diff --git a/PORT_MAP.md b/PORT_MAP.md index 05ea28d..1be4b18 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -46,6 +46,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 22070 | paperless-ng | gunicorn | | 22080 | netbox | gunicorn | | 22090 | openhab | http | +| 22091 | ntfy | http | | 22999 | nginx | stub_status | ## UDP diff --git a/bundles/hedgedoc/items.py b/bundles/hedgedoc/items.py index a295391..ac66fcb 100644 --- a/bundles/hedgedoc/items.py +++ b/bundles/hedgedoc/items.py @@ -1,9 +1,5 @@ repo.libs.tools.require_bundle(node, 'nodejs') -directories = { - '/opt/hedgedoc': {} -} - git_deploy = { '/opt/hedgedoc': { 'rev': node.metadata.get('hedgedoc/version'), diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index b59137b..bccff8c 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template @@ -118,7 +118,7 @@ server { % endif proxy_buffering off; proxy_read_timeout ${options.get('proxy_read_timeout', 60)}; - client_max_body_size ${options.get('max_body_size', '5M')}; + client_max_body_size ${options.get('max_body_size', '5m')}; % elif 'redirect' in options: return ${options.get('mode', 308)} ${options['redirect']}; % elif 'return' in options: diff --git a/bundles/ntfy/files/server.yml b/bundles/ntfy/files/server.yml new file mode 100644 index 0000000..a8ce98a --- /dev/null +++ b/bundles/ntfy/files/server.yml @@ -0,0 +1,206 @@ +# ntfy server config file +# +# Please refer to the documentation at https://ntfy.sh/docs/config/ for details. +# All options also support underscores (_) instead of dashes (-) to comply with the YAML spec. + +# Public facing base URL of the service (e.g. https://ntfy.sh or https://ntfy.example.com) +# +# This setting is required for any of the following features: +# - attachments (to return a download URL) +# - e-mail sending (for the topic URL in the email footer) +# - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic) +# - Matrix Push Gateway (to validate that the pushkey is correct) +# +base-url: "${metadata.get['ntfy/baseurl']}" + +# Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also +# set "key-file" and "cert-file". Format: []:, e.g. "1.2.3.4:8080". +# +# To listen on all interfaces, you may omit the IP address, e.g. ":443". +# To disable HTTP, set "listen-http" to "-". +# +listen-http: "127.0.0.1:22091" +# listen-https: + +# Listen on a Unix socket, e.g. /var/lib/ntfy/ntfy.sock +# This can be useful to avoid port issues on local systems, and to simplify permissions. +# +# listen-unix: +# listen-unix-mode: + +# Path to the private key & cert file for the HTTPS web server. Not used if "listen-https" is not set. +# +# key-file: +# cert-file: + +# If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app. +# This is optional and only required to save battery when using the Android app. +# +# firebase-key-file: + +# If "cache-file" is set, messages are cached in a local SQLite database instead of only in-memory. +# This allows for service restarts without losing messages in support of the since= parameter. +# +# The "cache-duration" parameter defines the duration for which messages will be buffered +# before they are deleted. This is required to support the "since=..." and "poll=1" parameter. +# To disable the cache entirely (on-disk/in-memory), set "cache-duration" to 0. +# The cache file is created automatically, provided that the correct permissions are set. +# +# The "cache-startup-queries" parameter allows you to run commands when the database is initialized, +# e.g. to enable WAL mode (see https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)). +# Example: +# cache-startup-queries: | +# pragma journal_mode = WAL; +# pragma synchronous = normal; +# pragma temp_store = memory; +# +# Debian/RPM package users: +# Use /var/cache/ntfy/cache.db as cache file to avoid permission issues. The package +# creates this folder for you. +# +# Check your permissions: +# If you are running ntfy with systemd, make sure this cache file is owned by the +# ntfy user and group by running: chown ntfy.ntfy . +# +cache-file: "/var/cache/ntfy/cache.db" +cache-duration: "12h" +cache-startup-queries: | + pragma journal_mode = WAL; + pragma synchronous = normal; + pragma temp_store = memory; + +# If set, access to the ntfy server and API can be controlled on a granular level using +# the 'ntfy user' and 'ntfy access' commands. See the --help pages for details, or check the docs. +# +# - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist +# - auth-default-access defines the default/fallback access if no access control entry is found; it can be +# set to "read-write" (default), "read-only", "write-only" or "deny-all". +# +# Debian/RPM package users: +# Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package +# creates this folder for you. +# +# Check your permissions: +# If you are running ntfy with systemd, make sure this user database file is owned by the +# ntfy user and group by running: chown ntfy.ntfy . +# +auth-file: "/var/lib/ntfy/user.db" +auth-default-access: "deny-all" + +# If set, the X-Forwarded-For header is used to determine the visitor IP address +# instead of the remote address of the connection. +# +# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited +# as if they are one. +# +# behind-proxy: false + +# If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments +# are "attachment-cache-dir" and "base-url". +# +# - attachment-cache-dir is the cache directory for attached files +# - attachment-total-size-limit is the limit of the on-disk attachment cache directory (total size) +# - attachment-file-size-limit is the per-file attachment size limit (e.g. 300k, 2M, 100M) +# - attachment-expiry-duration is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h) +# +attachment-cache-dir: "/var/opt/ntfy" +attachment-total-size-limit: "5G" +attachment-file-size-limit: "15M" +attachment-expiry-duration: "12h" + +# If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set, +# messages will additionally be sent out as e-mail using an external SMTP server. As of today, only +# SMTP servers with plain text auth and STARTLS are supported. Please also refer to the rate limiting settings +# below (visitor-email-limit-burst & visitor-email-limit-burst). +# +# - smtp-sender-addr is the hostname:port of the SMTP server +# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user +# - smtp-sender-from is the e-mail address of the sender +# +# smtp-sender-addr: +# smtp-sender-user: +# smtp-sender-pass: +# smtp-sender-from: + +# If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send +# emails to a topic e-mail address to publish messages to a topic. +# +# - smtp-server-listen defines the IP address and port the SMTP server will listen on, e.g. :25 or 1.2.3.4:25 +# - smtp-server-domain is the e-mail domain, e.g. ntfy.sh +# - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-", +# for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to +# $topic@ntfy.sh will be accepted (which may obviously be a spam problem). +# +# smtp-server-listen: +# smtp-server-domain: +# smtp-server-addr-prefix: + +# Interval in which keepalive messages are sent to the client. This is to prevent +# intermediaries closing the connection for inactivity. +# +# Note that the Android app has a hardcoded timeout at 77s, so it should be less than that. +# +keepalive-interval: "45s" + +# Interval in which the manager prunes old messages, deletes topics +# and prints the stats. +# +manager-interval: "1m" + +# Defines if the root route (/) is pointing to the landing page (as on ntfy.sh) or the +# web app. If you self-host, you don't want to change this. +# Can be "app" (default), "home" or "disable" to disable the web app entirely. +# +# web-root: app + +# Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh"). +# +# iOS users: +# If you use the iOS ntfy app, you MUST configure this to receive timely notifications. You'll like want this: +# upstream-base-url: "https://ntfy.sh" +# +# If set, all incoming messages will publish a "poll_request" message to the configured upstream server, containing +# the message ID of the original message, instructing the iOS app to poll this server for the actual message contents. +# This is to prevent the upstream server and Firebase/APNS from being able to read the message. +# +# upstream-base-url: + +# Rate limiting: Total number of topics before the server rejects new topics. +# +global-topic-limit: 15000 + +# Rate limiting: Number of subscriptions per visitor (IP address) +# +visitor-subscription-limit: 64 + +# Rate limiting: Allowed GET/PUT/POST requests per second, per visitor: +# - visitor-request-limit-burst is the initial bucket of requests each visitor has +# - visitor-request-limit-replenish is the rate at which the bucket is refilled +# - visitor-request-limit-exempt-hosts is a comma-separated list of hostnames and IPs to be +# exempt from request rate limiting; hostnames are resolved at the time the server is started +# +visitor-request-limit-burst: 60 +visitor-request-limit-replenish: "5s" +visitor-request-limit-exempt-hosts: "localhost" + +# Rate limiting: Allowed emails per visitor: +# - visitor-email-limit-burst is the initial bucket of emails each visitor has +# - visitor-email-limit-replenish is the rate at which the bucket is refilled +# +# visitor-email-limit-burst: 16 +# visitor-email-limit-replenish: "1h" + +# Rate limiting: Attachment size and bandwidth limits per visitor: +# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor +# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor +# +# visitor-attachment-total-size-limit: "100M" +# visitor-attachment-daily-bandwidth-limit: "500M" + +# Log level, can be TRACE, DEBUG, INFO, WARN or ERROR +# This option can be hot-reloaded by calling "kill -HUP $pid" or "systemctl reload ntfy". +# +# Be aware that DEBUG (and particularly TRACE) can be VERY CHATTY. Only turn them on for +# debugging purposes, or your disk will fill up quickly. +# +log-level: INFO diff --git a/bundles/ntfy/items.py b/bundles/ntfy/items.py new file mode 100644 index 0000000..d9a93bb --- /dev/null +++ b/bundles/ntfy/items.py @@ -0,0 +1,43 @@ + +files = { + '/etc/ntfy/server.yml': { + 'content_type': 'mako', + 'needs': { + 'pkg_apt:ntfy', + }, + 'triggers': { + 'svc_systemd:ntfy:restart', + }, + }, +} + +directories = { + '/opt/ntfy': {}, + '/var/lib/ntfy': { + 'owner': 'ntfy', + 'group': 'ntfy', + }, + '/var/cache/ntfy': { + 'owner': 'ntfy', + 'group': 'ntfy', + }, + '/var/opt/ntfy': { + 'owner': 'ntfy', + 'group': 'ntfy', + }, +} + +svc_systemd = { + 'ntfy': { + 'needs': { + 'file:/etc/ntfy/server.yml', + 'pkg_apt:ntfy', + }, + }, +} + +users = { + 'ntfy': { + 'home': '/opt/ntfy', + }, +} diff --git a/bundles/ntfy/metadata.py b/bundles/ntfy/metadata.py new file mode 100644 index 0000000..0ec6bfc --- /dev/null +++ b/bundles/ntfy/metadata.py @@ -0,0 +1,83 @@ + +defaults = { + 'apt': { + 'repos': { + 'ntfy': { + 'items': { + 'deb [arch=amd64] https://archive.heckel.io/apt debian main', + }, + }, + }, + 'packages': { + 'ntfy': {}, + }, + }, + 'backups': { + 'paths': { + "/var/cache/ntfy" + "/var/lib/ntfy" + "/var/opt/ntfy" + }, + }, + 'zfs': { + 'datasets': { + 'tank/ntfy': {}, + 'tank/ntfy/cache': { + 'mountpoint': '/var/cache/ntfy', + 'needed_by': { + 'directory:/var/cache/ntfy', + }, + }, + 'tank/ntfy/lib': { + 'mountpoint': '/var/lib/ntfy', + 'needed_by': { + 'directory:/var/lib/ntfy', + }, + }, + 'tank/ntfy/attachmetns': { + 'mountpoint': '/var/opt/ntfy', + 'needed_by': { + 'directory:/var/opt/ntfy', + }, + }, + }, + }, +} + +@metadata_reactor.provides( + 'nginx/vhosts', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + locations = { + '/': { + 'target': 'http://127.0.0.1:22091', + 'proxy_set_header': { + 'X-Real-IP': '$remote_addr', + }, + 'websockets': True, + 'proxy_read_timeout': '3m', + 'max_body_size': '20m', + 'additional_config': { + 'proxy_connect_timeout 3m', + 'proxy_send_timeout 3m', + } + }, + } + + vhosts = { + 'ntfy': { + 'domain': metadata.get('ntfy/baseurl'), + 'locations': locations, + 'website_check_path': '/', + 'website_check_string': 'ntfy', + }, + } + + return { + 'nginx': { + 'vhosts': vhosts + }, + } diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 57c9629..49a59f4 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -8,6 +8,7 @@ nodes['htz-cloud.miniserver'] = { 'matrix-media-repo', 'matrix-synapse', 'nodejs', + 'ntfy', 'mautrix-telegram', 'postgresql', }, @@ -218,6 +219,9 @@ nodes['htz-cloud.miniserver'] = { }, }, }, + 'ntfy': { + 'baseurl': 'https://ntfy.sophies-kitchen.eu', + }, 'postgresql': { 'version': '11', },