From 273704b10f9d0e958f359678d417674eec66d4d1 Mon Sep 17 00:00:00 2001
From: wo2wz <189177184+wo2wz@users.noreply.github.com>
Date: Tue, 7 Oct 2025 22:07:56 -0400
Subject: [PATCH] ntfy: init

---
 modules/nixos/services/homeserver/default.nix |  1 +
 modules/nixos/services/homeserver/ntfy.nix    | 43 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 modules/nixos/services/homeserver/ntfy.nix

diff --git a/modules/nixos/services/homeserver/default.nix b/modules/nixos/services/homeserver/default.nix
index 82a0b09..7f4259e 100755
--- a/modules/nixos/services/homeserver/default.nix
+++ b/modules/nixos/services/homeserver/default.nix
@@ -6,6 +6,7 @@
     ./caddy.nix
     ./cloudflared.nix
     ./nextcloud.nix
+    ./ntfy.nix
     ./restic.nix
     ./sops.nix
     ./uptime-kuma.nix
diff --git a/modules/nixos/services/homeserver/ntfy.nix b/modules/nixos/services/homeserver/ntfy.nix
new file mode 100644
index 0000000..0b6af1c
--- /dev/null
+++ b/modules/nixos/services/homeserver/ntfy.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+
+{
+
+  services.caddy.virtualHosts."ntfy.taild5f7e6.ts.net".extraConfig =
+  assert config.services.caddy.enable;
+  ''
+    import default-settings
+
+    bind tailscale/ntfy
+
+    reverse_proxy localhost:8006
+  '';
+
+  users = {
+    users.ntfy-sh = {
+      isSystemUser = true;
+      group = "ntfy-sh";
+    };
+    groups.ntfy-sh = {};
+  };
+
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      base-url = "https://ntfy.taild5f7e6.ts.net";
+      listen-http = ":8006";
+      behind-proxy = true;
+      proxy-trusted-hosts = "127.0.0.1";
+
+      auth-default-access = "deny-all";
+      enable-login = true;
+      require-login = true;
+      auth-access = [
+        "wo2w:*:rw"
+        "*:*:none"
+      ];
+
+      attachment-file-size-limit = "20G";
+      attachment-total-size-limit = "200G";
+    };
+  };
+}