phase 2: promote services/, tests/, patches/, lib/, scripts/

services/ntfy/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./ntfy.nix
+    ./ntfy-alerts.nix
+  ];
+}

services/ntfy/ntfy-alerts.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  service_configs,
+  ...
+}:
+lib.mkIf config.services.ntfy-sh.enable {
+  services.ntfyAlerts = {
+    enable = true;
+    serverUrl = "https://${service_configs.ntfy.domain}";
+    topicFile = config.age.secrets.ntfy-alerts-topic.path;
+
+    tokenFile = config.age.secrets.ntfy-alerts-token.path;
+  };
+}

services/ntfy/ntfy.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  service_configs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "ntfy-sh" service_configs.zpool_ssds [
+      "/var/lib/private/ntfy-sh"
+    ])
+    (lib.serviceFilePerms "ntfy-sh" [
+      "Z /var/lib/private/ntfy-sh 0700 ${config.services.ntfy-sh.user} ${config.services.ntfy-sh.group}"
+    ])
+    (lib.mkCaddyReverseProxy {
+      domain = service_configs.ntfy.domain;
+      port = service_configs.ports.private.ntfy.port;
+    })
+  ];
+
+  services.ntfy-sh = {
+    enable = true;
+
+    settings = {
+      base-url = "https://${service_configs.ntfy.domain}";
+      listen-http = "127.0.0.1:${builtins.toString service_configs.ports.private.ntfy.port}";
+      behind-proxy = true;
+      auth-default-access = "deny-all";
+      enable-login = true;
+      enable-signup = false;
+    };
+  };
+
+}