diff --git a/configuration/services/ntfy-sh/default.nix b/configuration/services/ntfy-sh/default.nix
index 1ed5c3d..acce04d 100644
--- a/configuration/services/ntfy-sh/default.nix
+++ b/configuration/services/ntfy-sh/default.nix
@@ -48,7 +48,6 @@ in
       proxyPass = "http://${config.services.ntfy-sh.settings.listen-http}";
       extraConfig = ''
         client_max_body_size 0; # Stream request body to backend
-        add_header Access-Control-Allow-Origin https://ntfy.sh;
       '';
     };
 
@@ -62,7 +61,6 @@ in
       proxyPass = "http://${config.services.ntfy-sh.settings.listen-http}";
       extraConfig = ''
         client_max_body_size 0; # Stream request body to backend
-        add_header Access-Control-Allow-Origin https://ntfy.sh;
 
         limit_except GET {
           deny all;
diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix
index e8daeaf..9ab841d 100644
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@@ -32,6 +32,7 @@ in
       Type = "exec";
       LoadCredential = "ntfy-topic:/run/secrets/tlaternet/ntfy-topic";
 
+      NotifyAccess = "main";
       DynamicUser = true;
       ProtectHome = true; # Override the default (read-only)
       PrivateDevices = true;
diff --git a/pkgs/packages/webserver/Cargo.lock b/pkgs/packages/webserver/Cargo.lock
index a6db6ec..fbf02ae 100644
--- a/pkgs/packages/webserver/Cargo.lock
+++ b/pkgs/packages/webserver/Cargo.lock
@@ -2139,6 +2139,15 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
+[[package]]
+name = "sd-notify"
+version = "0.4.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b943eadf71d8b69e661330cb0e2656e31040acf21ee7708e2c238a0ec6af2bf4"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "security-framework"
 version = "2.11.1"
@@ -2601,6 +2610,7 @@ dependencies = [
  "leptos_router",
  "markdown_view_leptos",
  "reqwest",
+ "sd-notify",
  "serde",
  "thiserror 2.0.17",
  "tokio",
diff --git a/pkgs/packages/webserver/Cargo.toml b/pkgs/packages/webserver/Cargo.toml
index 6b53991..4fe2685 100644
--- a/pkgs/packages/webserver/Cargo.toml
+++ b/pkgs/packages/webserver/Cargo.toml
@@ -16,6 +16,7 @@ leptos_meta = "0.8.3"
 leptos_router = "0.8.3"
 markdown_view_leptos = "0.1.3"
 reqwest = "0.12.24"
+sd-notify = "0.4.5"
 serde = { version = "1.0.228", features = ["derive"] }
 thiserror = "2.0.17"
 tokio = { version = "1.48.0", features = ["rt-multi-thread"], optional = true }
diff --git a/pkgs/packages/webserver/src/main.rs b/pkgs/packages/webserver/src/main.rs
index a5aac95..de9e099 100644
--- a/pkgs/packages/webserver/src/main.rs
+++ b/pkgs/packages/webserver/src/main.rs
@@ -1,3 +1,5 @@
+use sd_notify;
+
 #[cfg(feature = "ssr")]
 #[tokio::main]
 async fn main() {
@@ -40,6 +42,7 @@ async fn main() {
     // run our app with hyper
     // `axum::Server` is a re-export of `hyper::Server`
     log!("listening on http://{}", &addr);
+    let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]);
     let listener = tokio::net::TcpListener::bind(&addr).await.unwrap();
     axum::serve(listener, app.into_make_service())
         .await