hosts/kazuki/ntfy: set up users declaratively

2024-02-25 23:02:15 +01:00 · 2024-02-25 23:02:15 +01:00 · f7e385d696
commit f7e385d696
parent 6558fdb739
17 changed files with 122 additions and 59 deletions
--- a/hosts/kazuki/ntfy.nix
+++ b/hosts/kazuki/ntfy.nix
@ -1,14 +1,27 @@
-{ config, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
  age.secrets.nrab-lol-cf = {
    file = ../../secrets/nrab-lol-cf.age;
    owner = config.services.nginx.user;
  };
+  age.secrets.ntfy-niko-pass = {
+    file = ../../secrets/ntfy-niko-pass.age;
+    owner = config.services.ntfy-sh.user;
+  };
+  age.secrets.ntfy-alert-pass = {
+    file = ../../secrets/ntfy-alert-pass.age;
+    owner = config.services.ntfy-sh.user;
+  };

  services.ntfy-sh = {
    enable = true;
    settings = {
-      base-url = "ntfy.nrab.lol";
+      base-url = "https://ntfy.nrab.lol";
      listen-http = "127.0.0.1:9800";
      behind-proxy = true;
      upstream-base-url = "https://ntfy.sh";
@ -16,6 +29,27 @@
    };
  };

+  systemd.services.ntfy-sh.postStart =
+    let
+      ntfy = lib.getExe' config.services.ntfy-sh.package "ntfy";
+      script = pkgs.writeShellScript "ntfy-setup-users.sh" ''
+        ${ntfy} access everyone '*' deny
+
+        if ! ${ntfy} user list | grep -q 'user alert'; then
+          NTFY_PASSWORD="$(cat ${config.age.secrets.ntfy-alert-pass.path})" \
+            ${ntfy} user add alert
+          ${ntfy} access alert '*' write-only
+        fi
+
+        if ! ${ntfy} user list | grep -q 'user niko'; then
+          NTFY_PASSWORD="$(cat ${config.age.secrets.ntfy-niko-pass.path})" \
+            ${ntfy} user add niko
+          ${ntfy} access niko '*' read-only
+        fi
+      '';
+    in
+    toString script;
+
  users.users.nginx.extraGroups = [ "acme" ];
  networking.firewall.allowedTCPPorts = [
    80
--- a/secrets/alert-nrab-lol-pass.age
+++ b/secrets/alert-nrab-lol-pass.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw E/UAAPU36fEbTLcJqSHuXLkT9gM9SKJc69lHYZ6vsxA
-qtW5rBrMVMZlB9QAl1dJQW5wlXL9Xzzb6v0TgsVUH+I
-> ssh-ed25519 GKhvwg LVyoMAJOOeyBUUDvehyKVCMyaECs5f5nFiWFIWVcXlM
-zvoD1iS6LkgcuBwRlq8I7dL0js/881Flutn+aiWk4x8
--- qQutAtaqLW7+tjxs/t34QquhxIg+OZiGTmjGW4okQc8
-œ£0N“G%…*m²Ž]~§°<C2A7>½óŒ›T¹P]CšÓšÃL‹³fŒaãÃ¬‡–To÷T”•ÒEçû¨ž{Ã€ºµX‡´}¬9ª¬_€
ÞåØ	nÏ<6E>|(fé-„ 
+-> ssh-ed25519 84j9mw 4n/zqW5iLJrCV7DkJjWVLqznKo5tCAtS3Ps42D3pGlA
+DikYMkhNvvXqVpuzLbKYrILImwYow6yS9zHHBEQbEi8
+-> ssh-ed25519 GKhvwg ZQmLaXauWbnXb/4/MSbYB5h9usBY02oowXNEkixBgRc
+LEV0jDifVtosFZYVOk5jBrd+koAh/B0uXnYO18HDU4g
+--- Uwt3RGREkK2dHLhhhjz+kGzAL8ik/mA3oPWnEuocXhk
+MÌeÍ5~#ézBØ]îåFâ¿€Ýk¼7Œ5ò%÷·Ã!t|ÝTßëë¾ãÉ–ÑÜù"cüõKÏ8éI<01>áëÁÑniÀè§SÚÏØ™ÉýÉaìÁ¬]ˆºœ¶¬Ó8ï
--- a/secrets/alert-plain-pass.age
+++ b/secrets/alert-plain-pass.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 ioPMHA bzpHiPf01dn6o2RorgjHtJLxEXTdX2vk5gzqeurKYWY
-PCZiMqJOHaVUfTmQAxfSi4R4K9EJv9lRlvzifcZBdlg
-> ssh-ed25519 GKhvwg 9LIgHkI9ai9sG5105/cckINKLZG1ZDLJoK4VseW4+Vo
-cRJkPh2P1qIeLiC8FBMaf3Q0mdcH6KMmhKIZ8AE7oxk
--- ak5uMosvoFn03re13Wvb5izecSpHrrtmJ21YdWAvNs0
-ç¿tû<0C2×QÏ¾äG„(´¥þ$½ÿ”GGwBƒÈç H3±•Â<1A>rK²†’
+-> ssh-ed25519 ioPMHA 631XxPesBw0DC687j0Du8gyvwHuN8DrRMtVVVPJ3kEA
+A0zq6X8YgNVGMUBtpozcwXmy8pVQwtJRpelSPVywJ+Q
+-> ssh-ed25519 GKhvwg NPPNc8ZreWcjYkriM0fn76AoYO5HSFmGY2Dnbhjchlg
+fpchA60ze8fx3ooQlyRk9lapL+m90NLn+p6eKRoyy64
+--- KYS9LOiN9+RIlzyPZ71iqQ0c6I7MptxKzjfZzrEeAhs
+z	[´i‚è_»1x¯ >Ž®ÏG7ì2ÖLžØ!¨K,”™ãê[7ô¦Qì˜ì
--- a/secrets/attic-creds.age
+++ b/secrets/attic-creds.age
--- a/secrets/github-token.age
+++ b/secrets/github-token.age
@ -1,14 +1,14 @@
 age-encryption.org/v1
-> ssh-ed25519 IFuY+w BRVOB+nGZJ/43pUOJBXtYN9x65vGz+PeFBpUta4E7kM
-an/9NC1sk2IzT+YdaPYvGfdn5ZR8eU21/h5OjL4yddE
-> ssh-ed25519 84j9mw ndRBUsTQo3k/MQeQALBWZ8ZV86I+TjXbImDqm/ogMwU
-eTyKCxGOLdq+mVq88cqSn5Y8tPQx3tcOk2B41uCf3KM
-> ssh-ed25519 ioPMHA He7pM+kv7Mix/TsjevaXNnFt+a6uKAHdgqi/crJeIWQ
-0YWZf3na17QYViOVG3D7h7S/jgXWwZrslYHD+uFq3U4
-> ssh-ed25519 5A7peQ lNXbVWvO6oJyvuYZBzJOsgSSCW3jKqKU/FHiVStKfGw
-DckkP45wQ6i6vOqknKKoEYnERzBydM8Mgjt/17bPKc0
-> ssh-ed25519 GKhvwg Y+VUXd0xlQ5FdCb+cWDO8Gb6ATHRpxrnJqsh5FXWnzU
-q/g44328iKsulGNpZXW0FIPL59JBjJLVV8bH+WuNKkg
--- P6ctzFyIxW72c+hxF6UaR3J8bCUHPql0IsNI6TktKxg
-¶
âŒYÐûGl^iÕ½eg÷«öT<t]YaJ|uY>ßÓw‰{äçy—
r&p!vu¬“µ:Vüú=
-CïLj<4C>žž£gáO‡@b
+-> ssh-ed25519 IFuY+w G6FFvEMeBtfhAyS2FxF+uxxd3DlYAGepXDEPR9NdBEA
+ClECByd51Kby8eoJFWbzbVedoH/ouz+BMehRKMVOQqw
+-> ssh-ed25519 84j9mw b4eFV+AZ3ubWWoRGTF6IFOxsoAuBkCTyz5QzsVDsagA
+k+rDZ8aFgDRvqIyWGFiKkYPePBWbMERWGPDYUfwWZTc
+-> ssh-ed25519 ioPMHA W4jTnofv9qZxft/PlGbH9uS+KBgUXL86vB1B2MEO8Cg
+7/ZcbO2YqMCJX9NGuyG4t0+svkGxkE9MaylmpGuIQKQ
+-> ssh-ed25519 5A7peQ 7AzjFajaowcZCLrASPJbYbV+OPSZ8UZyxzy8B0kCqj8
+LNWG6lA5XRp25bBj/OJ6591780BM56tS8Cb85QcbdQw
+-> ssh-ed25519 GKhvwg f5gR3WtCGEk/7XpB6Ah3Ns4TegcTFq8+2JuWCC0pU2U
+tG1C60WknYYWwYe23pxlud1hT9uBEHaVYjF4sX5sTYg
+--- yMoAb6D7Q9IOOR9l3gnQnbxuKoCZI0HR5+PZLGjYmKk
+ßœYbq¸7»(®$²§•¾Q Äá÷|î2û<32>cAó·EÕ¹Ìï?ª·‹o<E280B9>²‘QZßˆ>,î
+q¦W5Aaª–3Žf¬“%F 
--- a/secrets/hercules-cache.age
+++ b/secrets/hercules-cache.age
--- a/secrets/hercules-secrets.age
+++ b/secrets/hercules-secrets.age
@ -1,15 +1,14 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw SzwJ0Fb3oan5QQXr10AEQzdg1Q4LNgUxPpYDftHywwo
-lt+uQHpu9u1wu1UEq3aSJZ++sBpoeX/PhCRqNoZ3vN8
-> ssh-ed25519 ioPMHA OQe9Skg2JjtWT/YnOlOexhxifueYp4sMMCuokxg0NEQ
-g2AaKoA8KBkpl7twrn/CL5YipDZ2vKiHCjF72D0dVYE
-> ssh-ed25519 IFuY+w exr87EhCeLY9Zlrxi10d9K5a2WtLXZYSbxSKUvAJ7ys
-GK9FiOWDtOWBfck0BoWt4GiCPhMysDyiUu2zDcminII
-> ssh-ed25519 5A7peQ FI5uoSKhGYWXnZyA9rcKK5N0x7+8wrHY/pCoYdOCY1g
-JRJc8uz5GgVkHCLdxfQdPFEEaRVHAzL791bYAw4DePM
-> ssh-ed25519 GKhvwg ffDs2wAJAgQt9s2R4v1UAWg5vxC5c+TnfjYJ6RRw53s
-BjF6ExVMjFmdc3WizPsH2XRqdI3vOjz9ffnsLvGeJws
--- hiMPtBqjjdtSDBXaG+ZPlKr3l75B3vS0m98y3yemh4E
-6è
Ú¥®dÐ‘ëXø,/œ`ê>Ì-ÆaÖe ÍÆË`Yƒ¥phz:™ŒVl<56>&kJ{¸UðmM—)ŠÒóÛ»k’tÑ`$+QuëBAÛXE¢IOP~Én)<29>¢hÈáÈÑÁv-/xNÐíkÅ4ÞÂÐp>}ÐÅv0å¹<C3A5>Ök%ÕíôA¶R+³Iò.¯-
-1<EFBFBD>Ñ·>Œ6gÚ3„Vâæ˜<1B>ähÈ0>ÑèŸ'šð‰N8<4E><1B>ÏY62*«ŠÖ‚ÙåµW“Ö™£ÁÖ¯{Š</-
->ÆLI{uì?[&S¶¤jcSáKEœÙ2žkUì~b™5<E284A2>(B3Ûð~ÌT)’ÑA&€ì<E282AC>¸¿yþ^ÎžŒÏé#ùÊÇÚyE9mçd”µâ¤rÍ£Ü£`{®Ý+c
+-> ssh-ed25519 84j9mw vY3nxZWjk7h4F4hZBkp2NJrC9HULrOJ4b9nVcix3LAA
+G9PQPGVI8g61fAFUs8FWKajmPOti5hCgNladdAlo0h0
+-> ssh-ed25519 ioPMHA Y/qWQGVvQhri80M7Ci+CF85VCbKJRVZ1AF3ueQzVTCo
+gcjYjXLqxvnD12wV5zhl9ELvaX987EyBAHL7nuUmdEE
+-> ssh-ed25519 IFuY+w bl9m9HfnL/aGEe0TrjJMChNgFS1Ox2NsffazhmA4ZUU
+p4PqXZGk1pNF6Bdbh504I324OErbiwZgwKI1+bwUCJg
+-> ssh-ed25519 5A7peQ h6kXKa9g0WbUbAExL53Z3KO/8J3q/75ERJqpTj0kGCA
+nSKw2+ehVY9ZAFYLHGNPtykSn7GpYm5hSHWrosZtsAM
+-> ssh-ed25519 GKhvwg KOG4A6BbJdE95hHbUTlSGz+VleTXDzPjmlPGFMtrPls
+/mGzr+PynGrELwJsV+KTupzLfbG+eLisOtwWvOL2ZfY
+--- iioMB0ae1QZccJnjieAjCxIbbj7SPfiMu+G99WjEM/o
+&6µiôTýąŹŤaů#<VëfGZŇ!:Ĺč bÄŘŔ·-ĄE¸)~+z«Ů!}±Äľš˝,ďöĄZŘ4IpúZKĂ<ńĽs˝ˇű07YćśfBňYniŐxď<78>>ÎÔŮţËł}ŮĎpAxc{÷HH<48>ŮîŽńcA-°í–-âë4žŽ˙ŕő§©.Cigŕ0kD>±‚WRˇĐ
+$'~üm<C3BC>dŔJč“JŞ<˝!ě#Ôę”Îm¦PóűĂJCŢT˝<¨—ňŢqZcń6™¨˙Eôä9~î&šCôÓB—jOŕ®O…’ÄÂxşé˛XdžÓłź—ŠěŻ{n«¬Y‚Ú„Ĺe’Öv˝y•SÚ¶·ŽČţ.ź|´8É˝érTĹö ‘Ëş«ÓŻo@«ˇ~
--- a/secrets/hercules-token.age
+++ b/secrets/hercules-token.age
--- a/secrets/leet-nrab-lol-pass.age
+++ b/secrets/leet-nrab-lol-pass.age
--- a/secrets/legion-niko-pass.age
+++ b/secrets/legion-niko-pass.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 ioPMHA pWCwNDvXfVMuPXbMw4cvdz8iztUdPcJZcYBUU6Hfg34
-NW49fnk6FjLMbkDBeXnGylXpdOecHxrFjlkv+4lSde0
-> ssh-ed25519 GKhvwg bqVjtgocY6+SPikUfDOn/7gUmEIsMG7Rq0A0dyxdcn8
-EHbB9KLG3S/skQOKCKtJC4VXL2bz9sO0Lym9uI+hz6c
--- EUFvmoeavLuLPnufqmgtwEPKoK3HEgMhgBKCaD4FDho
-;ÄëõD¸ãÃ9ÃŒ{*X¤˜ùÄ©UfhÓÆy»¦¡C²RØhÚZ~·k¥F‰¡)UP<Dj½+q®
"'éÞµùº¹®„öÝà(b;<3B>4é»¨)>}È–à£ªÊS+"ØlmÉÕKý¾<C3BD>[<5B>H¥
+-> ssh-ed25519 ioPMHA jkLofh/bWIQ2C6GuMO2rj3txFSZqbygxmw2Wqf6BRnI
+cEN5l7MtRup7CrcvErWqQkjoswJhHVSwLYHlwbVHHGU
+-> ssh-ed25519 GKhvwg sLzHoAm6XHQnOdZLNkjyMgNcV1LCzH5JoYprzu0bgEs
+uDrJR546WgW8PBoKRg+hZYzNwRtwUErT6jWFj9pDHlo
+--- N8Tmhynh1k7quJdAgqNPnsa7tjkt/Ev5LrdhojbiM9E
+¤´A hWÜÍó”€Â+¯Xå²†G•*Ó<>ŸLŠ¢¶Možµ¥U+mÌ/%zP¨õ¦¾.ûœo¤î‰ö%þmcŠU;¹~[¤gáÏ°5ï82O¨-\ L•°ÿ2MX£JÃ2nÏfÎôþ?O
--- a/secrets/nrab-lol-cf.age
+++ b/secrets/nrab-lol-cf.age
@ -1,7 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw meAuaVxNefi92UFGVqX2tKHu5XSIWDykpmiM7zjtMlM
-wcI5WePiDt9IuC9RH06PH30Sn7wbkDDk9ZEt/iQkeTA
-> ssh-ed25519 GKhvwg 6AcyxHMd2g99rdhd/s4e95LU7PtMesyD2kd7Rt6u3yg
-KXPAV17yyq94pTJdmNGVowO6DVoDLhC9UlCyAmSk59I
--- mR8BQg3dMF2IqUqDmrWIvD7hOfTeJYCpR5QlPXNcgzM
-bŒqI¼£l	_ïAˆ<41>;‘ÆÚ~<7E>O<C2AD>4„noÝ³*;“[<;{í<>Ì›¥·Žð-Z`°*ÿò!ív<C3AD>†îÒmx£-VÍÉôl¬ÐÔ«]|¥%%¡ºxŠžš;5
+-> ssh-ed25519 84j9mw J8KF1LlgpFaq/LBh5/4H+RZ6et86bdDFOvi8+kpZXRA
+gs3mQE2r0uizPXVhiOv93DpIWFkQ8KkmNqEZ71p8KFk
+-> ssh-ed25519 GKhvwg xh1ZHY499FomptXCxj5a1NO3j0KtIKXpsYZFF5erXik
+bmDBVcJLUzrDPEGzZO0kVgXDaWXbm5RpyCq8/A+Zk4I
+--- TIKd5u8wRwrMAeDIkm9sIzeW2m+jXuzBewAVd5w5iqk
+<EFBFBD>Èâ1I¥È4œçqÓÔ™?b¡oUÔÇ2ùÙ<C3B9>eC:Ôû«PšÃî±žè›
+‡ªL#ÐYž+°R…,<2C>ö·CbŸö‡X„EuRD i,Ø1ÀÀoùZìx&
--- a/secrets/ntfy-alert-pass.age
+++ b/secrets/ntfy-alert-pass.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 H0Rg/A JBVUqzrPx6XwOHdMl5Qp/doUyJUwchW/GeXu50f24Fo
+ISVMQtq9mpkRshvwamwmWwYeyKZFgtyWtw+IiaQYuB4
+-> ssh-ed25519 84j9mw XiH+tWfMOZQFJmS0QyQxOe9VjTaMo9kvU3rDSu4kdyM
+dZ5P8ndFUR2yU5J8D1m3eaGQd1CVzNKtT4VowXdFtrQ
+-> ssh-ed25519 5A7peQ UytC66TWuyHd5TepfV6EIvYuyUXKXoFBctYB8cfgU1M
+sWIqvAqUJvN0J+Je3WBFFYRAff2+CexAagd4+VR37Yw
+-> ssh-ed25519 ioPMHA 7QcH5Wyljwhoj0jLMQz977gFggfehG7f2ugmnfX+tCI
+Dfe6BwfLoDRmfV8O5COBMqBYWaanC2I32OU3+ldaKig
+-> ssh-ed25519 g2vRWw 1pnce+XKob7qrB0ufkdZvHucvk9NiXATRUmczvNGMhA
+zf0ak4p+qYCtsdnWZwHtTnfjn75WPzdc+hEHk7H0exw
+-> ssh-ed25519 IFuY+w 6ujRC18VThMj4ocX3loqq2DISxS68aVu9T2w7kiKhhw
+j8ZgoMH0DIS21bDeLdRPeCRO01hX+MAv6YYpvNMLkFk
+-> ssh-ed25519 GKhvwg O+JfpLfrxaIl8PL+StLA8hb2fADlgUTOn0lujlu4k2M
+YZ03palVRAtSvldZQatrl45EvuIIkdd45IZZKjZO7js
+--- 40DpLeXN4B2bpTfcakCZ8CdUzOGREmAba4atOzsyGiM
+f_õE®šòd>÷"ežyÃLšþ¥{šlnÆÆüæÙ5W3·-IÿÒÏBƒO7}9'î#=Uü˜‘áA5±))¸
--- a/secrets/ntfy-niko-pass.age
+++ b/secrets/ntfy-niko-pass.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw 9fO0Uss0X8+FmibHo84aRYKDB+Mavp9X2Cg9lqGTixc
+SnOdbe+GzL01jJ4rSSh+4Xb/CIJ/23bb0/+D686TnTU
+-> ssh-ed25519 GKhvwg u3V5o3Mtk5YiwzETseVfBYlPT29HS1mwheCUCyJUh2M
+jko5Sdf+4E61I5dpjH4bUth60B8BnnOsOcAIdcMzBFw
+--- CO2Ky/1xxfSu/Tb3f0a8ORtCoRkfeh1cDtJiaP/1MDI
+l*[—'ïA™Ùu27¢ý#uè¶¶³IQmå,XC7°|Ùž/Î‰rÿ¾æ-¢<
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -67,4 +67,9 @@ in
    keys.system.kazuki
    keys.other.bootstrap
  ];
+  "ntfy-niko-pass.age".publicKeys = [
+    keys.system.kazuki
+    keys.other.bootstrap
+  ];
+  "ntfy-alert-pass.age".publicKeys = (builtins.attrValues keys.system) ++ [ keys.other.bootstrap ];
 }
--- a/secrets/storage-box-creds.age
+++ b/secrets/storage-box-creds.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw g6s+z6YHbfOvZI7ZDp18eMu5Cjz+BoFXMx51+2lxUFY
-3q/ymTUaBQz1ZzexbPOyfIuqDa6RaXpjECfVo5wfXak
-> ssh-ed25519 GKhvwg F/e+lEu0+0pKBRRrbZJV3Dd2OaKcAwHrQAAtABrezRQ
-LcWXLsWe+izfAkA1CI6l1672SPhaEk4Kp/rHjIQtJCQ
--- YxR7bdc//u/axG37zmoSav5YBwhBqjti1aKLF4l4X2o
-í<EFBFBD>0á¨¾ªÞ©’Ì¢°Ÿÿªè-çA%V2Ÿ1ÅÎz ~š¥Æ˜Ì’Äh’õšfóñ†y<>±·	D¿šŒ™ c="QnC14l§£
+-> ssh-ed25519 84j9mw cEEM1sFBEx0VLeOpToON4hb6d21gJEYMMn/vlHu/wBs
+khAgpAFxFGKBIG2z0f5qqh122KGsrlkt5FM+5daqQcY
+-> ssh-ed25519 GKhvwg Zac7w0M77F9n0QjqEFe/mpyjanhH6YH2fc1UPPapx2o
+6AvDBxnlMZhQ/6inLj7d72k1P0EI43wBniwa5ieTgYk
+--- zEz2LeBNXbH433jUfugEYHVMeEB64yq2/01Xd18tPgg
+€åg„]ººi°7‹±ŽËRñl4åõ÷p	ö¿C&<26>)oÅ^Ê…IsÄi¨:««[É¥7w ŽïyeXàš6$
¢¬åÙ—´°
--- a/secrets/storage-box-webdav.age
+++ b/secrets/storage-box-webdav.age
--- a/secrets/vault-cert-env.age
+++ b/secrets/vault-cert-env.age