add-ntfy #54

Merged
sophie merged 5 commits from add-ntfy into main 2022-10-23 13:15:12 +00:00
8 changed files with 384 additions and 5 deletions


@ -47,6 +47,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
| 22080 | netbox | gunicorn | | 22080 | netbox | gunicorn |
| 22090 | openhab | http | | 22090 | openhab | http |
| 22999 | nginx | stub_status | | 22999 | nginx | stub_status |
Review (outdated):

Until now we have always reserved 10 ports per application, so the application would have to run on 22100.
| 22100 | ntfy | http |
## UDP ## UDP
| Port | bundle | usage | | Port | bundle | usage |
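Review bot: the new row `| 22100 | ntfy | http |` follows the ten-port spacing asked for in the review comment, but it is inserted after `| 22999 | nginx | stub_status |`, which breaks the ascending port order of the TCP table; move it between the 22090 and 22999 rows. 22100 matches both `listen-http: "127.0.0.1:22100"` in the new server config and the `http://127.0.0.1:22100` proxy target in bundles/ntfy/metadata.py, so the number itself is consistent across the PR.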


@ -1,9 +1,5 @@
repo.libs.tools.require_bundle(node, 'nodejs') repo.libs.tools.require_bundle(node, 'nodejs')
directories = {
'/opt/hedgedoc': {}
Review (outdated):

Huh?

That was a duplicate. It is defined again further down.
}
git_deploy = { git_deploy = {
'/opt/hedgedoc': { '/opt/hedgedoc': {
'rev': node.metadata.get('hedgedoc/version'), 'rev': node.metadata.get('hedgedoc/version'),
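Review bot: deleting this first `directories = {'/opt/hedgedoc': {}}` assignment does not change the generated items, because the later assignment mentioned in the review comment already overwrote it when the bundle was loaded; please confirm that the surviving `directories` dict still declares `/opt/hedgedoc`, since the `git_deploy` item for `/opt/hedgedoc` directly below this hunk depends on that directory being managed.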


@ -118,7 +118,7 @@ server {
% endif % endif
proxy_buffering off; proxy_buffering off;
proxy_read_timeout ${options.get('proxy_read_timeout', 60)}; proxy_read_timeout ${options.get('proxy_read_timeout', 60)};
client_max_body_size ${options.get('max_body_size', '5M')}; client_max_body_size ${options.get('max_body_size', '5m')};
% elif 'redirect' in options: % elif 'redirect' in options:
return ${options.get('mode', 308)} ${options['redirect']}; return ${options.get('mode', 308)} ${options['redirect']};
% elif 'return' in options: % elif 'return' in options:
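Review bot: the only change in this hunk is the default for `client_max_body_size` going from `'5M'` to `'5m'`; nginx accepts both upper- and lower-case size suffixes, so this is cosmetic alignment with the `'20m'` used in the new ntfy vhost metadata rather than a behavioural change. A one-line mention in the commit message would save the next reader from hunting for a functional reason.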


@ -0,0 +1,206 @@
# ntfy server config file
#
# Please refer to the documentation at https://ntfy.sh/docs/config/ for details.
# All options also support underscores (_) instead of dashes (-) to comply with the YAML spec.
# Public facing base URL of the service (e.g. https://ntfy.sh or https://ntfy.example.com)
#
# This setting is required for any of the following features:
# - attachments (to return a download URL)
# - e-mail sending (for the topic URL in the email footer)
# - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic)
# - Matrix Push Gateway (to validate that the pushkey is correct)
#
base-url: "https://${node.metadata.get('ntfy/domain', 'ntfy')}"
# Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also
# set "key-file" and "cert-file". Format: [<ip>]:<port>, e.g. "1.2.3.4:8080".
#
# To listen on all interfaces, you may omit the IP address, e.g. ":443".
# To disable HTTP, set "listen-http" to "-".
#
listen-http: "127.0.0.1:22100"
# listen-https:
# Listen on a Unix socket, e.g. /var/lib/ntfy/ntfy.sock
# This can be useful to avoid port issues on local systems, and to simplify permissions.
#
# listen-unix: <socket-path>
# listen-unix-mode: <linux permissions, e.g. 0700>
# Path to the private key & cert file for the HTTPS web server. Not used if "listen-https" is not set.
#
# key-file: <filename>
# cert-file: <filename>
# If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app.
# This is optional and only required to save battery when using the Android app.
#
# firebase-key-file: <filename>
# If "cache-file" is set, messages are cached in a local SQLite database instead of only in-memory.
# This allows for service restarts without losing messages in support of the since= parameter.
#
# The "cache-duration" parameter defines the duration for which messages will be buffered
# before they are deleted. This is required to support the "since=..." and "poll=1" parameter.
# To disable the cache entirely (on-disk/in-memory), set "cache-duration" to 0.
# The cache file is created automatically, provided that the correct permissions are set.
#
# The "cache-startup-queries" parameter allows you to run commands when the database is initialized,
# e.g. to enable WAL mode (see https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)).
# Example:
# cache-startup-queries: |
# pragma journal_mode = WAL;
# pragma synchronous = normal;
# pragma temp_store = memory;
#
# Debian/RPM package users:
# Use /var/cache/ntfy/cache.db as cache file to avoid permission issues. The package
# creates this folder for you.
#
# Check your permissions:
# If you are running ntfy with systemd, make sure this cache file is owned by the
# ntfy user and group by running: chown ntfy.ntfy <filename>.
#
cache-file: "/var/cache/ntfy/cache.db"
cache-duration: "12h"
cache-startup-queries: |
pragma journal_mode = WAL;
pragma synchronous = normal;
pragma temp_store = memory;
# If set, access to the ntfy server and API can be controlled on a granular level using
# the 'ntfy user' and 'ntfy access' commands. See the --help pages for details, or check the docs.
#
# - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist
# - auth-default-access defines the default/fallback access if no access control entry is found; it can be
# set to "read-write" (default), "read-only", "write-only" or "deny-all".
#
# Debian/RPM package users:
# Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package
# creates this folder for you.
#
# Check your permissions:
# If you are running ntfy with systemd, make sure this user database file is owned by the
# ntfy user and group by running: chown ntfy.ntfy <filename>.
#
auth-file: "/var/lib/ntfy/user.db"
auth-default-access: "write-only"
# If set, the X-Forwarded-For header is used to determine the visitor IP address
# instead of the remote address of the connection.
#
# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited
# as if they are one.
#
# behind-proxy: false
# If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments
# are "attachment-cache-dir" and "base-url".
#
# - attachment-cache-dir is the cache directory for attached files
# - attachment-total-size-limit is the limit of the on-disk attachment cache directory (total size)
# - attachment-file-size-limit is the per-file attachment size limit (e.g. 300k, 2M, 100M)
# - attachment-expiry-duration is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h)
#
attachment-cache-dir: "/var/opt/ntfy"
attachment-total-size-limit: "5G"
attachment-file-size-limit: "15M"
attachment-expiry-duration: "12h"
# If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set,
# messages will additionally be sent out as e-mail using an external SMTP server. As of today, only
# SMTP servers with plain text auth and STARTLS are supported. Please also refer to the rate limiting settings
# below (visitor-email-limit-burst & visitor-email-limit-burst).
#
# - smtp-sender-addr is the hostname:port of the SMTP server
# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user
# - smtp-sender-from is the e-mail address of the sender
#
# smtp-sender-addr:
# smtp-sender-user:
# smtp-sender-pass:
# smtp-sender-from:
# If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send
# emails to a topic e-mail address to publish messages to a topic.
#
# - smtp-server-listen defines the IP address and port the SMTP server will listen on, e.g. :25 or 1.2.3.4:25
# - smtp-server-domain is the e-mail domain, e.g. ntfy.sh
# - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-",
# for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to
# $topic@ntfy.sh will be accepted (which may obviously be a spam problem).
#
# smtp-server-listen:
# smtp-server-domain:
# smtp-server-addr-prefix:
# Interval in which keepalive messages are sent to the client. This is to prevent
# intermediaries closing the connection for inactivity.
#
# Note that the Android app has a hardcoded timeout at 77s, so it should be less than that.
#
keepalive-interval: "45s"
# Interval in which the manager prunes old messages, deletes topics
# and prints the stats.
#
manager-interval: "1m"
# Defines if the root route (/) is pointing to the landing page (as on ntfy.sh) or the
# web app. If you self-host, you don't want to change this.
# Can be "app" (default), "home" or "disable" to disable the web app entirely.
#
# web-root: app
# Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh").
#
# iOS users:
# If you use the iOS ntfy app, you MUST configure this to receive timely notifications. You'll like want this:
# upstream-base-url: "https://ntfy.sh"
#
# If set, all incoming messages will publish a "poll_request" message to the configured upstream server, containing
# the message ID of the original message, instructing the iOS app to poll this server for the actual message contents.
# This is to prevent the upstream server and Firebase/APNS from being able to read the message.
#
# upstream-base-url:
# Rate limiting: Total number of topics before the server rejects new topics.
#
global-topic-limit: 15000
# Rate limiting: Number of subscriptions per visitor (IP address)
#
visitor-subscription-limit: 64
# Rate limiting: Allowed GET/PUT/POST requests per second, per visitor:
# - visitor-request-limit-burst is the initial bucket of requests each visitor has
# - visitor-request-limit-replenish is the rate at which the bucket is refilled
# - visitor-request-limit-exempt-hosts is a comma-separated list of hostnames and IPs to be
# exempt from request rate limiting; hostnames are resolved at the time the server is started
#
visitor-request-limit-burst: 60
visitor-request-limit-replenish: "5s"
visitor-request-limit-exempt-hosts: "localhost"
# Rate limiting: Allowed emails per visitor:
# - visitor-email-limit-burst is the initial bucket of emails each visitor has
# - visitor-email-limit-replenish is the rate at which the bucket is refilled
#
# visitor-email-limit-burst: 16
# visitor-email-limit-replenish: "1h"
# Rate limiting: Attachment size and bandwidth limits per visitor:
# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor
# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor
#
# visitor-attachment-total-size-limit: "100M"
# visitor-attachment-daily-bandwidth-limit: "500M"
# Log level, can be TRACE, DEBUG, INFO, WARN or ERROR
# This option can be hot-reloaded by calling "kill -HUP $pid" or "systemctl reload ntfy".
#
# Be aware that DEBUG (and particularly TRACE) can be VERY CHATTY. Only turn them on for
# debugging purposes, or your disk will fill up quickly.
#
log-level: INFO
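Review bot: `behind-proxy` is left commented out (`# behind-proxy: false`) although the server listens only on `127.0.0.1:22100` behind nginx, so the warning in the file itself applies: every request arrives with the remote address 127.0.0.1, and because `visitor-request-limit-exempt-hosts: "localhost"` exempts exactly that address, the per-visitor request, subscription and attachment limits are effectively switched off for every client, which matters with `auth-default-access: "write-only"` permitting unauthenticated publishing. Set `behind-proxy: true` and make sure the nginx vhost forwards `X-Forwarded-For`, which is the header ntfy reads for the visitor address.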

bundles/ntfy/items.py (new file)

@ -0,0 +1,43 @@
files = {
'/etc/ntfy/server.yml': {
'content_type': 'mako',
'needs': {
'pkg_apt:ntfy',
},
'triggers': {
'svc_systemd:ntfy:restart',
},
},
}
directories = {
'/opt/ntfy': {},
'/var/lib/ntfy': {
'owner': 'ntfy',
'group': 'ntfy',
},
'/var/cache/ntfy': {
'owner': 'ntfy',
'group': 'ntfy',
},
'/var/opt/ntfy': {
'owner': 'ntfy',
'group': 'ntfy',
},
}
svc_systemd = {
'ntfy': {
'needs': {
'file:/etc/ntfy/server.yml',
'pkg_apt:ntfy',
},
},
}
users = {
'ntfy': {
'home': '/opt/ntfy',
},
}
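Review bot: `svc_systemd:ntfy` only `needs` the config file and the package, not the three `directory` items. Because the ZFS datasets in bundles/ntfy/metadata.py are `needed_by` those directories and nothing orders the service after them, on a fresh node the service can start before `/var/cache/ntfy`, `/var/lib/ntfy` and `/var/opt/ntfy` are mounted; ntfy would then create `cache.db` and `user.db` on the root filesystem and the later mount would hide them. Add `'directory:/var/cache/ntfy'`, `'directory:/var/lib/ntfy'` and `'directory:/var/opt/ntfy'` to the service's `needs`.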

bundles/ntfy/metadata.py (new file)

@ -0,0 +1,85 @@
defaults = {
'apt': {
'repos': {
'ntfy': {
'items': {
'deb [arch=amd64] https://archive.heckel.io/apt debian main',
},
},
},
'packages': {
'ntfy': {},
},
},
'backups': {
'paths': {
"/var/cache/ntfy",
"/var/lib/ntfy",
"/var/opt/ntfy",
},
},
'zfs': {
'datasets': {
'tank/ntfy': {},
'tank/ntfy/cache': {
'mountpoint': '/var/cache/ntfy',
'needed_by': {
'directory:/var/cache/ntfy',
},
},
'tank/ntfy/lib': {
'mountpoint': '/var/lib/ntfy',
'needed_by': {
'directory:/var/lib/ntfy',
},
},
'tank/ntfy/attachments': {
Review (outdated):

Typo?
'mountpoint': '/var/opt/ntfy',
'needed_by': {
'directory:/var/opt/ntfy',
},
},
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
if not node.has_bundle('nginx'):
raise DoNotRunAgain
locations = {
'/': {
'target': 'http://127.0.0.1:22100',
'proxy_set_header': {
'X-Real-IP': '$remote_addr',
},
'websockets': True,
'proxy_read_timeout': '3m',
'max_body_size': '20m',
'additional_config': {
'proxy_connect_timeout 3m',
'proxy_send_timeout 3m',
'proxy_request_buffering off',
'proxy_redirect off',
}
},
}
vhosts = {
'ntfy': {
'domain': metadata.get('ntfy/domain'),
'locations': locations,
'website_check_path': '/',
'website_check_string': 'ntfy',
},
}
return {
'nginx': {
'vhosts': vhosts
},
}
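Review bot: the `/` location sets only `X-Real-IP`, but according to the comment in the new server config ntfy uses `X-Forwarded-For` to determine the visitor address once `behind-proxy` is enabled; unless the nginx bundle's template already emits `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, add it to `proxy_set_header` here, otherwise per-visitor rate limiting cannot tell clients apart. Separately, the apt line `deb [arch=amd64] https://archive.heckel.io/apt debian main` carries no `signed-by=`; if the apt bundle does not already scope the key added in this PR to this source, consider binding it so the key is trusted for this repository only.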


@ -0,0 +1,30 @@
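Review bot: the ASCII-armored public key is added without a visible filename, fingerprint or origin. Record in the commit message (or in a comment next to the apt repo entry in bundles/ntfy/metadata.py) which key ID this is and where it was fetched from, so that a later reader can verify it against the publisher's documented fingerprint instead of trusting the copy in the repository.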


@ -8,8 +8,10 @@ nodes['htz-cloud.miniserver'] = {
'matrix-media-repo', 'matrix-media-repo',
'matrix-synapse', 'matrix-synapse',
'nodejs', 'nodejs',
'ntfy',
'mautrix-telegram', 'mautrix-telegram',
'postgresql', 'postgresql',
'zfs',
}, },
'groups': { 'groups': {
'debian-bullseye', 'debian-bullseye',
@ -218,6 +220,9 @@ nodes['htz-cloud.miniserver'] = {
}, },
}, },
}, },
'ntfy': {
'domain': 'ntfy.sophies-kitchen.eu',
},
'postgresql': { 'postgresql': {
'version': '11', 'version': '11',
}, },
@ -240,5 +245,18 @@ nodes['htz-cloud.miniserver'] = {
], ],
}, },
}, },
'zfs': {
'pools': {
'tank': {
'when_creating': {
'config': [{
'devices': {
'/dev/disk/by-id/scsi-0HC_Volume_23952298',
},
}]
},
},
},
},
}, },
} }
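Review bot: `tank` is created from a single device (`/dev/disk/by-id/scsi-0HC_Volume_23952298`) with no redundancy, which is reasonable for a cloud volume but means the `backups/paths` declared in bundles/ntfy/metadata.py are the only other copy of the ntfy user database, cache and attachments; say so in the commit message. Note also that `when_creating` is only consulted while the pool does not exist yet, so later edits to this block will silently have no effect on the existing pool.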