From ee1c6053fb6f86bdfd6d23f27b1531e43948d259 Mon Sep 17 00:00:00 2001
From: happysalada
Date: Wed, 31 May 2023 10:31:21 -0400
Subject: [PATCH] nixos/ntfy-sh: use dynamic user and add defaults
---
 nixos/modules/services/misc/ntfy-sh.nix | 12 ++++++++++++
 nixos/tests/ntfy-sh.nix | 9 ++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/misc/ntfy-sh.nix b/nixos/modules/services/misc/ntfy-sh.nix
index d66b47a2d68a..3258f91f7044 100644
--- a/nixos/modules/services/misc/ntfy-sh.nix
+++ b/nixos/modules/services/misc/ntfy-sh.nix
@@ -61,8 +61,17 @@ in
 services.ntfy-sh.settings = {
 auth-file = mkDefault "/var/lib/ntfy-sh/user.db";
+ listen-http = mkDefault "127.0.0.1:2586";
+ attachment-cache-dir = mkDefault "/var/lib/ntfy-sh/attachments";
+ cache-file = mkDefault "/var/lib/ntfy-sh/cache-file.db";
 };
+ systemd.tmpfiles.rules = [
+ "f ${cfg.settings.auth-file} 0600 ${cfg.user} ${cfg.group} - -"
+ "d ${cfg.settings.attachment-cache-dir} 0700 ${cfg.user} ${cfg.group} - -"
+ "f ${cfg.settings.cache-file} 0600 ${cfg.user} ${cfg.group} - -"
+ ];
 systemd.services.ntfy-sh = {
 description = "Push notifications server";
@@ -74,6 +83,7 @@ in
 User = cfg.user;
 StateDirectory = "ntfy-sh";
+ DynamicUser = true;
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
 PrivateTmp = true;
 NoNewPrivileges = true;
@@ -88,6 +98,8 @@ in
 RestrictNamespaces = true;
 RestrictRealtime = true;
 MemoryDenyWriteExecute = true;
+ # Upstream Recommandation
+ LimitNOFILE = 20500;
 };
 };
diff --git a/nixos/tests/ntfy-sh.nix b/nixos/tests/ntfy-sh.nix
index 4492fb44cedc..ec2e645bacb5 100644
--- a/nixos/tests/ntfy-sh.nix
+++ b/nixos/tests/ntfy-sh.nix
@@ -3,6 +3,7 @@ import ./make-test-python.nix {
 nodes.machine = { ... }: {
 services.ntfy-sh.enable = true;
+ services.ntfy-sh.settings.base-url = "http://localhost:2586";
 };
 testScript = ''
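Review bot: The three new `systemd.tmpfiles.rules` pin ownership to `${cfg.user}`/`${cfg.group}`, but the same commit turns on `DynamicUser = true` in the @@ -74 hunk, and systemd-tmpfiles runs at boot before the service, when a dynamically allocated account does not yet exist; unless cfg.user is still created statically elsewhere in the module (not visible in this hunk), the rules will fail to resolve their owner, and the two `f` rules pre-create empty 0600 files the service may then be unable to open. `StateDirectory = "ntfy-sh"` already makes systemd create the state directory with the unit's ownership (relocated under /var/lib/private when DynamicUser is set), so the only rule that adds anything is the `d` rule for the attachment directory, which can be expressed without tmpfiles as `StateDirectory = [ "ntfy-sh" "ntfy-sh/attachments" ];`. If the tmpfiles rules are kept, a comment stating why they are needed next to StateDirectory would save the next reader the same question. The new `listen-http` default also narrows the listener to loopback on a non-privileged port (the test previously waited on port 80), which deserves a sentence in the option description or release notes since existing deployments that relied on the old default stop being reachable.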
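Review bot: `DynamicUser = true` is added while `User = cfg.user` stays on the line above; as far as I recall systemd reuses an account of that name if it exists statically and skips the dynamic allocation, so if the module still declares cfg.user in `users.users` (outside this hunk) the change yields the DynamicUser-implied hardening (`RemoveIPC`, `ProtectSystem=strict`, `PrivateTmp`) but not a throwaway UID, and the `StateDirectory` moves to /var/lib/private/ntfy-sh with a symlink left at the old path, which is worth a comment for operators with existing data. With `listen-http` now defaulting to 127.0.0.1:2586 (@@ -61 hunk), `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` is no longer required by the default configuration and keeps a capability the sandbox does not need; at minimum annotate it with `# Only needed when listen-http is overridden to a privileged port (e.g. :80)`, or grant it conditionally from the configured port. The serviceConfig attribute set starts and ends outside this hunk.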
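Review bot: The comment `# Upstream Recommandation` above `LimitNOFILE = 20500;` is misspelled and does not say where the recommendation comes from or what 20500 is sized for, so a future maintainer cannot judge whether to change it. Suggest `# Open-file limit recommended by upstream's ntfy.service unit (see ntfy server docs); raise if many concurrent subscribers are expected.`, hedged to wherever the value was actually taken from. Placing it at the end of the sandboxing options also reads as if it restricted something, whereas it raises a resource ceiling; grouping it with `ExecStart`/`StateDirectory` would make that clearer.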
@@ -12,12 +13,14 @@ import ./make-test-python.nix {
 machine.wait_for_unit("multi-user.target")
- machine.wait_for_open_port(80)
+ machine.wait_for_open_port(2586)
- machine.succeed(f"curl -d '{msg}' localhost:80/test")
+ machine.succeed(f"curl -d '{msg}' localhost:2586/test")
- notif = json.loads(machine.succeed("curl -s localhost:80/test/json?poll=1"))
+ notif = json.loads(machine.succeed("curl -s localhost:2586/test/json?poll=1"))
 assert msg == notif["message"], "Wrong message"
+
+ machine.succeed("ntfy user list")
 '';
 }
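Review bot: `machine.succeed("ntfy user list")` only checks the exit status of the CLI run as root against the service's auth database; it does not verify the behaviour this commit changes, namely that the pre-created `/var/lib/ntfy-sh/user.db` ends up with the declared ownership and mode and remains usable by the service user. If the CLI opens the SQLite file read-write as root (not visible here, depends on how ntfy opens it) it can also leave a journal/WAL file owned by root beside a 0600 database owned by the service account, which the service may then fail to open on its next start. Suggest asserting the declared state, e.g. `machine.succeed("stat -c '%U %a' /var/lib/ntfy-sh/user.db | grep -q '^<service-user> 600$'")` with `<service-user>` being whatever cfg.user resolves to in the VM, followed by `machine.systemctl("restart ntfy-sh.service")` and `machine.wait_for_open_port(2586)` to prove the service still comes up after the root-side access. The `testScript` string begins outside this hunk.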