# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

# NixOS module: declarative users and access-control rules for ntfy.sh.
# The declared users and rules are serialised to a JSON file in the Nix
# store and applied by the `ntfy-acl` helper script before the daemon
# starts (see `systemd.services.ntfy-sh.preStart` below).
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib)
    getExe'
    mapAttrsToList
    mkEnableOption
    mkIf
    mkOption
    xor
    ;
  inherit (lib.types)
    attrsOf
    enum
    listOf
    nullOr
    path
    str
    submodule
    ;

  cfg = config.services.ntfy-sh.accessControl;

  # Settings of the upstream ntfy-sh module (we read `auth-file` from it).
  inherit (config.services.ntfy-sh) settings;

  # Declared users and rules rendered as JSON. This is a store path and
  # therefore world-readable on the host: every `hashedPassword` value ends
  # up in it, and a `passwordFile` given as a literal `./...` path would be
  # copied into the store as well. Point `passwordFile` at a file outside
  # the store (e.g. a secret deployed at runtime) for anything sensitive.
  acl_file = (pkgs.formats.json { }).generate "acl.json" { inherit (cfg) access users; };

  # Helper script that reconciles ntfy's user database with `acl_file`.
  # `substituteAll` fills the `@python3@`, `@acl_file@`, `@user_db@` and
  # `@ntfy@` placeholders in ./ntfy-acl.py; the script's own logic is not
  # visible in this file.
  ntfy-acl = pkgs.substituteAll {
    inherit (pkgs) python3;
    inherit acl_file;

    # ntfy's user database, as configured by the upstream module.
    user_db = settings.auth-file;
    ntfy = getExe' config.services.ntfy-sh.package "ntfy";

    name = "ntfy-acl";
    src = ./ntfy-acl.py;
    dir = "bin";
    isExecutable = true;
  };
in

{
  options.services.ntfy-sh.accessControl = {
    enable = mkEnableOption "declarative management of users and acl for ntfy.sh";

    # Users keyed by username; the attribute name is the ntfy username that
    # `access` rules refer to.
    users = mkOption {
      type = attrsOf (submodule {
        options = {
          role = mkOption {
            type = enum [
              "admin"
              "user"
            ];
            description = "Role of the user.";
            default = "user";
          };
          # Exactly one of `passwordFile` / `hashedPassword` must be set;
          # this is enforced by the assertion in `config` below.
          passwordFile = mkOption {
            type = nullOr path;
            description = ''
              Path to a file containing the password of the user.

              Conflicts with `hashedPassword`.
            '';
            default = null;
          };
          # NOTE(review): the hash is serialised into `acl_file`, a
          # world-readable store path. Prefer `passwordFile` when the hash
          # should not be readable by every local user.
          hashedPassword = mkOption {
            type = nullOr str;
            description = ''
              Hashed password of the user.

              Conflicts with `passwordFile`.
            '';
            default = null;
          };
        };
      });
      description = ''
        Attribute set defining users of the ntfy.sh instance.
      '';
      default = { };
    };

    # Access rules, one per (user, topic pattern, permission) triple,
    # mirroring ntfy's own ACL entries.
    access = mkOption {
      type = listOf (submodule {
        options = {
          # Defaults to `*`, i.e. the anonymous user: a rule that omits
          # `username` applies to every unauthenticated client, so set it
          # explicitly for any topic that is not meant to be public.
          username = mkOption {
            type = str;
            description = ''
              A USERNAME is an existing user, as created with ntfy user add (see users and roles),
              or the anonymous user everyone or *, which represents clients that access the API
              without username/password.
            '';
            default = "*";
          };
          # Required (no default).
          topic = mkOption {
            type = str;
            description = ''
              A TOPIC is either a specific topic name (e.g. mytopic, or phil_alerts),
              or a wildcard pattern that matches any number of topics (e.g. alerts_* or ben-*).
              Only the wildcard character * is supported.
              It stands for zero to any number of characters.
            '';
          };
          # Required (no default), so every rule states its permission
          # explicitly.
          permission = mkOption {
            type = enum [
              "rw"
              "ro"
              "wo"
              "none"
            ];
            description = ''
              Permission for this access.
              - rw: Allows publishing messages to the given topic, as well as subscribing and reading messages
              - ro: Allows only subscribing and reading messages, but not publishing to the topic
              - wo: Allows only publishing to the topic, but not subscribing to it
              - none: Allows neither publishing nor subscribing to a topic
            '';
          };
        };
      });
      description = "List of access control rules.";
      default = [ ];
    };
  };

  config = mkIf cfg.enable {
    # Each declared user must carry exactly one password source.
    assertions = mapAttrsToList (name: user: {
      assertion = xor (user.hashedPassword != null) (user.passwordFile != null);
      message = ''
        Exactly one of `services.ntfy-sh.accessControl.users.<name>.hashedPassword`
        and `services.ntfy-sh.accessControl.users.<name>.passwordFile`
        is required for `name` = `${name}`.
      '';
    }) cfg.users;

    # Accounts are managed here, so self-service sign-up is switched off;
    # this keeps the set of users under declarative control.
    services.ntfy-sh.settings = {
      enable-signup = false;
    };

    # State file for the helper, readable only by the service account.
    # NOTE(review): what `.acl-path` holds is decided by ./ntfy-acl.py and
    # is not visible here — confirm before changing the path or mode.
    systemd.tmpfiles.rules = [
      "f /var/lib/ntfy-sh/.acl-path 0600 ${config.services.ntfy-sh.user} ${config.services.ntfy-sh.group} - -"
    ];
    # Apply users and rules before the daemon starts; a failing
    # reconciliation keeps ntfy from starting rather than running with an
    # unexpected ACL.
    systemd.services.ntfy-sh.preStart = "${ntfy-acl}/bin/ntfy-acl";
  };
}