From b1e15b64ff4036f86d4f0865663a66ca892558e6 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Mon, 30 Sep 2024 23:45:38 +0800
Subject: [PATCH] tyo0/ntfy: fine grain unix socket permission
---
 hosts/aws/tyo0/default.nix | 5 ++++-
 hosts/aws/tyo0/services/ntfy.nix | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/hosts/aws/tyo0/default.nix b/hosts/aws/tyo0/default.nix
index a001277..214b4f6 100644
--- a/hosts/aws/tyo0/default.nix
+++ b/hosts/aws/tyo0/default.nix
@@ -63,7 +63,10 @@
 listen = [ ":443" ];
 };
- systemd.services."caddy".serviceConfig.SupplementaryGroups = [ "forgejo" ];
+ systemd.services."caddy".serviceConfig.SupplementaryGroups = [
+ "forgejo"
+ "ntfy-sh"
+ ];
 services.caddy.settings.apps.http.servers.srv0.routes = [
 {
diff --git a/hosts/aws/tyo0/services/ntfy.nix b/hosts/aws/tyo0/services/ntfy.nix
index eebe031..eaef8c8 100644
--- a/hosts/aws/tyo0/services/ntfy.nix
+++ b/hosts/aws/tyo0/services/ntfy.nix
@@ -6,7 +6,7 @@
 base-url = "https://ntfy.ny4.dev";
 listen-http = "";
 listen-unix = "/run/ntfy-sh/ntfy.sock";
- listen-unix-mode = 511; # 0777
+ listen-unix-mode = 432; # 0660
 behind-proxy = true;
 };
 };
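Review bot: Adding `"ntfy-sh"` to caddy's `SupplementaryGroups` in `hosts/aws/tyo0/default.nix` gives the internet-facing proxy every group permission that ntfy-sh holds, not only access to the socket. Anything under ntfy's state or runtime directories that is group-readable or group-writable becomes reachable from the caddy process, so it is worth confirming those paths are not group-accessible beyond the socket itself. I would record the intent next to the entry, e.g. `# ntfy-sh: only needed to connect to /run/ntfy-sh/ntfy.sock (mode 0660)`. The existing `"forgejo"` entry deserves the same check.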
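Review bot: The new `listen-unix-mode = 432; # 0660` in `hosts/aws/tyo0/services/ntfy.nix` only narrows access if the socket ends up group-owned by `ntfy-sh` and `/run/ntfy-sh` is searchable by that group but not by others; neither is visible in this hunk, whose settings block starts and ends outside it. If the directory stays world-traversable the socket mode is the only barrier, and if it is not group-searchable caddy will fail to connect. The decimal value is correct for octal 0660, but the encoding is easy to get wrong on a later edit, so I would extend the comment to something like `# decimal for octal 0660: rw for owner and group only; caddy is in the ntfy-sh group`.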