hosts/kazuki/ntfy: set up users declaratively

2024-02-25 23:02:15 +01:00 · 2024-02-25 23:02:15 +01:00 · f7e385d696
commit f7e385d696
parent 6558fdb739
17 changed files with 122 additions and 59 deletions
--- a/hosts/kazuki/ntfy.nix
+++ b/hosts/kazuki/ntfy.nix
@ -1,14 +1,27 @@
-{ config, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
  age.secrets.nrab-lol-cf = {
    file = ../../secrets/nrab-lol-cf.age;
    owner = config.services.nginx.user;
  };
+  age.secrets.ntfy-niko-pass = {
+    file = ../../secrets/ntfy-niko-pass.age;
+    owner = config.services.ntfy-sh.user;
+  };
+  age.secrets.ntfy-alert-pass = {
+    file = ../../secrets/ntfy-alert-pass.age;
+    owner = config.services.ntfy-sh.user;
+  };

  services.ntfy-sh = {
    enable = true;
    settings = {
-      base-url = "ntfy.nrab.lol";
+      base-url = "https://ntfy.nrab.lol";
      listen-http = "127.0.0.1:9800";
      behind-proxy = true;
      upstream-base-url = "https://ntfy.sh";
@ -16,6 +29,27 @@
    };
  };

+  systemd.services.ntfy-sh.postStart =
+    let
+      ntfy = lib.getExe' config.services.ntfy-sh.package "ntfy";
+      script = pkgs.writeShellScript "ntfy-setup-users.sh" ''
+        ${ntfy} access everyone '*' deny
+
+        if ! ${ntfy} user list | grep -q 'user alert'; then
+          NTFY_PASSWORD="$(cat ${config.age.secrets.ntfy-alert-pass.path})" \
+            ${ntfy} user add alert
+          ${ntfy} access alert '*' write-only
+        fi
+
+        if ! ${ntfy} user list | grep -q 'user niko'; then
+          NTFY_PASSWORD="$(cat ${config.age.secrets.ntfy-niko-pass.path})" \
+            ${ntfy} user add niko
+          ${ntfy} access niko '*' read-only
+        fi
+      '';
+    in
+    toString script;
+
  users.users.nginx.extraGroups = [ "acme" ];
  networking.firewall.allowedTCPPorts = [
    80