From 9ddb680b5f1d7ff7782a0811f83ee2ae4a5e2693 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?= <corey@x64.co>
Date: Mon, 13 Apr 2026 16:33:16 -0700
Subject: [PATCH] feat(glyph): expose ntfy on Tailscale interface

Bind ntfy to all interfaces and allow port 2586 on tailscale0 only,
so other hosts on the Tailscale network can publish notifications.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 hosts/glyph/services/ntfy.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hosts/glyph/services/ntfy.nix b/hosts/glyph/services/ntfy.nix
index b7926807..c6146a50 100644
--- a/hosts/glyph/services/ntfy.nix
+++ b/hosts/glyph/services/ntfy.nix
@@ -35,10 +35,12 @@ in {
     enable = true;
     settings = {
       base-url = "http://glyph:2586";
-      listen-http = "127.0.0.1:2586";
+      listen-http = ":2586";
     };
   };
 
+  networking.firewall.interfaces.tailscale0.allowedTCPPorts = [2586];
+
   systemd.services.ntfy-slack-relay = {
     description = "Forward ntfy notifications to Slack";
     after = ["ntfy-sh.service" "network.target"];