bundles/ntfy: first draft

PORT_MAP.md

@@ -46,6 +46,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 22070       | paperless-ng         | gunicorn |
 | 22080       | netbox               | gunicorn |
 | 22090       | openhab              | http |
+| 22091       | ntfy                 | http |
 | 22999       | nginx                | stub_status |
 
 ## UDP

bundles/hedgedoc/items.py

@@ -1,9 +1,5 @@
 repo.libs.tools.require_bundle(node, 'nodejs')
 
-directories = {
-    '/opt/hedgedoc': {}
-}
-
 git_deploy = {
     '/opt/hedgedoc': {
         'rev': node.metadata.get('hedgedoc/version'),

bundles/nginx/files/site_template

@@ -118,7 +118,7 @@ server {
 %    endif
         proxy_buffering      off;
         proxy_read_timeout   ${options.get('proxy_read_timeout', 60)};
-        client_max_body_size ${options.get('max_body_size', '5M')};
+        client_max_body_size ${options.get('max_body_size', '5m')};
 %   elif 'redirect' in options:
         return ${options.get('mode', 308)} ${options['redirect']};
 %   elif 'return' in options:

bundles/ntfy/files/server.yml

@@ -0,0 +1,206 @@
+# ntfy server config file
+#
+# Please refer to the documentation at https://ntfy.sh/docs/config/ for details.
+# All options also support underscores (_) instead of dashes (-) to comply with the YAML spec.
+
+# Public facing base URL of the service (e.g. https://ntfy.sh or https://ntfy.example.com)
+#
+# This setting is required for any of the following features:
+# - attachments (to return a download URL)
+# - e-mail sending (for the topic URL in the email footer)
+# - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic)
+# - Matrix Push Gateway (to validate that the pushkey is correct)
+#
+base-url: "${metadata.get['ntfy/baseurl']}"
+
+# Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also
+# set "key-file" and "cert-file". Format: [<ip>]:<port>, e.g. "1.2.3.4:8080".
+#
+# To listen on all interfaces, you may omit the IP address, e.g. ":443".
+# To disable HTTP, set "listen-http" to "-".
+#
+listen-http: "127.0.0.1:22091"
+# listen-https:
+
+# Listen on a Unix socket, e.g. /var/lib/ntfy/ntfy.sock
+# This can be useful to avoid port issues on local systems, and to simplify permissions.
+#
+# listen-unix: <socket-path>
+# listen-unix-mode: <linux permissions, e.g. 0700>
+
+# Path to the private key & cert file for the HTTPS web server. Not used if "listen-https" is not set.
+#
+# key-file: <filename>
+# cert-file: <filename>
+
+# If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app.
+# This is optional and only required to save battery when using the Android app.
+#
+# firebase-key-file: <filename>
+
+# If "cache-file" is set, messages are cached in a local SQLite database instead of only in-memory.
+# This allows for service restarts without losing messages in support of the since= parameter.
+#
+# The "cache-duration" parameter defines the duration for which messages will be buffered
+# before they are deleted. This is required to support the "since=..." and "poll=1" parameter.
+# To disable the cache entirely (on-disk/in-memory), set "cache-duration" to 0.
+# The cache file is created automatically, provided that the correct permissions are set.
+#
+# The "cache-startup-queries" parameter allows you to run commands when the database is initialized,
+# e.g. to enable WAL mode (see https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)).
+# Example:
+#    cache-startup-queries: |
+#       pragma journal_mode = WAL;
+#       pragma synchronous = normal;
+#       pragma temp_store = memory;
+#
+# Debian/RPM package users:
+#   Use /var/cache/ntfy/cache.db as cache file to avoid permission issues. The package
+#   creates this folder for you.
+#
+# Check your permissions:
+#   If you are running ntfy with systemd, make sure this cache file is owned by the
+#   ntfy user and group by running: chown ntfy.ntfy <filename>.
+#
+cache-file: "/var/cache/ntfy/cache.db"
+cache-duration: "12h"
+cache-startup-queries: |
+   pragma journal_mode = WAL;
+   pragma synchronous = normal;
+   pragma temp_store = memory;
+
+# If set, access to the ntfy server and API can be controlled on a granular level using
+# the 'ntfy user' and 'ntfy access' commands. See the --help pages for details, or check the docs.
+#
+# - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist
+# - auth-default-access defines the default/fallback access if no access control entry is found; it can be
+#   set to "read-write" (default), "read-only", "write-only" or "deny-all".
+#
+# Debian/RPM package users:
+#   Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package
+#   creates this folder for you.
+#
+# Check your permissions:
+#   If you are running ntfy with systemd, make sure this user database file is owned by the
+#   ntfy user and group by running: chown ntfy.ntfy <filename>.
+#
+auth-file: "/var/lib/ntfy/user.db"
+auth-default-access: "deny-all"
+
+# If set, the X-Forwarded-For header is used to determine the visitor IP address
+# instead of the remote address of the connection.
+#
+# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited
+#          as if they are one.
+#
+# behind-proxy: false
+
+# If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments
+# are "attachment-cache-dir" and "base-url".
+#
+# - attachment-cache-dir is the cache directory for attached files
+# - attachment-total-size-limit is the limit of the on-disk attachment cache directory (total size)
+# - attachment-file-size-limit is the per-file attachment size limit (e.g. 300k, 2M, 100M)
+# - attachment-expiry-duration is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h)
+#
+attachment-cache-dir: "/var/opt/ntfy"
+attachment-total-size-limit: "5G"
+attachment-file-size-limit: "15M"
+attachment-expiry-duration: "12h"
+
+# If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set,
+# messages will additionally be sent out as e-mail using an external SMTP server. As of today, only
+# SMTP servers with plain text auth and STARTLS are supported. Please also refer to the rate limiting settings
+# below (visitor-email-limit-burst & visitor-email-limit-burst).
+#
+# - smtp-sender-addr is the hostname:port of the SMTP server
+# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user
+# - smtp-sender-from is the e-mail address of the sender
+#
+# smtp-sender-addr:
+# smtp-sender-user:
+# smtp-sender-pass:
+# smtp-sender-from:
+
+# If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send
+# emails to a topic e-mail address to publish messages to a topic.
+#
+# - smtp-server-listen defines the IP address and port the SMTP server will listen on, e.g. :25 or 1.2.3.4:25
+# - smtp-server-domain is the e-mail domain, e.g. ntfy.sh
+# - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-",
+#   for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to
+#   $topic@ntfy.sh will be accepted (which may obviously be a spam problem).
+#
+# smtp-server-listen:
+# smtp-server-domain:
+# smtp-server-addr-prefix:
+
+# Interval in which keepalive messages are sent to the client. This is to prevent
+# intermediaries closing the connection for inactivity.
+#
+# Note that the Android app has a hardcoded timeout at 77s, so it should be less than that.
+#
+keepalive-interval: "45s"
+
+# Interval in which the manager prunes old messages, deletes topics
+# and prints the stats.
+#
+manager-interval: "1m"
+
+# Defines if the root route (/) is pointing to the landing page (as on ntfy.sh) or the
+# web app. If you self-host, you don't want to change this.
+# Can be "app" (default), "home" or "disable" to disable the web app entirely.
+#
+# web-root: app
+
+# Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh").
+#
+# iOS users:
+#   If you use the iOS ntfy app, you MUST configure this to receive timely notifications. You'll like want this:
+#   upstream-base-url: "https://ntfy.sh"
+#
+# If set, all incoming messages will publish a "poll_request" message to the configured upstream server, containing
+# the message ID of the original message, instructing the iOS app to poll this server for the actual message contents.
+# This is to prevent the upstream server and Firebase/APNS from being able to read the message.
+#
+# upstream-base-url:
+
+# Rate limiting: Total number of topics before the server rejects new topics.
+#
+global-topic-limit: 15000
+
+# Rate limiting: Number of subscriptions per visitor (IP address)
+#
+visitor-subscription-limit: 64
+
+# Rate limiting: Allowed GET/PUT/POST requests per second, per visitor:
+# - visitor-request-limit-burst is the initial bucket of requests each visitor has
+# - visitor-request-limit-replenish is the rate at which the bucket is refilled
+# - visitor-request-limit-exempt-hosts is a comma-separated list of hostnames and IPs to be
+#   exempt from request rate limiting; hostnames are resolved at the time the server is started
+#
+visitor-request-limit-burst: 60
+visitor-request-limit-replenish: "5s"
+visitor-request-limit-exempt-hosts: "localhost"
+
+# Rate limiting: Allowed emails per visitor:
+# - visitor-email-limit-burst is the initial bucket of emails each visitor has
+# - visitor-email-limit-replenish is the rate at which the bucket is refilled
+#
+# visitor-email-limit-burst: 16
+# visitor-email-limit-replenish: "1h"
+
+# Rate limiting: Attachment size and bandwidth limits per visitor:
+# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor
+# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor
+#
+# visitor-attachment-total-size-limit: "100M"
+# visitor-attachment-daily-bandwidth-limit: "500M"
+
+# Log level, can be TRACE, DEBUG, INFO, WARN or ERROR
+# This option can be hot-reloaded by calling "kill -HUP $pid" or "systemctl reload ntfy".
+#
+# Be aware that DEBUG (and particularly TRACE) can be VERY CHATTY. Only turn them on for
+# debugging purposes, or your disk will fill up quickly.
+#
+log-level: INFO

bundles/ntfy/items.py

@@ -0,0 +1,43 @@
+
+files = {
+    '/etc/ntfy/server.yml': {
+        'content_type': 'mako',
+        'needs': {
+            'pkg_apt:ntfy',
+        },
+        'triggers': {
+            'svc_systemd:ntfy:restart',
+        },
+    },
+}
+
+directories = {
+    '/opt/ntfy': {},
+    '/var/lib/ntfy': {
+        'owner': 'ntfy',
+        'group': 'ntfy',
+    },
+    '/var/cache/ntfy': {
+        'owner': 'ntfy',
+        'group': 'ntfy',
+    },
+    '/var/opt/ntfy': {
+        'owner': 'ntfy',
+        'group': 'ntfy',
+    },
+}
+
+svc_systemd = {
+    'ntfy': {
+        'needs': {
+            'file:/etc/ntfy/server.yml',
+            'pkg_apt:ntfy',
+        },
+    },
+}
+
+users = {
+    'ntfy': {
+        'home': '/opt/ntfy',
+    },
+}

bundles/ntfy/metadata.py

@@ -0,0 +1,83 @@
+
+defaults = {
+    'apt': {
+        'repos': {
+            'ntfy': {
+                'items': {
+                    'deb [arch=amd64] https://archive.heckel.io/apt debian main',
+                },
+            },
+        },
+        'packages': {
+            'ntfy': {},
+        },
+    },
+    'backups': {
+        'paths': {
+            "/var/cache/ntfy"
+            "/var/lib/ntfy"
+            "/var/opt/ntfy"
+        },
+    },
+    'zfs': {
+        'datasets': {
+            'tank/ntfy': {},
+            'tank/ntfy/cache': {
+                'mountpoint': '/var/cache/ntfy',
+                'needed_by': {
+                    'directory:/var/cache/ntfy',
+                },
+            },
+            'tank/ntfy/lib': {
+                'mountpoint': '/var/lib/ntfy',
+                'needed_by': {
+                    'directory:/var/lib/ntfy',
+                },
+            },
+            'tank/ntfy/attachmetns': {
+                'mountpoint': '/var/opt/ntfy',
+                'needed_by': {
+                    'directory:/var/opt/ntfy',
+                },
+            },
+        },
+    },
+}
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    if not node.has_bundle('nginx'):
+        raise DoNotRunAgain
+
+    locations = {
+        '/': {
+            'target': 'http://127.0.0.1:22091',
+            'proxy_set_header': {
+                'X-Real-IP': '$remote_addr',
+            },
+            'websockets': True,
+            'proxy_read_timeout': '3m',
+            'max_body_size': '20m',
+            'additional_config': { 
+                'proxy_connect_timeout 3m',
+                'proxy_send_timeout 3m',
+            }
+        },
+    }
+
+    vhosts = {
+        'ntfy': {
+            'domain': metadata.get('ntfy/baseurl'),
+            'locations': locations,
+            'website_check_path': '/',
+            'website_check_string': 'ntfy',
+        },
+    }
+
+    return {
+        'nginx': {
+            'vhosts': vhosts
+        },
+    }

nodes/htz-cloud/miniserver.py

@@ -8,6 +8,7 @@ nodes['htz-cloud.miniserver'] = {
         'matrix-media-repo',
         'matrix-synapse',
         'nodejs',
+        'ntfy',
         'mautrix-telegram',
         'postgresql',
     },
@@ -218,6 +219,9 @@ nodes['htz-cloud.miniserver'] = {
                 },
             },
         },
+        'ntfy': {
+            'baseurl': 'https://ntfy.sophies-kitchen.eu',
+        },
         'postgresql': {
             'version': '11',
         },