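# NixOS module: self-hosted ntfy server behind nginx, plus a systemd template
# unit that pushes an alert to the local ntfy instance whenever a service fails.
{ config, pkgs, lib, ... }:
let
  # Script run by ntfy-failure@<unit>.service; $1 is the name of the failed unit.
  # NOTE(review): sops.secrets.ntfy is not declared in this file; it must be
  # defined elsewhere and be readable by the user this unit runs as.
  ntfyFailureNotify = pkgs.writeShellScript "ntfy-failure-notify" ''
    # Stop on a missing argument or an unreadable token instead of sending a
    # request without credentials and reporting success.
    set -eu
    UNIT="$1"
    TOKEN=$(cat ${config.sops.secrets.ntfy.path})
    # The message body is an excerpt of the unit's status and recent log
    # lines; everyone allowed to read the "alerts" topic will see it.
    BODY="$(systemctl status --full "$UNIT" 2>&1 | head -40)"
    # The bearer token is handed to curl on stdin (-H @-) so that it never
    # shows up in the process argument list.
    printf 'Authorization: Bearer %s\n' "$TOKEN" | ${pkgs.curl}/bin/curl \
      --silent --show-error --fail --max-time 10 \
      -H @- \
      -H "Title: Service failed: $UNIT" \
      -H "Priority: urgent" \
      -H "Tags: rotating_light" \
      -d "$BODY" \
      http://127.0.0.1:2586/alerts
  '';
in
{
  # Extend the type of systemd.services so that every unit gets the ntfy
  # handler appended to its onFailure list. This is an option declaration and
  # therefore has to live under `options`; placed next to the config
  # definitions as `systemd.services = lib.mkOption ...` it collides with
  # systemd.services."ntfy-failure@" and the file does not evaluate.
  options.systemd.services = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule {
      config.onFailure = [ "ntfy-failure@%n.service" ];
    });
  };

  config = {
    services.ntfy-sh = {
      enable = true;
      settings = {
        base-url = "https://ntfy.hoyer.xyz";
        # ntfy takes the client address from X-Forwarded-For when this is set.
        # NOTE(review): confirm listen-http stays bound to loopback so the
        # header can only be supplied by nginx.
        behind-proxy = true;
        # No anonymous read or write; every topic needs an explicit grant.
        auth-default-access = "deny-all";
      };
    };

    # TLS terminates at nginx using the existing hoyer.xyz certificate; ntfy
    # itself is reached over plain HTTP on loopback.
    services.nginx.virtualHosts."ntfy.hoyer.xyz" = {
      useACMEHost = "hoyer.xyz";
      enableACME = false;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:2586";
        proxyWebsockets = true;
      };
    };

    # Notify via ntfy on any service failure (alongside email)
    systemd.services."ntfy-failure@" = {
      description = "Send ntfy notification on service failure";
      # The handler must not trigger itself when the notification fails.
      onFailure = lib.mkForce [ ];
      serviceConfig = {
        Type = "oneshot";
        # scriptArgs is only appended to the wrapper generated from `script`,
        # so with a hand-written ExecStart the instance specifier has to be
        # passed here; otherwise $1 is empty in the script.
        ExecStart = "${ntfyFailureNotify} %i";
      };
    };
  };
}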