Modules/Sops: Add ntfy secrets

system/servenix/default.nix

@@ -32,6 +32,7 @@
     ../services/kiwix.nix
     ../services/kopia.nix
     ../services/nextcloud.nix
+    ../services/ntfy.nix
     ../services/nginx-proxy-manager.nix
     ../services/paperless.nix
     # ../services/plex.nix # Their monetization strategy is absolutely atrocious
@@ -110,6 +111,8 @@
       "kopia-server-password"
       "kopia-user-password"
       "paperless-nextcloud-sync-password"
+      "ntfy-auth-users"
+      "ntfy-auth-tokens"
     ];
   };
 

system/services/ntfy.nix

@@ -0,0 +1,79 @@
+{
+  mylib,
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  ntfyVersion = "v2.21";
+in {
+  # If we need to pass secrets to containers we can't use plain env variables.
+  sops.templates."ntfy_secrets.env".content = ''
+    NTFY_AUTH_USERS=${config.sops.placeholder.ntfy-auth-users}
+    NTFY_AUTH_TOKENS=${config.sops.placeholder.ntfy-auth-tokens}
+  '';
+
+  virtualisation.oci-containers.containers = {
+    #     NTFY_AUTH_USERS='admin:$2b$10$13iMkFcSNXcb/DKlUSS03OM25saLd8/hDlKkowFtXYctu2fQBoLJK:admin,christoph:$2b$10$8jgrgBltBXj/Qw0BxBWf1eIfH53VV6wTdlJZEqWBIH3htwEP9PKgq:user'
+    #     NTFY_AUTH_TOKENS="christoph:tk_rx8fd6hojuz4ekcb72j7juugkbmga:FAIL*-Notif"
+
+    #     NTFY_BASE_URL="https://ntfy.vps.chriphost.de"
+    #     NTFY_BEHIND_PROXY="true"
+    #     NTFY_AUTH_FILE="/var/lib/ntfy/auth.db"
+    #     NTFY_AUTH_DEFAULT_ACCESS="deny-all"
+    #     NTFY_ENABLE_LOGIN="true"
+    #     NTFY_REQUIRE_LOGIN="true"
+    #     NTFY_ATTACHMENT_CACHE_DIR="/var/cache/ntfy/attachments"
+    #     NTFY_CACHE_FILE="/var/cache/ntfy/cache.db"
+    #     NTFY_UPSTREAM_BASE_URL="https://ntfy.sh"
+    #     NTFY_AUTH_ACCESS="christoph:*:read-write"
+    ntfy = {
+      image = "binwiederhier/ntfy:${ntfyVersion}";
+      autoStart = true;
+
+      login = mylib.containers.mkDockerLogin config;
+
+      dependsOn = [];
+
+      ports = [
+        # "80:80"
+      ];
+
+      volumes = [
+        "ntfy_cache:/var/cache/ntfy"
+        "ntfy_attachments:/var/cache/ntfy/attachments"
+        "ntfy_lib:/var/lib/ntfy"
+        "ntfy_etc:/etc/ntfy"
+      ];
+
+      cmd = ["serve"];
+
+      environment = {
+        PUID = "1000";
+        PGID = "1000";
+        TZ = "Europe/Berlin";
+
+        NTFY_BASE_URL = "https://ntfy.vps.chriphost.de";
+        NTFY_BEHIND_PROXY = "true";
+        NTFY_AUTH_FILE = "/var/lib/ntfy/auth.db";
+        NTFY_AUTH_DEFAULT_ACCESS = "deny-all";
+        NTFY_ENABLE_LOGIN = "true";
+        NTFY_REQUIRE_LOGIN = "true";
+        NTFY_ATTACHMENT_CACHE_DIR = "/var/cache/ntfy/attachments";
+        NTFY_CACHE_FILE = "/var/cache/ntfy/cache.db";
+        NTFY_UPSTREAM_BASE_URL = "https://ntfy.sh";
+        NTFY_AUTH_ACCESS = "christoph:*:read-write";
+      };
+
+      environmentFiles = [
+        config.sops.templates."ntfy_secrets.env".path
+      ];
+
+      extraOptions = [
+        # "--privileged"
+        # "--device=nvidia.com/gpu=all"
+        "--net=behind-nginx"
+      ];
+    };
+  };
+}

system/systemmodules/sops-nix/secrets.yaml

@@ -19,6 +19,8 @@ kopia-server-username: ENC[AES256_GCM,data:4onewFkWpi9g,iv:aA4WSS8T6KUcGbAIHDd8B
 kopia-server-password: ENC[AES256_GCM,data:6nMnhRA=,iv:Qz9qP+m0obzL+eHFmW1qVmc/0TR4Iw4X1GL4zACOSMk=,tag:v3v+33+g4y6se5q+b4e8mA==,type:str]
 kopia-user-password: ENC[AES256_GCM,data:jPWeru4e2w9qzA==,iv:WpZS3Qmx8v12v3q1Lq1YrPnWw7BY0FhxurXYuaOdfwA=,tag:+8bQAnHRh55rUMdyoK6N8w==,type:str]
 paperless-nextcloud-sync-password: ENC[AES256_GCM,data:pfLg3OVBqLsM4R7mSgLQEachj9gMkexPjBMSyzU=,iv:XBe1cdwlTjPfQW70NIEjD8CikK58iGErI9ZTlLWtCA4=,tag:qO35GdjljgS3/z5/1fCOFg==,type:str]
+ntfy-auth-users: ENC[AES256_GCM,data:IHnJJgUL9RqkEAoJ2Q9Oo0RkfgLXG7vih5NFPrPNBoIzMafdLXxHqNOAd1oRaOUd6AKmWdQ3uKAZINj7oGZEKMsMxUEv1WW6IXUuPnDeJe5EthINWCuaW2Z64PJl+uqgnWr4wDi7QT0zwjb/oL3gYfjH1xtfMadTzkWbmnxQ9jlP/nXe9JR1/oCrHv3dio5uU017cA==,iv:JmWnu25ZB/qqI2RsgHQ0bcat69V7p5MJ6cf5eFcSsns=,tag:6Z2LseCav/qyLh2nn+7uuw==,type:str]
+ntfy-auth-tokens: ENC[AES256_GCM,data:C23r9djvEukUgDDloFGm52spwcW1DB5Jcwt9kxghLjL3vNiQ9HzGrvlSl5oEppoNa23BF0+t,iv:O9LepUKGbyXTHMvwn1avdJEhcMgtr2Sb1imIJ8ALMYY=,tag:o3g6f7YZL2VfgfeymzJK1g==,type:str]
 #
 #ENC[AES256_GCM,data:Gdh/hjCaOuAE,iv:XjPXn3SskpUPUkDIEDl5701/g9QhuS83fACMaoPMiIM=,tag:Q7s8xZG/GsOtQrasekBnkQ==,type:comment]
 #
@@ -34,7 +36,7 @@ sops:
             SURMTmh1TGIrRmtENzc0Sk4rNFJNUE0KOpjN6jkEHO+lvdWdp4P++r9SNSPWaT0h
             FAbbvZZ/EdIk/njLEcayFN7B4ftTcD/f4XJZiyosilZnIkk76bMOHA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-26T19:30:04Z"
+    lastmodified: "2026-04-17T12:17:23Z"
-    mac: ENC[AES256_GCM,data:DGsz+TNyYXuX45Go4fkFDoWePhx1KUzq94awp+1bQtmq2MC+bPJrTNqvhBDx/I2OWFUNSh/0lXJVvaz4gfeYT9z8YCniJeb3z53ui7ldFL0BNnA6ua1iIViWbJvYARgWlSiuU7wTsb8om57Kainkpm9C9pp2U+vQqQ4suxLmrko=,iv:sUibX01AHDrscPqz+gIPyJhLRJYkyW4DPcQ3QtUGha0=,tag:8yuSGHMg1Z7kDMo2Bx4QlA==,type:str]
+    mac: ENC[AES256_GCM,data:YEHM2ebPhV6ycj8OxNy7mOlpy6VrvV6Gz9sHEWc9alnrwZ0qLzp5m4AUMuWBSfFTMtVgeAFdJ8Nf4X5b+AzQXahlHWJVAwiMiE8KqhRLGWF21OyDN2aIdwd4ue2vYyPDGYP43mC+19v9SW5isF901G28e5Q9SxmGJjNOkiVuiCI=,iv:WFvCN/7YGQnCSqjXBkkfiuPoNQ37bpxHx9jreZDc3EM=,tag:AUjFpbJ6//eScnn6P2QMgA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.2