70 lines
1.9 KiB
Nix
70 lines
1.9 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.services.ntfy-sh;
|
|
settingsFormat = pkgs.formats.yaml { };
|
|
configFile = settingsFormat.generate "server.yml" cfg.settings;
|
|
in
|
|
{
|
|
# We don't use the upstream module because it's stupid; the author
|
|
# doesn't seem to understand `DynamicUser` (or at least be unaware of
|
|
# systemd credentials).
|
|
disabledModules = [ "services/misc/ntfy-sh.nix" ];
|
|
|
|
options.services.ntfy-sh = {
|
|
enable = lib.mkEnableOption "[ntfy-sh](https://ntfy.sh), a push notification service";
|
|
package = lib.mkPackageOption pkgs "ntfy-sh" { };
|
|
environmentFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.path;
|
|
default = null;
|
|
description = ''
|
|
Environment file; intended to be used for user provisioning.
|
|
'';
|
|
};
|
|
|
|
settings = lib.mkOption {
|
|
inherit (settingsFormat) type;
|
|
default = { };
|
|
description = ''
|
|
Configuration for ntfy.sh, supported values are [here](https://ntfy.sh/docs/config/#config-options).
|
|
'';
|
|
};
|
|
};
|
|
|
|
config.systemd.services.ntfy-sh = {
|
|
description = "Push notifications server";
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
|
|
serviceConfig = {
|
|
Type = "exec";
|
|
ExecReload = "kill --signal HUP $MAINPID";
|
|
ExecStart = "${lib.getExe' cfg.package "ntfy"} serve -c ${configFile}";
|
|
|
|
EnvironmentFile = cfg.environmentFile;
|
|
|
|
StateDirectory = "ntfy-sh";
|
|
|
|
DynamicUser = true;
|
|
PrivateTmp = true;
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "full";
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
PrivateDevices = true;
|
|
RestrictSUIDSGID = true;
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
MemoryDenyWriteExecute = true;
|
|
# Upstream Recommandation
|
|
LimitNOFILE = 20500;
|
|
};
|
|
};
|
|
}
|