biotite: move all services to biotite except kanidm

machines/thorite/default.nix

@@ -3,6 +3,7 @@
     ./hardware-configurations.nix
     ./monitoring.nix
     ./restic.nix
+    ./ntfy.nix
   ];
 
   config = {

machines/thorite/monitoring.nix

@@ -10,7 +10,8 @@ let
     minifluxUrl
     gotosocialUrl
     hedgedocDomain
-    forgejoDomain
+    grafanaUrl
+    ntfyUrl
     ;
   removeHttps = s: lib.removePrefix "https://" s;
 in
@@ -44,7 +45,7 @@ in
       promtail.enable = true;
     };
 
-    services.caddy.virtualHosts."https://grafana.xinyang.life".extraConfig =
+    services.caddy.virtualHosts.${grafanaUrl}.extraConfig =
       with config.services.grafana.settings.server; ''
         reverse_proxy http://${http_addr}:${toString http_port}
       '';
@@ -98,17 +99,13 @@ in
           name = "hedgedoc";
           address = hedgedocDomain;
         }
-        {
-          name = "forgejo";
-          address = forgejoDomain;
-        }
         {
           name = "ntfy";
-          address = "ntfy.xinyang.life";
+          address = removeHttps ntfyUrl;
         }
         {
           name = "grafana-eu";
-          address = "grafana.xinyang.life";
+          address = removeHttps grafanaUrl;
         }
         {
           name = "loki";

machines/thorite/ntfy.nix

@@ -0,0 +1,29 @@
+{ config, ... }:
+let
+  inherit (config.my-lib.settings) ntfyUrl;
+in
+{
+
+  services.ntfy-sh = {
+    enable = true;
+    group = "caddy";
+    settings = {
+      listen-unix = "/var/run/ntfy-sh/ntfy.sock";
+      listen-unix-mode = 432; # octal 0660
+      base-url = ntfyUrl;
+    };
+  };
+
+  systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";
+
+  services.caddy.virtualHosts.${ntfyUrl}.extraConfig = ''
+    reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
+    @httpget {
+      protocol http
+      method GET
+      path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
+    }
+    redir @httpget https://{host}{uri}
+  '';
+
+}