From d64c02e3da8903ab1fcf03751cf1bdffbc6e9b49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Sun, 25 Feb 2024 19:03:20 +0100
Subject: [PATCH] hosts/kazuki: ntfy init
---
 hosts/kazuki/default.nix | 1 +
 hosts/kazuki/ntfy.nix | 46 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 hosts/kazuki/ntfy.nix
diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
index 15395d1..8995938 100644
--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
@@ -14,6 +14,7 @@
 ./vault.nix
 ./storage.nix
 ./attic.nix
+ ./ntfy.nix
 ];
 nixpkgs.hostPlatform = "aarch64-linux";
diff --git a/hosts/kazuki/ntfy.nix b/hosts/kazuki/ntfy.nix
new file mode 100644
index 0000000..4a08114
--- /dev/null
+++ b/hosts/kazuki/ntfy.nix
@@ -0,0 +1,46 @@
+{config, ...}: {
+ age.secrets.nrab-lol-cf = {
+ file = ../../secrets/nrab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ base-url = "ntfy.nrab.lol";
+ listen-http = "127.0.0.1:9800";
+ behind-proxy = true;
+ upstream-base-url = "https://ntfy.sh";
+ auth-default-access = "deny-all";
+ };
+ };
+
+ users.users.nginx.extraGroups = ["acme"];
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."ntfy.nrab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://ntfy";
+ proxyWebsockets = true;
+ };
+ };
+
+ upstreams.ntfy.servers = {
+ "localhost:9800" = {};
+ };
+ };
+
+ security.acme.certs."ntfy.nrab.lol" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.nrab-lol-cf.path;
+ };
+}
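Review bot: The Cloudflare credential in `age.secrets.nrab-lol-cf` is owned by `config.services.nginx.user`, yet the only consumer visible in hosts/kazuki/ntfy.nix is `security.acme.certs."ntfy.nrab.lol".credentialsFile`, so the internet-facing nginx account can read a DNS API token it never uses. If the ACME unit loads that file as a systemd environment file (which I believe the NixOS module does, but confirm), the `owner` line can be dropped so the secret stays root-only; otherwise `owner = "acme";` is the narrower choice. Separately, `base-url = "ntfy.nrab.lol"` has no scheme, and ntfy expects a full URL there, so `base-url = "https://ntfy.nrab.lol";` is probably what is intended. A short comment above `auth-default-access = "deny-all";` saying that users and ACLs are created out of band would also help, since nothing in the file provisions them.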