From e8ebde9a6c26fd323448ac2b274c275f7727c03c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Mon, 20 Feb 2023 23:20:56 +0100
Subject: [PATCH] ntfy_server: Update config 2.0.0 release.

---
 roles/ntfy_server/README.md               | 26 ++++++-
 roles/ntfy_server/templates/server.yml.j2 | 82 +++++++++++++++++++++--
 2 files changed, 101 insertions(+), 7 deletions(-)

diff --git a/roles/ntfy_server/README.md b/roles/ntfy_server/README.md
index 45c67ee..18d0a75 100644
--- a/roles/ntfy_server/README.md
+++ b/roles/ntfy_server/README.md
@@ -2,8 +2,30 @@ Users need to be manually created:
 
 ```
 ntfy user add --role=admin xenrox
-ntfy user add infrastructure
-ntfy access infrastructure infrastructure write-only
+```
+
+Other users:
+
+```
+ntfy user add foobar
+ntfy access foobar 'up*' read-only
+ntfy user change-tier foobar friend
+```
+
+Create tier:
+
+```
+ntfy tier add \
+ --name="Friend" \
+ --message-limit=10000 \
+ --message-expiry-duration=24h \
+ --email-limit=50 \
+ --reservation-limit=10 \
+ --attachment-file-size-limit=15M \
+ --attachment-total-size-limit=1G \
+ --attachment-expiry-duration=48h \
+ --attachment-bandwidth-limit=5G \
+ friend
 ```
 
 Check access control:
diff --git a/roles/ntfy_server/templates/server.yml.j2 b/roles/ntfy_server/templates/server.yml.j2
index 0a64359..6c24507 100644
--- a/roles/ntfy_server/templates/server.yml.j2
+++ b/roles/ntfy_server/templates/server.yml.j2
@@ -85,6 +85,8 @@ cache-startup-queries: |
 # - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist
 # - auth-default-access defines the default/fallback access if no access control entry is found; it can be
 # set to "read-write" (default), "read-only", "write-only" or "deny-all".
+# - auth-startup-queries allows you to run commands when the database is initialized, e.g. to enable
+# WAL mode. This is similar to cache-startup-queries. See above for details.
 #
 # Debian/RPM package users:
 # Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package
@@ -96,6 +98,12 @@ cache-startup-queries: |
 #
 auth-file: /var/lib/ntfy/user.db
 auth-default-access: "deny-all"
+auth-startup-queries: |
+ pragma journal_mode = WAL;
+ pragma synchronous = normal;
+ pragma temp_store = memory;
+ pragma busy_timeout = 15000;
+ vacuum;
 
 # If set, the X-Forwarded-For header is used to determine the visitor IP address
 # instead of the remote address of the connection.
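Review bot: The new `auth-startup-queries` block sets `pragma synchronous = normal` on the user/ACL database (`auth-file`), which in WAL mode trades durability for speed: after a power loss or OS crash the last committed writes (a newly added user, a changed password or access entry) can be rolled back, although the file itself stays consistent. For a small, rarely written auth database the default `synchronous = full` costs nothing noticeable, so either drop that pragma or record the trade-off next to it, e.g. `# synchronous=normal: WAL keeps the db consistent on crash, but the most recent commits may be lost`. `vacuum;` also runs on every start and rewrites the whole file while holding an exclusive lock; that is cheap for the user database, but a one-line comment saying the block is intended for this small db would stop it being copied onto a larger one unchanged.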
@@ -157,12 +165,34 @@ smtp-sender-from: noreply@xenrox.net
 #
 # manager-interval: "1m"
 
+# Defines topic names that are not allowed, because they are otherwise used. There are a few default topics
+# that cannot be used (e.g. app, account, settings, ...). To extend the default list, define them here.
+#
+# Example:
+# disallowed-topics:
+# - about
+# - pricing
+# - contact
+#
+# disallowed-topics:
+
 # Defines if the root route (/) is pointing to the landing page (as on ntfy.sh) or the
 # web app. If you self-host, you don't want to change this.
 # Can be "app" (default), "home" or "disable" to disable the web app entirely.
 #
 # web-root: app
 
+# Various feature flags used to control the web app, and API access, mainly around user and
+# account management.
+#
+# - enable-signup allows users to sign up via the web app, or API
+# - enable-login allows users to log in via the web app, or API
+# - enable-reservations allows users to reserve topics (if their tier allows it)
+#
+# enable-signup: false
+enable-login: true
+enable-reservations: true
+
 # Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh").
 #
 # iOS users:
@@ -194,6 +224,12 @@ smtp-sender-from: noreply@xenrox.net
 # visitor-request-limit-replenish: "5s"
 # visitor-request-limit-exempt-hosts: ""
 
+# Rate limiting: Hard daily limit of messages per visitor and day. The limit is reset
+# every day at midnight UTC. If the limit is not set (or set to zero), the request
+# limit (see above) governs the upper limit.
+#
+# visitor-message-daily-limit: 0
+
 # Rate limiting: Allowed emails per visitor:
 # - visitor-email-limit-burst is the initial bucket of emails each visitor has
 # - visitor-email-limit-replenish is the rate at which the bucket is refilled
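Review bot: `enable-login: true` and `enable-reservations: true` are set explicitly, but `enable-signup` is left as the commented-out default (`# enable-signup: false`) even though this server is built around `auth-default-access: "deny-all"` and manually created users; make it explicit as `enable-signup: false` so self-registration stays closed regardless of what the upstream default is in a future release. With login enabled, the only throttle visible in this file is the generic `visitor-request-limit-*` a few lines down, so a short comment stating whether failed logins fall under that limit (or that brute-force protection must come from the reverse proxy) would save the next reader from having to check. `enable-reservations: true` also lets users claim topics up to their tier's `reservation-limit` (the README in this commit creates a tier with 10); a comment pointing at that limit next to the flag would document why it is safe to enable.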
@@ -208,10 +244,46 @@ smtp-sender-from: noreply@xenrox.net
 # visitor-attachment-total-size-limit: "100M"
 # visitor-attachment-daily-bandwidth-limit: "500M"
 
-# Log level, can be TRACE, DEBUG, INFO, WARN or ERROR
-# This option can be hot-reloaded by calling "kill -HUP $pid" or "systemctl reload ntfy".
+# Payments integration via Stripe
 #
-# Be aware that DEBUG (and particularly TRACE) can be VERY CHATTY. Only turn them on for
-# debugging purposes, or your disk will fill up quickly.
+# - stripe-secret-key is the key used for the Stripe API communication. Setting this values
+# enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys.
+# - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe.
+# Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks.
 #
-# log-level: INFO
+# stripe-secret-key:
+# stripe-webhook-key:
+
+# Logging options
+#
+# By default, ntfy logs to the console (stderr), with an "info" log level, and in a human-readable text format.
+# ntfy supports five different log levels, can also write to a file, log as JSON, and even supports granular
+# log level overrides for easier debugging. Some options (log-level and log-level-overrides) can be hot reloaded
+# by calling "kill -HUP $pid" or "systemctl reload ntfy".
+#
+# - log-format defines the output format, can be "text" (default) or "json"
+# - log-file is a filename to write logs to. If this is not set, ntfy logs to stderr.
+# - log-level defines the default log level, can be one of "trace", "debug", "info" (default), "warn" or "error".
+# Be aware that "debug" (and particularly "trace") can be VERY CHATTY. Only turn them on briefly for debugging purposes.
+# - log-level-overrides lets you override the log level if certain fields match. This is incredibly powerful
+# for debugging certain parts of the system (e.g. only the account management, or only a certain visitor).
+# This is an array of strings in the format:
+# - "field=value -> level" to match a value exactly, e.g. "tag=manager -> trace"
+# - "field -> level" to match any value, e.g. "time_taken_ms -> debug"
+# Warning: Using log-level-overrides has a performance penalty. Only use it for temporary debugging.
+#
+# Example (good for production):
+# log-level: info
+# log-format: json
+# log-file: /var/log/ntfy.log
+#
+# Example level overrides (for debugging, only use temporarily):
+# log-level-overrides:
+# - "tag=manager -> trace"
+# - "visitor_ip=1.2.3.4 -> debug"
+# - "time_taken_ms -> debug"
+#
+# log-level: info
+# log-level-overrides:
+# log-format: text
+# log-file:
-- 
2.44.0
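Review bot: The new `stripe-secret-key` / `stripe-webhook-key` placeholders live in an Ansible template (`server.yml.j2`), so if they are ever switched on they must be rendered from vaulted variables rather than typed in as literals, e.g. `stripe-secret-key: "{{ ntfy_stripe_secret_key }}"` with the value in `ansible-vault`; a comment saying exactly that next to the placeholders is cheap insurance against a live key being committed later. The upstream comment copied in here also has a typo, `essential up keep` should read `essential to keep`. Note that the hunk removes the old explicit `log-level` block and leaves every logging option commented, so the server falls back to info on stderr; if `log-file` is set later, the `visitor_ip=1.2.3.4` override example shows visitor IPs are a logged field, so pair a file target with rotation (or keep journald) rather than leaving an unbounded log on disk. This hunk runs to the end of the file.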