# NixOS module wrapping the ntfy-sh notification server.
#
# ntfy-sh binds to loopback only and is published through the project's nginx
# module as a reverse-proxied virtual host. Access to topics is denied unless
# the ntfy auth database grants it.
{ config, lib, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  # Helper taken from the project's extended `lib`; its definition is not in
  # this file. NOTE(review): presumably an nginx snippet limiting the vhost to
  # internal clients -- confirm against its definition, since it is the only
  # network-level restriction applied to this virtual host here.
  inherit (lib) nginxInternalOnly;

  cfg = config.nixfiles.modules.ntfy;
  svc = config.services.ntfy-sh;

  # State and cache directories created via tmpfiles below.
  serviceDirs = [
    "/var/lib/ntfy"
    "/var/cache/ntfy"
    "/var/cache/ntfy/attachments"
  ];
in
{
  options.nixfiles.modules.ntfy = {
    enable = mkEnableOption "ntfy";

    port = mkOption {
      description = "Port.";
      type = types.port;
      default = 2586;
    };

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = types.str;
      default = "ntfy.${config.networking.domain}";
    };
  };

  config = mkIf cfg.enable {
    services.ntfy-sh = {
      enable = true;
      settings = {
        # Loopback only: the service is reachable solely through nginx.
        listen-http = "127.0.0.1:${toString cfg.port}";
        base-url = "https://${cfg.domain}";

        # ntfy then trusts the proxy-supplied client address header.
        # NOTE(review): relies on the nginx module setting/overwriting that
        # header rather than passing a client-supplied one through -- confirm.
        behind-proxy = true;

        cache-file = "/var/cache/ntfy/cache.db";
        attachment-cache-dir = "/var/cache/ntfy/attachments";

        # No topic access unless an entry in the auth database grants it.
        auth-file = "/var/lib/ntfy/user.db";
        auth-default-access = "deny-all";
      };
    };

    nixfiles.modules.nginx = {
      enable = true;

      # The upstream address follows whatever ntfy-sh is configured to listen
      # on, so the two cannot drift apart.
      upstreams.ntfy.servers.${svc.settings.listen-http} = { };

      virtualHosts.${cfg.domain} = {
        extraConfig = nginxInternalOnly;
        locations."/" = {
          # "ntfy" is the upstream declared above.
          proxyPass = "http://ntfy";
          proxyWebsockets = true;
        };
      };
    };

    # Mode 0700, owned by the service account: the auth database and cached
    # messages/attachments are not readable by other local users.
    systemd.tmpfiles.rules =
      map (dir: "d ${dir} 0700 ${svc.user} ${svc.group} - -") serviceDirs;
  };
}