fix: user systemd

roles/ntfy/README.md

@@ -5,6 +5,7 @@ Deploys [ntfy](https://ntfy.sh/) - a simple HTTP-based pub-sub notification serv
 ## Security Model
 
 **Secure by default:**
+
 - `auth-default-access: deny-all` - No anonymous access
 - `enable-signup: false` - No public registration
 - `enable-login: true` - Authentication required
@@ -19,7 +20,7 @@ All notifications require authentication to send or receive.
 Set in inventory or vault:
 
 ```yaml
-ntfy_admin_password: "your-secure-password-here"  # Min 12 chars
+ntfy_admin_password: "your-secure-password-here" # Min 12 chars
 ```
 
 ### Optional Variables
@@ -44,21 +45,25 @@ ntfy_nginx_hostname: ntfy.nas.local
 ### Managing Users
 
 List users:
+
 ```bash
 podman exec ntfy ntfy user list
 ```
 
 Add user:
+
 ```bash
 podman exec ntfy ntfy user add <username>
 ```
 
 Change password:
+
 ```bash
 podman exec -i ntfy ntfy user change-pass <username>
 ```
 
 Remove user:
+
 ```bash
 podman exec ntfy ntfy user remove <username>
 ```
@@ -66,6 +71,7 @@ podman exec ntfy ntfy user remove <username>
 ### Managing Topic Access
 
 Grant access to topic:
+
 ```bash
 podman exec ntfy ntfy access <username> <topic> <permission>
 ```
@@ -73,6 +79,7 @@ podman exec ntfy ntfy access <username> <topic> <permission>
 Permissions: `read-write`, `read-only`, `write-only`, `deny`
 
 Example:
+
 ```bash
 # Allow user to publish and subscribe to "alerts" topic
 podman exec ntfy ntfy access alice alerts read-write
@@ -82,6 +89,7 @@ podman exec ntfy ntfy access bob monitoring write-only
 ```
 
 List access control:
+
 ```bash
 podman exec ntfy ntfy access
 ```
@@ -89,11 +97,13 @@ podman exec ntfy ntfy access
 ### Publishing Notifications
 
 Using curl with authentication:
+
 ```bash
 curl -u admin:password -d "Backup completed" http://localhost:8080/backups
 ```
 
 Using ntfy CLI:
+
 ```bash
 ntfy publish --token <access-token> ntfy.nas.local mytopic "Hello World"
 ```
@@ -103,6 +113,7 @@ ntfy publish --token <access-token> ntfy.nas.local mytopic "Hello World"
 Web UI: https://ntfy.nas.local (if nginx enabled)
 
 CLI:
+
 ```bash
 ntfy subscribe --token <access-token> ntfy.nas.local mytopic
 ```

roles/ntfy/defaults/main.yml

@@ -23,9 +23,9 @@ ntfy_timezone: UTC
 # Server configuration
 ntfy_base_url: http://localhost:{{ ntfy_port }}
 ntfy_behind_proxy: false
-ntfy_enable_signup: false  # Disable public signup for security
-ntfy_enable_login: true    # Enable authentication
-ntfy_enable_reservations: true  # Only authenticated users can reserve topics
+ntfy_enable_signup: false # Disable public signup for security
+ntfy_enable_login: true # Enable authentication
+ntfy_enable_reservations: true # Only authenticated users can reserve topics
 
 # Nginx reverse proxy configuration
 ntfy_nginx_enabled: false

roles/ntfy/handlers/main.yml

@@ -3,11 +3,15 @@
   ansible.builtin.systemd:
     daemon_reload: true
 
+- name: Reload systemd user
+  ansible.builtin.command: "systemctl --user daemon-reload"
+  become: true
+  become_user: "{{ ansible_user }}"
+
 - name: Restart ntfy
-  ansible.builtin.systemd:
-    name: ntfy
-    state: restarted
-    daemon_reload: true
+  ansible.builtin.command: "systemctl --user restart ntfy.service"
+  become: true
+  become_user: "{{ ansible_user }}"
 
 - name: Reload nginx
   ansible.builtin.systemd:

roles/ntfy/tasks/main.yml

@@ -46,21 +46,39 @@
     mode: "0644"
   notify: Restart ntfy
 
-- name: Create systemd service for ntfy
+- name: Get home directory for {{ ansible_user }}
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ ansible_user }}"
+
+- name: Set user home directory fact
+  ansible.builtin.set_fact:
+    user_home_dir: "{{ getent_passwd[ansible_user][4] }}"
+
+- name: Create systemd user directory for ntfy
+  ansible.builtin.file:
+    path: "{{ user_home_dir }}/.config/systemd/user"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Create systemd service for ntfy (user scope)
   ansible.builtin.template:
     src: ntfy.service.j2
-    dest: /etc/systemd/system/ntfy.service
-    owner: root
-    group: root
+    dest: "{{ user_home_dir }}/.config/systemd/user/ntfy.service"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
     mode: "0644"
-  notify: Reload systemd
+  notify: Reload systemd user
 
-- name: Enable and start ntfy service
-  ansible.builtin.systemd:
-    name: ntfy
-    enabled: true
-    state: started
-    daemon_reload: true
+- name: Enable lingering for user {{ ansible_user }}
+  ansible.builtin.command: "loginctl enable-linger {{ ansible_user }}"
+  when: ansible_user != 'root'
+
+- name: Enable and start ntfy service (user scope)
+  ansible.builtin.command: "systemctl --user enable --now ntfy.service"
+  become_user: "{{ ansible_user }}"
 
 - name: Wait for ntfy to be ready
   ansible.builtin.wait_for:

roles/ntfy/templates/ntfy.service.j2

@@ -1,13 +1,9 @@
 [Unit]
 Description=Ntfy Notification Service
-Requires=network-online.target
-After=network-online.target
 
 [Service]
 Type=oneshot
 RemainAfterExit=true
-User={{ ansible_user }}
-Group={{ ansible_user }}
 WorkingDirectory={{ podman_projects_dir | default('/opt/podman') }}/ntfy
 ExecStart=/usr/bin/podman play kube --replace ntfy.yaml
 ExecStop=/usr/bin/podman play kube --down ntfy.yaml
@@ -15,4 +11,4 @@ Restart=on-failure
 RestartSec=10
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=default.target