{ config, ... }:
{
  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.hoyer.xyz";
      behind-proxy = true;
      auth-default-access = "deny-all";
    };
  };

  services.nginx.virtualHosts."ntfy.hoyer.xyz" = {
    useACMEHost = "hoyer.xyz";
    enableACME = false;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:2586";
      proxyWebsockets = true;
    };
  };

  metacfg.emailOnFailure.ntfy = {
    tokenFile = config.sops.secrets.ntfy.path;
    url = "http://127.0.0.1:2586";
    topic = "alerts";
  };
}