nixos-config/nixos/profiles/services/ntfy/default.nix

{
  config,
  lib,
  mylib,
  data,
  ...
}:
{
  sops.secrets."cloudflare_origin_ntfy_private_key" = {
    opentofu = {
      enable = true;
    };
    restartUnits = [ "caddy.service" ];
  };

  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.rebmit.workers.moe";
      listen-http = "127.0.0.1:${toString config.networking.ports.ntfy}";
      auth-default-access = "deny-all";
      behind-proxy = true;
    };
  };

  systemd.services.ntfy-sh.serviceConfig = mylib.misc.serviceHardened // {
    AmbientCapabilities = lib.mkForce [ "" ];
    CapabilityBoundingSet = lib.mkForce [ "" ];
    DynamicUser = lib.mkForce false;
  };

  systemd.services.caddy.serviceConfig = {
    LoadCredential = [
      "cloudflare_aop_ntfy_ca_cert:${builtins.toFile "cloudflare_aop_ca_certificate" data.cloudflare_aop_ca_certificate}"
      "cloudflare_origin_ntfy_cert:${builtins.toFile "cloudflare_origin_ntfy_certificate" data.cloudflare_origin_ntfy_certificate}"
      "cloudflare_origin_ntfy_key:${config.sops.secrets."cloudflare_origin_ntfy_private_key".path}"
    ];
  };

  services.caddy.virtualHosts."ntfy.rebmit.workers.moe" =
    let
      credentialPath = "/run/credentials/caddy.service";
    in
    {
      extraConfig = ''
        tls ${credentialPath}/cloudflare_origin_ntfy_cert ${credentialPath}/cloudflare_origin_ntfy_key {
          client_auth {
            mode require_and_verify
            trust_pool file ${credentialPath}/cloudflare_aop_ntfy_ca_cert
          }
        }
        reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
      '';
    };

  services.restic.backups.b2.paths = [ "/var/lib/ntfy-sh" ];
}
services/ntfy: init 2024-12-15 01:20:55 +08:00			`{`
			`config,`
			`lib,`
			`mylib,`
infra: init authenticated origin pulls for ntfy 2024-12-22 02:49:43 +08:00			`data,`
services/ntfy: init 2024-12-15 01:20:55 +08:00			`...`
			`}:`
			`{`
infra: init authenticated origin pulls for ntfy 2024-12-22 02:49:43 +08:00			`sops.secrets."cloudflare_origin_ntfy_private_key" = {`
			`opentofu = {`
			`enable = true;`
			`};`
			`restartUnits = [ "caddy.service" ];`
			`};`

services/ntfy: init 2024-12-15 01:20:55 +08:00			`services.ntfy-sh = {`
			`enable = true;`
			`settings = {`
infra: init authenticated origin pulls for ntfy 2024-12-22 02:49:43 +08:00			`base-url = "https://ntfy.rebmit.workers.moe";`
services/keycloak: init 2024-12-15 02:52:27 +08:00			`listen-http = "127.0.0.1:${toString config.networking.ports.ntfy}";`
services/ntfy: init 2024-12-15 01:20:55 +08:00			`auth-default-access = "deny-all";`
			`behind-proxy = true;`
			`};`
			`};`

			`systemd.services.ntfy-sh.serviceConfig = mylib.misc.serviceHardened // {`
services/mail: hardening postfix and dovecot 2024-12-20 21:41:02 +08:00			`AmbientCapabilities = lib.mkForce [ "" ];`
			`CapabilityBoundingSet = lib.mkForce [ "" ];`
services/ntfy: init 2024-12-15 01:20:55 +08:00			`DynamicUser = lib.mkForce false;`
			`};`

infra: init authenticated origin pulls for ntfy 2024-12-22 02:49:43 +08:00			`systemd.services.caddy.serviceConfig = {`
			`LoadCredential = [`
infra: reverse proxy prometheus with cloudflare 2024-12-22 15:11:34 +08:00			`"cloudflare_aop_ntfy_ca_cert:${builtins.toFile "cloudflare_aop_ca_certificate" data.cloudflare_aop_ca_certificate}"`
infra: init authenticated origin pulls for ntfy 2024-12-22 02:49:43 +08:00			`"cloudflare_origin_ntfy_cert:${builtins.toFile "cloudflare_origin_ntfy_certificate" data.cloudflare_origin_ntfy_certificate}"`
			`"cloudflare_origin_ntfy_key:${config.sops.secrets."cloudflare_origin_ntfy_private_key".path}"`
			`];`
services/ntfy: init 2024-12-15 01:20:55 +08:00			`};`

infra: init authenticated origin pulls for ntfy 2024-12-22 02:49:43 +08:00			`services.caddy.virtualHosts."ntfy.rebmit.workers.moe" =`
			`let`
			`credentialPath = "/run/credentials/caddy.service";`
			`in`
			`{`
			`extraConfig = ''`
			`tls ${credentialPath}/cloudflare_origin_ntfy_cert ${credentialPath}/cloudflare_origin_ntfy_key {`
			`client_auth {`
			`mode require_and_verify`
infra: reverse proxy prometheus with cloudflare 2024-12-22 15:11:34 +08:00			`trust_pool file ${credentialPath}/cloudflare_aop_ntfy_ca_cert`
infra: init authenticated origin pulls for ntfy 2024-12-22 02:49:43 +08:00			`}`
			`}`
			`reverse_proxy ${config.services.ntfy-sh.settings.listen-http}`
			`'';`
			`};`

services/ntfy: init 2024-12-15 01:20:55 +08:00			`services.restic.backups.b2.paths = [ "/var/lib/ntfy-sh" ];`
			`}`