From 9a56c24dbe417f7da5f96704d8f7f61921e1b866 Mon Sep 17 00:00:00 2001
From: Philipp Heckel
Date: Wed, 8 Dec 2021 22:08:44 -0500
Subject: [PATCH] Make ntfy run as ntfy user/group, closes #38
---
 .goreleaser.yml | 2 ++
 Makefile | 2 +-
 config/config.yml | 3 +++
 config/ntfy.service | 3 +++
 scripts/postinst.sh | 15 +++++++++++++++
 scripts/postrm.sh | 6 ++++--
 6 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index ae217ee5..7148ef61 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -52,6 +52,8 @@ nfpms:
 type: config
 - src: config/ntfy.service
 dst: /lib/systemd/system/ntfy.service
+ - dst: /var/cache/ntfy
+ type: dir
 scripts:
 postinstall: "scripts/postinst.sh"
 preremove: "scripts/prerm.sh"
diff --git a/Makefile b/Makefile
index 5a88647e..d4da687c 100644
--- a/Makefile
+++ b/Makefile
@@ -143,4 +143,4 @@ install:
 install-deb:
 sudo systemctl stop ntfy || true
 sudo apt-get purge ntfy || true
- sudo dpkg -i dist/*.deb
+ sudo dpkg -i dist/ntfy_*_linux_amd64.deb
diff --git a/config/config.yml b/config/config.yml
index 89f8ad55..dec13fbb 100644
--- a/config/config.yml
+++ b/config/config.yml
@@ -28,6 +28,9 @@
 # If set, messages are cached in a local SQLite database instead of only in-memory. This
 # allows for service restarts without losing messages in support of the since= parameter.
 #
+# Note: If you are running ntfy with systemd, make sure this cache file is owned by the
+# ntfy user and group by running: chown ntfy.ntfy .
+#
 # cache-file:
 # Duration for which messages will be buffered before they are deleted.
diff --git a/config/ntfy.service b/config/ntfy.service
index 21acea50..77899517 100644
--- a/config/ntfy.service
+++ b/config/ntfy.service
@@ -3,8 +3,11 @@ Description=ntfy server
 After=network.target
 [Service]
+User=ntfy
+Group=ntfy
 ExecStart=/usr/bin/ntfy
 Restart=on-failure
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 LimitNOFILE=10000
 [Install]
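Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` in config/ntfy.service grants the bind capability, but nothing in the [Service] section bounds what the process can regain afterwards. Since the point of the change is to drop root, I would add `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=yes` next to it, so that a setuid or file-capability binary executed by the service cannot widen its privileges. `CacheDirectory=ntfy` with `CacheDirectoryMode=0700` would also let systemd create /var/cache/ntfy with the right owner and mode instead of relying on the postinst chown.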
diff --git a/scripts/postinst.sh b/scripts/postinst.sh
index 0a09edbf..2fa34e7c 100755
--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@@ -7,6 +7,21 @@ set -e
 # TODO: This is only tested on Debian.
 #
 if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
+ # Create ntfy user/group
+ id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
+ chown ntfy.ntfy /var/cache/ntfy
+ chmod 700 /var/cache/ntfy
+
+ # Hack to change permissions on cache file
+ configfile="/etc/ntfy/config.yml"
+ if [ -f "$configfile" ]; then
+ cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: (.+)/ && print $1')"
+ if [ -n "$cachefile" ]; then
+ chown ntfy.ntfy "$cachefile" || true
+ fi
+ fi
+
+ # Restart service
 systemctl --system daemon-reload >/dev/null || true
 if systemctl is-active -q ntfy.service; then
 echo "Restarting ntfy.service ..."
diff --git a/scripts/postrm.sh b/scripts/postrm.sh
index 1eac8a71..78db62e8 100755
--- a/scripts/postrm.sh
+++ b/scripts/postrm.sh
@@ -3,6 +3,8 @@ set -e
 # Delete the config if package is purged
 if [ "$1" = "purge" ]; then
- echo "Deleting /etc/ntfy ..."
- rm -rf /etc/ntfy || true
+ id ntfy >/dev/null 2>&1 && userdel ntfy
+ rm -f /etc/ntfy/config.yml
+ rmdir /etc/ntfy || true
 fi
+
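Review bot: In scripts/postinst.sh the added `chown ntfy.ntfy "$cachefile" || true` runs as root on a path scraped from /etc/ntfy/config.yml and follows symlinks, so on a later upgrade, once the cache file sits in a directory the ntfy account can write to, ownership of whatever that path resolves to would be handed to ntfy. I would restrict it to an existing regular file and not dereference: `if [ -f "$cachefile" ] && [ ! -L "$cachefile" ]; then chown -h ntfy:ntfy "$cachefile" || true; fi`. The perl capture `(.+)` also keeps trailing whitespace, quotes or an inline comment from the YAML value, in which case the chown silently misses the file. The `user.group` separator is the deprecated form; `ntfy:ntfy` is preferred here, for `/var/cache/ntfy`, and in the command suggested in the config/config.yml hunk. The enclosing `if [ "$1" = "configure" ]` block closes outside this hunk.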
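Review bot: In scripts/postrm.sh `id ntfy >/dev/null 2>&1 && userdel ntfy` is the only added command without a failure guard under `set -e`, so a userdel error (for example, a process still running as ntfy) aborts the purge before /etc/ntfy is cleaned up. Removing the account also leaves anything still owned by its UID, such as a cache file under /var/cache/ntfy or at a custom cache-file path, to be inherited by whichever account is later assigned that UID; nothing in this hunk removes those files. I would either keep the system account on purge or delete the cache first and guard the call: `if id ntfy >/dev/null 2>&1; then userdel ntfy || true; fi`. The comment above the block still says only "Delete the config" and could mention the account removal.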