Make ntfy run as ntfy user/group, closes #38

2024-05-10 23:44:03 +12:00 · 2021-12-08 22:08:44 -05:00 · 2021-12-08 22:08:44 -05:00 · 9a56c24dbe
parent 808b63eaa1
commit 9a56c24dbe
6 changed files with 28 additions and 3 deletions
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -52,6 +52,8 @@ nfpms:
        type: config
      - src: config/ntfy.service
        dst: /lib/systemd/system/ntfy.service
+      - dst: /var/cache/ntfy
+        type: dir
    scripts:
      postinstall: "scripts/postinst.sh"
      preremove: "scripts/prerm.sh"
--- a/2
+++ b/2
@ -143,4 +143,4 @@ install:
 install-deb:
 	sudo systemctl stop ntfy || true
 	sudo apt-get purge ntfy || true
-	sudo dpkg -i dist/*.deb
+	sudo dpkg -i dist/ntfy_*_linux_amd64.deb
--- a/config/config.yml
+++ b/config/config.yml
@ -28,6 +28,9 @@
 # If set, messages are cached in a local SQLite database instead of only in-memory. This
 # allows for service restarts without losing messages in support of the since= parameter.
 #
+# Note: If you are running ntfy with systemd, make sure this cache file is owned by the
+#       ntfy user and group by running: chown ntfy.ntfy <filename>.
+#
 # cache-file: <filename>

 # Duration for which messages will be buffered before they are deleted.
--- a/config/ntfy.service
+++ b/config/ntfy.service
@ -3,8 +3,11 @@ Description=ntfy server
 After=network.target

 [Service]
+User=ntfy
+Group=ntfy
 ExecStart=/usr/bin/ntfy
 Restart=on-failure
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 LimitNOFILE=10000

 [Install]
--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@ -7,6 +7,21 @@ set -e
 # TODO: This is only tested on Debian.
 #
 if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
+  # Create ntfy user/group
+  id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
+  chown ntfy.ntfy /var/cache/ntfy
+  chmod 700 /var/cache/ntfy
+
+  # Hack to change permissions on cache file
+  configfile="/etc/ntfy/config.yml"
+  if [ -f "$configfile" ]; then
+    cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: (.+)/ && print $1')"
+    if [ -n "$cachefile" ]; then
+      chown ntfy.ntfy "$cachefile" || true
+    fi
+  fi
+
+  # Restart service
  systemctl --system daemon-reload >/dev/null || true
  if systemctl is-active -q ntfy.service; then
    echo "Restarting ntfy.service ..."
--- a/scripts/postrm.sh
+++ b/scripts/postrm.sh
@ -3,6 +3,8 @@ set -e

 # Delete the config if package is purged
 if [ "$1" = "purge" ]; then
-  echo "Deleting /etc/ntfy ..."
-  rm -rf /etc/ntfy || true
+  id ntfy >/dev/null 2>&1 && userdel ntfy
+  rm -f /etc/ntfy/config.yml
+  rmdir /etc/ntfy || true
 fi
+