{ config, lib, this, ... }: with lib; let cfg = config.nixfiles.modules.ntfy; in { options.nixfiles.modules.ntfy = { enable = mkEnableOption "ntfy"; port = mkOption { description = "Port."; type = types.port; default = 2586; }; domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; str; default = "ntfy.${config.networking.domain}"; }; prometheus = { enable = mkEnableOption "Prometheus exporter." // {default = true;}; address = mkOption { description = "Address."; type = with types; str; default = this.wireguard.ipv4.address; }; port = mkOption { description = "Port."; type = with types; port; default = 9289; }; }; }; config = mkIf cfg.enable { ark.files = [config.services.ntfy-sh.settings.auth-file]; nixfiles.modules.nginx = { enable = true; upstreams.ntfy.servers.${config.services.ntfy-sh.settings.listen-http} = {}; virtualHosts.${cfg.domain} = { locations = { "/" = { proxyPass = "http://ntfy"; proxyWebsockets = true; }; "/metrics".extraConfig = '' deny all; ''; }; extraConfig = nginxInternalOnly; }; }; services.ntfy-sh = { enable = true; settings = { listen-http = "127.0.0.1:${toString cfg.port}"; base-url = "https://${cfg.domain}"; cache-file = "/var/cache/ntfy/cache.db"; behind-proxy = true; attachment-cache-dir = "/var/cache/ntfy/attachments"; auth-file = "/var/lib/ntfy/user.db"; enable-metrics = cfg.prometheus.enable; metrics-listen-http = with cfg.prometheus; optionalString cfg.prometheus.enable "${address}:${toString port}"; }; }; systemd.tmpfiles.rules = with config.services.ntfy-sh; [ "d /var/lib/ntfy 0700 ${user} ${group} - -" "d /var/cache/ntfy 0700 ${user} ${group} - -" "d /var/cache/ntfy/attachments 0700 ${user} ${group} - -" ]; }; }