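{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.ntfy-sh;

  # ntfy reads YAML; `settings` is rendered with this format into a store
  # path that is handed to `ntfy serve -c`.
  settingsFormat = pkgs.formats.yaml { };
in

{
  options.services.ntfy-sh = {
    enable = mkEnableOption (mdDoc "[ntfy-sh](https://ntfy.sh), a push notification service");

    package = mkOption {
      type = types.package;
      default = pkgs.ntfy-sh;
      defaultText = literalExpression "pkgs.ntfy-sh";
      description = mdDoc "The ntfy.sh package to use.";
    };

    user = mkOption {
      default = "ntfy-sh";
      type = types.str;
      description = mdDoc "User the ntfy-sh server runs under.";
    };

    group = mkOption {
      default = "ntfy-sh";
      type = types.str;
      description = mdDoc "Primary group of ntfy-sh user.";
    };

    settings = mkOption {
      type = types.submodule { freeformType = settingsFormat.type; };

      default = { };

      example = literalExpression ''
        {
          listen-http = ":8080";
        }
      '';

      description = mdDoc ''
        Configuration for ntfy.sh, supported values are [here](https://ntfy.sh/docs/config/#config-options).

        The generated `server.yml` lives in the Nix store and is linked to
        `/etc/ntfy/server.yml`, so every value here is world-readable; do not
        put credentials or private keys in it.
      '';
    };
  };

  config =
    let
      # Rendered once and referenced from both the unit and /etc, so the CLI
      # and the daemon read the same file.
      configuration = settingsFormat.generate "server.yml" cfg.settings;
    in
    mkIf cfg.enable {
      # to configure access control via the cli
      environment = {
        etc."ntfy/server.yml".source = configuration;
        systemPackages = [ cfg.package ];
      };

      systemd.services.ntfy-sh = {
        description = "Push notifications server";

        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];

        serviceConfig = {
          ExecStart = "${cfg.package}/bin/ntfy serve -c ${configuration}";
          User = cfg.user;
          # Without Group= the `group` option had no effect for a non-default
          # `user`; systemd would fall back to that user's primary group.
          Group = cfg.group;

          # Only needed when listen-http/listen-https bind a privileged port.
          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
          CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
          NoNewPrivileges = true;

          # Kept at "full" rather than "strict": writable paths such as
          # `cache-file` come from `settings` and may point anywhere.
          ProtectSystem = "full";
          ProtectHome = true;
          PrivateTmp = true;
          PrivateDevices = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          ProtectHostname = true;
          ProtectClock = true;
          RestrictSUIDSGID = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          SystemCallArchitectures = "native";
        };
      };

      # Group/user are only created when the defaults are in use; a custom
      # name is expected to be provisioned elsewhere.
      users.groups = optionalAttrs (cfg.group == "ntfy-sh") {
        ntfy-sh = { };
      };

      users.users = optionalAttrs (cfg.user == "ntfy-sh") {
        ntfy-sh = {
          isSystemUser = true;
          group = cfg.group;
        };
      };
    };
}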