ntfy

configuration.nix

@@ -52,6 +52,8 @@
     ./services/ssh.nix
 
     ./services/syncthing.nix
+
+    ./services/ntfy.nix
   ];
 
   services.kmscon.enable = true;

flake.nix

@@ -122,6 +122,7 @@
           matrix_federation = 8448;
           coturn = 3478;
           coturn_tls = 5349;
+          ntfy = 2586;
         };
 
         https = {
@@ -177,6 +178,10 @@
           domain = "matrix.${https.domain}";
         };
 
+        ntfy = {
+          domain = "ntfy.${https.domain}";
+        };
+
         syncthing = {
           dataDir = services_dir + "/syncthing";
           signalBackupDir = "/${zpool_ssds}/bak/signal";

services/ntfy.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  service_configs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "ntfy-sh" service_configs.zpool_ssds [
+      "/var/lib/ntfy-sh"
+    ])
+  ];
+
+  services.ntfy-sh = {
+    enable = true;
+
+    settings = {
+      base-url = "https://${service_configs.ntfy.domain}";
+      listen-http = "127.0.0.1:${builtins.toString service_configs.ports.ntfy}";
+      behind-proxy = true;
+      auth-default-access = "deny-all";
+    };
+  };
+
+  services.caddy.virtualHosts."${service_configs.ntfy.domain}".extraConfig = ''
+    reverse_proxy :${builtins.toString service_configs.ports.ntfy}
+  '';
+
+  systemd.tmpfiles.rules = [
+    "Z /var/lib/ntfy-sh 0700 ${config.services.ntfy-sh.user} ${config.services.ntfy-sh.group}"
+  ];
+}