{ secret, ... }:

{
  services.ntfy-sh = {
    enable = true;

    settings = {
      base-url = secret.ntfy.baseUrl;
      listen-unix = "/run/ntfy-sh/ntfy.socket";
      behind-proxy = true;

      auth-file = "/var/lib/ntfy-sh/user.db";
      auth-default-access = "deny-all";

      cache-file = "/var/lib/ntfy-sh/cache.db";
      attachment-cache-dir = "/var/cache/ntfy/attachments";

      keepalive-interval = "45s";
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."${secret.ntfy.web-domain}" = {
      listen = [
        {
          addr = "127.0.0.1";
          port = 80;
        }
      ];

      forceSSL = false;
      enableACME = false;

      locations."/" = {
        tryFiles = "$uri @proxy";
      };

      locations."@proxy" = {
        proxyWebsockets = true;
        recommendedProxySettings = true;
        proxyPass = "http://unix:/run/ntfy-sh/ntfy.socket";
      };
    };
  };
}