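# NixOS module: runs an ntfy server with login enabled and a deny-by-default
# ACL, and provisions one admin account whose bcrypt hash is read from an age
# secret when the service starts instead of being written into the generated
# config.
{ config, pkgs, lib, ... }:
{
  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.extremist.software";
      # NOTE(review): ":2586" listens on every interface. With
      # behind-proxy = true the client address is taken from the proxy's
      # forwarded header, so this port should only be reachable from the
      # reverse proxy (firewall it, or bind to loopback if the proxy is local).
      listen-http = ":2586";
      behind-proxy = true;
      auth-file = "/var/lib/ntfy-sh/user.db";
      # Nothing is readable or writable unless an ACL entry grants it.
      auth-default-access = "deny-all";
      enable-login = true;
      # Anonymous users ("*") may publish to topics matching "up*" but cannot
      # subscribe to them. Presumably for UnifiedPush; confirm that
      # unauthenticated publishing is intended.
      auth-access = [ "*:up*:write-only" ];
    };
  };

  # Patch the generated config at runtime to inject the admin bcrypt hash
  systemd.services.ntfy-sh = {
    serviceConfig.RuntimeDirectory = "ntfy-sh";
    # The patched server.yml below contains the admin password hash. systemd
    # creates runtime directories with mode 0755 by default, so restrict the
    # directory to the service user to keep the hash away from other local
    # accounts.
    serviceConfig.RuntimeDirectoryMode = "0700";
    serviceConfig.ExecStartPre =
      let
        script = pkgs.writeShellScript "ntfy-patch-config" ''
          # Abort the unit start on any failure rather than launching ntfy
          # with a half-written config.
          set -euo pipefail

          cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml
          HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path})

          # An empty secret would produce a malformed "jet::admin" entry.
          if [ -z "$HASH" ]; then
            echo "ntfy-patch-config: admin hash secret is empty" >&2
            exit 1
          fi

          printf '\nauth-users:\n - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml
        '';
      in
      # The "+" prefix makes systemd run the script with full privileges,
      # which lets it read the age secret regardless of the service user.
      [ "+${script}" ];
    # Start ntfy from the patched copy instead of the module's generated config.
    serviceConfig.ExecStart = lib.mkForce "${pkgs.ntfy-sh}/bin/ntfy serve --config /run/ntfy-sh/server.yml";
  };
}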