feat(ntfy-sh): Self-host ntfy-sh

configuration/services/ntfy-sh/default.nix

@@ -0,0 +1,189 @@
+{
+  pkgs,
+  config,
+  flake-inputs,
+  ...
+}:
+let
+  domain = "ntfy.${config.services.nginx.domain}";
+in
+{
+  imports = [ ./downstream-module.nix ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  services.ntfy-sh = {
+    enable = true;
+    package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.ntfy-sh;
+
+    environmentFile = config.sops.secrets."ntfy/users".path;
+
+    settings = {
+      base-url = "https://${domain}";
+      listen-http = "127.0.0.1:2586";
+      behind-proxy = true;
+
+      # Paths
+      attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
+      cache-file = "/var/lib/ntfy-sh/cache-file.db";
+      auth-file = "/var/lib/ntfy-sh/user.db";
+      auth-default-access = "deny-all";
+      auth-access = [ "*:local-*:wo" ];
+
+      # Don't want to host the front-end
+      web-root = "disable";
+    };
+  };
+
+  services.nginx.virtualHosts."ntfy.${config.services.nginx.domain}" = {
+    forceSSL = true;
+    useACMEHost = "tlater.net";
+    enableHSTS = true;
+
+    locations."/" = {
+      proxyWebsockets = true;
+      proxyPass = "http://${config.services.ntfy-sh.settings.listen-http}";
+      extraConfig = ''
+        client_max_body_size 0; # Stream request body to backend
+      '';
+    };
+
+    # Don't allow writing to topics with the local prefix, *including*
+    # webhook writes, since they are set to write-only access from
+    # anyone.
+    locations."/local" = {
+      proxyWebsockets = true;
+      proxyPass = "http://${config.services.ntfy-sh.settings.listen-http}";
+      extraConfig = ''
+        client_max_body_size 0; # Stream request body to backend
+
+        limit_except GET OPTIONS {
+          deny all;
+        }
+
+        location ~ /trigger$ {
+          deny all;
+        }
+      '';
+    };
+  };
+
+  sops.secrets."ntfy/users" = { };
+
+  serviceTests = {
+    testNtfyConfig = pkgs.testers.runNixOSTest {
+      name = "test-ntfy-config";
+
+      node.specialArgs = { inherit flake-inputs; };
+      nodes = {
+        testHost =
+          { lib, ... }:
+          {
+            imports = [
+              ./.
+              ../../nginx
+              ../../../modules/serviceTests/mocks.nix
+            ];
+
+            services.nginx.domain = "testHost";
+
+            # Don't care for testing SSL here
+            services.nginx.virtualHosts."ntfy.testHost" = {
+              forceSSL = lib.mkForce false;
+              enableHSTS = lib.mkForce false;
+            };
+          };
+
+        client =
+          { pkgs, ... }:
+          {
+            environment.systemPackages = [ pkgs.curl ];
+            networking.hosts."192.168.1.2" = [ "ntfy.testHost" ];
+          };
+      };
+
+      testScript = ''
+        import json
+        import time
+        from contextlib import contextmanager
+
+        def read_client_messages():
+            client.wait_for_unit("messages.service")
+            messages = [json.loads(line) for line in client.succeed("cat messages").split()]
+            client.succeed("systemctl stop messages.service")
+            client.succeed("rm messages")
+
+            print(messages)
+
+            return messages
+
+        @contextmanager
+        def client_subscribe(topic: str, timeout: int = 2):
+            systemd_invocation = [
+                "systemd-run",
+                "--unit messages",
+                "--property=Type=oneshot",
+                "--property=SuccessExitStatus=28",
+                "--remain-after-exit",
+                "--setenv=PATH=$PATH",
+                "--same-dir",
+                "--no-block",
+                "/bin/sh -c"
+            ]
+
+            curl = [
+                "curl",
+                "--silent",
+                "--show-error",
+                f"--max-time {timeout}",
+                "-u tlater:insecure",
+                f"http://ntfy.testHost/{topic}/json",
+                "> messages"
+            ]
+
+            client.succeed(f'{" ".join(systemd_invocation)} "{" ".join(curl)}"')
+
+            # Give some slack so the host doesn't send messages before
+            # we're listening
+            time.sleep(1)
+
+            yield
+
+
+        start_all()
+        testHost.wait_for_unit("ntfy-sh.service")
+        client.wait_until_succeeds("curl http://ntfy.testHost")
+
+        with subtest("subscribing and writing to local topics works"):
+            with client_subscribe("local-test"):
+                testHost.succeed("curl --fail --silent --show-error --data test http://127.0.0.1:2586/local-test")
+
+            messages = read_client_messages()
+            t.assertEqual(len(messages), 2)
+            t.assertEqual(messages[1].get("message"), "test")
+
+        with subtest("writing to non-local topics without auth fails"):
+            testHost.fail("curl --fail --silent --show-error --data test http://127.0.0.1:2586/test")
+
+        with subtest("writing to *any* topics from outside localhost fails"):
+            client.fail("curl --fail --silent --show-error --data test http://ntfy.testHost/test")
+            client.fail("curl --fail --silent --show-error --data test http://ntfy.testHost/local-test")
+            # GET requests work by default because websocket shenanigans
+            client.fail("curl --fail --silent --show-error http://ntfy.testHost/local-test/trigger?message=test")
+
+        with subtest("authenticated messaging works from outside localhost"):
+            with client_subscribe("test", 10):
+                client.succeed("curl -u tlater:insecure --fail --silent --show-error --data test http://ntfy.testHost/test")
+                client.succeed("curl -u tlater:insecure --fail --silent --show-error http://ntfy.testHost/test/trigger?message=test2")
+
+            messages = read_client_messages()
+            t.assertEqual(len(messages), 3)
+            t.assertEqual(messages[1].get("message"), "test")
+            t.assertEqual(messages[2].get("message"), "test2")
+      '';
+    };
+  };
+}

configuration/services/ntfy-sh/downstream-module.nix

@@ -0,0 +1,70 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.services.ntfy-sh;
+  settingsFormat = pkgs.formats.yaml { };
+  configFile = settingsFormat.generate "server.yml" cfg.settings;
+in
+{
+  # We don't use the upstream module because it's stupid; the author
+  # doesn't seem to understand `DynamicUser` (or at least be unaware of
+  # systemd credentials).
+  disabledModules = [ "services/misc/ntfy-sh.nix" ];
+
+  options.services.ntfy-sh = {
+    enable = lib.mkEnableOption "[ntfy-sh](https://ntfy.sh), a push notification service";
+    package = lib.mkPackageOption pkgs "ntfy-sh" { };
+    environmentFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = ''
+        Environment file; intended to be used for user provisioning.
+      '';
+    };
+
+    settings = lib.mkOption {
+      inherit (settingsFormat) type;
+      default = { };
+      description = ''
+        Configuration for ntfy.sh, supported values are [here](https://ntfy.sh/docs/config/#config-options).
+      '';
+    };
+  };
+
+  config.systemd.services.ntfy-sh = {
+    description = "Push notifications server";
+
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+
+    serviceConfig = {
+      Type = "exec";
+      ExecReload = "kill --signal HUP $MAINPID";
+      ExecStart = "${lib.getExe' cfg.package "ntfy"} serve -c ${configFile}";
+
+      EnvironmentFile = cfg.environmentFile;
+
+      StateDirectory = "ntfy-sh";
+
+      DynamicUser = true;
+      PrivateTmp = true;
+      NoNewPrivileges = true;
+      ProtectSystem = "full";
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      PrivateDevices = true;
+      RestrictSUIDSGID = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      MemoryDenyWriteExecute = true;
+      # Upstream Recommandation
+      LimitNOFILE = 20500;
+    };
+  };
+}