Add all 44 scripts, update CI: error severity baseline, PowerShell validation, multi-distro testing

Amp-Thread-ID: https://ampcode.com/threads/T-019cc404-c628-759e-a50b-f5eeea35b91f
Co-authored-by: Amp <amp@ampcode.com>

install-ntfy-server.sh

@@ -0,0 +1,189 @@
+#!/bin/bash
+
+#############################################################
+#### ntfy Push Notification Server Setup                 ####
+#### Install and configure ntfy as a systemd service     ####
+####                                                     ####
+#### Author: Phil Connor                                 ####
+#### Contact: contact@mylinux.work                       ####
+#### License: MIT                                        ####
+#### Version: 1.0                                        ####
+####                                                     ####
+#### Usage: sudo ./install-ntfy-server.sh                ####
+#############################################################
+
+set -euo pipefail
+
+# --- Configuration (edit these before running) ---
+NTFY_VERSION="2.8.0"
+DOMAIN="ntfy.example.com"
+
+NTFY_USER="ntfy"
+NTFY_DIR="/var/lib/ntfy"
+CONFIG_DIR="/etc/ntfy"
+
+# Ensure script is run as root
+if [[ $EUID -ne 0 ]]; then
+    echo "ERROR: This script must be run as root (use sudo)."
+    exit 1
+fi
+
+echo "=== Installing ntfy v${NTFY_VERSION} ==="
+
+# Create ntfy user
+if ! id "$NTFY_USER" &>/dev/null; then
+    echo "Creating ntfy user..."
+    useradd --system --no-create-home --shell /usr/sbin/nologin "$NTFY_USER"
+fi
+
+# Create directories
+echo "Creating directories..."
+mkdir -p "$NTFY_DIR" "$CONFIG_DIR"
+chown "$NTFY_USER:$NTFY_USER" "$NTFY_DIR"
+
+# Download and install ntfy
+echo "Downloading ntfy..."
+rm -rf /tmp/ntfy_extract
+mkdir -p /tmp/ntfy_extract
+wget -q -O /tmp/ntfy.tar.gz "https://github.com/binwiederhier/ntfy/releases/download/v${NTFY_VERSION}/ntfy_${NTFY_VERSION}_linux_amd64.tar.gz"
+tar -xzf /tmp/ntfy.tar.gz -C /tmp/ntfy_extract
+find /tmp/ntfy_extract -name "ntfy" -type f -exec mv {} /usr/local/bin/ntfy \;
+chmod +x /usr/local/bin/ntfy
+rm -rf /tmp/ntfy.tar.gz /tmp/ntfy_extract
+
+# Verify installation
+echo "Verifying installation..."
+if [ -x /usr/local/bin/ntfy ]; then
+    echo "✓ ntfy binary installed at /usr/local/bin/ntfy"
+else
+    echo "✗ ntfy binary not found"
+    exit 1
+fi
+
+# Create configuration
+echo "Installing configuration..."
+
+cat > "$CONFIG_DIR/server.yml" << EOF
+# ntfy server configuration
+# Location: /etc/ntfy/server.yml
+
+# Base URL for the server (used in notification links)
+base-url: "http://${DOMAIN}"
+
+# Listen address - use internal port, proxy externally
+listen-http: "127.0.0.1:8090"
+
+# Authentication - deny by default, require tokens
+auth-default-access: "deny-all"
+auth-file: "/var/lib/ntfy/user.db"
+
+# Cache for offline message delivery
+cache-file: "/var/lib/ntfy/cache.db"
+cache-duration: "24h"
+
+# Behind nginx/caddy reverse proxy
+behind-proxy: true
+
+# Attachment settings
+attachment-cache-dir: "/var/lib/ntfy/attachments"
+attachment-total-size-limit: "1G"
+attachment-file-size-limit: "10M"
+attachment-expiry-duration: "24h"
+
+# Logging
+log-level: "info"
+log-format: "json"
+
+# Rate limiting per visitor
+visitor-subscription-limit: 30
+visitor-request-limit-burst: 60
+visitor-request-limit-replenish: "5s"
+EOF
+
+cat > /etc/systemd/system/ntfy.service << 'EOF'
+# ntfy systemd service
+# Location: /etc/systemd/system/ntfy.service
+
+[Unit]
+Description=ntfy push notification server
+Documentation=https://ntfy.sh/docs/
+After=network.target
+
+[Service]
+Type=simple
+User=ntfy
+Group=ntfy
+
+ExecStart=/usr/local/bin/ntfy serve --config /etc/ntfy/server.yml
+Restart=always
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/var/lib/ntfy
+
+# Resource limits
+LimitNOFILE=65535
+MemoryMax=512M
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Enable and start service
+echo "Enabling ntfy service..."
+systemctl daemon-reload
+systemctl enable ntfy
+systemctl start ntfy
+
+# Wait for service to start
+sleep 2
+
+# Check status
+if systemctl is-active --quiet ntfy; then
+    echo "✓ ntfy service is running"
+else
+    echo "✗ ntfy service failed to start"
+    systemctl status ntfy
+    exit 1
+fi
+
+echo ""
+echo "=== Setting up authentication ==="
+echo ""
+
+# Create admin user (skip if exists)
+echo "Creating admin user..."
+if ntfy user list 2>/dev/null | grep -q "^admin "; then
+    echo "✓ admin user already exists"
+else
+    ntfy user add --role=admin admin
+fi
+echo ""
+
+# Set access permissions for alert topics
+echo "Setting access permissions for alert topics..."
+ntfy access admin 'alerts-*' rw
+echo "✓ admin has rw access to alerts-*"
+
+echo ""
+echo "=== Next Steps ==="
+echo ""
+echo "1. Create user accounts for desktop clients:"
+echo "   ntfy user add --role=user <username>"
+echo "   ntfy token add <username>"
+echo ""
+echo "2. Grant topic access:"
+echo "   ntfy access <username> alerts-myapp ro     # Read-only to app alerts"
+echo "   ntfy access <username> alerts-critical ro  # Read-only to critical alerts"
+echo ""
+echo "3. Set up a reverse proxy (nginx/caddy) for ${DOMAIN}"
+echo "   pointing to 127.0.0.1:8090"
+echo ""
+echo "4. Test with:"
+echo "   curl -u admin:<password> -d 'Test notification' http://127.0.0.1:8090/alerts-test"
+echo ""
+echo "=== Installation complete ==="