diff --git a/nixos/hosts/suwako-vie0/default.nix b/nixos/hosts/suwako-vie0/default.nix
index f64b2ab..d27d46c 100644
--- a/nixos/hosts/suwako-vie0/default.nix
+++ b/nixos/hosts/suwako-vie0/default.nix
@@ -9,6 +9,7 @@ suites.server ++ (with profiles; [ services.caddy + services.ntfy services.postgresql ]) ++ (mylib.path.scanPaths ./. "default.nix");
diff --git a/nixos/modules/networking/ports.nix b/nixos/modules/networking/ports.nix
index 9c97b60..03c8818 100644
--- a/nixos/modules/networking/ports.nix
+++ b/nixos/modules/networking/ports.nix
@@ -16,6 +16,7 @@ in # local ports enthalpy-gost = 3000; + ntfy = 4000; # public ports enthalpy-ipsec = 13000;
diff --git a/nixos/profiles/services/ntfy/default.nix b/nixos/profiles/services/ntfy/default.nix
new file mode 100644
index 0000000..8bfbd7e
--- /dev/null
+++ b/nixos/profiles/services/ntfy/default.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ mylib,
+ ...
+}:
+{
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ base-url = "https://ntfy.rebmit.moe";
+ listen-http = "[::1]:${toString config.networking.ports.ntfy}";
+ auth-default-access = "deny-all";
+ behind-proxy = true;
+ };
+ };
+
+ systemd.services.ntfy-sh.serviceConfig = mylib.misc.serviceHardened // {
+ DynamicUser = lib.mkForce false;
+ };
+
+ services.caddy.virtualHosts."ntfy.rebmit.moe" = {
+ extraConfig = ''
+ reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
+ '';
+ };
+
+ services.restic.backups.b2.paths = [ "/var/lib/ntfy-sh" ];
+}
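Review bot: In nixos/profiles/services/ntfy/default.nix, the `DynamicUser = lib.mkForce false;` override on `systemd.services.ntfy-sh.serviceConfig` relaxes part of the sandboxing without saying why, and nothing in this file sets `User`/`Group`, so the identity the daemon runs under depends on the upstream module and on `mylib.misc.serviceHardened`, neither of which is visible here. I would add a comment on that line stating the reason (for example `# static user so /var/lib/ntfy-sh is a real directory for the restic path below`, if that is the motivation) and confirm with `systemctl show ntfy-sh -p User` that the unit does not fall back to root. Separately, `auth-default-access = "deny-all"` is only enforced by ntfy when an `auth-file` is configured; the NixOS module appears to supply a default for it, but setting `auth-file` explicitly in `settings` would make the deny-all guarantee visible in this profile rather than implied. The backed-up `/var/lib/ntfy-sh` would then also hold the user database, so it is worth noting in a comment that this path carries credentials.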