ntfy – with a bit more structure
A brief summary of how I plan to get ntfy into a “production-ready” state so it can be exposed to the internet.
- Access control
  - Deny by default
  - User(s) and/or access token(s) for:
    - Read-only use cases (i.e., mobile client)
    - Read-write use cases (i.e., alertmanager, alert scripts)
- Fail2ban
  - Configuration to look for failed login attempts in /var/log/nginx/access.log
  - Block by IP – 24 hours
- Websockets over HTTPS
I'll tackle these in order: ACL is required, fail2ban is necessary but not strictly required for day 1, and websockets are a nice-to-have.
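The fail2ban step above, sketched as an added example (not from the original post, and not fail2ban's own code): it replays the planned logic over nginx access-log lines to show which IPs a jail would ban for 24 hours. It assumes nginx's default combined log format, that failed logins show up as HTTP 401 or 403, and hypothetical thresholds of 5 failures within 10 minutes; the log lines and topic name are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 5                       # assumed threshold, not from the plan
FINDTIME = timedelta(minutes=10)   # assumed counting window
BANTIME = timedelta(hours=24)      # the 24-hour block from the plan
AUTH_FAILURES = {"401", "403"}     # assumed signal for a failed login
# nginx "combined" format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse_failure(line):
    """Return (ip, timestamp) if the line is an auth failure, else None."""
    m = LINE_RE.match(line)
    if not m or m["status"] not in AUTH_FAILURES:
        return None
    return m["host"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_bans(lines):
    """Map each banned IP to the time its ban expires."""
    recent = defaultdict(deque)    # ip -> failure times still inside FINDTIME
    bans = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ip, ts = hit
        if ip in bans and ts < bans[ip]:
            continue               # already banned, nothing new to count
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()       # forget failures older than the window
        if len(window) >= MAXRETRY:
            bans[ip] = ts + BANTIME
            window.clear()
    return bans

def sample_log():
    """Constructed log lines; addresses come from documentation ranges."""
    fmt = ('{ip} - - [12/Mar/2024:10:{m:02d}:00 +0000] '
           '"{req} HTTP/1.1" {st} 41 "-" "curl/8.0"')
    lines = [fmt.format(ip="203.0.113.7", m=m, req="GET /alerts/json", st=401) for m in range(5)]
    lines += [fmt.format(ip="198.51.100.4", m=m, req="POST /alerts", st=200) for m in range(5)]
    # Six failures spaced 11 minutes apart never reach MAXRETRY inside FINDTIME.
    lines += [fmt.format(ip="192.0.2.9", m=m, req="GET /alerts/json", st=403) for m in range(0, 56, 11)]
    return lines

if __name__ == "__main__":
    print(find_bans(sample_log()))
```

The third sample client shows the trade-off in the thresholds: slow guessing stays under the window, so the deny-by-default ACL still has to carry the real protection.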