From 9299842ce092c07bbe1d17e2eb27c149f8e7dcf6 Mon Sep 17 00:00:00 2001
From: SebastianStork <git@sstork.dev>
Date: Thu, 15 Jan 2026 22:21:25 +0100
Subject: [PATCH] vps-monitor: Only allow writes to ntfy over vpn

---
 hosts/vps-monitor/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix
index a86ae4f..f4d95e4 100644
--- a/hosts/vps-monitor/default.nix
+++ b/hosts/vps-monitor/default.nix
@@ -40,6 +40,14 @@
       nebula.enable = true;
       sshd.enable = true;
       dns.enable = true;
+
+      caddy.virtualHosts."alerts.sprouted.cloud" = {
+        inherit (config.custom.web-services.ntfy) port;
+        extraConfig = ''
+          @putpost method PUT POST
+          respond @putpost "Access denied" 403 { close }
+        '';
+      };
     };
 
     web-services =
@@ -59,7 +67,7 @@
 
         ntfy = {
           enable = true;
-          domain = "alerts.sprouted.cloud";
+          domain = "alerts.${privateDomain}";
         };
 
         grafana = {