diff --git a/bundles/ntfy/files/server.yml b/bundles/ntfy/files/server.yml
index f4693a8..babb90b 100644
--- a/bundles/ntfy/files/server.yml
+++ b/bundles/ntfy/files/server.yml
@@ -85,7 +85,11 @@ cache-startup-queries: |
 #   ntfy user and group by running: chown ntfy.ntfy <filename>.
 #
 auth-file: "/var/lib/ntfy/user.db"
+% if node.metadata.get('ntfy/allow_unauthorized_write'):
 auth-default-access: "write-only"
+% else:
+auth-default-access: "deny-all"
+% endif
 
 # If set, the X-Forwarded-For header is used to determine the visitor IP address
 # instead of the remote address of the connection.
diff --git a/bundles/ntfy/metadata.py b/bundles/ntfy/metadata.py
index a49ae55..f2e303f 100644
--- a/bundles/ntfy/metadata.py
+++ b/bundles/ntfy/metadata.py
@@ -19,6 +19,9 @@ defaults = {
             "/var/opt/ntfy",
         },
     },
+    'ntfy': {
+        'allow_unauthorized_write': False,
+    },
     'zfs': {
         'datasets': {
             'tank/ntfy': {},
diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py
index ff82059..3d4d33e 100644
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@@ -225,6 +225,7 @@ nodes['htz-cloud.miniserver'] = {
         },
         'ntfy': {
             'domain': 'ntfy.sophies-kitchen.eu',
+            'allow_unauthorized_write': True,
         },
         'postgresql': {
             'version': '11',