un container

2025-10-09 17:48:27 -05:00
parent ef22231dd7
commit 76c0cd98d8
9 changed files with 388 additions and 147 deletions
--- a/modules/nixos/services/ntfy/default.nix
+++ b/modules/nixos/services/ntfy/default.nix
@@ -19,62 +19,52 @@ let
          base-url = "https://${cfg.reverseProxy.subdomain}.mjallen.dev";
          enable-login = true;
          listen-http = ":${toString cfg.port}";
-          cache-file = "/var/lib/ntfy-sh/cache.db";
-          attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
+          cache-file = "${cfg.dataDir}/cache.db";
+          attachment-cache-dir = "/${cfg.dataDir}/attachments";
          behind-proxy = true;
          auth-default-access = "deny-all";
-          auth-file = "/var/lib/ntfy-sh/user.db";
+          auth-file = "${cfg.dataDir}/user.db";
          auth-users = [
            "mjallen:$2a$10$g4TqI8UiKKVaKTmrwnXIw.wtajiLBM6oc3UCfJ//lPZFilJnBirn.:admin"
          ];
        };
      };
    };
-    # Create and set permissions for required directories
-    system.activationScripts.ntfy-dirs = ''
-      mkdir -p /var/lib/ntfy-sh

-      chown -R ntfy-sh:ntfy-sh /var/lib/ntfy-sh
-
-      chmod -R 775 /var/lib/ntfy-sh
-    '';
-  };
-
-  bindMounts = {
-    "/var/lib/ntfy-sh" = {
-      hostPath = cfg.dataDir;
-      isReadOnly = false;
+    systemd.services = {
+      ntfy-sh = {
+        serviceConfig = {
+          WorkingDirectory = lib.mkForce cfg.dataDir;
+          StateDirectory = lib.mkForce cfg.dataDir;
+          StateDirectoryMode = lib.mkForce 700;
+          DynamicUser = lib.mkForce false;
+          ProtectSystem = lib.mkForce null;
+        };
+      };
    };
-    "/run/.env" = {
-      hostPath = ntfyEnvFile;
-      isReadOnly = true;
+
+    users.users.ntfy-sh = {
+      isSystemUser = true;
+      group = "ntfy-sh";
+      home = cfg.dataDir;
    };
+    users.groups.ntfy-sh = {};
  };

  # Create reverse proxy configuration using mkReverseProxy
  reverseProxyConfig = lib.${namespace}.mkReverseProxy {
    name = "ntfy";
    subdomain = cfg.reverseProxy.subdomain;
-    url = "http://${cfg.localAddress}:${toString cfg.port}";
+    url = "http://10.0.1.3:${toString cfg.port}";
    middlewares = cfg.reverseProxy.middlewares;
  };

-  ntfyContainer =
-    (lib.${namespace}.mkContainer {
-      name = "ntfy";
-      localAddress = cfg.localAddress;
-      ports = [ cfg.port ];
-      bindMounts = bindMounts;
-      config = ntfyConfig;
-    })
-      { inherit lib; };
-
  fullConfig = {
-    ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
+    "${namespace}".services.traefik = lib.mkIf cfg.reverseProxy.enable {
      reverseProxies = [ reverseProxyConfig ];
    };
  }
-  // ntfyContainer;
+  // ntfyConfig;
 in
 with lib;
 {