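# NixOS module: ntfy server with deny-by-default access control and an admin
# account whose bcrypt hash is read from an age secret (config.age.secrets)
# when the service starts.
{
  config,
  pkgs,
  lib,
  ...
}:

{
  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.extremist.software";
      # No host part, so ntfy listens on every interface. With behind-proxy
      # set, ntfy takes the client address from the proxy's forwarding header,
      # so this port should be reachable by the reverse proxy only.
      # NOTE(review): confirm the firewall does not expose 2586 directly.
      listen-http = ":2586";
      behind-proxy = true;
      auth-file = "/var/lib/ntfy-sh/user.db";
      # Anything not granted explicitly below is refused.
      auth-default-access = "deny-all";
      enable-login = true;
      auth-access = [
        # Anonymous, publish-only access to topics whose name starts with "up".
        # Presumably for UnifiedPush; verify this exception is intended.
        "*:up*:write-only"
      ];
    };
  };

  # Patch the generated config at runtime to inject the admin bcrypt hash.
  # The hash is read from the age secret at start-up instead of being written
  # into `settings` above.
  systemd.services.ntfy-sh = {
    serviceConfig.RuntimeDirectory = "ntfy-sh";
    # The patched config contains the admin password hash. systemd's default
    # runtime directory mode (0755) would leave it readable by other local
    # accounts unless the unit isolates the directory some other way, so the
    # directory is restricted to the service user explicitly.
    serviceConfig.RuntimeDirectoryMode = "0700";
    serviceConfig.ExecStartPre =
      let
        script = pkgs.writeShellScript "ntfy-patch-config" ''
          # Fail the unit start on any error. Without this the script's exit
          # status is that of the final printf, so a failed cp or an
          # unreadable secret would go unnoticed.
          set -eu

          cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml
          HASH=$(cat "${config.age.secrets.ntfy-admin-hash.path}")
          # An empty secret would produce a malformed admin entry.
          if [ -z "$HASH" ]; then
            echo "ntfy-patch-config: admin hash secret is empty" >&2
            exit 1
          fi
          printf '\nauth-users:\n - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml
        '';
      in
      # The "+" prefix makes systemd run the script with full privileges,
      # ignoring the unit's user and sandboxing settings (presumably needed to
      # read the secret). Keep the script minimal.
      [ "+${script}" ];
    # Start ntfy from the patched copy rather than the generated config.
    serviceConfig.ExecStart = lib.mkForce "${pkgs.ntfy-sh}/bin/ntfy serve --config /run/ntfy-sh/server.yml";
  };
}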