Add ntfy

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

hosts/jupiter/configs/wireguard/default.nix

@@ -36,13 +36,9 @@ in
         privateKeyFile = config.sops.secrets."wireguard".path;
         table = "wireguard";
 
-        postSetup = [
+        postSetup = [ "${ip} rule add from ${jupiterPublicIPv4} table ${table}" ];
-          "${ip} rule add from ${jupiterPublicIPv4} table ${table}"
-        ];
 
-        postShutdown = [
+        postShutdown = [ "${ip} rule del from ${jupiterPublicIPv4} table ${table}" ];
-          "${ip} rule del from ${jupiterPublicIPv4} table ${table}"
-        ];
 
         peers = [
           {

hosts/jupiter/users/storm/configs/console/podman/default.nix

@@ -8,6 +8,7 @@ let
 in
 {
   imports = [
+    (import ./ntfy { inherit user home; })
     (import ./traefik { inherit user home; })
     (import ./whoami { inherit user home; })
   ];

hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix

@@ -0,0 +1,128 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ config, pkgs, ... }:
+let
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) volumes networks;
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "ntfy/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "ntfy/webPush/publicKey".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "ntfy/webPush/privateKey".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "ntfy/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml;
+      };
+
+      templates = {
+        "ntfy-server.yml".content =
+          let
+            dbStartupQueries = ''
+              pragma journal_mode = WAL;
+              pragma synchronous = normal;
+              pragma temp_store = memory;
+              vacuum;
+            '';
+          in
+          builtins.readFile (
+            (pkgs.formats.yaml { }).generate "server.yml" {
+              base-url = "https://ntfy.karaolidis.com";
+
+              cache-file = "/var/lib/ntfy/cache.db";
+              cache-duration = "48h";
+              cache-startup-queries = dbStartupQueries;
+
+              auth-file = "/var/lib/ntfy/auth.db";
+              auth-default-access = "deny-all";
+              auth-startup-queries = dbStartupQueries;
+
+              behind-proxy = true;
+
+              attachment-cache-dir = "/var/lib/ntfy/attachments";
+              attachment-total-size-limit = "50G";
+              attachment-file-size-limit = "1G";
+              attachment-expiry-duration = "14d";
+
+              smtp-sender-addr = "smtp.protonmail.ch:587";
+              smtp-sender-from = "jupiter@karaolidis.com";
+              smtp-sender-user = "jupiter@karaolidis.com";
+              smtp-sender-pass = hmConfig.sops.placeholder."ntfy/smtp";
+
+              web-push-public-key = hmConfig.sops.placeholder."ntfy/webPush/publicKey";
+              web-push-private-key = hmConfig.sops.placeholder."ntfy/webPush/privateKey";
+              web-push-file = "/var/lib/ntfy/webpush.db";
+              web-push-email-address = "jupiter@karaolidis.com";
+              web-push-startup-queries = dbStartupQueries;
+
+              web-root = "";
+
+              enable-signup = false;
+              enable-login = true;
+              enable-reservations = false;
+
+              enable-metrics = true;
+              metrics-listen-http = ":8080";
+            }
+          );
+
+        # FIXME: https://github.com/binwiederhier/ntfy/issues/464
+        "ntfy-init.sh" = {
+          content = ''
+            #!/bin/sh
+
+            PIPE=$(mktemp -u)
+            mkfifo "$PIPE"
+            trap 'rm -f "$PIPE"' EXIT
+
+            ntfy serve > "$PIPE" 2>&1 &
+
+            NTFY_PID=$!
+            grep -q "INFO Listening on :80\[http\]" < "$PIPE"
+            kill "$NTFY_PID"
+            wait "$NTFY_PID" || true
+
+            NTFY_PASSWORD=${hmConfig.sops.placeholder."ntfy/users/karaolidis"} ntfy user add karaolidis || true
+            NTFY_PASSWORD=${hmConfig.sops.placeholder."ntfy/users/karaolidis"} ntfy user change-pass karaolidis
+            ntfy user change-role karaolidis admin
+
+            exec ntfy serve
+          '';
+          mode = "0500";
+        };
+      };
+    };
+
+    virtualisation.quadlet = {
+      volumes.ntfy = { };
+
+      containers.ntfy = {
+        containerConfig = {
+          autoUpdate = "registry";
+          image = "docker.io/binwiederhier/ntfy:latest";
+          networks = [ networks.traefik.ref ];
+          volumes = [
+            "${volumes.ntfy.ref}:/var/lib/ntfy"
+            "${hmConfig.sops.templates."ntfy-server.yml".path}:/etc/ntfy/server.yml:ro"
+            "${hmConfig.sops.templates."ntfy-init.sh".path}:/entrypoint.sh:ro"
+          ];
+          entrypoint = "/entrypoint.sh";
+          labels = [
+            "traefik.enable=true"
+
+            "traefik.http.routers.ntfy-public.rule=Host(`ntfy.karaolidis.com`)"
+            "traefik.http.routers.ntfy-public.entrypoints=websecure"
+            "traefik.http.routers.ntfy-public.tls.certresolver=letsencrypt"
+
+            "traefik.http.routers.ntfy-local.rule=Host(`ntfy.karaolidis.local`)"
+            "traefik.http.routers.ntfy-local.entrypoints=websecure"
+          ];
+        };
+
+        unitConfig.After = [ "sops-nix.service" ];
+      };
+    };
+  };
+}

hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix

@@ -67,9 +67,7 @@ in
           ];
           networks = [ networks.traefik.ref ];
           # TODO: Remove
-          publishPorts = [
+          publishPorts = [ "0.0.0.0:8080:8080" ];
-            "0.0.0.0:8080:8080"
-          ];
           volumes = [
             "/run/user/${
               builtins.toString config.users.users.${user}.uid