From 95d5c0cfc81ba099473d90eadd6de17b5d028193 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 12:09:28 +0200 Subject: [PATCH] bundles/ntfy: update config to more recent version --- bundles/ntfy/files/server.yml | 69 ++++++++++++++++++++++++++++---- bundles/ntfy/items.py | 74 ++++++++++++++++++++--------------- 2 files changed, 104 insertions(+), 39 deletions(-) diff --git a/bundles/ntfy/files/server.yml b/bundles/ntfy/files/server.yml index 8add6f3..f4693a8 100644 --- a/bundles/ntfy/files/server.yml +++ b/bundles/ntfy/files/server.yml @@ -11,7 +11,7 @@ # - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic) # - Matrix Push Gateway (to validate that the pushkey is correct) # -base-url: "https://${node.metadata.get('ntfy/domain', 'ntfy')}" +base-url: "https://${node.metadata.get('ntfy/domain')}" # Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also # set "key-file" and "cert-file". Format: []:, e.g. "1.2.3.4:8080". @@ -93,7 +93,7 @@ auth-default-access: "write-only" # WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited # as if they are one. # -# behind-proxy: false +behind-proxy: true # If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments # are "attachment-cache-dir" and "base-url". @@ -153,6 +153,17 @@ manager-interval: "1m" # # web-root: app +# Various feature flags used to control the web app, and API access, mainly around user and +# account management. +# +# - enable-signup allows users to sign up via the web app, or API +# - enable-login allows users to log in via the web app, or API +# - enable-reservations allows users to reserve topics (if their tier allows it) +# +enable-signup: false +enable-login: true +enable-reservations: false + # Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh"). # # iOS users: @@ -181,7 +192,7 @@ visitor-subscription-limit: 64 # visitor-request-limit-burst: 60 visitor-request-limit-replenish: "5s" -visitor-request-limit-exempt-hosts: "localhost" +visitor-request-limit-exempt-hosts: "${','.join(sorted(ratelimit_exempt_hosts))}" # Rate limiting: Allowed emails per visitor: # - visitor-email-limit-burst is the initial bucket of emails each visitor has @@ -190,12 +201,54 @@ visitor-request-limit-exempt-hosts: "localhost" # visitor-email-limit-burst: 16 # visitor-email-limit-replenish: "1h" -# Rate limiting: Attachment size and bandwidth limits per visitor: -# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor -# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor +# Rate limiting: Enable subscriber-based rate limiting (mostly used for UnifiedPush) # -# visitor-attachment-total-size-limit: "100M" -# visitor-attachment-daily-bandwidth-limit: "500M" +# If enabled, subscribers may opt to have published messages counted against their own rate limits, as opposed +# to the publisher's rate limits. This is especially useful to increase the amount of messages that high-volume +# publishers (e.g. Matrix/Mastodon servers) are allowed to send. +# +# Once enabled, a client may send a "Rate-Topics: ,,..." header when subscribing to topics via +# HTTP stream, or websockets, thereby registering itself as the "rate visitor", i.e. the visitor whose rate limits +# to use when publishing on this topic. Note: Setting the rate visitor requires READ-WRITE permission on the topic. +# +# UnifiedPush only: If this setting is enabled, publishing to UnifiedPush topics will lead to a HTTP 507 response if +# no "rate visitor" has been previously registered. This is to avoid burning the publisher's "visitor-message-daily-limit". +# +# visitor-subscriber-rate-limiting: false + +# Payments integration via Stripe +# +# - stripe-secret-key is the key used for the Stripe API communication. Setting this values +# enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys. +# - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe. +# Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks. +# - billing-contact is an email address or website displayed in the "Upgrade tier" dialog to let people reach +# out with billing questions. If unset, nothing will be displayed. +# +# stripe-secret-key: +# stripe-webhook-key: +# billing-contact: + +# Metrics +# +# ntfy can expose Prometheus-style metrics via a /metrics endpoint, or on a dedicated listen IP/port. +# Metrics may be considered sensitive information, so before you enable them, be sure you know what you are +# doing, and/or secure access to the endpoint in your reverse proxy. +# +# - enable-metrics enables the /metrics endpoint for the default ntfy server (i.e. HTTP, HTTPS and/or Unix socket) +# - metrics-listen-http exposes the metrics endpoint via a dedicated [IP]:port. If set, this option implicitly +# enables metrics as well, e.g. "10.0.1.1:9090" or ":9090" +# +# enable-metrics: false +# metrics-listen-http: + +# Profiling +# +# ntfy can expose Go's net/http/pprof endpoints to support profiling of the ntfy server. If enabled, ntfy will listen +# on a dedicated listen IP/port, which can be accessed via the web browser on http://:/debug/pprof/. +# This can be helpful to expose bottlenecks, and visualize call flows. See https://pkg.go.dev/net/http/pprof for details. +# +# profile-listen-http: # Log level, can be TRACE, DEBUG, INFO, WARN or ERROR # This option can be hot-reloaded by calling "kill -HUP $pid" or "systemctl reload ntfy". diff --git a/bundles/ntfy/items.py b/bundles/ntfy/items.py index d9a93bb..c3437be 100644 --- a/bundles/ntfy/items.py +++ b/bundles/ntfy/items.py @@ -1,43 +1,55 @@ +ratelimit_exempt_hosts = set() -files = { - '/etc/ntfy/server.yml': { - 'content_type': 'mako', - 'needs': { - 'pkg_apt:ntfy', - }, - 'triggers': { - 'svc_systemd:ntfy:restart', - }, +for identifier in node.metadata.get('ntfy/ratelimit-exempt-hosts', set()): + ips = repo.libs.tools.resolve_identifier(repo, identifier) + ratelimit_exempt_hosts |= {str(ip) for ip in ips['ipv4']} + ratelimit_exempt_hosts |= {str(ip) for ip in ips['ipv6']} + + +files['/etc/ntfy/server.yml'] = { + 'content_type': 'mako', + 'context': { + 'ratelimit_exempt_hosts': ratelimit_exempt_hosts, + }, + 'after': { + 'pkg_apt:ntfy', + }, + 'triggers': { + 'svc_systemd:ntfy:restart', }, } -directories = { - '/opt/ntfy': {}, - '/var/lib/ntfy': { - 'owner': 'ntfy', - 'group': 'ntfy', - }, - '/var/cache/ntfy': { - 'owner': 'ntfy', - 'group': 'ntfy', - }, - '/var/opt/ntfy': { - 'owner': 'ntfy', - 'group': 'ntfy', +directories['/var/lib/ntfy'] = { + 'owner': 'ntfy', + 'group': 'ntfy', + 'before': { + 'pkg_apt:ntfy', }, } -svc_systemd = { - 'ntfy': { - 'needs': { - 'file:/etc/ntfy/server.yml', - 'pkg_apt:ntfy', - }, +directories['/var/cache/ntfy'] = { + 'owner': 'ntfy', + 'group': 'ntfy', + 'before': { + 'pkg_apt:ntfy', }, } -users = { - 'ntfy': { - 'home': '/opt/ntfy', +directories['/var/opt/ntfy'] = { + 'owner': 'ntfy', + 'group': 'ntfy', + 'before': { + 'pkg_apt:ntfy', }, } + +svc_systemd['ntfy'] = { + 'needs': { + 'file:/etc/ntfy/server.yml', + 'pkg_apt:ntfy', + }, +} + +users['ntfy'] = { + 'home': '/var/lib/ntfy', +}