nixos/ntfy-sh: use dynamic user and add defaults

2023-05-31 10:31:21 -04:00 · 2023-05-31 10:31:21 -04:00 · ee1c6053fb
commit ee1c6053fb
parent a88e75b4fd
2 changed files with 18 additions and 3 deletions
--- a/nixos/modules/services/misc/ntfy-sh.nix
+++ b/nixos/modules/services/misc/ntfy-sh.nix
@ -61,8 +61,17 @@ in

      services.ntfy-sh.settings = {
        auth-file = mkDefault "/var/lib/ntfy-sh/user.db";
+        listen-http = mkDefault "127.0.0.1:2586";
+        attachment-cache-dir = mkDefault "/var/lib/ntfy-sh/attachments";
+        cache-file = mkDefault "/var/lib/ntfy-sh/cache-file.db";
      };

+      systemd.tmpfiles.rules = [
+        "f ${cfg.settings.auth-file} 0600 ${cfg.user} ${cfg.group} - -"
+        "d ${cfg.settings.attachment-cache-dir} 0700 ${cfg.user} ${cfg.group} - -"
+        "f ${cfg.settings.cache-file} 0600 ${cfg.user} ${cfg.group} - -"
+      ];
+
      systemd.services.ntfy-sh = {
        description = "Push notifications server";

@ -74,6 +83,7 @@ in
          User = cfg.user;
          StateDirectory = "ntfy-sh";

+          DynamicUser = true;
          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
          PrivateTmp = true;
          NoNewPrivileges = true;
@ -88,6 +98,8 @@ in
          RestrictNamespaces = true;
          RestrictRealtime = true;
          MemoryDenyWriteExecute = true;
+          # Upstream Recommandation
+          LimitNOFILE = 20500;
        };
      };

--- a/nixos/tests/ntfy-sh.nix
+++ b/nixos/tests/ntfy-sh.nix
@ -3,6 +3,7 @@ import ./make-test-python.nix {

  nodes.machine = { ... }: {
    services.ntfy-sh.enable = true;
+    services.ntfy-sh.settings.base-url = "http://localhost:2586";
  };

  testScript = ''
@ -12,12 +13,14 @@ import ./make-test-python.nix {

    machine.wait_for_unit("multi-user.target")

-    machine.wait_for_open_port(80)
+    machine.wait_for_open_port(2586)

-    machine.succeed(f"curl -d '{msg}' localhost:80/test")
+    machine.succeed(f"curl -d '{msg}' localhost:2586/test")

-    notif = json.loads(machine.succeed("curl -s localhost:80/test/json?poll=1"))
+    notif = json.loads(machine.succeed("curl -s localhost:2586/test/json?poll=1"))

    assert msg == notif["message"], "Wrong message"
+
+    machine.succeed("ntfy user list")
  '';
 }