | 24h |
+
+No authentication is configured — access is restricted by Tailscale ACLs (only tailnet clients can reach the service).
+
+## Related
+
+- [[routing]] - How ntfy is exposed via Caddy
+- [[observability]] - Monitoring and alerting infrastructure
diff --git a/service-versions.yaml b/service-versions.yaml
index 086379c..29530c2 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -40,8 +40,8 @@ services:
 
   - name: ntfy
     type: argocd
-    last-reviewed: null
-    current-version: null
+    last-reviewed: 2026-02-17
+    current-version: "v2.17.0"
     upstream-source: https://github.com/binwiederhier/ntfy/releases
 
   - name: homepage