author: Mike Iversen <miversen33@gmail.com> 2023-09-12 07:28:52 -0500
committer: GitHub <noreply@github.com> 2023-09-12 15:28:52 +0300
commit: 13e6354d3d803112beef003bf0a3210474b5dfdd
tree: e765326bcfd3d7e72ae733c3abb77da6df4a2c4d /health
parent: ef48d88a118188f6cb4f6a00172d782a2eba8e8c
feat: Adds access control configuration for ntfy (#15932)
Co-authored-by: ilyam8 <ilya@netdata.cloud>
Diffstat (limited to 'health')
-rwxr-xr-x health/notifications/alarm-notify.sh.in 14
-rwxr-xr-x health/notifications/health_alarm_notify.conf 9
-rw-r--r-- health/notifications/ntfy/README.md 33
-rw-r--r-- health/notifications/ntfy/metadata.yaml 21
4 files changed, 77 insertions, 0 deletions
diff --git a/health/notifications/alarm-notify.sh.in b/health/notifications/alarm-notify.sh.in
index e8dfe45d0d..73a767e699 100755
--- a/health/notifications/alarm-notify.sh.in
+++ b/health/notifications/alarm-notify.sh.in
@@ -2450,9 +2450,23 @@ send_ntfy() {
*) priority="default" ;;
esac
+ # Adding ntfy header generation logic
+ # Heavily inspired by https://github.com/nickexyz/ntfy-shellscripts/blob/main/sabnzbd.sh
+ tmp_header=""
+ if [[ -n "${NTFY_USERNAME}" ]] && [[ -n "${NTFY_PASSWORD}" ]]; then
+ ntfy_base64=$( echo -n "$NTFY_USERNAME:$NTFY_PASSWORD" | base64 )
+ tmp_header="Authorization: Basic ${ntfy_base64}"
+ elif [ -n "${NTFY_ACCESS_TOKEN}" ]; then
+ tmp_header="Authorization: Bearer ${NTFY_ACCESS_TOKEN}"
+ fi
+ ntfy_auth_header=()
+ if [ -n "${tmp_header}" ]; then
+ ntfy_auth_header=("-H" "${tmp_header}")
+ fi
for recipient in ${recipients}; do
msg="${host} ${status_message}: ${alarm} - ${info}"
httpcode=$(docurl -X POST \
+ "${ntfy_auth_header[@]}" \
-H "Icon: https://raw.githubusercontent.com/netdata/netdata/master/web/gui/dashboard/images/favicon-196x196.png" \
-H "Title: ${host}: ${name//_/ }" \
-H "Tags: ${emoji}" \
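Review bot: The `if`/`elif` order in the added block gives `NTFY_USERNAME`/`NTFY_PASSWORD` priority over `NTFY_ACCESS_TOKEN`, but the README text added in this same commit says the token is used when both are provided. Test `NTFY_ACCESS_TOKEN` first, or correct the README, so the two agree. Separately, `echo -n "$NTFY_USERNAME:$NTFY_PASSWORD" | base64` relies on the default output format, and GNU `base64` wraps at 76 characters, so a long username and password pair would put a newline inside the `Authorization` value; strip newlines before building `tmp_header` (for example `| tr -d '\n'`). The block also mixes `[[ ... ]]` and `[ ... ]` tests; pick one style.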
diff --git a/health/notifications/health_alarm_notify.conf b/health/notifications/health_alarm_notify.conf
index ddbb8ab59c..eb93246770 100755
--- a/health/notifications/health_alarm_notify.conf
+++ b/health/notifications/health_alarm_notify.conf
@@ -860,6 +860,15 @@ DEFAULT_RECIPIENT_MATRIX=""
# enable/disable sending ntfy notifications
SEND_NTFY="YES"
+# optional NTFY username
+NTFY_USERNAME=""
+
+# optional NTFY password
+NTFY_PASSWORD=""
+
+# optional NTFY access token
+NTFY_ACCESS_TOKEN=""
+
# if a role's recipients are not configured, a notification will be sent to
# this ntfy server / topic combination (empty = do not send a notification for
# unconfigured roles).
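Review bot: The comments on `NTFY_USERNAME`, `NTFY_PASSWORD` and `NTFY_ACCESS_TOKEN` do not say how the three settings interact or where they are sent. In `send_ntfy()` the header is built once, before the `for recipient in ${recipients}` loop, so the same credentials go to every configured ntfy recipient URL, including recipients on a different server; a one-line comment here should say so. It is also worth stating that the username is ignored unless the password is set too (the script requires both), and which of token or username/password wins when both are filled in.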
diff --git a/health/notifications/ntfy/README.md b/health/notifications/ntfy/README.md
index b37a0db7e6..b2875ad081 100644
--- a/health/notifications/ntfy/README.md
+++ b/health/notifications/ntfy/README.md
@@ -17,6 +17,7 @@ This is what you will get:
You will need:
- (Optional) A [self-hosted ntfy server](https://docs.ntfy.sh/faq/#can-i-self-host-it), in case you don't want to use https://ntfy.sh
+- (Optional) [Credentials](https://docs.ntfy.sh/config/?h=token#access-control) to publish to a private topic
- A new [topic](https://ntfy.sh/#subscribe) for the notifications to be published to
- terminal access to the Agent you wish to configure
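Review bot: The link on the added "Credentials" bullet carries a search-highlight query, `https://docs.ntfy.sh/config/?h=token#access-control`. Drop the `?h=token` part and link to `https://docs.ntfy.sh/config/#access-control`, so the URL stays stable and the reader does not land on a page with search highlighting.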
@@ -39,6 +40,38 @@ Edit `health_alarm_notify.conf`, changes to this file do not require restarting
You can define multiple recipient URLs like this: `https://SERVER1/TOPIC1 https://SERVER2/TOPIC2`
All roles will default to this variable if it is not configured.
+> ### Authentication
+> If you have access to a self hosted instance of ntfy, you can send notifications to private topics provided you have valid credentials to do so
+>
+
+An example of a working configuration utilizing username `netdata` and password `PASSWORD` and a private topic `netdata` on `YOUR_PRIVATE_INSTANCE` would be:
+
+```conf
+SEND_NFTY="YES"
+DEFAULT_RECIPIENT_NTFY="https://YOUR_PRIVATE_INSTANCE/netdata"
+NTFY_USERNAME="netdata"
+NTFY_PASSWORD="PASSWORD"
+```
+
+> ### Note
+> Be sure that user `netdata` has `rw` permissions for the topic `netdata`
+>
+
+An example of a working configuration utilizing token `f650986d-566b-45c0-9a63-5ca394dce359` geneated by ntfy for user `netdata` would be:
+
+```conf
+SEND_NFTY="YES"
+DEFAULT_RECIPIENT_NTFY="https://YOUR_PRIVATE_INSTANCE/netdata"
+NTFY_ACCESS_TOKEN="f650986d-566b-45c0-9a63-5ca394dce359"
+```
+
+> ### Note
+> Tokens are generated by ntfy. You will need to utilize a token provided by ntfy. **Do not specify a custom token here**
+>
+> Ensure the user `netdata` has `rw` permission for the topic `netdata`
+>
+> If a token and username/password credentials are provided, the token will be used as opposed to the username/password credentials
+
> ### Warning
> All topics published on https://ntfy.sh are public, so anyone can subscribe to them and follow your notifications. To avoid that, ensure the topic is unique enough using a long, randomly generated ID, like in the following examples.
>
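Review bot: Both added example blocks set `SEND_NFTY="YES"`, but the variable in `health_alarm_notify.conf` is `SEND_NTFY`, so a reader who copies either block sets a name the script never reads; fix the spelling in both. In the token paragraph "geneated" should be "generated". The last line of the second note says the token is used when both a token and username/password are provided, which is the opposite of the `if`/`elif` order added to `send_ntfy()` in this commit; one of the two needs to change.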
diff --git a/health/notifications/ntfy/metadata.yaml b/health/notifications/ntfy/metadata.yaml
index cde57fd4d2..0d6c0beac6 100644
--- a/health/notifications/ntfy/metadata.yaml
+++ b/health/notifications/ntfy/metadata.yaml
@@ -53,6 +53,27 @@
role_recipients_ntfy[proxyadmin]="https://SERVER5/TOPIC5"
role_recipients_ntfy[sitemgr]="https://SERVER6/TOPIC6"
```
+ - name: 'NTFY_USERNAME'
+ default_value: ''
+ description: "The username for netdata to use to authenticate with an ntfy server."
+ required: false
+ detailed_description: |
+ Only useful on self-hosted ntfy instances. See [users and roles](https://docs.ntfy.sh/config/#users-and-roles) for details.
+ Ensure that your user has proper read/write access to the provided topic in `DEFAULT_RECIPIENT_NTFY`
+ - name: 'NTFY_PASSWORD'
+ default_value: ''
+ description: "The password for netdata to use to authenticate with an ntfy server."
+ required: false
+ detailed_description: |
+ Only useful on self-hosted ntfy instances. See [users and roles](https://docs.ntfy.sh/config/#users-and-roles) for details.
+ Ensure that your user has proper read/write access to the provided topic in `DEFAULT_RECIPIENT_NTFY`
+ - name: 'NTFY_ACCESS_TOKEN'
+ default_value: ''
+ description: "The access token for netdata to use to authenticate with an ntfy server."
+ required: false
+ detailed_description: |
+ This can be used in place of `NTFY_USERNAME` and `NTFY_PASSWORD` to authenticate with a self-hosted ntfy instance. See [access tokens](https://docs.ntfy.sh/config/?h=access+to#access-tokens) for details.
+ Ensure that the token user has proper read/write access to the provided topic in `DEFAULT_RECIPIENT_NTFY`
examples:
folding:
enabled: true
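Review bot: The `detailed_description` of all three new options tells the user to check access on the topic in `DEFAULT_RECIPIENT_NTFY` only, while the context lines just above show per-role recipients (`role_recipients_ntfy[proxyadmin]`, `role_recipients_ntfy[sitemgr]`) pointing at other servers and topics. Word it as "every configured ntfy recipient topic", and note that the credentials are sent to each of those servers. The access-token link also carries a search query (`?h=access+to`) that should be dropped, and none of the three entries states which credential takes precedence when both a token and a username/password are set.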