From 417453f2f3c8f8723a3efd4f1f0d66cdf18426c5 Mon Sep 17 00:00:00 2001
From: Yan Lin <github@yanlincs.com>
Date: Tue, 2 Dec 2025 03:19:52 +0100
Subject: [PATCH] add ntfy module

---
 hosts/nixos/vps/proxy.nix  | 23 +++++++++++++++++-
 hosts/nixos/vps/system.nix |  1 +
 modules/ntfy.nix           | 49 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 modules/ntfy.nix

diff --git a/hosts/nixos/vps/proxy.nix b/hosts/nixos/vps/proxy.nix
index 501f0b3..035c56a 100644
--- a/hosts/nixos/vps/proxy.nix
+++ b/hosts/nixos/vps/proxy.nix
@@ -66,6 +66,18 @@
           };
         };
 
+        # ntfy notification service
+        ntfy = {
+          rule = "Host(`ntfy.yanlincs.com`)";
+          service = "ntfy";
+          tls = {
+            certResolver = "cloudflare";
+            domains = [{
+              main = "*.yanlincs.com";
+            }];
+          };
+        };
+
       };
 
       services = {
@@ -106,7 +118,7 @@
           };
         };
 
-        # Radarr backend 
+        # Radarr backend
         radarr = {
           loadBalancer = {
             servers = [{
@@ -115,6 +127,15 @@
           };
         };
 
+        # ntfy backend
+        ntfy = {
+          loadBalancer = {
+            servers = [{
+              url = "http://localhost:8080";
+            }];
+          };
+        };
+
       };
 
     };
diff --git a/hosts/nixos/vps/system.nix b/hosts/nixos/vps/system.nix
index a8a04e4..70cbf10 100644
--- a/hosts/nixos/vps/system.nix
+++ b/hosts/nixos/vps/system.nix
@@ -9,6 +9,7 @@
     ../../../modules/traefik.nix
     ../../../modules/borg/client.nix
     ../../../modules/login-display.nix
+    ../../../modules/ntfy.nix
   ];
 
   # GRUB bootloader with UEFI support
diff --git a/modules/ntfy.nix b/modules/ntfy.nix
new file mode 100644
index 0000000..c158047
--- /dev/null
+++ b/modules/ntfy.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.ntfy-custom;
+in
+{
+  options.services.ntfy-custom = {
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 8080;
+      description = "Port for ntfy to listen on";
+    };
+
+    baseUrl = lib.mkOption {
+      type = lib.types.str;
+      default = "https://ntfy.yanlincs.com";
+      description = "Base URL for ntfy server";
+    };
+  };
+
+  config = {
+    services.ntfy-sh = {
+      enable = true;
+      settings = {
+        listen-http = ":${toString cfg.port}";
+        base-url = cfg.baseUrl;
+
+        # Authentication
+        auth-file = "/var/lib/ntfy-sh/user.db";
+        auth-default-access = "deny-all";
+
+        # File attachments
+        attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
+      };
+    };
+
+    # Ensure required directories exist
+    systemd.tmpfiles.rules = [
+      "d /var/lib/ntfy-sh 0755 ntfy-sh ntfy-sh -"
+      "d /var/lib/ntfy-sh/attachments 0755 ntfy-sh ntfy-sh -"
+    ];
+  };
+}
+
+# NOTE: After deployment, manage users via ntfy CLI:
+#   sudo ntfy user add <username>
+#   sudo ntfy user change-pass <username>
+#   sudo ntfy access <username> <topic> <read-write|read-only|write-only|deny-all>
+#   Example: sudo ntfy access alice "*" read-write