1 { config, lib, pkgs, ... }:
6 cfg = config.services.ntfy-sh;
8 settingsFormat = pkgs.formats.yaml { };
12 options.services.ntfy-sh = {
13 enable = mkEnableOption (mdDoc "[ntfy-sh](https://ntfy.sh), a push notification service");
17 default = pkgs.ntfy-sh;
18 defaultText = literalExpression "pkgs.ntfy-sh";
19 description = mdDoc "The ntfy.sh package to use.";
25 description = lib.mdDoc "User the ntfy-sh server runs under.";
31 description = lib.mdDoc "Primary group of ntfy-sh user.";
35 type = types.submodule { freeformType = settingsFormat.type; };
39 example = literalExpression ''
41 listen-http = ":8080";
45 description = mdDoc ''
46 Configuration for ntfy.sh, supported values are [here](https://ntfy.sh/docs/config/#config-options).
53 configuration = settingsFormat.generate "server.yml" cfg.settings;
56 # to configure access control via the cli
58 etc."ntfy/server.yml".source = configuration;
59 systemPackages = [ cfg.package ];
62 systemd.services.ntfy-sh = {
63 description = "Push notifications server";
65 wantedBy = [ "multi-user.target" ];
66 after = [ "network.target" ];
69 ExecStart = "${cfg.package}/bin/ntfy serve -c ${configuration}";
72 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
74 NoNewPrivileges = true;
75 CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
76 ProtectSystem = "full";
77 ProtectKernelTunables = true;
78 ProtectKernelModules = true;
79 ProtectKernelLogs = true;
80 ProtectControlGroups = true;
81 PrivateDevices = true;
82 RestrictSUIDSGID = true;
83 RestrictNamespaces = true;
84 RestrictRealtime = true;
85 MemoryDenyWriteExecute = true;
89 users.groups = optionalAttrs (cfg.group == "ntfy-sh") {
93 users.users = optionalAttrs (cfg.user == "ntfy-sh") {