From 5566bc36777f864442242e476ffbd2abd7e5cf83 Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Thu, 6 Mar 2025 13:33:37 +0000
Subject: [PATCH] Add ntfy
Signed-off-by: Nikolaos Karaolidis
---
 hosts/jupiter/configs/wireguard/default.nix | 8 +-
 .../storm/configs/console/podman/default.nix | 1 +
 .../configs/console/podman/ntfy/default.nix | 128 ++++++++++++++++++
 .../console/podman/traefik/default.nix | 4 +-
 4 files changed, 132 insertions(+), 9 deletions(-)
 create mode 100644 hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
diff --git a/hosts/jupiter/configs/wireguard/default.nix b/hosts/jupiter/configs/wireguard/default.nix
index 26f548c..450f654 100644
--- a/hosts/jupiter/configs/wireguard/default.nix
+++ b/hosts/jupiter/configs/wireguard/default.nix
@@ -36,13 +36,9 @@ in
 privateKeyFile = config.sops.secrets."wireguard".path;
 table = "wireguard";
- postSetup = [
- "${ip} rule add from ${jupiterPublicIPv4} table ${table}"
- ];
+ postSetup = [ "${ip} rule add from ${jupiterPublicIPv4} table ${table}" ];
- postShutdown = [
- "${ip} rule del from ${jupiterPublicIPv4} table ${table}"
- ];
+ postShutdown = [ "${ip} rule del from ${jupiterPublicIPv4} table ${table}" ];
 peers = [
 {
diff --git a/hosts/jupiter/users/storm/configs/console/podman/default.nix b/hosts/jupiter/users/storm/configs/console/podman/default.nix
index 89a7d4e..cd86598 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -8,6 +8,7 @@ let
 in
 {
 imports = [
+ (import ./ntfy { inherit user home; })
 (import ./traefik { inherit user home; })
 (import ./whoami { inherit user home; })
 ];
diff --git a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
new file mode 100644
index 0000000..a903f59
--- /dev/null
+++ b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
@@ -0,0 +1,128 @@
+{
+ user ? throw "user argument is required",
+ home ? throw "home argument is required",
+}:
+{ config, pkgs, ... }:
+let
+ hmConfig = config.home-manager.users.${user};
+ inherit (hmConfig.virtualisation.quadlet) volumes networks;
+in
+{
+ home-manager.users.${user} = {
+ sops = {
+ secrets = {
+ "ntfy/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "ntfy/webPush/publicKey".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "ntfy/webPush/privateKey".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "ntfy/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml;
+ };
+
+ templates = {
+ "ntfy-server.yml".content =
+ let
+ dbStartupQueries = ''
+ pragma journal_mode = WAL;
+ pragma synchronous = normal;
+ pragma temp_store = memory;
+ vacuum;
+ '';
+ in
+ builtins.readFile (
+ (pkgs.formats.yaml { }).generate "server.yml" {
+ base-url = "https://ntfy.karaolidis.com";
+
+ cache-file = "/var/lib/ntfy/cache.db";
+ cache-duration = "48h";
+ cache-startup-queries = dbStartupQueries;
+
+ auth-file = "/var/lib/ntfy/auth.db";
+ auth-default-access = "deny-all";
+ auth-startup-queries = dbStartupQueries;
+
+ behind-proxy = true;
+
+ attachment-cache-dir = "/var/lib/ntfy/attachments";
+ attachment-total-size-limit = "50G";
+ attachment-file-size-limit = "1G";
+ attachment-expiry-duration = "14d";
+
+ smtp-sender-addr = "smtp.protonmail.ch:587";
+ smtp-sender-from = "jupiter@karaolidis.com";
+ smtp-sender-user = "jupiter@karaolidis.com";
+ smtp-sender-pass = hmConfig.sops.placeholder."ntfy/smtp";
+
+ web-push-public-key = hmConfig.sops.placeholder."ntfy/webPush/publicKey";
+ web-push-private-key = hmConfig.sops.placeholder."ntfy/webPush/privateKey";
+ web-push-file = "/var/lib/ntfy/webpush.db";
+ web-push-email-address = "jupiter@karaolidis.com";
+ web-push-startup-queries = dbStartupQueries;
+
+ web-root = "";
+
+ enable-signup = false;
+ enable-login = true;
+ enable-reservations = false;
+
+ enable-metrics = true;
+ metrics-listen-http = ":8080";
+ }
+ );
+
+ # FIXME: https://github.com/binwiederhier/ntfy/issues/464
+ "ntfy-init.sh" = {
+ content = ''
+ #!/bin/sh
+
+ PIPE=$(mktemp -u)
+ mkfifo "$PIPE"
+ trap 'rm -f "$PIPE"' EXIT
+
+ ntfy serve > "$PIPE" 2>&1 &
+
+ NTFY_PID=$!
+ grep -q "INFO Listening on :80\[http\]" < "$PIPE"
+ kill "$NTFY_PID"
+ wait "$NTFY_PID" || true
+
+ NTFY_PASSWORD=${hmConfig.sops.placeholder."ntfy/users/karaolidis"} ntfy user add karaolidis || true
+ NTFY_PASSWORD=${hmConfig.sops.placeholder."ntfy/users/karaolidis"} ntfy user change-pass karaolidis
+ ntfy user change-role karaolidis admin
+
+ exec ntfy serve
+ '';
+ mode = "0500";
+ };
+ };
+ };
+
+ virtualisation.quadlet = {
+ volumes.ntfy = { };
+
+ containers.ntfy = {
+ containerConfig = {
+ autoUpdate = "registry";
+ image = "docker.io/binwiederhier/ntfy:latest";
+ networks = [ networks.traefik.ref ];
+ volumes = [
+ "${volumes.ntfy.ref}:/var/lib/ntfy"
+ "${hmConfig.sops.templates."ntfy-server.yml".path}:/etc/ntfy/server.yml:ro"
+ "${hmConfig.sops.templates."ntfy-init.sh".path}:/entrypoint.sh:ro"
+ ];
+ entrypoint = "/entrypoint.sh";
+ labels = [
+ "traefik.enable=true"
+
+ "traefik.http.routers.ntfy-public.rule=Host(`ntfy.karaolidis.com`)"
+ "traefik.http.routers.ntfy-public.entrypoints=websecure"
+ "traefik.http.routers.ntfy-public.tls.certresolver=letsencrypt"
+
+ "traefik.http.routers.ntfy-local.rule=Host(`ntfy.karaolidis.local`)"
+ "traefik.http.routers.ntfy-local.entrypoints=websecure"
+ ];
+ };
+
+ unitConfig.After = [ "sops-nix.service" ];
+ };
+ };
+ };
+}
diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
index d9d0bde..c76df12 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
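Review bot: The `trap 'rm -f "$PIPE"' EXIT` in `ntfy-init.sh` never fires, because the script ends in `exec ntfy serve`, which replaces the shell without running EXIT traps, so the FIFO created from `mktemp -u` is left behind for the container's lifetime; put `rm -f "$PIPE"` directly after `wait "$NTFY_PID" || true` and drop the trap. The `grep -q "INFO Listening on :80\[http\]" < "$PIPE"` wait has no timeout and is silently coupled to ntfy's default `listen-http` and log format, so a later `listen-http` or `log-format` entry in `server.yml` would leave the container blocked before `exec` instead of failing visibly — a comment next to the FIXME such as `# must match ntfy's default listen-http and log-format` would warn the next reader. `enable-metrics = true` with `metrics-listen-http = ":8080"` opens an unauthenticated metrics endpoint on every interface of the container, and membership of the `traefik` network makes it reachable from any other container on that network; nothing in this hunk scrapes it, so either bind it to the scraper's address or record why it is open. `autoUpdate = "registry"` on the unpinned `docker.io/binwiederhier/ntfy:latest` means whatever upstream pushes next is rolled out unattended; a version tag or digest keeps updates deliberate.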
@@ -67,9 +67,7 @@ in
 ];
 networks = [ networks.traefik.ref ];
 # TODO: Remove
- publishPorts = [
- "0.0.0.0:8080:8080"
- ];
+ publishPorts = [ "0.0.0.0:8080:8080" ];
 volumes = [
 "/run/user/${
 builtins.toString config.users.users.${user}.uid