nixos/ntfy-sh: add defaults, use dynamic user

authored by happysalada and committed by Yt 3dcca62a 4a04b823

+13 -24
+11 -24
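--- a/nixos/modules/services/misc/ntfy-sh.nix
+++ b/nixos/modules/services/misc/ntfy-sh.nix
@@ -19,18 +19,6 @@
       description = mdDoc "The ntfy.sh package to use.";
     };
 
-    user = mkOption {
-      default = "ntfy-sh";
-      type = types.str;
-      description = lib.mdDoc "User the ntfy-sh server runs under.";
-    };
-
-    group = mkOption {
-      default = "ntfy-sh";
-      type = types.str;
-      description = lib.mdDoc "Primary group of ntfy-sh user.";
-    };
-
     settings = mkOption {
       type = types.submodule { freeformType = settingsFormat.type; };
 
@@ -61,6 +49,9 @@
 
     services.ntfy-sh.settings = {
       auth-file = mkDefault "/var/lib/ntfy-sh/user.db";
+      listen-http = mkDefault "127.0.0.1:2586";
+      attachment-cache-dir = mkDefault "/var/lib/ntfy-sh/attachments";
+      cache-file = mkDefault "/var/lib/ntfy-sh/cache-file.db";
     };
 
     systemd.services.ntfy-sh = {
@@ -70,10 +61,15 @@
       after = [ "network.target" ];
 
       serviceConfig = {
+        ExecStartPre = [
+          "${pkgs.coreutils}/bin/touch ${cfg.settings.auth-file}"
+          "${pkgs.coreutils}/bin/mkdir -p ${cfg.settings.attachment-cache-dir}"
+          "${pkgs.coreutils}/bin/touch ${cfg.settings.cache-file}"
+        ];
         ExecStart = "${cfg.package}/bin/ntfy serve -c ${configuration}";
-        User = cfg.user;
         StateDirectory = "ntfy-sh";
 
+        DynamicUser = true;
         AmbientCapabilities = "CAP_NET_BIND_SERVICE";
         PrivateTmp = true;
         NoNewPrivileges = true;
@@ -88,17 +84,8 @@
         RestrictNamespaces = true;
         RestrictRealtime = true;
         MemoryDenyWriteExecute = true;
-      };
-    };
-
-    users.groups = optionalAttrs (cfg.group == "ntfy-sh") {
-      ntfy-sh = { };
-    };
-
-    users.users = optionalAttrs (cfg.user == "ntfy-sh") {
-      ntfy-sh = {
-        isSystemUser = true;
-        group = cfg.group;
+        # Upstream Requirements
+        LimitNOFILE = 20500;
       };
     };
   };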
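Review bot: The three `ExecStartPre` commands interpolate `cfg.settings.auth-file`, `cfg.settings.attachment-cache-dir` and `cfg.settings.cache-file` unquoted, so a path containing whitespace is split into several arguments by systemd's command-line parsing; wrapping each value with `lib.escapeShellArg`, e.g. `"${pkgs.coreutils}/bin/touch ${lib.escapeShellArg cfg.settings.auth-file}"`, keeps it a single argument. Since these pre-start commands run as the dynamic user, they presumably only succeed for paths under `StateDirectory`; a user who overrides one of these settings to a location elsewhere gets a pre-start failure, which is worth stating in the `settings` option description. The `user` and `group` options are removed without a `mkRemovedOptionModule`, so an existing configuration that sets `services.ntfy-sh.user` now fails evaluation with a generic "option does not exist" error rather than an explanatory one. The enclosing options and config attribute sets continue outside the shown hunks.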
+2
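--- a/nixos/tests/ntfy-sh.nix
+++ b/nixos/tests/ntfy-sh.nix
@@ -19,5 +19,7 @@
     notif = json.loads(machine.succeed("curl -s localhost:80/test/json?poll=1"))
 
     assert msg == notif["message"], "Wrong message"
+
+    machine.succeed("ntfy user list")
   '';
 }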
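Review bot: `machine.succeed("ntfy user list")` only checks the exit status and discards the output, so it passes as long as the CLI starts, whether or not it reads the auth database the service was configured with. Asserting on the returned text, or listing a user created earlier in the script, would tie the check to the module's `auth-file` default. It is also unclear from the hunk whether the CLI, run as root on the test machine, locates the service's generated configuration; if it falls back to its own defaults the new settings are not exercised here. The enclosing testScript starts before the hunk.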