Derp

Review
Security reivew
2026-03-18 21:30:44 +01:00 · 2026-03-14 14:21:09 -04:00 · 2026-03-14 14:15:46 -04:00 · 2026-03-14 13:56:43 -04:00 · 2026-03-14 13:47:42 -04:00 · 2026-03-14 13:03:36 -04:00
52 changed files with 5890 additions and 1339 deletions
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -42,5 +42,3 @@ jobs:
        run: make checkv
      - name: Run coverage
        run: make coverage
-      - name: Upload coverage to codecov.io
-        run: make coverage-upload
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@ server/docs/
 server/site/
 tools/fbsend/fbsend
 tools/pgimport/pgimport
+tools/loadtest/loadtest
 playground/
 secrets/
 *.iml
--- a/10
+++ b/10
@@ -268,22 +268,22 @@ check: test web-fmt-check fmt-check vet web-lint lint staticcheck
 checkv: testv web-fmt-check fmt-check vet web-lint lint staticcheck

 test: .PHONY
-	go test -parallel 3 $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')

 testv: .PHONY
-	go test -v -parallel 3 $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test -v $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')

 race: .PHONY
-	go test -v -race $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test -v -race $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')

 coverage:
 	mkdir -p build/coverage
-	go test -v -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test -v -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools|web)')
 	go tool cover -func build/coverage/coverage.txt

 coverage-html:
 	mkdir -p build/coverage
-	go test -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')
 	go tool cover -html build/coverage/coverage.txt

 coverage-upload:
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -40,6 +40,7 @@ var flagsServe = append(
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "cert-file", Aliases: []string{"cert_file", "E"}, EnvVars: []string{"NTFY_CERT_FILE"}, Usage: "certificate file, if listen-https is set"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "firebase-key-file", Aliases: []string{"firebase_key_file", "F"}, EnvVars: []string{"NTFY_FIREBASE_KEY_FILE"}, Usage: "Firebase credentials file; if set additionally publish to FCM topic"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "database-url", Aliases: []string{"database_url"}, EnvVars: []string{"NTFY_DATABASE_URL"}, Usage: "PostgreSQL connection string for database-backed stores (e.g. postgres://user:pass@host:5432/ntfy)"}),
+	altsrc.NewStringSliceFlag(&cli.StringSliceFlag{Name: "database-replica-urls", Aliases: []string{"database_replica_urls"}, EnvVars: []string{"NTFY_DATABASE_REPLICA_URLS"}, Usage: "PostgreSQL read replica connection strings for offloading read queries"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-file", Aliases: []string{"cache_file", "C"}, EnvVars: []string{"NTFY_CACHE_FILE"}, Usage: "cache file used for message caching"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-duration", Aliases: []string{"cache_duration", "b"}, EnvVars: []string{"NTFY_CACHE_DURATION"}, Value: util.FormatDuration(server.DefaultCacheDuration), Usage: "buffer messages for this time to allow `since` requests"}),
 	altsrc.NewIntFlag(&cli.IntFlag{Name: "cache-batch-size", Aliases: []string{"cache_batch_size"}, EnvVars: []string{"NTFY_BATCH_SIZE"}, Usage: "max size of messages to batch together when writing to message cache (if zero, writes are synchronous)"}),
@@ -145,6 +146,7 @@ func execServe(c *cli.Context) error {
 	certFile := c.String("cert-file")
 	firebaseKeyFile := c.String("firebase-key-file")
 	databaseURL := c.String("database-url")
+	databaseReplicaURLs := c.StringSlice("database-replica-urls")
 	webPushPrivateKey := c.String("web-push-private-key")
 	webPushPublicKey := c.String("web-push-public-key")
 	webPushFile := c.String("web-push-file")
@@ -282,8 +284,12 @@ func execServe(c *cli.Context) error {
 	}

 	// Check values
-	if databaseURL != "" && (authFile != "" || cacheFile != "" || webPushFile != "") {
+	if databaseURL != "" && !strings.HasPrefix(databaseURL, "postgres://") {
+		return errors.New("if database-url is set, it must start with postgres://")
+	} else if databaseURL != "" && (authFile != "" || cacheFile != "" || webPushFile != "") {
 		return errors.New("if database-url is set, auth-file, cache-file, and web-push-file must not be set")
+	} else if len(databaseReplicaURLs) > 0 && databaseURL == "" {
+		return errors.New("database-replica-urls can only be used if database-url is also set")
 	} else if firebaseKeyFile != "" && !util.FileExists(firebaseKeyFile) {
 		return errors.New("if set, FCM key file must exist")
 	} else if firebaseKeyFile != "" && !server.FirebaseAvailable {
@@ -502,6 +508,7 @@ func execServe(c *cli.Context) error {
 	conf.MetricsListenHTTP = metricsListenHTTP
 	conf.ProfileListenHTTP = profileListenHTTP
 	conf.DatabaseURL = databaseURL
+	conf.DatabaseReplicaURLs = databaseReplicaURLs
 	conf.WebPushPrivateKey = webPushPrivateKey
 	conf.WebPushPublicKey = webPushPublicKey
 	conf.WebPushFile = webPushFile
--- a/cmd/user.go
+++ b/cmd/user.go
@@ -12,6 +12,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 	"heckel.io/ntfy/v2/server"
 	"heckel.io/ntfy/v2/user"
 	"heckel.io/ntfy/v2/util"
@@ -379,11 +380,11 @@ func createUserManager(c *cli.Context) (*user.Manager, error) {
 		QueueWriterInterval: user.DefaultUserStatsQueueWriterInterval,
 	}
 	if databaseURL != "" {
-		pool, dbErr := db.OpenPostgres(databaseURL)
+		host, dbErr := pg.Open(databaseURL)
 		if dbErr != nil {
 			return nil, dbErr
 		}
-		return user.NewPostgresManager(pool, authConfig)
+		return user.NewPostgresManager(db.New(host, nil), authConfig)
 	} else if authFile != "" {
 		if !util.FileExists(authFile) {
 			return nil, errors.New("auth-file does not exist; please start the server at least once to create it")
--- a/db/db.go
+++ b/db/db.go
@@ -1,93 +1,137 @@
 package db

 import (
+	"context"
 	"database/sql"
-	"fmt"
-	"net/url"
-	"strconv"
+	"sync/atomic"
 	"time"

-	_ "github.com/jackc/pgx/v5/stdlib" // PostgreSQL driver
+	"heckel.io/ntfy/v2/log"
 )

 const (
-	paramMaxOpenConns    = "pool_max_conns"
-	paramMaxIdleConns    = "pool_max_idle_conns"
-	paramConnMaxLifetime = "pool_conn_max_lifetime"
-	paramConnMaxIdleTime = "pool_conn_max_idle_time"
-
-	defaultMaxOpenConns = 10
+	tag                            = "db"
+	replicaHealthCheckInitialDelay = 5 * time.Second
+	replicaHealthCheckInterval     = 30 * time.Second
+	replicaHealthCheckTimeout      = 10 * time.Second
 )

-// OpenPostgres opens a PostgreSQL database connection pool from a DSN string. It supports custom
-// query parameters for pool configuration: pool_max_conns (default 10), pool_max_idle_conns,
-// pool_conn_max_lifetime, and pool_conn_max_idle_time. These parameters are stripped from
-// the DSN before passing it to the driver.
-func OpenPostgres(dsn string) (*sql.DB, error) {
-	u, err := url.Parse(dsn)
-	if err != nil {
-		return nil, fmt.Errorf("invalid database URL: %w", err)
-	}
-	q := u.Query()
-	maxOpenConns, err := extractIntParam(q, paramMaxOpenConns, defaultMaxOpenConns)
-	if err != nil {
-		return nil, err
-	}
-	maxIdleConns, err := extractIntParam(q, paramMaxIdleConns, 0)
-	if err != nil {
-		return nil, err
-	}
-	connMaxLifetime, err := extractDurationParam(q, paramConnMaxLifetime, 0)
-	if err != nil {
-		return nil, err
-	}
-	connMaxIdleTime, err := extractDurationParam(q, paramConnMaxIdleTime, 0)
-	if err != nil {
-		return nil, err
-	}
-	u.RawQuery = q.Encode()
-	db, err := sql.Open("pgx", u.String())
-	if err != nil {
-		return nil, err
-	}
-	db.SetMaxOpenConns(maxOpenConns)
-	if maxIdleConns > 0 {
-		db.SetMaxIdleConns(maxIdleConns)
-	}
-	if connMaxLifetime > 0 {
-		db.SetConnMaxLifetime(connMaxLifetime)
-	}
-	if connMaxIdleTime > 0 {
-		db.SetConnMaxIdleTime(connMaxIdleTime)
-	}
-	if err := db.Ping(); err != nil {
-		return nil, fmt.Errorf("ping failed: %w", err)
-	}
-	return db, nil
+// DB wraps a primary *sql.DB and optional read replicas. All standard query/exec methods
+// delegate to the primary. The ReadOnly() method returns a *sql.DB from a healthy replica
+// (round-robin), falling back to the primary if no replicas are configured or all are unhealthy.
+type DB struct {
+	primary  *Host
+	replicas []*Host
+	counter  atomic.Uint64
+	cancel   context.CancelFunc
 }

-func extractIntParam(q url.Values, key string, defaultValue int) (int, error) {
-	s := q.Get(key)
-	if s == "" {
-		return defaultValue, nil
+// New creates a new DB that wraps the given primary and optional replica connections.
+// If replicas is nil or empty, ReadOnly() simply returns the primary.
+// Replicas start unhealthy and are checked immediately by a background goroutine.
+func New(primary *Host, replicas []*Host) *DB {
+	ctx, cancel := context.WithCancel(context.Background())
+	d := &DB{
+		primary:  primary,
+		replicas: replicas,
+		cancel:   cancel,
 	}
-	q.Del(key)
-	v, err := strconv.Atoi(s)
-	if err != nil {
-		return 0, fmt.Errorf("invalid %s value %q: %w", key, s, err)
+	if len(d.replicas) > 0 {
+		go d.healthCheckLoop(ctx)
 	}
-	return v, nil
+	return d
 }

-func extractDurationParam(q url.Values, key string, defaultValue time.Duration) (time.Duration, error) {
-	s := q.Get(key)
-	if s == "" {
-		return defaultValue, nil
-	}
-	q.Del(key)
-	d, err := time.ParseDuration(s)
-	if err != nil {
-		return 0, fmt.Errorf("invalid %s value %q: %w", key, s, err)
-	}
-	return d, nil
+// Query delegates to the primary database.
+func (d *DB) Query(query string, args ...any) (*sql.Rows, error) {
+	return d.primary.DB.Query(query, args...)
+}
+
+// QueryRow delegates to the primary database.
+func (d *DB) QueryRow(query string, args ...any) *sql.Row {
+	return d.primary.DB.QueryRow(query, args...)
+}
+
+// Exec delegates to the primary database.
+func (d *DB) Exec(query string, args ...any) (sql.Result, error) {
+	return d.primary.DB.Exec(query, args...)
+}
+
+// Begin delegates to the primary database.
+func (d *DB) Begin() (*sql.Tx, error) {
+	return d.primary.DB.Begin()
+}
+
+// Ping delegates to the primary database.
+func (d *DB) Ping() error {
+	return d.primary.DB.Ping()
+}
+
+// Primary returns the underlying primary *sql.DB. This is only intended for
+// one-time schema setup during store initialization, not for regular queries.
+func (d *DB) Primary() *sql.DB {
+	return d.primary.DB
+}
+
+// ReadOnly returns a *sql.DB suitable for read-only queries. It round-robins across healthy
+// replicas. If all replicas are unhealthy or none are configured, the primary is returned.
+func (d *DB) ReadOnly() *sql.DB {
+	if len(d.replicas) == 0 {
+		return d.primary.DB
+	}
+	n := len(d.replicas)
+	start := int(d.counter.Add(1) - 1)
+	for i := 0; i < n; i++ {
+		r := d.replicas[(start+i)%n]
+		if r.healthy.Load() {
+			return r.DB
+		}
+	}
+	return d.primary.DB
+}
+
+// Close closes the primary database and all replicas, and stops the health-check goroutine.
+func (d *DB) Close() error {
+	d.cancel()
+	for _, r := range d.replicas {
+		r.DB.Close()
+	}
+	return d.primary.DB.Close()
+}
+
+// healthCheckLoop checks replicas immediately, then periodically on a ticker.
+func (d *DB) healthCheckLoop(ctx context.Context) {
+	select {
+	case <-ctx.Done():
+		return
+	case <-time.After(replicaHealthCheckInitialDelay):
+		d.checkReplicas(ctx)
+	}
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(replicaHealthCheckInterval):
+			d.checkReplicas(ctx)
+		}
+	}
+}
+
+// checkReplicas pings each replica with a timeout and updates its health status.
+func (d *DB) checkReplicas(ctx context.Context) {
+	for _, r := range d.replicas {
+		wasHealthy := r.healthy.Load()
+		pingCtx, cancel := context.WithTimeout(ctx, replicaHealthCheckTimeout)
+		err := r.DB.PingContext(pingCtx)
+		cancel()
+		if err != nil {
+			r.healthy.Store(false)
+			log.Tag(tag).Error("Database replica %s is unhealthy: %s", r.Addr, err)
+		} else {
+			r.healthy.Store(true)
+			if !wasHealthy {
+				log.Tag(tag).Info("Database replica %s is healthy", r.Addr)
+			}
+		}
+	}
 }
--- a/db/pg/pg.go
+++ b/db/pg/pg.go
@@ -0,0 +1,120 @@
+package pg
+
+import (
+	"database/sql"
+	"fmt"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	_ "github.com/jackc/pgx/v5/stdlib" // PostgreSQL driver
+
+	"heckel.io/ntfy/v2/db"
+)
+
+// Open opens a PostgreSQL connection pool for a primary database. It pings the database
+// to verify connectivity before returning.
+func Open(dsn string) (*db.Host, error) {
+	d, err := open(dsn)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open database: %w", err)
+	}
+	if err := d.DB.Ping(); err != nil {
+		return nil, fmt.Errorf("database ping failed on %v: %w", d.Addr, err)
+	}
+	return d, nil
+}
+
+// OpenReplica opens a PostgreSQL connection pool for a read replica. Unlike Open, it does
+// not ping the database, since replicas are health-checked in the background by db.DB.
+func OpenReplica(dsn string) (*db.Host, error) {
+	return open(dsn)
+}
+
+// open opens a PostgreSQL database connection pool from a DSN string. It supports custom
+// query parameters for pool configuration: pool_max_conns (default 10), pool_max_idle_conns,
+// pool_conn_max_lifetime, and pool_conn_max_idle_time. These parameters are stripped from
+// the DSN before passing it to the driver.
+func open(dsn string) (*db.Host, error) {
+	u, err := url.Parse(dsn)
+	if err != nil {
+		return nil, fmt.Errorf("invalid database URL: %w", err)
+	}
+	switch u.Scheme {
+	case "postgres", "postgresql":
+		// OK
+	default:
+		return nil, fmt.Errorf("invalid database URL scheme %q, must be \"postgres\" or \"postgresql\" (URL: %s)", u.Scheme, censorPassword(u))
+	}
+	q := u.Query()
+	maxOpenConns, err := extractIntParam(q, "pool_max_conns", 10)
+	if err != nil {
+		return nil, err
+	}
+	maxIdleConns, err := extractIntParam(q, "pool_max_idle_conns", 0)
+	if err != nil {
+		return nil, err
+	}
+	connMaxLifetime, err := extractDurationParam(q, "pool_conn_max_lifetime", 0)
+	if err != nil {
+		return nil, err
+	}
+	connMaxIdleTime, err := extractDurationParam(q, "pool_conn_max_idle_time", 0)
+	if err != nil {
+		return nil, err
+	}
+	u.RawQuery = q.Encode()
+	d, err := sql.Open("pgx", u.String())
+	if err != nil {
+		return nil, err
+	}
+	d.SetMaxOpenConns(maxOpenConns)
+	if maxIdleConns > 0 {
+		d.SetMaxIdleConns(maxIdleConns)
+	}
+	if connMaxLifetime > 0 {
+		d.SetConnMaxLifetime(connMaxLifetime)
+	}
+	if connMaxIdleTime > 0 {
+		d.SetConnMaxIdleTime(connMaxIdleTime)
+	}
+	return &db.Host{
+		Addr: u.Host,
+		DB:   d,
+	}, nil
+}
+
+func extractIntParam(q url.Values, key string, defaultValue int) (int, error) {
+	s := q.Get(key)
+	if s == "" {
+		return defaultValue, nil
+	}
+	q.Del(key)
+	v, err := strconv.Atoi(s)
+	if err != nil {
+		return 0, fmt.Errorf("invalid %s value %q: %w", key, s, err)
+	}
+	return v, nil
+}
+
+// censorPassword returns a string representation of the URL with the password replaced by "*****".
+func censorPassword(u *url.URL) string {
+	if password, hasPassword := u.User.Password(); hasPassword {
+		return strings.Replace(u.String(), ":"+password+"@", ":*****@", 1)
+	}
+	return u.String()
+}
+
+func extractDurationParam(q url.Values, key string, defaultValue time.Duration) (time.Duration, error) {
+	s := q.Get(key)
+	if s == "" {
+		return defaultValue, nil
+	}
+	q.Del(key)
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		return 0, fmt.Errorf("invalid %s value %q: %w", key, s, err)
+	}
+	return d, nil
+}
--- a/db/pg/pg_test.go
+++ b/db/pg/pg_test.go
@@ -0,0 +1,53 @@
+package pg
+
+import (
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestOpen_InvalidScheme(t *testing.T) {
+	_, err := Open("postgresql+psycopg2://user:pass@localhost/db")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), `invalid database URL scheme "postgresql+psycopg2"`)
+	require.Contains(t, err.Error(), "*****")
+	require.NotContains(t, err.Error(), "pass")
+}
+
+func TestOpen_InvalidURL(t *testing.T) {
+	_, err := Open("not a valid url\x00")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "invalid database URL")
+}
+
+func TestCensorPassword(t *testing.T) {
+	tests := []struct {
+		name     string
+		url      string
+		expected string
+	}{
+		{
+			name:     "with password",
+			url:      "postgres://user:secret@localhost/db",
+			expected: "postgres://user:*****@localhost/db",
+		},
+		{
+			name:     "without password",
+			url:      "postgres://localhost/db",
+			expected: "postgres://localhost/db",
+		},
+		{
+			name:     "user only",
+			url:      "postgres://user@localhost/db",
+			expected: "postgres://user@localhost/db",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u, err := url.Parse(tt.url)
+			require.NoError(t, err)
+			require.Equal(t, tt.expected, censorPassword(u))
+		})
+	}
+}
--- a/db/test/test.go
+++ b/db/test/test.go
@@ -1,7 +1,6 @@
 package dbtest

 import (
-	"database/sql"
 	"fmt"
 	"net/url"
 	"os"
@@ -9,6 +8,7 @@ import (

 	"github.com/stretchr/testify/require"
 	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 	"heckel.io/ntfy/v2/util"
 )

@@ -30,34 +30,35 @@ func CreateTestPostgresSchema(t *testing.T) string {
 	q.Set("pool_max_conns", testPoolMaxConns)
 	u.RawQuery = q.Encode()
 	dsn = u.String()
-	setupDB, err := db.OpenPostgres(dsn)
+	setupHost, err := pg.Open(dsn)
 	require.Nil(t, err)
-	_, err = setupDB.Exec(fmt.Sprintf("CREATE SCHEMA %s", schema))
+	_, err = setupHost.DB.Exec(fmt.Sprintf("CREATE SCHEMA %s", schema))
 	require.Nil(t, err)
-	require.Nil(t, setupDB.Close())
+	require.Nil(t, setupHost.DB.Close())
 	q.Set("search_path", schema)
 	u.RawQuery = q.Encode()
 	schemaDSN := u.String()
 	t.Cleanup(func() {
-		cleanDB, err := db.OpenPostgres(dsn)
+		cleanHost, err := pg.Open(dsn)
 		if err == nil {
-			cleanDB.Exec(fmt.Sprintf("DROP SCHEMA %s CASCADE", schema))
-			cleanDB.Close()
+			cleanHost.DB.Exec(fmt.Sprintf("DROP SCHEMA %s CASCADE", schema))
+			cleanHost.DB.Close()
 		}
 	})
 	return schemaDSN
 }

-// CreateTestPostgres creates a temporary PostgreSQL schema and returns an open *sql.DB connection to it.
+// CreateTestPostgres creates a temporary PostgreSQL schema and returns an open *db.DB connection to it.
 // It registers cleanup functions to close the DB and drop the schema when the test finishes.
 // If NTFY_TEST_DATABASE_URL is not set, the test is skipped.
-func CreateTestPostgres(t *testing.T) *sql.DB {
+func CreateTestPostgres(t *testing.T) *db.DB {
 	t.Helper()
 	schemaDSN := CreateTestPostgresSchema(t)
-	testDB, err := db.OpenPostgres(schemaDSN)
+	testHost, err := pg.Open(schemaDSN)
 	require.Nil(t, err)
+	d := db.New(testHost, nil)
 	t.Cleanup(func() {
-		testDB.Close()
+		d.Close()
 	})
-	return testDB
+	return d
 }
--- a/db/types.go
+++ b/db/types.go
@@ -0,0 +1,19 @@
+package db
+
+import (
+	"database/sql"
+	"sync/atomic"
+)
+
+// Beginner is an interface for types that can begin a database transaction.
+// Both *sql.DB and *DB implement this.
+type Beginner interface {
+	Begin() (*sql.Tx, error)
+}
+
+// Host pairs a *sql.DB with the host:port it was opened against.
+type Host struct {
+	Addr    string // "host:port"
+	DB      *sql.DB
+	healthy atomic.Bool
+}
--- a/db/util.go
+++ b/db/util.go
@@ -0,0 +1,36 @@
+package db
+
+import "database/sql"
+
+// ExecTx executes a function within a database transaction. If the function returns an error,
+// the transaction is rolled back. Otherwise, the transaction is committed.
+func ExecTx(db Beginner, f func(tx *sql.Tx) error) error {
+	tx, err := db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+	if err := f(tx); err != nil {
+		return err
+	}
+	return tx.Commit()
+}
+
+// QueryTx executes a function within a database transaction and returns the result. If the function
+// returns an error, the transaction is rolled back. Otherwise, the transaction is committed.
+func QueryTx[T any](db Beginner, f func(tx *sql.Tx) (T, error)) (T, error) {
+	tx, err := db.Begin()
+	if err != nil {
+		var zero T
+		return zero, err
+	}
+	defer tx.Rollback()
+	t, err := f(tx)
+	if err != nil {
+		return t, err
+	}
+	if err := tx.Commit(); err != nil {
+		return t, err
+	}
+	return t, nil
+}
--- a/docs/config.md
+++ b/docs/config.md
@@ -135,6 +135,264 @@ using Docker Compose (i.e. `docker-compose.yml`):
 	    command: serve
    ```

+## Config generator
+
+This generator helps you configure your self-hosted ntfy instance. It's not fully featured, but it is a good starting point. Please refer to the relevant sections in the doc for more details.
+
+<div style="text-align: center;">
+<button type="button" id="cg-open-btn" class="cg-open-btn">Open config generator</button>
+</div>
+
+<figure markdown style="padding-left: 50px; padding-right: 50px; cursor: pointer;" onclick="document.getElementById('cg-open-btn').click();">
+  <img src="../../static/img/config-generator.png"/>
+  <figcaption>The config generator helps you create a custom config for your self-hosted ntfy instance. Click to open.</figcaption>
+</figure>
+
+<div id="cg-modal" class="cg-modal" style="display:none">
+<div class="cg-modal-backdrop"></div>
+<div class="cg-modal-dialog">
+<div class="cg-modal-header">
+<div class="cg-modal-header-left">
+<span class="cg-modal-title">Config generator</span><span class="cg-badge-beta">BETA</span>
+<span class="cg-modal-desc">This generator helps you configure your self-hosted ntfy instance. It's not fully featured, but it is a good starting point.</span>
+</div>
+<div class="cg-modal-header-actions">
+<button type="button" id="cg-reset-btn" class="cg-modal-reset" title="Reset all values">Reset</button>
+<button type="button" id="cg-close-btn" class="cg-modal-close" title="Close">&times;</button>
+</div>
+</div>
+<div class="cg-modal-body">
+<div id="cg-left">
+<div class="cg-nav">
+<div class="cg-nav-tab active" data-panel="cg-panel-general">General</div>
+<div class="cg-nav-tab cg-hidden" data-panel="cg-panel-database" id="cg-nav-database">Database</div>
+<div class="cg-nav-tab cg-hidden" data-panel="cg-panel-auth" id="cg-nav-auth">Users</div>
+<div class="cg-nav-tab cg-hidden" data-panel="cg-panel-cache" id="cg-nav-cache">Message Cache</div>
+<div class="cg-nav-tab cg-hidden" data-panel="cg-panel-attach" id="cg-nav-attach">Attachments</div>
+<div class="cg-nav-tab cg-hidden" data-panel="cg-panel-webpush" id="cg-nav-webpush">Web Push</div>
+<div class="cg-nav-tab cg-hidden" data-panel="cg-panel-email" id="cg-nav-email">Email</div>
+</div>
+<div class="cg-panels">
+<div class="cg-panel active" id="cg-panel-general">
+<div class="cg-field cg-inline-field">
+<label>What URL will ntfy be reachable on?</label>
+<input type="text" data-key="base-url" placeholder="https://ntfy.example.com">
+</div>
+<div class="cg-field cg-inline-field">
+<label>Will ntfy run behind a proxy (e.g. nginx, Caddy)? <a href="/config/#behind-a-proxy-tls-etc" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<div class="cg-btn-group">
+<label><input type="radio" name="cg-proxy" value="no" checked><span>No</span></label>
+<label><input type="radio" name="cg-proxy" value="yes"><span>Yes</span></label>
+</div>
+</div>
+<div class="cg-field cg-inline-field">
+<label>Will this ntfy server be open or private? <a href="/config/#access-control" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<div class="cg-btn-group">
+<label><input type="radio" name="cg-server-type" value="open" checked><span>Open</span></label>
+<label><input type="radio" name="cg-server-type" value="private"><span>Private</span></label>
+<label><input type="radio" name="cg-server-type" value="custom"><span>Custom</span></label>
+</div>
+</div>
+<div class="cg-field cg-inline-field">
+<label>Will iOS/iPhone users use this server? <a href="/config/#ios-instant-notifications" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<div class="cg-btn-group">
+<label><input type="radio" name="cg-ios" value="no" checked><span>No</span></label>
+<label><input type="radio" name="cg-ios" value="yes"><span>Yes</span></label>
+</div>
+</div>
+<div class="cg-field cg-inline-field">
+<label>Do you want to use ntfy as a UnifiedPush distributor? <a href="/config/#example-unifiedpush" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<div class="cg-btn-group">
+<label><input type="radio" name="cg-unifiedpush" value="no" checked><span>No</span></label>
+<label><input type="radio" name="cg-unifiedpush" value="yes"><span>Yes</span></label>
+</div>
+</div>
+<div class="cg-field">
+<label>Which features do you want to enable?</label>
+<div class="cg-feature-grid">
+<div class="cg-feature-row"><label><input type="checkbox" id="cg-feat-auth"> User management and access control</label><button type="button" class="cg-btn-configure cg-hidden" data-panel="cg-panel-auth">Configure</button></div>
+<div class="cg-feature-row"><label><input type="checkbox" id="cg-feat-cache"> Persistent message cache</label><button type="button" class="cg-btn-configure cg-hidden" data-panel="cg-panel-cache">Configure</button></div>
+<div class="cg-feature-row"><label><input type="checkbox" id="cg-feat-attach"> Attachments</label><button type="button" class="cg-btn-configure cg-hidden" data-panel="cg-panel-attach">Configure</button></div>
+<div class="cg-feature-row"><label><input type="checkbox" id="cg-feat-webpush"> Web push</label><button type="button" class="cg-btn-configure cg-hidden" data-panel="cg-panel-webpush">Configure</button></div>
+<div class="cg-feature-row"><label><input type="checkbox" id="cg-feat-smtp-out"> Email notifications</label><button type="button" class="cg-btn-configure cg-hidden" data-panel="cg-panel-email">Configure</button></div>
+<div class="cg-feature-row"><label><input type="checkbox" id="cg-feat-smtp-in"> Email publishing</label><button type="button" class="cg-btn-configure cg-hidden" data-panel="cg-panel-email">Configure</button></div>
+</div>
+</div>
+<div class="cg-field cg-inline-field cg-hidden" id="cg-wizard-db">
+<label>Which database backend would you like to use? <a href="/config/#database-options" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<div class="cg-btn-group">
+<label><input type="radio" name="cg-db-type" value="sqlite" checked><span>SQLite</span></label>
+<label><input type="radio" name="cg-db-type" value="postgres"><span>PostgreSQL</span></label>
+</div>
+</div>
+</div>
+<div class="cg-panel" id="cg-panel-auth">
+<div class="cg-panel-desc">Configure user management, access control, and provisioned users/ACLs. See <a href="/config/#access-control" target="_blank">access control</a> for details.</div>
+<div class="cg-field cg-inline-field">
+<label>Where should the user database be stored?</label>
+<input type="text" data-key="auth-file" placeholder="/var/lib/ntfy/auth.db">
+</div>
+<div class="cg-field cg-inline-field">
+<label>What should the default access policy be? <a href="/config/#access-control" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<select id="cg-default-access-select">
+<option value="read-write" selected>Read &amp; Write</option>
+<option value="read-only">Read Only</option>
+<option value="write-only">Write Only</option>
+<option value="deny-all">Deny All</option>
+</select>
+</div>
+<div class="cg-field cg-inline-field">
+<label>Should login to the web app be enabled?</label>
+<div class="cg-btn-group">
+<label><input type="radio" name="cg-login-mode" value="disabled" checked><span>Disabled</span></label>
+<label><input type="radio" name="cg-login-mode" value="enabled"><span>Enabled</span></label>
+<label><input type="radio" name="cg-login-mode" value="required"><span>Required</span></label>
+</div>
+</div>
+<div class="cg-field cg-inline-field">
+<label>Should it be possible to sign up via the web app?</label>
+<div class="cg-btn-group">
+<label><input type="radio" name="cg-enable-signup" value="no" checked><span>No</span></label>
+<label><input type="radio" name="cg-enable-signup" value="yes"><span>Yes</span></label>
+</div>
+</div>
+<input type="hidden" data-key="auth-default-access">
+<input type="checkbox" data-key="enable-login" id="cg-enable-login-hidden" style="display:none">
+<input type="checkbox" data-key="require-login" id="cg-require-login-hidden" style="display:none">
+<input type="checkbox" data-key="enable-signup" id="cg-enable-signup-hidden" style="display:none">
+<div class="cg-field">
+<label>Provisioned users <a href="/config/#users-and-roles" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<div class="cg-repeatable-container" id="cg-auth-users-container"></div>
+<button type="button" class="cg-btn-add" data-add-type="user">+ Add user</button>
+</div>
+<div class="cg-field">
+<label>Provisioned ACLs <a href="/config/#access-control-list-acl" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<div class="cg-repeatable-container" id="cg-auth-acls-container"></div>
+<button type="button" class="cg-btn-add" data-add-type="acl">+ Add ACL</button>
+</div>
+<div class="cg-field">
+<label>Provisioned tokens <a href="/config/#access-tokens" target="_blank" class="cg-help"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0M5.496 6.033h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286a.237.237 0 0 0 .241.247m2.325 6.443c.61 0 1.029-.394 1.029-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94 0 .533.425.927 1.01.927z"/></svg></a></label>
+<div class="cg-repeatable-container" id="cg-auth-tokens-container"></div>
+<button type="button" class="cg-btn-add" data-add-type="token">+ Add token</button>
+</div>
+</div>
+<div class="cg-panel" id="cg-panel-cache">
+<div class="cg-panel-desc">Configure the message cache to allow devices to retrieve missed notifications. See <a href="/config/#message-cache" target="_blank">message cache</a> for details.</div>
+<div class="cg-field cg-inline-field" id="cg-cache-file-field">
+<label>Where should the cache be stored?</label>
+<input type="text" data-key="cache-file" placeholder="/var/cache/ntfy/cache.db">
+</div>
+<div class="cg-field cg-inline-field">
+<label>How long should messages be cached?</label>
+<input type="text" data-key="cache-duration" placeholder="12h">
+</div>
+</div>
+<div class="cg-panel" id="cg-panel-attach">
+<div class="cg-panel-desc">Allow users to upload and attach files to notifications. See <a href="/config/#attachments" target="_blank">attachments</a> for details.</div>
+<div class="cg-field cg-inline-field">
+<label>Where should attachments be stored?</label>
+<input type="text" data-key="attachment-cache-dir" placeholder="/var/cache/ntfy/attachments">
+</div>
+<div class="cg-field cg-inline-field">
+<label>Max file size per attachment?</label>
+<input type="text" data-key="attachment-file-size-limit" placeholder="15M">
+</div>
+<div class="cg-field cg-inline-field">
+<label>Total attachment storage limit?</label>
+<input type="text" data-key="attachment-total-size-limit" placeholder="5G">
+</div>
+<div class="cg-field cg-inline-field">
+<label>How long before attachments expire?</label>
+<input type="text" data-key="attachment-expiry-duration" placeholder="3h">
+</div>
+</div>
+<div class="cg-panel" id="cg-panel-webpush">
+<div class="cg-panel-desc">Enable browser push notifications via the Web Push API. VAPID keys are generated automatically. See <a href="/config/#web-push" target="_blank">web push</a> for details.</div>
+<div class="cg-field cg-inline-field">
+<label>Where should web push data be stored?</label>
+<input type="text" data-key="web-push-file" placeholder="/var/lib/ntfy/webpush.db">
+</div>
+<div class="cg-field cg-inline-field">
+<label>Contact email address</label>
+<input type="text" data-key="web-push-email-address" placeholder="admin@example.com">
+</div>
+<div class="cg-field cg-inline-field">
+<label>Private key</label>
+<input type="text" data-key="web-push-private-key" placeholder="Auto-generated" readonly>
+</div>
+<div class="cg-field cg-inline-field">
+<label>Public key</label>
+<input type="text" data-key="web-push-public-key" placeholder="Auto-generated" readonly>
+</div>
+<div class="cg-field cg-inline-field">
+<label></label>
+<button type="button" id="cg-regen-keys" class="cg-btn-add">Regenerate keys</button>
+</div>
+</div>
+<div class="cg-panel" id="cg-panel-email">
+<div class="cg-panel-desc">Configure outgoing email notifications and/or incoming email publishing. See <a href="/config/#e-mail-notifications" target="_blank">email notifications</a> and <a href="/config/#e-mail-publishing" target="_blank">email publishing</a> for details.</div>
+<div id="cg-email-out-section" class="cg-hidden">
+<div class="cg-field"><label><strong>Outgoing (notifications)</strong></label></div>
+<div class="cg-field cg-inline-field">
+<label>SMTP server address</label>
+<input type="text" data-key="smtp-sender-addr" placeholder="smtp.example.com:587">
+</div>
+<div class="cg-field cg-inline-field">
+<label>Sender email</label>
+<input type="text" data-key="smtp-sender-from" placeholder="ntfy@example.com">
+</div>
+<div class="cg-field cg-inline-field">
+<label>SMTP username</label>
+<input type="text" data-key="smtp-sender-user" placeholder="Username">
+</div>
+<div class="cg-field cg-inline-field">
+<label>SMTP password</label>
+<input type="password" data-key="smtp-sender-pass" placeholder="Password">
+</div>
+</div>
+<div id="cg-email-in-section" class="cg-hidden">
+<div class="cg-field"><label><strong>Incoming (publishing)</strong></label></div>
+<div class="cg-field cg-inline-field">
+<label>Listen address</label>
+<input type="text" data-key="smtp-server-listen" placeholder=":25">
+</div>
+<div class="cg-field cg-inline-field">
+<label>Domain</label>
+<input type="text" data-key="smtp-server-domain" placeholder="ntfy.example.com">
+</div>
+<div class="cg-field cg-inline-field">
+<label>Address prefix</label>
+<input type="text" data-key="smtp-server-addr-prefix" placeholder="ntfy-">
+</div>
+</div>
+</div>
+<div class="cg-panel" id="cg-panel-database">
+<div class="cg-panel-desc">Configure the PostgreSQL connection. See <a href="/config/#postgresql-experimental" target="_blank">PostgreSQL</a> for details.</div>
+<div class="cg-field">
+<label>Database URL</label>
+<input type="text" data-key="database-url" placeholder="postgres://user:pass@host:5432/ntfy">
+</div>
+</div>
+<input type="hidden" data-key="upstream-base-url">
+<input type="checkbox" data-key="behind-proxy" id="cg-behind-proxy" style="display:none">
+</div>
+</div>
+<div id="cg-right">
+<div class="cg-output-tabs">
+<div class="cg-output-tab active" data-format="server-yml">server.yml</div>
+<div class="cg-output-tab" data-format="docker-compose">docker-compose.yml</div>
+<div class="cg-output-tab" data-format="env-vars">Env variables</div>
+<button type="button" id="cg-copy-btn" class="cg-btn-copy" title="Copy to clipboard"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><rect x="9" y="9" width="13" height="13" rx="2" ry="2"></rect><path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"></path></svg></button>
+</div>
+<div class="cg-output-wrap">
+<pre><code id="cg-code"><span class="cg-empty-msg">Configure options on the left to generate your config...</span></code></pre>
+<div id="cg-warnings" class="cg-hidden"></div>
+</div>
+</div>
+</div>
+</div>
+</div>
+
 ## Database options
 ntfy uses a database for storing messages ([message cache](#message-cache)), users and [access control](#access-control), and [web push](#web-push) subscriptions.
 You can choose between **SQLite** and **PostgreSQL** as the database backend.
@@ -149,11 +407,7 @@ no external dependencies:

 ### PostgreSQL (EXPERIMENTAL)
 As an alternative, you can configure ntfy to use PostgreSQL for **all** database-backed stores by setting the
-`database-url` option to a PostgreSQL connection string:
-
-```yaml
-database-url: "postgres://user:pass@host:5432/ntfy"
-```
+`database-url` option to a PostgreSQL connection string.

 When `database-url` is set, ntfy will use PostgreSQL for the [message cache](#message-cache),
 [access control](#access-control), and [web push](#web-push) subscriptions instead of SQLite. The `cache-file`,
@@ -165,11 +419,44 @@ topics. To restrict access, set `auth-default-access` to `deny-all` (see [access

 You can also set this via the environment variable `NTFY_DATABASE_URL` or the command line flag `--database-url`.

+To offload read-heavy queries from the primary database, you can optionally configure one or more read replicas
+using the `database-replica-urls` option. When configured, non-critical read-only queries (e.g. fetching messages, checking access permissions, etc)
+are distributed across the replicas using round-robin, while all writes and correctness-critical reads continue to go
+to the primary. If a replica becomes unhealthy, ntfy automatically falls back to the primary until the replica recovers.
+You can also set this via the environment variable `NTFY_DATABASE_REPLICA_URLS` (comma-separated) or the command line
+flag `--database-replica-urls`.
+
+Examples:
+
+=== "Simple"
+    ```yaml
+    database-url: "postgres://user:pass@host:5432/ntfy"
+    ```
+    
+=== "With SSL and pool tuning"
+    ```yaml
+    database-url: "postgres://user:pass@host:5432/ntfy?sslmode=require&pool_max_conns=50&pool_conn_max_idle_time=5m"
+    ```
+    
+=== "With CA certificate"
+    ```yaml
+    database-url: "postgres://user:pass@host:25060/ntfy?sslmode=require&sslrootcert=/etc/ntfy/db-ca-cert.pem&pool_max_conns=30"
+    ```
+
+=== "With read replicas"
+    ```yaml
+    database-url: "postgres://user:pass@primary:5432/ntfy?sslmode=require&sslrootcert=/etc/ntfy/db-ca-cert.pem&pool_max_conns=30"
+    database-replica-urls:
+      - "postgres://user:pass@replica1:5432/ntfy?sslmode=require&sslrootcert=/etc/ntfy/db-ca-cert.pem&pool_max_conns=30"
+      - "postgres://user:pass@replica2:5432/ntfy?sslmode=require&sslrootcert=/etc/ntfy/db-ca-cert.pem&pool_max_conns=30"
+    ```
+
 The database URL supports the standard [PostgreSQL connection parameters](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS)
 as query parameters, such as `sslmode`, `connect_timeout`, `sslcert`, `sslkey`, `sslrootcert`, and `application_name`.
 See the [pgx driver documentation](https://pkg.go.dev/github.com/jackc/pgx/v5) for the full list of supported parameters.

-In addition, ntfy supports the following custom query parameters to tune the connection pool:
+In addition, ntfy supports the following custom query parameters to tune the connection pool (these apply to both
+the primary and replica URLs):

 | Parameter                 | Default | Description                                                                      |
 |---------------------------|---------|----------------------------------------------------------------------------------|
@@ -178,11 +465,6 @@ In addition, ntfy supports the following custom query parameters to tune the con
 | `pool_conn_max_lifetime`  | -       | Maximum amount of time a connection may be reused (Go duration, e.g. `5m`, `1h`) |
 | `pool_conn_max_idle_time` | -       | Maximum amount of time a connection may be idle (Go duration, e.g. `30s`, `5m`)  |

-Example:
-
-```yaml
-database-url: "postgres://user:pass@host:5432/ntfy?sslmode=require&pool_max_conns=50&pool_conn_max_idle_time=5m"
-```

 ## Message cache
 If desired, ntfy can temporarily keep notifications in an in-memory or an on-disk cache. Caching messages for a short period
@@ -512,7 +794,7 @@ Here's an example:
    ```
    # Comma-separated list
    NTFY_AUTH_FILE='/var/lib/ntfy/user.db'
-    NTFY_AUTH_USERS='phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin,ben:$2a$10$NKbrNb7HPMjtQXWJ0f1pouw03LDLT/WzlO9VAv44x84bRCkh19h6m:user'
+    NTFY_AUTH_USERS='phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin,backup-service:$2a$10$NKbrNb7HPMjtQXWJ0f1pouw03LDLT/WzlO9VAv44x84bRCkh19h6m:user'
    NTFY_AUTH_TOKENS='phil:tk_3gd7d2yftt4b8ixyfe9mnmro88o76,backup-service:tk_f099we8uzj7xi5qshzajwp6jffvkz:Backup script'
    ```

@@ -528,7 +810,8 @@ and access tokens in the `auth-tokens` section (see [access tokens via the confi

 Here's an example that defines a single admin user `phil` with the password `mypass`, and a regular user `backup-script`
 with the password `backup-script`. The admin user has full access to all topics, while regular user can only
-access the `backups` topic with read-write permissions. The `auth-default-access` is set to `deny-all`, which means
+access the `backups` topic with read-write permissions. `phil` has a token `tk_3gd7d2yftt4b8ixyfe9mnmro88o76` 
+with the label "My personal token". The `auth-default-access` is set to `deny-all`, which means
 that all other users and anonymous access are denied by default.

 === "Config via /etc/ntfy/server.yml"
@@ -539,7 +822,7 @@ that all other users and anonymous access are denied by default.
      - "phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin"
      - "backup-script:$2a$10$/ehiQt.w7lhTmHXq.RNsOOkIwiPPeWFIzWYO3DRxNixnWKLX8.uj.:user"
    auth-access:
-      - "backup-service:backups:rw"
+      - "backup-script:backups:rw"
    auth-tokens:
      - "phil:tk_3gd7d2yftt4b8ixyfe9mnmro88o76:My personal token"
    ```
@@ -549,7 +832,7 @@ that all other users and anonymous access are denied by default.
    NTFY_AUTH_FILE='/var/lib/ntfy/user.db'
    NTFY_AUTH_DEFAULT_ACCESS='deny-all'
    NTFY_AUTH_USERS='phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin,backup-script:$2a$10$/ehiQt.w7lhTmHXq.RNsOOkIwiPPeWFIzWYO3DRxNixnWKLX8.uj.:user'
-    NTFY_AUTH_ACCESS='backup-service:backups:rw'
+    NTFY_AUTH_ACCESS='backup-script:backups:rw'
    NTFY_AUTH_TOKENS='phil:tk_3gd7d2yftt4b8ixyfe9mnmro88o76:My personal token'
    ```

@@ -1818,6 +2101,7 @@ variable before running the `ntfy` command (e.g. `export NTFY_LISTEN_HTTP=:80`).
 | `cert-file`                                | `NTFY_CERT_FILE`                                | *filename*                                          | -                 | HTTPS/TLS certificate file, only used if `listen-https` is set.                                                                                                                                                                 |
 | `firebase-key-file`                        | `NTFY_FIREBASE_KEY_FILE`                        | *filename*                                          | -                 | If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app. This is optional and only required to save battery when using the Android app. See [Firebase (FCM)](#firebase-fcm).                       |
 | `database-url`                             | `NTFY_DATABASE_URL`                             | *string (connection URL)*                           | -                 | PostgreSQL connection string (e.g. `postgres://user:pass@host:5432/ntfy`). If set, uses PostgreSQL for all database-backed stores (message cache, user manager, web push) instead of SQLite. See [database options](#database-options). |
+| `database-replica-urls`                    | `NTFY_DATABASE_REPLICA_URLS`                    | *list of strings (connection URLs)*                 | -                 | PostgreSQL read replica connection strings. Non-critical read-only queries are distributed across replicas (round-robin) with automatic fallback to primary. Requires `database-url`. See [read replicas](#read-replicas). |
 | `cache-file`                               | `NTFY_CACHE_FILE`                               | *filename*                                          | -                 | If set, messages are cached in a local SQLite database instead of only in-memory. This allows for service restarts without losing messages in support of the since= parameter. See [message cache](#message-cache).             |
 | `cache-duration`                           | `NTFY_CACHE_DURATION`                           | *duration*                                          | 12h               | Duration for which messages will be buffered before they are deleted. This is required to support the `since=...` and `poll=1` parameter. Set this to `0` to disable the cache entirely.                                        |
 | `cache-startup-queries`                    | `NTFY_CACHE_STARTUP_QUERIES`                    | *string (SQL queries)*                              | -                 | SQL queries to run during database startup; this is useful for tuning and [enabling WAL mode](#message-cache)                                                                                                                   |
--- a/docs/install.md
+++ b/docs/install.md
@@ -30,37 +30,37 @@ deb/rpm packages.

 === "x86_64/amd64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_amd64.tar.gz
-    tar zxvf ntfy_2.17.0_linux_amd64.tar.gz
-    sudo cp -a ntfy_2.17.0_linux_amd64/ntfy /usr/local/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.17.0_linux_amd64/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_amd64.tar.gz
+    tar zxvf ntfy_2.18.0_linux_amd64.tar.gz
+    sudo cp -a ntfy_2.18.0_linux_amd64/ntfy /usr/local/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.18.0_linux_amd64/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "armv6"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv6.tar.gz
-    tar zxvf ntfy_2.17.0_linux_armv6.tar.gz
-    sudo cp -a ntfy_2.17.0_linux_armv6/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.17.0_linux_armv6/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv6.tar.gz
+    tar zxvf ntfy_2.18.0_linux_armv6.tar.gz
+    sudo cp -a ntfy_2.18.0_linux_armv6/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.18.0_linux_armv6/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "armv7/armhf"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv7.tar.gz
-    tar zxvf ntfy_2.17.0_linux_armv7.tar.gz
-    sudo cp -a ntfy_2.17.0_linux_armv7/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.17.0_linux_armv7/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv7.tar.gz
+    tar zxvf ntfy_2.18.0_linux_armv7.tar.gz
+    sudo cp -a ntfy_2.18.0_linux_armv7/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.18.0_linux_armv7/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "arm64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_arm64.tar.gz
-    tar zxvf ntfy_2.17.0_linux_arm64.tar.gz
-    sudo cp -a ntfy_2.17.0_linux_arm64/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.17.0_linux_arm64/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_arm64.tar.gz
+    tar zxvf ntfy_2.18.0_linux_arm64.tar.gz
+    sudo cp -a ntfy_2.18.0_linux_arm64/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.18.0_linux_arm64/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

@@ -116,7 +116,7 @@ Manually installing the .deb file:

 === "x86_64/amd64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_amd64.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_amd64.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -124,7 +124,7 @@ Manually installing the .deb file:

 === "armv6"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv6.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv6.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -132,7 +132,7 @@ Manually installing the .deb file:

 === "armv7/armhf"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv7.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv7.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -140,7 +140,7 @@ Manually installing the .deb file:

 === "arm64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_arm64.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_arm64.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -150,28 +150,28 @@ Manually installing the .deb file:

 === "x86_64/amd64"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_amd64.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_amd64.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```

 === "armv6"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv6.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv6.rpm
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
    ```

 === "armv7/armhf"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv7.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv7.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```

 === "arm64"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_arm64.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_arm64.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```
@@ -213,18 +213,18 @@ pkg install go-ntfy

 ## macOS
 The [ntfy CLI](subscribe/cli.md) (`ntfy publish` and `ntfy subscribe` only) is supported on macOS as well. 
-To install, please [download the tarball](https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_darwin_all.tar.gz), 
+To install, please [download the tarball](https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_darwin_all.tar.gz), 
 extract it and place it somewhere in your `PATH` (e.g. `/usr/local/bin/ntfy`). 

 If run as `root`, ntfy will look for its config at `/etc/ntfy/client.yml`. For all other users, it'll look for it at 
 `~/Library/Application Support/ntfy/client.yml` (sample included in the tarball).

 ```bash
-curl -L https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_darwin_all.tar.gz > ntfy_2.17.0_darwin_all.tar.gz
-tar zxvf ntfy_2.17.0_darwin_all.tar.gz
-sudo cp -a ntfy_2.17.0_darwin_all/ntfy /usr/local/bin/ntfy
+curl -L https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_darwin_all.tar.gz > ntfy_2.18.0_darwin_all.tar.gz
+tar zxvf ntfy_2.18.0_darwin_all.tar.gz
+sudo cp -a ntfy_2.18.0_darwin_all/ntfy /usr/local/bin/ntfy
 mkdir ~/Library/Application\ Support/ntfy 
-cp ntfy_2.17.0_darwin_all/client/client.yml ~/Library/Application\ Support/ntfy/client.yml
+cp ntfy_2.18.0_darwin_all/client/client.yml ~/Library/Application\ Support/ntfy/client.yml
 ntfy --help
 ```

@@ -245,7 +245,7 @@ brew install ntfy
 The ntfy server and CLI are fully supported on Windows. You can run the ntfy server directly or as a Windows service.
 To install, you can either

-* [Download the latest ZIP](https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_windows_amd64.zip),
+* [Download the latest ZIP](https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_windows_amd64.zip),
 extract it and place the `ntfy.exe` binary somewhere in your `%Path%`. 
 * Or install ntfy from the [Scoop](https://scoop.sh) main repository via `scoop install ntfy`

--- a/docs/integrations.md
+++ b/docs/integrations.md
@@ -306,7 +306,7 @@ ntfy community. Thanks to everyone running a public server. **You guys rock!**
 | URL                                               | Country            |
 |---------------------------------------------------|--------------------|
 | [ntfy.sh](https://ntfy.sh/) (*Official*)          | 🇺🇸 United States |
-| [ntfy.tedomum.net](https://ntfy.tedomum.net/)     | 🇫🇷 France        |
+| [ntfy.tedomum.fr](https://ntfy.tedomum.fr/)     | 🇫🇷 France        |
 | [ntfy.jae.fi](https://ntfy.jae.fi/)               | 🇫🇮 Finland       |
 | [ntfy.adminforge.de](https://ntfy.adminforge.de/) | 🇩🇪 Germany       |
 | [ntfy.envs.net](https://ntfy.envs.net)            | 🇩🇪 Germany       |
--- a/docs/releases.md
+++ b/docs/releases.md
@@ -6,12 +6,48 @@ and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/release

 | Component        | Version | Release date |
 |------------------|---------|--------------|
-| ntfy server      | v2.17.0 | Feb 8, 2026  |
-| ntfy Android app | v1.23.0 | Deb 22, 2026 |
+| ntfy server      | v2.18.0 | Mar 7, 2026  |
+| ntfy Android app | v1.24.0 | Mar 5, 2026  |
 | ntfy iOS app     | v1.3    | Nov 26, 2023 |

 Please check out the release notes for [upcoming releases](#not-released-yet) below.

+## ntfy server v2.18.0
+Released March 7, 2026
+
+This is the biggest release I've ever done on the server. It's 14,997 added lines of code, and 10,202 lines removed, all from
+one [pull request](https://github.com/binwiederhier/ntfy/pull/1619) that adds [PostgreSQL support](config.md#postgresql-experimental).
+
+The code was written by Cursor and Claude, but reviewed and heavily tested over 2-3 weeks by me. I created comparison documents,
+went through all queries multiple times and reviewed the logic over and over again. I also did load tests and manual regression tests,
+which took lots of evenings.
+
+I'll not instantly switch ntfy.sh over. Instead, I'm kindly asking the community to test the Postgres support and report back to me
+if things are working (or not working). There is a [one-off migration tool](https://github.com/binwiederhier/ntfy/tree/main/tools/pgimport) (entirely written by AI) that you can use to migrate.
+
+**Features:**
+
+* Add experimental [PostgreSQL support](config.md#postgresql-experimental) as an alternative database backend (message cache, user manager, web push subscriptions) via `database-url` config option ([#1114](https://github.com/binwiederhier/ntfy/issues/1114)/[#1619](https://github.com/binwiederhier/ntfy/pull/1619), thanks to [@brettinternet](https://github.com/brettinternet) for reporting)
+
+**Bug fixes + maintenance:**
+
+* Preserve `<br>` line breaks in HTML-only emails received via SMTP ([#690](https://github.com/binwiederhier/ntfy/issues/690), [#1620](https://github.com/binwiederhier/ntfy/pull/1620), thanks to [@uzkikh](https://github.com/uzkikh) for the fix and to [@teastrainer](https://github.com/teastrainer) for reporting)
+
+## ntfy Android v1.24.0
+Released March 5, 2026
+
+This is a tiny release that will revert the "reconnecting ..." behavior of the foreground notification. Lots of people
+have complained about it, so I'm replacing it with a notification that shows up when the server connection has failed
+for >15 minutes, hoping that people will be less annoyed by that.
+
+**Features:**
+
+* Show notification when connection to server has been lost for 15+ minutes, with dismiss, snooze and never-show-again actions
+
+**Bug fixes + maintenance:**
+
+* Fix crash in settings when fragment is detached during backup/restore or log operations
+
 ## ntfy Android v1.23.0
 Released February 22, 2026

@@ -1719,18 +1755,13 @@ and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/release

 ## Not released yet

-### ntfy server v2.18.x (UNRELEASED)
+### ntfy server v2.19.x (UNRELEASED)

 **Features:**

-* Add experimental [PostgreSQL support](config.md#postgresql-experimental) as an alternative database backend (message cache, user manager, web push subscriptions) via `database-url` config option ([#1114](https://github.com/binwiederhier/ntfy/issues/1114), thanks to [@brettinternet](https://github.com/brettinternet) for reporting)
+* Support PostgreSQL read replicas for offloading non-critical read queries via `database-replica-urls` config option

 **Bug fixes + maintenance:**

-* Preserve `<br>` line breaks in HTML-only emails received via SMTP ([#690](https://github.com/binwiederhier/ntfy/issues/690), [#1620](https://github.com/binwiederhier/ntfy/pull/1620), thanks to [@uzkikh](https://github.com/uzkikh) for the fix and to [@teastrainer](https://github.com/teastrainer) for reporting)
-
-### ntfy Android v1.24.x (UNRELEASED)
-
-**Bug fixes + maintenance:**
-
-* Fix crash in settings when fragment is detached during backup/restore or log operations
+* Web: Throttle notification sound in web app to play at most once every 2 seconds (similar to [#1550](https://github.com/binwiederhier/ntfy/issues/1550), thanks to [@jlaffaye](https://github.com/jlaffaye) for reporting)
+* Web: Add hover tooltips to icon buttons in web app account and preferences pages ([#1565](https://github.com/binwiederhier/ntfy/issues/1565), thanks to [@jermanuts](https://github.com/jermanuts) for reporting)
--- a/docs/static/css/config-generator.css
+++ b/docs/static/css/config-generator.css
@@ -0,0 +1,764 @@
+/* Config Generator */
+
+/* Hidden utility */
+.cg-hidden {
+    display: none !important;
+}
+
+/* Open button */
+.cg-open-btn {
+    display: inline-block;
+    padding: 8px 20px;
+    background: var(--md-primary-fg-color);
+    color: #fff;
+    border: none;
+    border-radius: 4px;
+    font-size: 0.85rem;
+    font-weight: 500;
+    cursor: pointer;
+    font-family: inherit;
+    transition: opacity 0.15s;
+}
+
+.cg-open-btn:hover {
+    opacity: 0.85;
+}
+
+/* Modal overlay */
+.cg-modal {
+    position: fixed;
+    inset: 0;
+    z-index: 1000;
+}
+
+.cg-modal-backdrop {
+    position: absolute;
+    inset: 0;
+    background: rgba(0, 0, 0, 0.5);
+}
+
+.cg-modal-dialog {
+    position: absolute;
+    inset: 24px;
+    display: flex;
+    flex-direction: column;
+    background: #fff;
+    border-radius: 10px;
+    box-shadow: 0 8px 32px rgba(0, 0, 0, 0.25);
+    overflow: hidden;
+    font-size: 0.78rem;
+}
+
+.cg-modal-header {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding: 12px 20px;
+    border-bottom: 1px solid #ddd;
+    flex-shrink: 0;
+}
+
+.cg-modal-header-left {
+    display: flex;
+    align-items: baseline;
+    gap: 12px;
+    min-width: 0;
+}
+
+.cg-modal-title {
+    font-weight: 600;
+    font-size: 0.95rem;
+    white-space: nowrap;
+}
+
+.cg-badge-beta {
+    display: inline-block;
+    padding: 1px 8px;
+    margin-left: 8px;
+    background: var(--md-primary-fg-color);
+    color: #fff;
+    font-size: 0.6rem;
+    font-weight: 600;
+    border-radius: 10px;
+    letter-spacing: 0.5px;
+    vertical-align: middle;
+}
+
+.cg-modal-desc {
+    font-size: 0.75rem;
+    color: #888;
+}
+
+.cg-modal-header-actions {
+    display: flex;
+    align-items: center;
+    gap: 8px;
+}
+
+.cg-modal-reset {
+    background: none;
+    border: 1px solid #ccc;
+    border-radius: 4px;
+    font-size: 0.75rem;
+    color: #777;
+    cursor: pointer;
+    padding: 4px 12px;
+    font-family: inherit;
+    transition: color 0.15s, border-color 0.15s;
+}
+
+.cg-modal-reset:hover {
+    color: #333;
+    border-color: #999;
+}
+
+.cg-modal-close {
+    background: none;
+    border: none;
+    font-size: 1.4rem;
+    color: #999;
+    cursor: pointer;
+    padding: 0 4px;
+    line-height: 1;
+}
+
+.cg-modal-close:hover {
+    color: #333;
+}
+
+/* Modal body: left + right */
+.cg-modal-body {
+    display: flex;
+    flex: 1;
+    min-height: 0;
+    overflow: hidden;
+}
+
+/* Left panel */
+#cg-left {
+    flex: 1;
+    display: flex;
+    flex-direction: column;
+    border-right: 1px solid #ddd;
+    min-width: 0;
+}
+
+.cg-nav {
+    display: flex;
+    flex-wrap: wrap;
+    gap: 0;
+    border-bottom: 1px solid #ddd;
+    flex-shrink: 0;
+    padding: 0 16px;
+}
+
+.cg-nav-tab {
+    padding: 9px 14px;
+    cursor: pointer;
+    font-size: 0.78rem;
+    font-weight: 500;
+    color: #777;
+    border-bottom: 2px solid transparent;
+    margin-bottom: -1px;
+    user-select: none;
+    transition: color 0.15s, border-color 0.15s;
+    white-space: nowrap;
+}
+
+.cg-nav-tab:hover {
+    color: #444;
+}
+
+.cg-nav-tab.active {
+    color: var(--md-primary-fg-color);
+    border-bottom-color: var(--md-primary-fg-color);
+}
+
+.cg-panels {
+    flex: 1;
+    overflow-y: auto;
+    padding: 16px 20px;
+}
+
+.cg-panel {
+    display: none;
+}
+
+.cg-panel.active {
+    display: block;
+}
+
+.cg-panel-desc {
+    font-size: 0.75rem;
+    color: #888;
+    margin-bottom: 12px;
+    line-height: 1.5;
+}
+
+.cg-panel-desc a {
+    color: var(--md-primary-fg-color);
+}
+
+.cg-help {
+    color: var(--md-primary-fg-color);
+    text-decoration: none;
+    margin-left: 4px;
+    vertical-align: middle;
+    flex-shrink: 0;
+    transition: color 0.15s;
+}
+
+.cg-help:hover {
+    color: var(--md-primary-fg-color--dark, #2a6e5f);
+}
+
+/* Right panel */
+#cg-right {
+    flex: 1;
+    display: flex;
+    flex-direction: column;
+    min-width: 0;
+}
+
+.cg-output-tabs {
+    display: flex;
+    border-bottom: 1px solid #ddd;
+    flex-shrink: 0;
+    padding: 0 16px;
+}
+
+.cg-output-tab {
+    padding: 9px 14px;
+    cursor: pointer;
+    font-size: 0.78rem;
+    font-weight: 500;
+    border-bottom: 2px solid transparent;
+    margin-bottom: -1px;
+    color: #777;
+    transition: color 0.15s, border-color 0.15s;
+    user-select: none;
+    white-space: nowrap;
+}
+
+.cg-output-tab:hover {
+    color: #444;
+}
+
+.cg-output-tab.active {
+    color: var(--md-primary-fg-color);
+    border-bottom-color: var(--md-primary-fg-color);
+}
+
+.cg-btn-copy {
+    margin-left: auto;
+    background: none;
+    color: #777;
+    border: none;
+    border-bottom: 2px solid transparent;
+    margin-bottom: -1px;
+    padding: 9px 10px;
+    cursor: pointer;
+    line-height: 1;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    transition: color 0.15s;
+}
+
+.cg-btn-copy:hover {
+    color: #333;
+}
+
+.cg-output-wrap {
+    flex: 1;
+    overflow: auto;
+    padding: 16px 20px;
+    display: flex;
+    flex-direction: column;
+}
+
+.cg-output-wrap pre {
+    margin: 0;
+    padding: 8px 10px;
+    background: #f5f5f5;
+    color: #333;
+    border: 1px solid #ddd;
+    border-radius: 6px;
+    overflow-x: auto;
+    font-size: 0.76rem;
+    line-height: 1.5;
+    flex: 1;
+    white-space: pre;
+}
+
+.cg-empty-msg {
+    color: #888;
+    font-style: italic;
+}
+
+.cg-warning {
+    padding: 6px 10px;
+    margin-top: 8px;
+    background: #fff3cd;
+    color: #856404;
+    border: 1px solid #ffc107;
+    border-radius: 4px;
+    font-size: 0.76rem;
+}
+
+/* Form fields */
+.cg-field {
+    margin-bottom: 0;
+    padding: 8px 12px;
+}
+
+.cg-field:nth-child(odd) {
+    background: #f8f8f8;
+}
+
+.cg-field:nth-child(even) {
+    background: #fff;
+}
+
+.cg-field > label {
+    display: block;
+    font-weight: 500;
+    margin-bottom: 4px;
+    font-size: 0.78rem;
+    color: #555;
+}
+
+.cg-field input[type="text"],
+.cg-field input[type="password"],
+.cg-field select {
+    width: 100%;
+    padding: 6px 8px;
+    border: 1px solid #ccc;
+    border-radius: 4px;
+    font-size: 0.78rem;
+    font-family: inherit;
+    box-sizing: border-box;
+    background: #fff;
+}
+
+.cg-field input[type="text"]:focus,
+.cg-field input[type="password"]:focus,
+.cg-field select:focus {
+    border-color: var(--md-primary-fg-color);
+    outline: none;
+    box-shadow: 0 0 0 2px rgba(51, 133, 116, 0.15);
+}
+
+.cg-checkbox {
+    display: flex;
+    align-items: center;
+    gap: 6px;
+    margin-bottom: 10px;
+}
+
+.cg-checkbox input[type="checkbox"] {
+    accent-color: var(--md-primary-fg-color);
+}
+
+.cg-checkbox label {
+    font-weight: 500;
+    font-size: 0.78rem;
+    margin: 0;
+    cursor: pointer;
+}
+
+.cg-radio-group {
+    display: flex;
+    flex-direction: column;
+    gap: 4px;
+}
+
+.cg-radio-group label {
+    display: flex;
+    align-items: center;
+    gap: 4px;
+    font-weight: 400;
+    font-size: 0.78rem;
+    cursor: pointer;
+}
+
+.cg-radio-group input[type="radio"] {
+    accent-color: var(--md-primary-fg-color);
+}
+
+/* Inline field: label + control side by side */
+.cg-inline-field {
+    display: flex;
+    align-items: center;
+    gap: 12px;
+}
+
+.cg-inline-field > label {
+    margin-bottom: 0;
+    width: 60%;
+    flex-shrink: 0;
+}
+
+.cg-panel:not(#cg-panel-general) .cg-inline-field > label {
+    width: 50%;
+}
+
+.cg-inline-field > input[type="text"],
+.cg-inline-field > select {
+    padding: 4px 10px;
+    border: 1px solid #ccc;
+    border-radius: 4px;
+    font-size: 0.75rem;
+    font-family: inherit;
+    box-sizing: border-box;
+    line-height: 1.4;
+    background: #fff;
+}
+
+.cg-inline-field > input[type="text"]:focus,
+.cg-inline-field > select:focus {
+    border-color: var(--md-primary-fg-color);
+    outline: none;
+    box-shadow: 0 0 0 2px rgba(51, 133, 116, 0.15);
+}
+
+#cg-email-in-section {
+    margin-top: 20px;
+}
+
+.cg-pg-label {
+    font-size: 0.75rem;
+    color: #888;
+    font-style: italic;
+}
+
+/* Button group toggle */
+.cg-btn-group {
+    display: flex;
+    flex-shrink: 0;
+}
+
+.cg-btn-group label {
+    cursor: pointer;
+    margin: 0;
+}
+
+.cg-btn-group input[type="radio"] {
+    display: none;
+}
+
+.cg-btn-group span {
+    display: block;
+    padding: 4px 14px;
+    font-size: 0.75rem;
+    font-weight: 500;
+    line-height: 1.4;
+    border: 1px solid #ccc;
+    color: #555;
+    background: #fff;
+    transition: background 0.15s, color 0.15s, border-color 0.15s;
+    user-select: none;
+}
+
+.cg-btn-group label:first-child span {
+    border-radius: 4px 0 0 4px;
+}
+
+.cg-btn-group label:last-child span {
+    border-radius: 0 4px 4px 0;
+}
+
+.cg-btn-group label + label span {
+    margin-left: -1px;
+}
+
+.cg-btn-group input[type="radio"]:checked + span {
+    background: var(--md-primary-fg-color);
+    color: #fff;
+    border-color: var(--md-primary-fg-color);
+    position: relative;
+    z-index: 1;
+}
+
+.cg-feature-grid {
+    display: flex;
+    flex-direction: column;
+    gap: 5px;
+}
+
+.cg-feature-row {
+    display: flex;
+    align-items: center;
+    gap: 8px;
+}
+
+.cg-feature-grid label {
+    display: flex;
+    align-items: center;
+    gap: 6px;
+    font-size: 0.78rem;
+    cursor: pointer;
+}
+
+.cg-feature-grid input[type="checkbox"] {
+    accent-color: var(--md-primary-fg-color);
+}
+
+.cg-btn-configure {
+    background: none;
+    border: 1px solid var(--md-primary-fg-color);
+    border-radius: 10px;
+    color: var(--md-primary-fg-color);
+    font-size: 0.68rem;
+    font-family: inherit;
+    padding: 1px 10px;
+    cursor: pointer;
+    white-space: nowrap;
+    transition: background 0.15s, color 0.15s;
+}
+
+.cg-btn-configure:hover {
+    background: var(--md-primary-fg-color);
+    color: #fff;
+}
+
+/* Repeatable rows */
+.cg-repeatable-row {
+    display: flex;
+    gap: 6px;
+    align-items: center;
+    margin-bottom: 6px;
+    flex-wrap: wrap;
+}
+
+.cg-repeatable-row input,
+.cg-repeatable-row select {
+    flex: 1;
+    min-width: 80px;
+    padding: 5px 6px;
+    border: 1px solid #ccc;
+    border-radius: 4px;
+    font-size: 0.75rem;
+    font-family: inherit;
+    box-sizing: border-box;
+}
+
+.cg-repeatable-row input:focus,
+.cg-repeatable-row select:focus {
+    border-color: var(--md-primary-fg-color);
+    outline: none;
+}
+
+.cg-repeatable-row input:disabled,
+.cg-repeatable-row select:disabled {
+    background: #eee;
+    color: #999;
+    cursor: not-allowed;
+}
+
+.cg-btn-remove {
+    background: none;
+    border: 1px solid #ccc;
+    border-radius: 4px;
+    cursor: pointer;
+    font-size: 0.9rem;
+    padding: 5px 8px;
+    color: #999;
+    line-height: 1;
+}
+
+.cg-btn-remove:hover {
+    background: #fee;
+    border-color: #c66;
+    color: #c33;
+}
+
+.cg-btn-add {
+    background: none;
+    border: 1px dashed #bbb;
+    border-radius: 4px;
+    cursor: pointer;
+    padding: 5px 10px;
+    font-size: 0.75rem;
+    color: #777;
+    margin-top: 2px;
+}
+
+.cg-btn-add:hover {
+    border-color: var(--md-primary-fg-color);
+    color: var(--md-primary-fg-color);
+}
+
+/* Dark mode */
+body[data-md-color-scheme="slate"] .cg-modal-dialog {
+    background: #1e1e2e;
+}
+
+body[data-md-color-scheme="slate"] .cg-modal-header {
+    border-bottom-color: #444;
+}
+
+body[data-md-color-scheme="slate"] .cg-modal-title {
+    color: #ddd;
+}
+
+body[data-md-color-scheme="slate"] .cg-modal-desc {
+    color: #777;
+}
+
+body[data-md-color-scheme="slate"] .cg-modal-reset {
+    border-color: #555;
+    color: #888;
+}
+
+body[data-md-color-scheme="slate"] .cg-modal-reset:hover {
+    border-color: #888;
+    color: #ddd;
+}
+
+body[data-md-color-scheme="slate"] .cg-modal-close {
+    color: #777;
+}
+
+body[data-md-color-scheme="slate"] .cg-modal-close:hover {
+    color: #ddd;
+}
+
+body[data-md-color-scheme="slate"] #cg-left {
+    border-right-color: #444;
+}
+
+body[data-md-color-scheme="slate"] .cg-nav {
+    border-bottom-color: #444;
+}
+
+body[data-md-color-scheme="slate"] .cg-nav-tab {
+    color: #888;
+}
+
+body[data-md-color-scheme="slate"] .cg-nav-tab:hover {
+    color: #bbb;
+}
+
+body[data-md-color-scheme="slate"] .cg-output-tabs {
+    border-bottom-color: #444;
+}
+
+body[data-md-color-scheme="slate"] .cg-output-tab {
+    color: #888;
+}
+
+body[data-md-color-scheme="slate"] .cg-output-tab:hover {
+    color: #bbb;
+}
+
+body[data-md-color-scheme="slate"] .cg-btn-copy {
+    color: #777;
+}
+
+body[data-md-color-scheme="slate"] .cg-btn-copy:hover {
+    color: #bbb;
+}
+
+body[data-md-color-scheme="slate"] .cg-output-wrap pre {
+    background: #161620;
+    color: #ddd;
+    border-color: #444;
+}
+
+body[data-md-color-scheme="slate"] .cg-field:nth-child(odd) {
+    background: #232334;
+}
+
+body[data-md-color-scheme="slate"] .cg-field:nth-child(even) {
+    background: #1e1e2e;
+}
+
+body[data-md-color-scheme="slate"] .cg-panel-desc {
+    color: #777;
+}
+
+body[data-md-color-scheme="slate"] .cg-field > label {
+    color: #aaa;
+}
+
+body[data-md-color-scheme="slate"] .cg-field input[type="text"],
+body[data-md-color-scheme="slate"] .cg-field input[type="password"],
+body[data-md-color-scheme="slate"] .cg-field select {
+    background: #2a2a3a;
+    border-color: #555;
+    color: #ddd;
+}
+
+body[data-md-color-scheme="slate"] .cg-btn-group span {
+    background: #2a2a3a;
+    border-color: #555;
+    color: #aaa;
+}
+
+body[data-md-color-scheme="slate"] .cg-btn-group input[type="radio"]:checked + span {
+    background: var(--md-primary-fg-color);
+    color: #fff;
+    border-color: var(--md-primary-fg-color);
+}
+
+body[data-md-color-scheme="slate"] .cg-checkbox label {
+    color: #ccc;
+}
+
+body[data-md-color-scheme="slate"] .cg-radio-group label {
+    color: #ccc;
+}
+
+body[data-md-color-scheme="slate"] .cg-feature-grid label {
+    color: #ccc;
+}
+
+body[data-md-color-scheme="slate"] .cg-repeatable-row input,
+body[data-md-color-scheme="slate"] .cg-repeatable-row select {
+    background: #2a2a3a;
+    border-color: #555;
+    color: #ddd;
+}
+
+body[data-md-color-scheme="slate"] .cg-repeatable-row input:disabled,
+body[data-md-color-scheme="slate"] .cg-repeatable-row select:disabled {
+    background: #1a1a28;
+    color: #666;
+}
+
+body[data-md-color-scheme="slate"] .cg-btn-remove {
+    border-color: #555;
+    color: #888;
+}
+
+body[data-md-color-scheme="slate"] .cg-btn-add {
+    border-color: #555;
+    color: #888;
+}
+
+body[data-md-color-scheme="slate"] .cg-warning {
+    background: #3a2e00;
+    color: #ffc107;
+    border-color: #665200;
+}
+
+/* Responsive */
+@media (max-width: 900px) {
+    .cg-modal-dialog {
+        inset: 8px;
+    }
+
+    .cg-modal-body {
+        flex-direction: column;
+    }
+
+    #cg-left {
+        border-right: none;
+        border-bottom: 1px solid #ddd;
+    }
+
+    #cg-right {
+        flex: 1;
+    }
+}
--- a/docs/static/img/config-generator.png
+++ b/docs/static/img/config-generator.png
--- a/docs/static/js/bcrypt.js
+++ b/docs/static/js/bcrypt.js
--- a/docs/static/js/config-generator.js
+++ b/docs/static/js/config-generator.js
--- a/go.mod
+++ b/go.mod
@@ -1,25 +1,25 @@
 module heckel.io/ntfy/v2

-go 1.24.6
+go 1.25.0

 require (
 	cloud.google.com/go/firestore v1.21.0 // indirect
-	cloud.google.com/go/storage v1.59.2 // indirect
+	cloud.google.com/go/storage v1.61.1 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/emersion/go-smtp v0.18.0
 	github.com/gabriel-vasile/mimetype v1.4.13
 	github.com/gorilla/websocket v1.5.3
-	github.com/mattn/go-sqlite3 v1.14.33
+	github.com/mattn/go-sqlite3 v1.14.34
 	github.com/olebedev/when v1.1.0
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli/v2 v2.27.7
-	golang.org/x/crypto v0.47.0
-	golang.org/x/oauth2 v0.34.0 // indirect
-	golang.org/x/sync v0.19.0
-	golang.org/x/term v0.39.0
-	golang.org/x/time v0.14.0
-	google.golang.org/api v0.265.0
+	golang.org/x/crypto v0.49.0
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/sync v0.20.0
+	golang.org/x/term v0.41.0
+	golang.org/x/time v0.15.0
+	google.golang.org/api v0.271.0
 	gopkg.in/yaml.v2 v2.4.0
 )

@@ -34,14 +34,14 @@ require (
 	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stripe/stripe-go/v74 v74.30.0
-	golang.org/x/sys v0.40.0
-	golang.org/x/text v0.33.0
+	golang.org/x/sys v0.42.0
+	golang.org/x/text v0.35.0
 )

 require (
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
-	cloud.google.com/go/auth v0.18.1 // indirect
+	cloud.google.com/go/auth v0.18.3-0.20260310051336-87cdcc9f7568 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
@@ -58,8 +58,8 @@ require (
 	github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 // indirect
-	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.37.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.3 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
@@ -69,8 +69,8 @@ require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
-	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
+	github.com/googleapis/gax-go/v2 v2.18.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
@@ -80,27 +80,27 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.5 // indirect
-	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.40.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.42.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
+	go.opentelemetry.io/otel v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.4 // indirect
+	golang.org/x/net v0.52.0 // indirect
 	google.golang.org/appengine/v2 v2.0.6 // indirect
-	google.golang.org/genproto v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/genproto v0.0.0-20260311181403-84a4fc48630c // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260311181403-84a4fc48630c // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260311181403-84a4fc48630c // indirect
+	google.golang.org/grpc v1.79.2 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,8 @@ cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
 cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
-cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=
-cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=
+cloud.google.com/go/auth v0.18.3-0.20260310051336-87cdcc9f7568 h1:PJt3KrySfZkKdcEV2wlyNkfAPbMZGjtnv5oLrT4tWPg=
+cloud.google.com/go/auth v0.18.3-0.20260310051336-87cdcc9f7568/go.mod h1:/Tt0rLCp4FHXEBtdyYqvIZPcJzbpJ/fmqtgIaXseDK4=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
@@ -12,14 +12,14 @@ cloud.google.com/go/firestore v1.21.0 h1:BhopUsx7kh6NFx77ccRsHhrtkbJUmDAxNY3uapW
 cloud.google.com/go/firestore v1.21.0/go.mod h1:1xH6HNcnkf/gGyR8udd6pFO4Z7GWJSwLKQMx/u6UrP4=
 cloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc=
 cloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU=
-cloud.google.com/go/logging v1.13.1 h1:O7LvmO0kGLaHY/gq8cV7T0dyp6zJhYAOtZPX4TF3QtY=
-cloud.google.com/go/logging v1.13.1/go.mod h1:XAQkfkMBxQRjQek96WLPNze7vsOmay9H5PqfsNYDqvw=
+cloud.google.com/go/logging v1.13.2 h1:qqlHCBvieJT9Cdq4QqYx1KPadCQ2noD4FK02eNqHAjA=
+cloud.google.com/go/logging v1.13.2/go.mod h1:zaybliM3yun1J8mU2dVQ1/qDzjbOqEijZCn6hSBtKak=
 cloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8=
 cloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk=
 cloud.google.com/go/monitoring v1.24.3 h1:dde+gMNc0UhPZD1Azu6at2e79bfdztVDS5lvhOdsgaE=
 cloud.google.com/go/monitoring v1.24.3/go.mod h1:nYP6W0tm3N9H/bOw8am7t62YTzZY+zUeQ+Bi6+2eonI=
-cloud.google.com/go/storage v1.59.2 h1:gmOAuG1opU8YvycMNpP+DvHfT9BfzzK5Cy+arP+Nocw=
-cloud.google.com/go/storage v1.59.2/go.mod h1:cMWbtM+anpC74gn6qjLh+exqYcfmB9Hqe5z6adx+CLI=
+cloud.google.com/go/storage v1.61.1 h1:VELCSvZKiSw0AS1k3so5mKGy3CB7bTCYD8EHhTF42bY=
+cloud.google.com/go/storage v1.61.1/go.mod h1:k30/hwYfd0M8aULYbPkQLgNf+SFcdjlRHvLMXggw18E=
 cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U=
 cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s=
 firebase.google.com/go/v4 v4.19.0 h1:f5NMlC2YHFsncz00c2+ecBr+ZYlRMhKIhj1z8Iz0lD8=
@@ -58,14 +58,14 @@ github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 h1:oP4q0fw+fOSWn3
 github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
 github.com/emersion/go-smtp v0.17.0 h1:tq90evlrcyqRfE6DSXaWVH54oX6OuZOQECEmhWBMEtI=
 github.com/emersion/go-smtp v0.17.0/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
-github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329 h1:K+fnvUM0VZ7ZFJf0n4L/BRlnsb9pL/GuDG6FqaH+PwM=
-github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329/go.mod h1:Alz8LEClvR7xKsrq3qzoc4N0guvVNSS8KmSChGYr9hs=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
+github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
+github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
+github.com/envoyproxy/go-control-plane/envoy v1.37.0 h1:u3riX6BoYRfF4Dr7dwSOroNfdSbEPe9Yyl09/B6wBrQ=
+github.com/envoyproxy/go-control-plane/envoy v1.37.0/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
-github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
-github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
+github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
+github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
@@ -96,10 +96,10 @@ github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=
-github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
-github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
+github.com/googleapis/gax-go/v2 v2.18.0 h1:jxP5Uuo3bxm3M6gGtV94P4lliVetoCB4Wk2x8QA86LI=
+github.com/googleapis/gax-go/v2 v2.18.0/go.mod h1:uSzZN4a356eRG985CzJ3WfbFSpqkLTjsnhWGJR6EwrE=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
@@ -120,8 +120,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/mattn/go-sqlite3 v1.14.33 h1:A5blZ5ulQo2AtayQ9/limgHEkFreKj1Dv226a1K73s0=
-github.com/mattn/go-sqlite3 v1.14.33/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.34 h1:3NtcvcUnFBPsuRcno8pUtupspG/GM+9nZ88zgJcp6Zk=
+github.com/mattn/go-sqlite3 v1.14.34/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
 github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -141,8 +141,8 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
 github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
-github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
-github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
+github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
@@ -165,36 +165,36 @@ github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342/go.mod h1:Ohn+xnUBi
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/detectors/gcp v1.40.0 h1:Awaf8gmW99tZTOWqkLCOl6aw1/rxAWVlHsHIZ3fT2sA=
-go.opentelemetry.io/contrib/detectors/gcp v1.40.0/go.mod h1:99OY9ZCqyLkzJLTh5XhECpLRSxcZl+ZDKBEO+jMBFR4=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 h1:XmiuHzgJt067+a6kwyAzkhXooYVv3/TOw9cM2VfJgUM=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0/go.mod h1:KDgtbWKTQs4bM+VPUr6WlL9m/WXcmkCcBlIzqxPGzmI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 h1:wm/Q0GAAykXv83wzcKzGGqAnnfLFyFe7RslekZuv+VI=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0/go.mod h1:ra3Pa40+oKjvYh+ZD3EdxFZZB0xdMfuileHAm4nNN7w=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/contrib/detectors/gcp v1.42.0 h1:kpt2PEJuOuqYkPcktfJqWWDjTEd/FNgrxcniL7kQrXQ=
+go.opentelemetry.io/contrib/detectors/gcp v1.42.0/go.mod h1:W9zQ439utxymRrXsUOzZbFX4JhLxXU4+ZnCt8GG7yA8=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
+go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
+go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0 h1:ZrPRak/kS4xI3AVXy8F7pipuDXmDsrO8Lg+yQjBLjw0=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0/go.mod h1:3y6kQCWztq6hyW8Z9YxQDDm0Je9AJoFar2G0yDcmhRk=
+go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
+go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
+go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
+go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
+go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
-go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
+go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -209,10 +209,10 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -220,8 +220,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -234,8 +234,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -245,8 +245,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -258,10 +258,10 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
@@ -272,18 +272,18 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.265.0 h1:FZvfUdI8nfmuNrE34aOWFPmLC+qRBEiNm3JdivTvAAU=
-google.golang.org/api v0.265.0/go.mod h1:uAvfEl3SLUj/7n6k+lJutcswVojHPp2Sp08jWCu8hLY=
+google.golang.org/api v0.271.0 h1:cIPN4qcUc61jlh7oXu6pwOQqbJW2GqYh5PS6rB2C/JY=
+google.golang.org/api v0.271.0/go.mod h1:CGT29bhwkbF+i11qkRUJb2KMKqcJ1hdFceEIRd9u64Q=
 google.golang.org/appengine/v2 v2.0.6 h1:LvPZLGuchSBslPBp+LAhihBeGSiRh1myRoYK4NtuBIw=
 google.golang.org/appengine/v2 v2.0.6/go.mod h1:WoEXGoXNfa0mLvaH5sV3ZSGXwVmy8yf7Z1JKf3J3wLI=
-google.golang.org/genproto v0.0.0-20260203192932-546029d2fa20 h1:/CU1zrxTpGylJJbe3Ru94yy6sZRbzALq2/oxl3pGB3U=
-google.golang.org/genproto v0.0.0-20260203192932-546029d2fa20/go.mod h1:Tt+08/KdKEt3l8x3Pby3HLQxMB3uk/MzaQ4ZIv0ORTs=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
-google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
-google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/genproto v0.0.0-20260311181403-84a4fc48630c h1:ZhFDeBMmFc/4g8/GwxnJ4rzB3O4GwQVNr+8Mh7Y5z4g=
+google.golang.org/genproto v0.0.0-20260311181403-84a4fc48630c/go.mod h1:hf4r/rBuzaTkLUWRO03771Xvcs6P5hwdQK3UUEJjqo0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260311181403-84a4fc48630c h1:OyQPd6I3pN/9gDxz6L13kYGJgqkpdrAohJRBeXyxlgI=
+google.golang.org/genproto/googleapis/api v0.0.0-20260311181403-84a4fc48630c/go.mod h1:X2gu9Qwng7Nn009s/r3RUxqkzQNqOrAy79bluY7ojIg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260311181403-84a4fc48630c h1:xgCzyF2LFIO/0X2UAoVRiXKU5Xg6VjToG4i2/ecSswk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260311181403-84a4fc48630c/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
+google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
--- a/message/cache.go
+++ b/message/cache.go
@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/log"
 	"heckel.io/ntfy/v2/model"
 	"heckel.io/ntfy/v2/util"
@@ -49,14 +50,14 @@ type queries struct {

 // Cache stores published messages
 type Cache struct {
-	db      *sql.DB
+	db      *db.DB
 	queue   *util.BatchingQueue[*model.Message]
 	nop     bool
 	mu      *sync.Mutex // nil for PostgreSQL (concurrent writes supported), set for SQLite (single writer)
 	queries queries
 }

-func newCache(db *sql.DB, queries queries, mu *sync.Mutex, batchSize int, batchTimeout time.Duration, nop bool) *Cache {
+func newCache(db *db.DB, queries queries, mu *sync.Mutex, batchSize int, batchTimeout time.Duration, nop bool) *Cache {
 	var queue *util.BatchingQueue[*model.Message]
 	if batchSize > 0 || batchTimeout > 0 {
 		queue = util.NewBatchingQueue[*model.Message](batchSize, batchTimeout)
@@ -200,10 +201,11 @@ func (c *Cache) Messages(topic string, since model.SinceMarker, scheduled bool)
 func (c *Cache) messagesSinceTime(topic string, since model.SinceMarker, scheduled bool) ([]*model.Message, error) {
 	var rows *sql.Rows
 	var err error
+	rdb := c.db.ReadOnly()
 	if scheduled {
-		rows, err = c.db.Query(c.queries.selectMessagesSinceTimeScheduled, topic, since.Time().Unix())
+		rows, err = rdb.Query(c.queries.selectMessagesSinceTimeScheduled, topic, since.Time().Unix())
 	} else {
-		rows, err = c.db.Query(c.queries.selectMessagesSinceTime, topic, since.Time().Unix())
+		rows, err = rdb.Query(c.queries.selectMessagesSinceTime, topic, since.Time().Unix())
 	}
 	if err != nil {
 		return nil, err
@@ -214,10 +216,11 @@ func (c *Cache) messagesSinceTime(topic string, since model.SinceMarker, schedul
 func (c *Cache) messagesSinceID(topic string, since model.SinceMarker, scheduled bool) ([]*model.Message, error) {
 	var rows *sql.Rows
 	var err error
+	rdb := c.db.ReadOnly()
 	if scheduled {
-		rows, err = c.db.Query(c.queries.selectMessagesSinceIDScheduled, topic, since.ID())
+		rows, err = rdb.Query(c.queries.selectMessagesSinceIDScheduled, topic, since.ID())
 	} else {
-		rows, err = c.db.Query(c.queries.selectMessagesSinceID, topic, since.ID())
+		rows, err = rdb.Query(c.queries.selectMessagesSinceID, topic, since.ID())
 	}
 	if err != nil {
 		return nil, err
@@ -226,7 +229,7 @@ func (c *Cache) messagesSinceID(topic string, since model.SinceMarker, scheduled
 }

 func (c *Cache) messagesLatest(topic string) ([]*model.Message, error) {
-	rows, err := c.db.Query(c.queries.selectMessagesLatest, topic)
+	rows, err := c.db.ReadOnly().Query(c.queries.selectMessagesLatest, topic)
 	if err != nil {
 		return nil, err
 	}
@@ -265,7 +268,7 @@ func (c *Cache) MessagesExpired() ([]string, error) {

 // Message returns the message with the given ID, or ErrMessageNotFound if not found
 func (c *Cache) Message(id string) (*model.Message, error) {
-	rows, err := c.db.Query(c.queries.selectMessagesByID, id)
+	rows, err := c.db.ReadOnly().Query(c.queries.selectMessagesByID, id)
 	if err != nil {
 		return nil, err
 	}
@@ -294,7 +297,7 @@ func (c *Cache) MarkPublished(m *model.Message) error {

 // MessagesCount returns the total number of messages in the cache
 func (c *Cache) MessagesCount() (int, error) {
-	rows, err := c.db.Query(c.queries.selectMessagesCount)
+	rows, err := c.db.ReadOnly().Query(c.queries.selectMessagesCount)
 	if err != nil {
 		return 0, err
 	}
@@ -311,7 +314,7 @@ func (c *Cache) MessagesCount() (int, error) {

 // Topics returns a list of all topics with messages in the cache
 func (c *Cache) Topics() ([]string, error) {
-	rows, err := c.db.Query(c.queries.selectTopics)
+	rows, err := c.db.ReadOnly().Query(c.queries.selectTopics)
 	if err != nil {
 		return nil, err
 	}
@@ -334,17 +337,14 @@ func (c *Cache) Topics() ([]string, error) {
 func (c *Cache) DeleteMessages(ids ...string) error {
 	c.maybeLock()
 	defer c.maybeUnlock()
-	tx, err := c.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	for _, id := range ids {
-		if _, err := tx.Exec(c.queries.deleteMessage, id); err != nil {
-			return err
+	return db.ExecTx(c.db, func(tx *sql.Tx) error {
+		for _, id := range ids {
+			if _, err := tx.Exec(c.queries.deleteMessage, id); err != nil {
+				return err
+			}
 		}
-	}
-	return tx.Commit()
+		return nil
+	})
 }

 // DeleteScheduledBySequenceID deletes unpublished (scheduled) messages with the given topic and sequence ID.
@@ -352,54 +352,43 @@ func (c *Cache) DeleteMessages(ids ...string) error {
 func (c *Cache) DeleteScheduledBySequenceID(topic, sequenceID string) ([]string, error) {
 	c.maybeLock()
 	defer c.maybeUnlock()
-	tx, err := c.db.Begin()
-	if err != nil {
-		return nil, err
-	}
-	defer tx.Rollback()
-	// First, get the message IDs of scheduled messages to be deleted
-	rows, err := tx.Query(c.queries.selectScheduledMessageIDsBySeqID, topic, sequenceID)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	ids := make([]string, 0)
-	for rows.Next() {
-		var id string
-		if err := rows.Scan(&id); err != nil {
+	return db.QueryTx(c.db, func(tx *sql.Tx) ([]string, error) {
+		rows, err := tx.Query(c.queries.selectScheduledMessageIDsBySeqID, topic, sequenceID)
+		if err != nil {
 			return nil, err
 		}
-		ids = append(ids, id)
-	}
-	if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	rows.Close() // Close rows before executing delete in same transaction
-	// Then delete the messages
-	if _, err := tx.Exec(c.queries.deleteScheduledBySequenceID, topic, sequenceID); err != nil {
-		return nil, err
-	}
-	if err := tx.Commit(); err != nil {
-		return nil, err
-	}
-	return ids, nil
+		defer rows.Close()
+		ids := make([]string, 0)
+		for rows.Next() {
+			var id string
+			if err := rows.Scan(&id); err != nil {
+				return nil, err
+			}
+			ids = append(ids, id)
+		}
+		if err := rows.Err(); err != nil {
+			return nil, err
+		}
+		rows.Close() // Close rows before executing delete in same transaction
+		if _, err := tx.Exec(c.queries.deleteScheduledBySequenceID, topic, sequenceID); err != nil {
+			return nil, err
+		}
+		return ids, nil
+	})
 }

 // ExpireMessages marks messages in the given topics as expired
 func (c *Cache) ExpireMessages(topics ...string) error {
 	c.maybeLock()
 	defer c.maybeUnlock()
-	tx, err := c.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	for _, t := range topics {
-		if _, err := tx.Exec(c.queries.updateMessagesForTopicExpiry, time.Now().Unix()-1, t); err != nil {
-			return err
+	return db.ExecTx(c.db, func(tx *sql.Tx) error {
+		for _, t := range topics {
+			if _, err := tx.Exec(c.queries.updateMessagesForTopicExpiry, time.Now().Unix()-1, t); err != nil {
+				return err
+			}
 		}
-	}
-	return tx.Commit()
+		return nil
+	})
 }

 // AttachmentsExpired returns message IDs with expired attachments that have not been deleted
@@ -427,22 +416,19 @@ func (c *Cache) AttachmentsExpired() ([]string, error) {
 func (c *Cache) MarkAttachmentsDeleted(ids ...string) error {
 	c.maybeLock()
 	defer c.maybeUnlock()
-	tx, err := c.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	for _, id := range ids {
-		if _, err := tx.Exec(c.queries.updateAttachmentDeleted, id); err != nil {
-			return err
+	return db.ExecTx(c.db, func(tx *sql.Tx) error {
+		for _, id := range ids {
+			if _, err := tx.Exec(c.queries.updateAttachmentDeleted, id); err != nil {
+				return err
+			}
 		}
-	}
-	return tx.Commit()
+		return nil
+	})
 }

 // AttachmentBytesUsedBySender returns the total size of active attachments sent by the given sender
 func (c *Cache) AttachmentBytesUsedBySender(sender string) (int64, error) {
-	rows, err := c.db.Query(c.queries.selectAttachmentsSizeBySender, sender, time.Now().Unix())
+	rows, err := c.db.ReadOnly().Query(c.queries.selectAttachmentsSizeBySender, sender, time.Now().Unix())
 	if err != nil {
 		return 0, err
 	}
@@ -451,7 +437,7 @@ func (c *Cache) AttachmentBytesUsedBySender(sender string) (int64, error) {

 // AttachmentBytesUsedByUser returns the total size of active attachments for the given user
 func (c *Cache) AttachmentBytesUsedByUser(userID string) (int64, error) {
-	rows, err := c.db.Query(c.queries.selectAttachmentsSizeByUserID, userID, time.Now().Unix())
+	rows, err := c.db.ReadOnly().Query(c.queries.selectAttachmentsSizeByUserID, userID, time.Now().Unix())
 	if err != nil {
 		return 0, err
 	}
@@ -482,7 +468,7 @@ func (c *Cache) UpdateStats(messages int64) error {

 // Stats returns the total message count statistic
 func (c *Cache) Stats() (messages int64, err error) {
-	rows, err := c.db.Query(c.queries.selectStats)
+	rows, err := c.db.ReadOnly().Query(c.queries.selectStats)
 	if err != nil {
 		return 0, err
 	}
--- a/message/cache_postgres.go
+++ b/message/cache_postgres.go
@@ -1,8 +1,9 @@
 package message

 import (
-	"database/sql"
 	"time"
+
+	"heckel.io/ntfy/v2/db"
 )

 // PostgreSQL runtime query constants
@@ -102,9 +103,9 @@ var postgresQueries = queries{
 }

 // NewPostgresStore creates a new PostgreSQL-backed message cache store using an existing database connection pool.
-func NewPostgresStore(db *sql.DB, batchSize int, batchTimeout time.Duration) (*Cache, error) {
-	if err := setupPostgres(db); err != nil {
+func NewPostgresStore(d *db.DB, batchSize int, batchTimeout time.Duration) (*Cache, error) {
+	if err := setupPostgres(d.Primary()); err != nil {
 		return nil, err
 	}
-	return newCache(db, postgresQueries, nil, batchSize, batchTimeout, false), nil
+	return newCache(d, postgresQueries, nil, batchSize, batchTimeout, false), nil
 }
--- a/message/cache_postgres_schema.go
+++ b/message/cache_postgres_schema.go
@@ -3,6 +3,8 @@ package message
 import (
 	"database/sql"
 	"fmt"
+
+	"heckel.io/ntfy/v2/db"
 )

 // Initial PostgreSQL schema
@@ -55,34 +57,29 @@ const (

 // PostgreSQL schema management queries
 const (
-	pgCurrentSchemaVersion           = 14
+	postgresCurrentSchemaVersion     = 14
 	postgresInsertSchemaVersionQuery = `INSERT INTO schema_version (store, version) VALUES ('message', $1)`
 	postgresSelectSchemaVersionQuery = `SELECT version FROM schema_version WHERE store = 'message'`
 )

 func setupPostgres(db *sql.DB) error {
 	var schemaVersion int
-	err := db.QueryRow(postgresSelectSchemaVersionQuery).Scan(&schemaVersion)
-	if err != nil {
+	if err := db.QueryRow(postgresSelectSchemaVersionQuery).Scan(&schemaVersion); err != nil {
 		return setupNewPostgresDB(db)
-	}
-	if schemaVersion > pgCurrentSchemaVersion {
-		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, pgCurrentSchemaVersion)
+	} else if schemaVersion > postgresCurrentSchemaVersion {
+		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, postgresCurrentSchemaVersion)
 	}
 	return nil
 }

-func setupNewPostgresDB(db *sql.DB) error {
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(postgresCreateTablesQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(postgresInsertSchemaVersionQuery, pgCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return tx.Commit()
+func setupNewPostgresDB(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(postgresCreateTablesQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(postgresInsertSchemaVersionQuery, postgresCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }
--- a/message/cache_sqlite.go
+++ b/message/cache_sqlite.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	_ "github.com/mattn/go-sqlite3" // SQLite driver
+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/util"
 )

@@ -110,14 +111,14 @@ func NewSQLiteStore(filename, startupQueries string, cacheDuration time.Duration
 	if !util.FileExists(parentDir) {
 		return nil, fmt.Errorf("cache database directory %s does not exist or is not accessible", parentDir)
 	}
-	db, err := sql.Open("sqlite3", filename)
+	d, err := sql.Open("sqlite3", filename)
 	if err != nil {
 		return nil, err
 	}
-	if err := setupSQLite(db, startupQueries, cacheDuration); err != nil {
+	if err := setupSQLite(d, startupQueries, cacheDuration); err != nil {
 		return nil, err
 	}
-	return newCache(db, sqliteQueries, &sync.Mutex{}, batchSize, batchTimeout, nop), nil
+	return newCache(db.New(&db.Host{DB: d}, nil), sqliteQueries, &sync.Mutex{}, batchSize, batchTimeout, nop), nil
 }

 // NewMemStore creates an in-memory cache
--- a/message/cache_sqlite_schema.go
+++ b/message/cache_sqlite_schema.go
@@ -5,13 +5,13 @@ import (
 	"fmt"
 	"time"

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/log"
 )

 // Initial SQLite schema
 const (
 	sqliteCreateTablesQuery = `
-		BEGIN;
 		CREATE TABLE IF NOT EXISTS messages (
 			id INTEGER PRIMARY KEY AUTOINCREMENT,
 			mid TEXT NOT NULL,
@@ -52,7 +52,6 @@ const (
 			value INT
 		);
 		INSERT INTO stats (key, value) VALUES ('messages', 0);
-		COMMIT;
 	`
 )

@@ -74,11 +73,9 @@ const (
 const (
 	// 0 -> 1
 	sqliteMigrate0To1AlterMessagesTableQuery = `
-		BEGIN;
 		ALTER TABLE messages ADD COLUMN title TEXT NOT NULL DEFAULT('');
 		ALTER TABLE messages ADD COLUMN priority INT NOT NULL DEFAULT(0);
 		ALTER TABLE messages ADD COLUMN tags TEXT NOT NULL DEFAULT('');
-		COMMIT;
 	`

 	// 1 -> 2
@@ -88,7 +85,6 @@ const (

 	// 2 -> 3
 	sqliteMigrate2To3AlterMessagesTableQuery = `
-		BEGIN;
 		ALTER TABLE messages ADD COLUMN click TEXT NOT NULL DEFAULT('');
 		ALTER TABLE messages ADD COLUMN attachment_name TEXT NOT NULL DEFAULT('');
 		ALTER TABLE messages ADD COLUMN attachment_type TEXT NOT NULL DEFAULT('');
@@ -96,7 +92,6 @@ const (
 		ALTER TABLE messages ADD COLUMN attachment_expires INT NOT NULL DEFAULT('0');
 		ALTER TABLE messages ADD COLUMN attachment_owner TEXT NOT NULL DEFAULT('');
 		ALTER TABLE messages ADD COLUMN attachment_url TEXT NOT NULL DEFAULT('');
-		COMMIT;
 	`
 	// 3 -> 4
 	sqliteMigrate3To4AlterMessagesTableQuery = `
@@ -105,7 +100,6 @@ const (

 	// 4 -> 5
 	sqliteMigrate4To5AlterMessagesTableQuery = `
-		BEGIN;
 		CREATE TABLE IF NOT EXISTS messages_new (
 			id INTEGER PRIMARY KEY AUTOINCREMENT,
 			mid TEXT NOT NULL,
@@ -137,7 +131,6 @@ const (
 			FROM messages;
 		DROP TABLE messages;
 		ALTER TABLE messages_new RENAME TO messages;
-		COMMIT;
 	`

 	// 5 -> 6
@@ -223,24 +216,13 @@ func setupSQLite(db *sql.DB, startupQueries string, cacheDuration time.Duration)
 		return err
 	}
 	// If 'messages' table does not exist, this must be a new database
-	rowsMC, err := db.Query(sqliteSelectMessagesCountQuery)
-	if err != nil {
+	var messagesCount int
+	if err := db.QueryRow(sqliteSelectMessagesCountQuery).Scan(&messagesCount); err != nil {
 		return setupNewSQLite(db)
 	}
-	rowsMC.Close()
-	// If 'messages' table exists, check 'schemaVersion' table
-	schemaVersion := 0
-	rowsSV, err := db.Query(sqliteSelectSchemaVersionQuery)
-	if err == nil {
-		defer rowsSV.Close()
-		if !rowsSV.Next() {
-			return fmt.Errorf("cannot determine schema version: cache file may be corrupt")
-		}
-		if err := rowsSV.Scan(&schemaVersion); err != nil {
-			return err
-		}
-		rowsSV.Close()
-	}
+	// If 'messages' table exists (schema >= 0), check 'schemaVersion' table
+	var schemaVersion int
+	db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion) // Error means schema version is zero!
 	// Do migrations
 	if schemaVersion == sqliteCurrentSchemaVersion {
 		return nil
@@ -258,17 +240,19 @@ func setupSQLite(db *sql.DB, startupQueries string, cacheDuration time.Duration)
 	return nil
 }

-func setupNewSQLite(db *sql.DB) error {
-	if _, err := db.Exec(sqliteCreateTablesQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteCreateSchemaVersionTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return nil
+func setupNewSQLite(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteCreateTablesQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteCreateSchemaVersionTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }

 func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
@@ -280,187 +264,190 @@ func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
 	return nil
 }

-func sqliteMigrateFrom0(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom0(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 0 to 1")
-	if _, err := db.Exec(sqliteMigrate0To1AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteCreateSchemaVersionTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteInsertSchemaVersionQuery, 1); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate0To1AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteCreateSchemaVersionTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, 1); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom1(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom1(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 1 to 2")
-	if _, err := db.Exec(sqliteMigrate1To2AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 2); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate1To2AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 2); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom2(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom2(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 2 to 3")
-	if _, err := db.Exec(sqliteMigrate2To3AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 3); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate2To3AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 3); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom3(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom3(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 3 to 4")
-	if _, err := db.Exec(sqliteMigrate3To4AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 4); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate3To4AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 4); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom4(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom4(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 4 to 5")
-	if _, err := db.Exec(sqliteMigrate4To5AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 5); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate4To5AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 5); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom5(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom5(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 5 to 6")
-	if _, err := db.Exec(sqliteMigrate5To6AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 6); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate5To6AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 6); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom6(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom6(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 6 to 7")
-	if _, err := db.Exec(sqliteMigrate6To7AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 7); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate6To7AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 7); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom7(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom7(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 7 to 8")
-	if _, err := db.Exec(sqliteMigrate7To8AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 8); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate7To8AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 8); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom8(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom8(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 8 to 9")
-	if _, err := db.Exec(sqliteMigrate8To9AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 9); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate8To9AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 9); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom9(db *sql.DB, cacheDuration time.Duration) error {
+func sqliteMigrateFrom9(sqlDB *sql.DB, cacheDuration time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 9 to 10")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate9To10AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteMigrate9To10UpdateMessageExpiryQuery, int64(cacheDuration.Seconds())); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 10); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate9To10AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteMigrate9To10UpdateMessageExpiryQuery, int64(cacheDuration.Seconds())); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 10); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom10(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom10(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 10 to 11")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate10To11AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 11); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate10To11AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 11); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom11(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom11(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 11 to 12")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate11To12AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 12); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate11To12AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 12); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom12(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom12(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 12 to 13")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate12To13AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 13); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate12To13AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 13); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom13(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom13(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 13 to 14")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate13To14AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 14); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate13To14AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 14); err != nil {
+			return err
+		}
+		return nil
+	})
 }
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -42,8 +42,11 @@ extra:
      link: https://github.com/binwiederhier
 extra_javascript:
  - static/js/extra.js
+  - static/js/bcrypt.js
+  - static/js/config-generator.js
 extra_css:
  - static/css/extra.css
+  - static/css/config-generator.css

 markdown_extensions:
  - admonition
--- a/server/config.go
+++ b/server/config.go
@@ -95,7 +95,8 @@ type Config struct {
 	ListenUnixMode                       fs.FileMode
 	KeyFile                              string
 	CertFile                             string
-	DatabaseURL                          string // PostgreSQL connection string (e.g. "postgres://user:pass@host:5432/ntfy")
+	DatabaseURL                          string   // PostgreSQL connection string (e.g. "postgres://user:pass@host:5432/ntfy")
+	DatabaseReplicaURLs                  []string // PostgreSQL read replica connection strings
 	FirebaseKeyFile                      string
 	CacheFile                            string
 	CacheDuration                        time.Duration
--- a/server/server.go
+++ b/server/server.go
@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
-	"database/sql"
 	"embed"
 	"encoding/base64"
 	"encoding/json"
@@ -34,6 +33,7 @@ import (
 	"golang.org/x/sync/errgroup"
 	"gopkg.in/yaml.v2"
 	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 	"heckel.io/ntfy/v2/log"
 	"heckel.io/ntfy/v2/message"
 	"heckel.io/ntfy/v2/model"
@@ -47,7 +47,7 @@ import (
 // Server is the main server, providing the UI and API for ntfy
 type Server struct {
 	config            *Config
-	db                *sql.DB // Shared PostgreSQL connection pool, nil when using SQLite
+	db                *db.DB // Shared PostgreSQL connection pool (with optional replicas), nil when using SQLite
 	httpServer        *http.Server
 	httpsServer       *http.Server
 	httpMetricsServer *http.Server
@@ -178,14 +178,27 @@ func New(conf *Config) (*Server, error) {
 	if payments.Available && conf.StripeSecretKey != "" {
 		stripe = newStripeAPI()
 	}
-	// OpenPostgres shared PostgreSQL connection pool if configured
-	var pool *sql.DB
+	// Open shared PostgreSQL connection pool if configured
+	var pool *db.DB
 	if conf.DatabaseURL != "" {
-		var err error
-		pool, err = db.OpenPostgres(conf.DatabaseURL)
+		primary, err := pg.Open(conf.DatabaseURL)
 		if err != nil {
 			return nil, err
 		}
+		var replicas []*db.Host
+		for _, replicaURL := range conf.DatabaseReplicaURLs {
+			r, err := pg.OpenReplica(replicaURL)
+			if err != nil {
+				// Close already-opened replicas before returning
+				for _, opened := range replicas {
+					opened.DB.Close()
+				}
+				primary.DB.Close()
+				return nil, fmt.Errorf("failed to open database replica: %w", err)
+			}
+			replicas = append(replicas, r)
+		}
+		pool = db.New(primary, replicas)
 	}
 	messageCache, err := createMessageCache(conf, pool)
 	if err != nil {
@@ -277,7 +290,7 @@ func New(conf *Config) (*Server, error) {
 	return s, nil
 }

-func createMessageCache(conf *Config, pool *sql.DB) (*message.Cache, error) {
+func createMessageCache(conf *Config, pool *db.DB) (*message.Cache, error) {
 	if conf.CacheDuration == 0 {
 		return message.NewNopStore()
 	} else if pool != nil {
--- a/test/server.go
+++ b/test/server.go
@@ -3,7 +3,7 @@ package test
 import (
 	"fmt"
 	"heckel.io/ntfy/v2/server"
-	"math/rand"
+	"net"
 	"net/http"
 	"path/filepath"
 	"testing"
@@ -16,7 +16,7 @@ func StartServer(t *testing.T) (*server.Server, int) {

 // StartServerWithConfig starts a server.Server with a random port and waits for the server to be up
 func StartServerWithConfig(t *testing.T, conf *server.Config) (*server.Server, int) {
-	port := 10000 + rand.Intn(30000)
+	port := findAvailablePort(t)
 	conf.ListenHTTP = fmt.Sprintf(":%d", port)
 	conf.AttachmentCacheDir = t.TempDir()
 	conf.CacheFile = filepath.Join(t.TempDir(), "cache.db")
@@ -33,6 +33,17 @@ func StartServerWithConfig(t *testing.T, conf *server.Config) (*server.Server, i
 	return s, port
 }

+// findAvailablePort asks the OS for a free port by binding to :0
+func findAvailablePort(t *testing.T) int {
+	listener, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	port := listener.Addr().(*net.TCPAddr).Port
+	listener.Close()
+	return port
+}
+
 // StopServer stops the test server and waits for the port to be down
 func StopServer(t *testing.T, s *server.Server, port int) {
 	s.Stop()
--- a/tools/loadtest/go.mod
+++ b/tools/loadtest/go.mod
@@ -0,0 +1,5 @@
+module loadtest
+
+go 1.25.2
+
+require github.com/gorilla/websocket v1.5.3
--- a/tools/loadtest/go.sum
+++ b/tools/loadtest/go.sum
@@ -0,0 +1,2 @@
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
--- a/tools/loadtest/main.go
+++ b/tools/loadtest/main.go
@@ -0,0 +1,543 @@
+// Load test program for ntfy staging server.
+// Replicates production traffic patterns derived from access.log analysis.
+//
+// Traffic profile (from ~5M requests over 20 hours):
+//   ~71 req/sec average, ~4,300 req/min
+//   49.6% poll requests      (GET /TOPIC/json?poll=1&since=ID)
+//   21.4% publish POST       (POST /TOPIC with small body)
+//    6.2% subscribe stream   (GET /TOPIC/json?since=X, long-lived)
+//    4.1% config check       (GET /v1/config)
+//    2.3% other topic GET    (GET /TOPIC)
+//    2.2% account check      (GET /v1/account)
+//    1.9% websocket sub      (GET /TOPIC/ws?since=X)
+//    1.5% publish PUT        (PUT /TOPIC with small body)
+//    1.5% raw subscribe      (GET /TOPIC/raw?since=X)
+//    1.1% json subscribe     (GET /TOPIC/json, no since)
+//    0.7% SSE subscribe      (GET /TOPIC/sse?since=X)
+//    remaining: static, PATCH, OPTIONS, etc. (omitted)
+
+package main
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"flag"
+	"fmt"
+	"io"
+
+	"math/big"
+	mrand "math/rand"
+	"net/http"
+	"os"
+	"os/signal"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/gorilla/websocket"
+)
+
+var (
+	baseURL    string
+	username   string
+	password   string
+	rps        float64
+	scale      float64
+	numTopics  int
+	subStreams int
+	wsStreams  int
+	sseStreams int
+	rawStreams int
+	duration   time.Duration
+
+	totalRequests atomic.Int64
+	totalErrors   atomic.Int64
+	activeStreams atomic.Int64
+
+	// Error tracking by category
+	errMu        sync.Mutex
+	recentErrors []string // last N unique error messages
+	errorCounts  = make(map[string]int64)
+)
+
+func main() {
+	flag.StringVar(&baseURL, "url", "https://staging.ntfy.sh", "Base URL of ntfy server")
+	flag.StringVar(&username, "user", "", "Username for authentication")
+	flag.StringVar(&password, "pass", "", "Password for authentication")
+	flag.Float64Var(&rps, "rps", 71, "Target requests per second (default: prod average)")
+	flag.Float64Var(&scale, "scale", 1.0, "Scale factor for all load (0.5 = half load, 2.0 = double)")
+	flag.IntVar(&numTopics, "topics", 500, "Number of unique topics to use")
+	flag.IntVar(&subStreams, "sub-streams", 200, "Number of concurrent JSON streaming subscriptions")
+	flag.IntVar(&wsStreams, "ws-streams", 50, "Number of concurrent WebSocket subscriptions")
+	flag.IntVar(&sseStreams, "sse-streams", 20, "Number of concurrent SSE subscriptions")
+	flag.IntVar(&rawStreams, "raw-streams", 30, "Number of concurrent raw subscriptions")
+	flag.DurationVar(&duration, "duration", 10*time.Minute, "Test duration")
+	flag.Parse()
+
+	rps *= scale
+	subStreams = int(float64(subStreams) * scale)
+	wsStreams = int(float64(wsStreams) * scale)
+	sseStreams = int(float64(sseStreams) * scale)
+	rawStreams = int(float64(rawStreams) * scale)
+
+	topics := generateTopics(numTopics)
+
+	fmt.Printf("ntfy load test\n")
+	fmt.Printf("  Target:       %s\n", baseURL)
+	fmt.Printf("  RPS:          %.1f\n", rps)
+	fmt.Printf("  Scale:        %.1fx\n", scale)
+	fmt.Printf("  Topics:       %d\n", numTopics)
+	fmt.Printf("  Sub streams:  %d json, %d ws, %d sse, %d raw\n", subStreams, wsStreams, sseStreams, rawStreams)
+	fmt.Printf("  Duration:     %s\n", duration)
+	fmt.Println()
+
+	ctx, cancel := context.WithTimeout(context.Background(), duration)
+	defer cancel()
+
+	// Also handle Ctrl+C
+	sigCtx, sigCancel := signal.NotifyContext(ctx, os.Interrupt)
+	defer sigCancel()
+	ctx = sigCtx
+
+	client := &http.Client{
+		Timeout: 10 * time.Second,
+		Transport: &http.Transport{
+			MaxIdleConns:        1000,
+			MaxIdleConnsPerHost: 1000,
+			IdleConnTimeout:     90 * time.Second,
+		},
+	}
+
+	// Long-lived streaming client (no timeout)
+	streamClient := &http.Client{
+		Timeout: 0,
+		Transport: &http.Transport{
+			MaxIdleConns:        500,
+			MaxIdleConnsPerHost: 500,
+			IdleConnTimeout:     0,
+		},
+	}
+
+	var wg sync.WaitGroup
+
+	// Start long-lived streaming subscriptions
+	for i := 0; i < subStreams; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			streamSubscription(ctx, streamClient, topics, "json")
+		}()
+	}
+	for i := 0; i < wsStreams; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			wsSubscription(ctx, topics)
+		}()
+	}
+	for i := 0; i < sseStreams; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			streamSubscription(ctx, streamClient, topics, "sse")
+		}()
+	}
+	for i := 0; i < rawStreams; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			streamSubscription(ctx, streamClient, topics, "raw")
+		}()
+	}
+
+	// Start request generators based on traffic weights
+	// Weights from log analysis (normalized to sum ~100):
+	//   poll=49.6, publish_post=21.4, config=4.1, other_get=2.3, account=2.2, publish_put=1.5
+	//   Total short-lived weight ≈ 81.1
+	type requestType struct {
+		name   string
+		weight float64
+		fn     func(ctx context.Context, client *http.Client, topics []string)
+	}
+
+	types := []requestType{
+		{"poll", 49.6, doPoll},
+		{"publish_post", 21.4, doPublishPost},
+		{"config", 4.1, doConfig},
+		{"other_get", 2.3, doOtherGet},
+		{"account", 2.2, doAccountCheck},
+		{"publish_put", 1.5, doPublishPut},
+	}
+
+	totalWeight := 0.0
+	for _, t := range types {
+		totalWeight += t.weight
+	}
+
+	for _, t := range types {
+		t := t
+		typeRPS := rps * (t.weight / totalWeight)
+		if typeRPS < 0.1 {
+			continue
+		}
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			runAtRate(ctx, typeRPS, func() {
+				t.fn(ctx, client, topics)
+			})
+		}()
+	}
+
+	// Stats reporter
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		reportStats(ctx)
+	}()
+
+	wg.Wait()
+	fmt.Printf("\nDone. Total requests: %d, errors: %d\n", totalRequests.Load(), totalErrors.Load())
+}
+
+func trackError(category string, err error) {
+	totalErrors.Add(1)
+	key := fmt.Sprintf("%s: %s", category, truncateErr(err))
+	errMu.Lock()
+	errorCounts[key]++
+	errMu.Unlock()
+}
+
+func trackErrorMsg(category string, msg string) {
+	totalErrors.Add(1)
+	key := fmt.Sprintf("%s: %s", category, msg)
+	errMu.Lock()
+	errorCounts[key]++
+	errMu.Unlock()
+}
+
+func truncateErr(err error) string {
+	s := err.Error()
+	if len(s) > 120 {
+		s = s[:120] + "..."
+	}
+	return s
+}
+
+func setAuth(req *http.Request) {
+	if username != "" && password != "" {
+		req.SetBasicAuth(username, password)
+	}
+}
+
+func generateTopics(n int) []string {
+	topics := make([]string, n)
+	for i := 0; i < n; i++ {
+		b := make([]byte, 8)
+		rand.Read(b)
+		topics[i] = "loadtest-" + hex.EncodeToString(b)
+	}
+	return topics
+}
+
+func pickTopic(topics []string) string {
+	n, _ := rand.Int(rand.Reader, big.NewInt(int64(len(topics))))
+	return topics[n.Int64()]
+}
+
+func randomSince() string {
+	b := make([]byte, 6)
+	rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
+func randomMessage() string {
+	messages := []string{
+		"Test notification",
+		"Server backup completed successfully",
+		"Deployment finished",
+		"Alert: disk usage above 80%",
+		"Build #1234 passed",
+		"New order received",
+		"Temperature sensor reading: 72F",
+		"Cron job completed",
+	}
+	return messages[mrand.Intn(len(messages))]
+}
+
+// runAtRate executes fn at approximately the given rate per second
+func runAtRate(ctx context.Context, rate float64, fn func()) {
+	interval := time.Duration(float64(time.Second) / rate)
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			go fn()
+		}
+	}
+}
+
+// --- Short-lived request types ---
+
+func doPoll(ctx context.Context, client *http.Client, topics []string) {
+	topic := pickTopic(topics)
+	url := fmt.Sprintf("%s/%s/json?poll=1&since=%s", baseURL, topic, randomSince())
+	doGet(ctx, client, url)
+}
+
+func doPublishPost(ctx context.Context, client *http.Client, topics []string) {
+	topic := pickTopic(topics)
+	url := fmt.Sprintf("%s/%s", baseURL, topic)
+	req, err := http.NewRequestWithContext(ctx, "POST", url, strings.NewReader(randomMessage()))
+	if err != nil {
+		trackError("publish_post_req", err)
+		return
+	}
+	setAuth(req)
+	// Some messages have titles/priorities like real traffic
+	if mrand.Float32() < 0.3 {
+		req.Header.Set("X-Title", "Load Test")
+	}
+	if mrand.Float32() < 0.1 {
+		req.Header.Set("X-Priority", fmt.Sprintf("%d", mrand.Intn(5)+1))
+	}
+	resp, err := client.Do(req)
+	totalRequests.Add(1)
+	if err != nil {
+		trackError("publish_post", err)
+		return
+	}
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		trackErrorMsg("publish_post_http", fmt.Sprintf("status %d", resp.StatusCode))
+	}
+}
+
+func doPublishPut(ctx context.Context, client *http.Client, topics []string) {
+	topic := pickTopic(topics)
+	url := fmt.Sprintf("%s/%s", baseURL, topic)
+	req, err := http.NewRequestWithContext(ctx, "PUT", url, strings.NewReader(randomMessage()))
+	if err != nil {
+		trackError("publish_put_req", err)
+		return
+	}
+	setAuth(req)
+	resp, err := client.Do(req)
+	totalRequests.Add(1)
+	if err != nil {
+		trackError("publish_put", err)
+		return
+	}
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		trackErrorMsg("publish_put_http", fmt.Sprintf("status %d", resp.StatusCode))
+	}
+}
+
+func doConfig(ctx context.Context, client *http.Client, topics []string) {
+	url := fmt.Sprintf("%s/v1/config", baseURL)
+	doGet(ctx, client, url)
+}
+
+func doAccountCheck(ctx context.Context, client *http.Client, topics []string) {
+	url := fmt.Sprintf("%s/v1/account", baseURL)
+	doGet(ctx, client, url)
+}
+
+func doOtherGet(ctx context.Context, client *http.Client, topics []string) {
+	topic := pickTopic(topics)
+	url := fmt.Sprintf("%s/%s", baseURL, topic)
+	doGet(ctx, client, url)
+}
+
+func doGet(ctx context.Context, client *http.Client, url string) {
+	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+	if err != nil {
+		trackError("get_req", err)
+		return
+	}
+	setAuth(req)
+	resp, err := client.Do(req)
+	totalRequests.Add(1)
+	if err != nil {
+		trackError("get", err)
+		return
+	}
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		trackErrorMsg("get_http", fmt.Sprintf("status %d for %s", resp.StatusCode, url))
+	}
+}
+
+// --- Long-lived streaming subscriptions ---
+
+func streamSubscription(ctx context.Context, client *http.Client, topics []string, format string) {
+	for {
+		if ctx.Err() != nil {
+			return
+		}
+		topic := pickTopic(topics)
+		url := fmt.Sprintf("%s/%s/%s?since=all", baseURL, topic, format)
+		req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+		if err != nil {
+			time.Sleep(time.Second)
+			continue
+		}
+		setAuth(req)
+		activeStreams.Add(1)
+		resp, err := client.Do(req)
+		if err != nil {
+			activeStreams.Add(-1)
+			if ctx.Err() == nil {
+				trackError("stream_"+format+"_connect", err)
+			}
+			time.Sleep(time.Second)
+			continue
+		}
+		if resp.StatusCode >= 400 {
+			trackErrorMsg("stream_"+format+"_http", fmt.Sprintf("status %d", resp.StatusCode))
+			resp.Body.Close()
+			activeStreams.Add(-1)
+			time.Sleep(time.Second)
+			continue
+		}
+		// Read from stream until context cancelled or connection drops
+		buf := make([]byte, 4096)
+		for {
+			_, err := resp.Body.Read(buf)
+			if err != nil {
+				if ctx.Err() == nil {
+					trackError("stream_"+format+"_read", err)
+				}
+				break
+			}
+		}
+		resp.Body.Close()
+		activeStreams.Add(-1)
+		// Reconnect with small delay (like real clients do)
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(time.Duration(mrand.Intn(3000)) * time.Millisecond):
+		}
+	}
+}
+
+func wsSubscription(ctx context.Context, topics []string) {
+	wsURL := strings.Replace(baseURL, "https://", "wss://", 1)
+	wsURL = strings.Replace(wsURL, "http://", "ws://", 1)
+
+	for {
+		if ctx.Err() != nil {
+			return
+		}
+		topic := pickTopic(topics)
+		url := fmt.Sprintf("%s/%s/ws?since=all", wsURL, topic)
+
+		dialer := websocket.Dialer{
+			HandshakeTimeout: 10 * time.Second,
+		}
+		var wsHeader http.Header
+		if username != "" && password != "" {
+			wsHeader = http.Header{}
+			req, _ := http.NewRequest("GET", url, nil)
+			req.SetBasicAuth(username, password)
+			wsHeader.Set("Authorization", req.Header.Get("Authorization"))
+		}
+		activeStreams.Add(1)
+		conn, _, err := dialer.DialContext(ctx, url, wsHeader)
+		if err != nil {
+			activeStreams.Add(-1)
+			if ctx.Err() == nil {
+				trackError("ws_connect", err)
+			}
+			time.Sleep(time.Second)
+			continue
+		}
+
+		// Read messages until context cancelled or error
+		done := make(chan struct{})
+		go func() {
+			defer close(done)
+			for {
+				conn.SetReadDeadline(time.Now().Add(5 * time.Minute))
+				_, _, err := conn.ReadMessage()
+				if err != nil {
+					return
+				}
+			}
+		}()
+
+		select {
+		case <-ctx.Done():
+			conn.Close()
+			activeStreams.Add(-1)
+			return
+		case <-done:
+			conn.Close()
+			activeStreams.Add(-1)
+		}
+
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(time.Duration(mrand.Intn(3000)) * time.Millisecond):
+		}
+	}
+}
+
+func reportStats(ctx context.Context) {
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	var lastRequests, lastErrors int64
+	lastTime := time.Now()
+	reportCount := 0
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			now := time.Now()
+			currentRequests := totalRequests.Load()
+			currentErrors := totalErrors.Load()
+			elapsed := now.Sub(lastTime).Seconds()
+			currentRPS := float64(currentRequests-lastRequests) / elapsed
+			errorRate := float64(currentErrors-lastErrors) / elapsed
+
+			fmt.Printf("[%s] rps=%.1f err/s=%.1f total=%d errors=%d streams=%d\n",
+				now.Format("15:04:05"),
+				currentRPS,
+				errorRate,
+				currentRequests,
+				currentErrors,
+				activeStreams.Load(),
+			)
+
+			// Print error breakdown every 30 seconds
+			reportCount++
+			if reportCount%6 == 0 && currentErrors > 0 {
+				errMu.Lock()
+				fmt.Printf("  Error breakdown:\n")
+				for k, v := range errorCounts {
+					fmt.Printf("    %s: %d\n", k, v)
+				}
+				errMu.Unlock()
+			}
+
+			lastRequests = currentRequests
+			lastErrors = currentErrors
+			lastTime = now
+		}
+	}
+}
--- a/tools/pgimport/README.md
+++ b/tools/pgimport/README.md
@@ -1,6 +1,10 @@
 # pgimport

-Migrates ntfy data from SQLite to PostgreSQL.
+One-off migration script to import ntfy data from SQLite to PostgreSQL.
+
+This is **not** a generic migration tool. It only works with specific SQLite schema versions
+(message cache v14, user db v6, web push v1) and their corresponding PostgreSQL schemas.
+If your database versions differ, this tool will refuse to run.

 ## Build

@@ -18,13 +22,22 @@ pgimport \
  --auth-file /var/lib/ntfy/user.db \
  --web-push-file /var/lib/ntfy/webpush.db

+# Using --create-schema to set up PostgreSQL schema automatically
+pgimport \
+  --create-schema \
+  --database-url "postgres://user:pass@host:5432/ntfy?sslmode=require" \
+  --cache-file /var/cache/ntfy/cache.db \
+  --auth-file /var/lib/ntfy/user.db \
+  --web-push-file /var/lib/ntfy/webpush.db
+
 # Using server.yml (flags override config values)
 pgimport --config /etc/ntfy/server.yml
 ```

 ## Prerequisites

- PostgreSQL schema must already be set up (run ntfy with `database-url` once)
+- PostgreSQL schema must already be set up, either by running ntfy with `database-url` once,
+  or by passing `--create-schema` to pgimport to create the initial schema automatically
 - ntfy must not be running during the import
 - All three SQLite files are optional; only the ones specified will be imported

--- a/tools/pgimport/main.go
+++ b/tools/pgimport/main.go
@@ -1,3 +1,6 @@
+// pgimport is a one-off migration script to import ntfy data from SQLite to PostgreSQL.
+// It is not a generic migration tool. It expects specific schema versions for each database
+// (message cache v14, user db v6, web push v1) and will refuse to run if versions don't match.
 package main

 import (
@@ -11,7 +14,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"gopkg.in/yaml.v2"
-	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 )

 const (
@@ -20,6 +23,159 @@ const (
 	expectedMessageSchemaVersion = 14
 	expectedUserSchemaVersion    = 6
 	expectedWebPushSchemaVersion = 1
+
+	everyoneID = "u_everyone"
+
+	// Initial PostgreSQL schema for message store (from message/cache_postgres_schema.go)
+	createMessageSchemaQuery = `
+		CREATE TABLE IF NOT EXISTS message (
+			id BIGSERIAL PRIMARY KEY,
+			mid TEXT NOT NULL,
+			sequence_id TEXT NOT NULL,
+			time BIGINT NOT NULL,
+			event TEXT NOT NULL,
+			expires BIGINT NOT NULL,
+			topic TEXT NOT NULL,
+			message TEXT NOT NULL,
+			title TEXT NOT NULL,
+			priority INT NOT NULL,
+			tags TEXT NOT NULL,
+			click TEXT NOT NULL,
+			icon TEXT NOT NULL,
+			actions TEXT NOT NULL,
+			attachment_name TEXT NOT NULL,
+			attachment_type TEXT NOT NULL,
+			attachment_size BIGINT NOT NULL,
+			attachment_expires BIGINT NOT NULL,
+			attachment_url TEXT NOT NULL,
+			attachment_deleted BOOLEAN NOT NULL DEFAULT FALSE,
+			sender TEXT NOT NULL,
+			user_id TEXT NOT NULL,
+			content_type TEXT NOT NULL,
+			encoding TEXT NOT NULL,
+			published BOOLEAN NOT NULL DEFAULT FALSE
+		);
+		CREATE INDEX IF NOT EXISTS idx_message_mid ON message (mid);
+		CREATE INDEX IF NOT EXISTS idx_message_sequence_id ON message (sequence_id);
+		CREATE INDEX IF NOT EXISTS idx_message_topic_published_time ON message (topic, published, time, id);
+		CREATE INDEX IF NOT EXISTS idx_message_published_expires ON message (published, expires);
+		CREATE INDEX IF NOT EXISTS idx_message_sender_attachment_expires ON message (sender, attachment_expires) WHERE user_id = '';
+		CREATE INDEX IF NOT EXISTS idx_message_user_id_attachment_expires ON message (user_id, attachment_expires);
+		CREATE TABLE IF NOT EXISTS message_stats (
+			key TEXT PRIMARY KEY,
+			value BIGINT
+		);
+		INSERT INTO message_stats (key, value) VALUES ('messages', 0);
+		CREATE TABLE IF NOT EXISTS schema_version (
+			store TEXT PRIMARY KEY,
+			version INT NOT NULL
+		);
+		INSERT INTO schema_version (store, version) VALUES ('message', 14);
+	`
+
+	// Initial PostgreSQL schema for user store (from user/manager_postgres_schema.go)
+	createUserSchemaQuery = `
+		CREATE TABLE IF NOT EXISTS tier (
+			id TEXT PRIMARY KEY,
+			code TEXT NOT NULL,
+			name TEXT NOT NULL,
+			messages_limit BIGINT NOT NULL,
+			messages_expiry_duration BIGINT NOT NULL,
+			emails_limit BIGINT NOT NULL,
+			calls_limit BIGINT NOT NULL,
+			reservations_limit BIGINT NOT NULL,
+			attachment_file_size_limit BIGINT NOT NULL,
+			attachment_total_size_limit BIGINT NOT NULL,
+			attachment_expiry_duration BIGINT NOT NULL,
+			attachment_bandwidth_limit BIGINT NOT NULL,
+			stripe_monthly_price_id TEXT,
+			stripe_yearly_price_id TEXT,
+			UNIQUE(code),
+			UNIQUE(stripe_monthly_price_id),
+			UNIQUE(stripe_yearly_price_id)
+		);
+		CREATE TABLE IF NOT EXISTS "user" (
+		    id TEXT PRIMARY KEY,
+			tier_id TEXT REFERENCES tier(id),
+			user_name TEXT NOT NULL UNIQUE,
+			pass TEXT NOT NULL,
+			role TEXT NOT NULL CHECK (role IN ('anonymous', 'admin', 'user')),
+			prefs JSONB NOT NULL DEFAULT '{}',
+			sync_topic TEXT NOT NULL,
+			provisioned BOOLEAN NOT NULL,
+			stats_messages BIGINT NOT NULL DEFAULT 0,
+			stats_emails BIGINT NOT NULL DEFAULT 0,
+			stats_calls BIGINT NOT NULL DEFAULT 0,
+			stripe_customer_id TEXT UNIQUE,
+			stripe_subscription_id TEXT UNIQUE,
+			stripe_subscription_status TEXT,
+			stripe_subscription_interval TEXT,
+			stripe_subscription_paid_until BIGINT,
+			stripe_subscription_cancel_at BIGINT,
+			created BIGINT NOT NULL,
+			deleted BIGINT
+		);
+		CREATE TABLE IF NOT EXISTS user_access (
+			user_id TEXT NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
+			topic TEXT NOT NULL,
+			read BOOLEAN NOT NULL,
+			write BOOLEAN NOT NULL,
+			owner_user_id TEXT REFERENCES "user"(id) ON DELETE CASCADE,
+			provisioned BOOLEAN NOT NULL,
+			PRIMARY KEY (user_id, topic)
+		);
+		CREATE TABLE IF NOT EXISTS user_token (
+			user_id TEXT NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
+			token TEXT NOT NULL UNIQUE,
+			label TEXT NOT NULL,
+			last_access BIGINT NOT NULL,
+			last_origin TEXT NOT NULL,
+			expires BIGINT NOT NULL,
+			provisioned BOOLEAN NOT NULL,
+			PRIMARY KEY (user_id, token)
+		);
+		CREATE TABLE IF NOT EXISTS user_phone (
+			user_id TEXT NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
+			phone_number TEXT NOT NULL,
+			PRIMARY KEY (user_id, phone_number)
+		);
+		CREATE TABLE IF NOT EXISTS schema_version (
+			store TEXT PRIMARY KEY,
+			version INT NOT NULL
+		);
+		INSERT INTO "user" (id, user_name, pass, role, sync_topic, provisioned, created)
+		VALUES ('` + everyoneID + `', '*', '', 'anonymous', '', false, EXTRACT(EPOCH FROM NOW())::BIGINT)
+		ON CONFLICT (id) DO NOTHING;
+		INSERT INTO schema_version (store, version) VALUES ('user', 6);
+	`
+
+	// Initial PostgreSQL schema for web push store (from webpush/store_postgres.go)
+	createWebPushSchemaQuery = `
+		CREATE TABLE IF NOT EXISTS webpush_subscription (
+			id TEXT PRIMARY KEY,
+			endpoint TEXT NOT NULL UNIQUE,
+			key_auth TEXT NOT NULL,
+			key_p256dh TEXT NOT NULL,
+			user_id TEXT NOT NULL,
+			subscriber_ip TEXT NOT NULL,
+			updated_at BIGINT NOT NULL,
+			warned_at BIGINT NOT NULL DEFAULT 0
+		);
+		CREATE INDEX IF NOT EXISTS idx_webpush_subscriber_ip ON webpush_subscription (subscriber_ip);
+		CREATE INDEX IF NOT EXISTS idx_webpush_updated_at ON webpush_subscription (updated_at);
+		CREATE INDEX IF NOT EXISTS idx_webpush_user_id ON webpush_subscription (user_id);
+		CREATE TABLE IF NOT EXISTS webpush_subscription_topic (
+			subscription_id TEXT NOT NULL REFERENCES webpush_subscription (id) ON DELETE CASCADE,
+			topic TEXT NOT NULL,
+			PRIMARY KEY (subscription_id, topic)
+		);
+		CREATE INDEX IF NOT EXISTS idx_webpush_topic ON webpush_subscription_topic (topic);
+		CREATE TABLE IF NOT EXISTS schema_version (
+			store TEXT PRIMARY KEY,
+			version INT NOT NULL
+		);
+		INSERT INTO schema_version (store, version) VALUES ('webpush', 1);
+	`
 )

 var flags = []cli.Flag{
@@ -28,12 +184,13 @@ var flags = []cli.Flag{
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-file", Aliases: []string{"cache_file"}, Usage: "SQLite message cache file path"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"auth_file"}, Usage: "SQLite user/auth database file path"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "web-push-file", Aliases: []string{"web_push_file"}, Usage: "SQLite web push database file path"}),
+	&cli.BoolFlag{Name: "create-schema", Usage: "create initial PostgreSQL schema before importing"},
 }

 func main() {
 	app := &cli.App{
 		Name:      "pgimport",
-		Usage:     "SQLite to PostgreSQL migration tool for ntfy",
+		Usage:     "One-off SQLite to PostgreSQL migration script for ntfy",
 		UsageText: "pgimport [OPTIONS]",
 		Flags:     flags,
 		Before:    loadConfigFile("config", flags),
@@ -79,12 +236,19 @@ func execImport(c *cli.Context) error {
 	}
 	fmt.Println()

-	pgDB, err := db.OpenPostgres(databaseURL)
+	pgHost, err := pg.Open(databaseURL)
 	if err != nil {
 		return fmt.Errorf("cannot connect to PostgreSQL: %w", err)
 	}
+	pgDB := pgHost.DB
 	defer pgDB.Close()

+	if c.Bool("create-schema") {
+		if err := createSchema(pgDB, cacheFile, authFile, webPushFile); err != nil {
+			return fmt.Errorf("cannot create schema: %w", err)
+		}
+	}
+
 	if authFile != "" {
 		if err := verifySchemaVersion(pgDB, "user", expectedUserSchemaVersion); err != nil {
 			return err
@@ -136,6 +300,34 @@ func execImport(c *cli.Context) error {
 	return nil
 }

+func createSchema(pgDB *sql.DB, cacheFile, authFile, webPushFile string) error {
+	fmt.Println("Creating initial PostgreSQL schema ...")
+	// User schema must be created before message schema, because message_stats and
+	// schema_version use "INSERT INTO" without "ON CONFLICT", so user schema (which
+	// also creates the schema_version table) must come first.
+	if authFile != "" {
+		fmt.Println("  Creating user schema ...")
+		if _, err := pgDB.Exec(createUserSchemaQuery); err != nil {
+			return fmt.Errorf("creating user schema: %w", err)
+		}
+	}
+	if cacheFile != "" {
+		fmt.Println("  Creating message schema ...")
+		if _, err := pgDB.Exec(createMessageSchemaQuery); err != nil {
+			return fmt.Errorf("creating message schema: %w", err)
+		}
+	}
+	if webPushFile != "" {
+		fmt.Println("  Creating web push schema ...")
+		if _, err := pgDB.Exec(createWebPushSchemaQuery); err != nil {
+			return fmt.Errorf("creating web push schema: %w", err)
+		}
+	}
+	fmt.Println("  Schema creation complete.")
+	fmt.Println()
+	return nil
+}
+
 func loadConfigFile(configFlag string, flags []cli.Flag) cli.BeforeFunc {
 	return func(c *cli.Context) error {
 		configFile := c.String(configFlag)
--- a/user/manager.go
+++ b/user/manager.go
@@ -13,6 +13,7 @@ import (
 	"time"

 	"golang.org/x/crypto/bcrypt"
+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/log"
 	"heckel.io/ntfy/v2/payments"
 	"heckel.io/ntfy/v2/util"
@@ -48,7 +49,7 @@ var (
 // Manager handles user authentication, authorization, and management
 type Manager struct {
 	config     *Config
-	db         *sql.DB
+	db         *db.DB
 	queries    queries
 	statsQueue map[string]*Stats       // "Queue" to asynchronously write user stats to the database (UserID -> Stats)
 	tokenQueue map[string]*TokenUpdate // "Queue" to asynchronously write token access stats to the database (Token ID -> TokenUpdate)
@@ -57,7 +58,7 @@ type Manager struct {

 var _ Auther = (*Manager)(nil)

-func newManager(db *sql.DB, queries queries, config *Config) (*Manager, error) {
+func newManager(d *db.DB, queries queries, config *Config) (*Manager, error) {
 	if config.BcryptCost <= 0 {
 		config.BcryptCost = DefaultUserPasswordBcryptCost
 	}
@@ -66,7 +67,7 @@ func newManager(db *sql.DB, queries queries, config *Config) (*Manager, error) {
 	}
 	manager := &Manager{
 		config:     config,
-		db:         db,
+		db:         d,
 		statsQueue: make(map[string]*Stats),
 		tokenQueue: make(map[string]*TokenUpdate),
 		queries:    queries,
@@ -122,7 +123,7 @@ func (a *Manager) AddUser(username, password string, role Role, hashed bool) err
 	if err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.addUserTx(tx, username, hash, role, false)
 	})
 }
@@ -150,7 +151,7 @@ func (a *Manager) RemoveUser(username string) error {
 	if err := a.CanChangeUser(username); err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.removeUserTx(tx, username)
 	})
 }
@@ -173,7 +174,7 @@ func (a *Manager) MarkUserRemoved(user *User) error {
 	if !AllowedUsername(user.Name) {
 		return ErrInvalidArgument
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		if err := a.resetUserAccessTx(tx, user.Name); err != nil {
 			return err
 		}
@@ -205,7 +206,7 @@ func (a *Manager) ChangePassword(username, password string, hashed bool) error {
 	if err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.changePasswordHashTx(tx, username, hash)
 	})
 }
@@ -224,7 +225,7 @@ func (a *Manager) ChangeRole(username string, role Role) error {
 	if err := a.CanChangeUser(username); err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.changeRoleTx(tx, username, role)
 	})
 }
@@ -365,7 +366,7 @@ func (a *Manager) writeUserStatsQueue() error {
 	a.statsQueue = make(map[string]*Stats)
 	a.mu.Unlock()

-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		log.Tag(tag).Debug("Writing user stats queue for %d user(s)", len(statsQueue))
 		for userID, update := range statsQueue {
 			log.
@@ -414,45 +415,26 @@ func (a *Manager) userByToken(token string) (*User, error) {

 // UserByStripeCustomer returns the user with the given Stripe customer ID if it exists, or ErrUserNotFound otherwise
 func (a *Manager) UserByStripeCustomer(customerID string) (*User, error) {
-	rows, err := a.db.Query(a.queries.selectUserByStripeCustomerID, customerID)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectUserByStripeCustomerID, customerID)
 	if err != nil {
 		return nil, err
 	}
 	return a.readUser(rows)
 }

-// Users returns a list of users
+// Users returns a list of users. It loads all users in a single query
+// rather than one query per user to avoid N+1 performance issues.
 func (a *Manager) Users() ([]*User, error) {
-	rows, err := a.db.Query(a.queries.selectUsernames)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectUsers)
 	if err != nil {
 		return nil, err
 	}
-	defer rows.Close()
-	usernames := make([]string, 0)
-	for rows.Next() {
-		var username string
-		if err := rows.Scan(&username); err != nil {
-			return nil, err
-		} else if err := rows.Err(); err != nil {
-			return nil, err
-		}
-		usernames = append(usernames, username)
-	}
-	rows.Close()
-	users := make([]*User, 0)
-	for _, username := range usernames {
-		user, err := a.User(username)
-		if err != nil {
-			return nil, err
-		}
-		users = append(users, user)
-	}
-	return users, nil
+	return a.readUsers(rows)
 }

 // UsersCount returns the number of users in the database
 func (a *Manager) UsersCount() (int64, error) {
-	rows, err := a.db.Query(a.queries.selectUserCount)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectUserCount)
 	if err != nil {
 		return 0, err
 	}
@@ -469,14 +451,35 @@ func (a *Manager) UsersCount() (int64, error) {

 func (a *Manager) readUser(rows *sql.Rows) (*User, error) {
 	defer rows.Close()
+	if !rows.Next() {
+		return nil, ErrUserNotFound
+	}
+	user, err := a.scanUser(rows)
+	if err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+func (a *Manager) readUsers(rows *sql.Rows) ([]*User, error) {
+	defer rows.Close()
+	users := make([]*User, 0)
+	for rows.Next() {
+		user, err := a.scanUser(rows)
+		if err != nil {
+			return nil, err
+		}
+		users = append(users, user)
+	}
+	return users, nil
+}
+
+func (a *Manager) scanUser(rows *sql.Rows) (*User, error) {
 	var id, username, hash, role, prefs, syncTopic string
 	var provisioned bool
 	var stripeCustomerID, stripeSubscriptionID, stripeSubscriptionStatus, stripeSubscriptionInterval, stripeMonthlyPriceID, stripeYearlyPriceID, tierID, tierCode, tierName sql.NullString
 	var messages, emails, calls int64
 	var messagesLimit, messagesExpiryDuration, emailsLimit, callsLimit, reservationsLimit, attachmentFileSizeLimit, attachmentTotalSizeLimit, attachmentExpiryDuration, attachmentBandwidthLimit, stripeSubscriptionPaidUntil, stripeSubscriptionCancelAt, deleted sql.NullInt64
-	if !rows.Next() {
-		return nil, ErrUserNotFound
-	}
 	if err := rows.Scan(&id, &username, &hash, &role, &prefs, &syncTopic, &provisioned, &messages, &emails, &calls, &stripeCustomerID, &stripeSubscriptionID, &stripeSubscriptionStatus, &stripeSubscriptionInterval, &stripeSubscriptionPaidUntil, &stripeSubscriptionCancelAt, &deleted, &tierID, &tierCode, &tierName, &messagesLimit, &messagesExpiryDuration, &emailsLimit, &callsLimit, &reservationsLimit, &attachmentFileSizeLimit, &attachmentTotalSizeLimit, &attachmentExpiryDuration, &attachmentBandwidthLimit, &stripeMonthlyPriceID, &stripeYearlyPriceID); err != nil {
 		return nil, err
 	} else if err := rows.Err(); err != nil {
@@ -573,7 +576,7 @@ func (a *Manager) resolvePerms(base, perm Permission) error {
 // read/write access to a topic. The parameter topicPattern may include wildcards (*). The ACL entry
 // owner may either be a user (username), or the system (empty).
 func (a *Manager) AllowAccess(username string, topicPattern string, permission Permission) error {
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.allowAccessTx(tx, username, topicPattern, permission, false)
 	})
 }
@@ -591,7 +594,7 @@ func (a *Manager) allowAccessTx(tx *sql.Tx, username string, topicPattern string
 // ResetAccess removes an access control list entry for a specific username/topic, or (if topic is
 // empty) for an entire user. The parameter topicPattern may include wildcards (*).
 func (a *Manager) ResetAccess(username string, topicPattern string) error {
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.resetAccessTx(tx, username, topicPattern)
 	})
 }
@@ -657,7 +660,7 @@ func (a *Manager) authorizeTopicAccess(usernameOrEveryone, topic string) (read,

 // AllGrants returns all user-specific access control entries, mapped to their respective user IDs
 func (a *Manager) AllGrants() (map[string][]Grant, error) {
-	rows, err := a.db.Query(a.queries.selectUserAllAccess)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectUserAllAccess)
 	if err != nil {
 		return nil, err
 	}
@@ -685,7 +688,7 @@ func (a *Manager) AllGrants() (map[string][]Grant, error) {

 // Grants returns all user-specific access control entries
 func (a *Manager) Grants(username string) ([]Grant, error) {
-	rows, err := a.db.Query(a.queries.selectUserAccess, username)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectUserAccess, username)
 	if err != nil {
 		return nil, err
 	}
@@ -715,7 +718,7 @@ func (a *Manager) AddReservation(username string, topic string, everyone Permiss
 	if !AllowedUsername(username) || username == Everyone || !AllowedTopic(topic) {
 		return ErrInvalidArgument
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		if err := a.addReservationAccessTx(tx, username, topic, true, true, username); err != nil {
 			return err
 		}
@@ -735,7 +738,7 @@ func (a *Manager) RemoveReservations(username string, topics ...string) error {
 			return ErrInvalidArgument
 		}
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		for _, topic := range topics {
 			if err := a.resetTopicAccessTx(tx, username, topic); err != nil {
 				return err
@@ -750,7 +753,7 @@ func (a *Manager) RemoveReservations(username string, topics ...string) error {

 // Reservations returns all user-owned topics, and the associated everyone-access
 func (a *Manager) Reservations(username string) ([]Reservation, error) {
-	rows, err := a.db.Query(a.queries.selectUserReservations, Everyone, username)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectUserReservations, Everyone, username)
 	if err != nil {
 		return nil, err
 	}
@@ -793,7 +796,7 @@ func (a *Manager) HasReservation(username, topic string) (bool, error) {

 // ReservationsCount returns the number of reservations owned by this user
 func (a *Manager) ReservationsCount(username string) (int64, error) {
-	rows, err := a.db.Query(a.queries.selectUserReservationsCount, username)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectUserReservationsCount, username)
 	if err != nil {
 		return 0, err
 	}
@@ -874,7 +877,7 @@ func (a *Manager) resetTopicAccessTx(tx *sql.Tx, username, topicPattern string)
 // after a fixed duration unless ChangeToken is called. This function also prunes tokens for the
 // given user, if there are too many of them.
 func (a *Manager) CreateToken(userID, label string, expires time.Time, origin netip.Addr, provisioned bool) (*Token, error) {
-	return queryTx(a.db, func(tx *sql.Tx) (*Token, error) {
+	return db.QueryTx(a.db, func(tx *sql.Tx) (*Token, error) {
 		return a.createTokenTx(tx, userID, GenerateToken(), label, time.Now(), origin, expires, tokenMaxCount, provisioned)
 	})
 }
@@ -959,7 +962,7 @@ func (a *Manager) canChangeToken(userID, token string) error {

 // Token returns a specific token for a user
 func (a *Manager) Token(userID, token string) (*Token, error) {
-	rows, err := a.db.Query(a.queries.selectToken, userID, token)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectToken, userID, token)
 	if err != nil {
 		return nil, err
 	}
@@ -969,7 +972,7 @@ func (a *Manager) Token(userID, token string) (*Token, error) {

 // Tokens returns all existing tokens for the user with the given user ID
 func (a *Manager) Tokens(userID string) ([]*Token, error) {
-	rows, err := a.db.Query(a.queries.selectTokens, userID)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectTokens, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -988,7 +991,7 @@ func (a *Manager) Tokens(userID string) ([]*Token, error) {
 }

 func (a *Manager) allProvisionedTokens() ([]*Token, error) {
-	rows, err := a.db.Query(a.queries.selectAllProvisionedTokens)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectAllProvisionedTokens)
 	if err != nil {
 		return nil, err
 	}
@@ -1033,7 +1036,7 @@ func (a *Manager) writeTokenUpdateQueue() error {
 	a.tokenQueue = make(map[string]*TokenUpdate)
 	a.mu.Unlock()

-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		log.Tag(tag).Debug("Writing token update queue for %d token(s)", len(tokenQueue))
 		for tokenID, update := range tokenQueue {
 			log.Tag(tag).Trace("Updating token %s with last access time %v", tokenID, update.LastAccess.Unix())
@@ -1111,7 +1114,7 @@ func (a *Manager) RemoveTier(code string) error {

 // Tiers returns a list of all Tier structs
 func (a *Manager) Tiers() ([]*Tier, error) {
-	rows, err := a.db.Query(a.queries.selectTiers)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectTiers)
 	if err != nil {
 		return nil, err
 	}
@@ -1131,7 +1134,7 @@ func (a *Manager) Tiers() ([]*Tier, error) {

 // Tier returns a Tier based on the code, or ErrTierNotFound if it does not exist
 func (a *Manager) Tier(code string) (*Tier, error) {
-	rows, err := a.db.Query(a.queries.selectTierByCode, code)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectTierByCode, code)
 	if err != nil {
 		return nil, err
 	}
@@ -1141,7 +1144,7 @@ func (a *Manager) Tier(code string) (*Tier, error) {

 // TierByStripePrice returns a Tier based on the Stripe price ID, or ErrTierNotFound if it does not exist
 func (a *Manager) TierByStripePrice(priceID string) (*Tier, error) {
-	rows, err := a.db.Query(a.queries.selectTierByPriceID, priceID, priceID)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectTierByPriceID, priceID, priceID)
 	if err != nil {
 		return nil, err
 	}
@@ -1182,7 +1185,7 @@ func (a *Manager) readTier(rows *sql.Rows) (*Tier, error) {

 // PhoneNumbers returns all phone numbers for the user with the given user ID
 func (a *Manager) PhoneNumbers(userID string) ([]string, error) {
-	rows, err := a.db.Query(a.queries.selectPhoneNumbers, userID)
+	rows, err := a.db.ReadOnly().Query(a.queries.selectPhoneNumbers, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -1243,6 +1246,12 @@ func (a *Manager) maybeProvisionUsersAccessAndTokens() error {
 	if !a.config.ProvisionEnabled {
 		return nil
 	}
+	// If there is nothing to provision, remove any previously provisioned items using
+	// cheap targeted queries, avoiding the expensive Users() call that loads all users.
+	if len(a.config.Users) == 0 && len(a.config.Access) == 0 && len(a.config.Tokens) == 0 {
+		return a.removeAllProvisioned()
+	}
+	// If there are provisioned users, do it the slow way
 	existingUsers, err := a.Users()
 	if err != nil {
 		return err
@@ -1254,7 +1263,7 @@ func (a *Manager) maybeProvisionUsersAccessAndTokens() error {
 	if err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		if err := a.maybeProvisionUsers(tx, provisionUsernames, existingUsers); err != nil {
 			return fmt.Errorf("failed to provision users: %v", err)
 		}
@@ -1268,6 +1277,23 @@ func (a *Manager) maybeProvisionUsersAccessAndTokens() error {
 	})
 }

+// removeAllProvisioned removes all provisioned users, access entries, and tokens. This is the fast path
+// for when there is nothing to provision, avoiding the expensive Users() call.
+func (a *Manager) removeAllProvisioned() error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(a.queries.deleteUserAccessProvisioned); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(a.queries.deleteAllProvisionedTokens); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(a.queries.deleteUsersProvisioned); err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
 // maybeProvisionUsers checks if the users in the config are provisioned, and adds or updates them.
 // It also removes users that are provisioned, but not in the config anymore.
 func (a *Manager) maybeProvisionUsers(tx *sql.Tx, provisionUsernames []string, existingUsers []*User) error {
--- a/user/manager_postgres.go
+++ b/user/manager_postgres.go
@@ -1,12 +1,23 @@
 package user

 import (
-	"database/sql"
+	"heckel.io/ntfy/v2/db"
 )

 // PostgreSQL queries
 const (
 	// User queries
+	postgresSelectUsersQuery = `
+		SELECT u.id, u.user_name, u.pass, u.role, u.prefs, u.sync_topic, u.provisioned, u.stats_messages, u.stats_emails, u.stats_calls, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, u.deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.calls_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
+		FROM "user" u
+		LEFT JOIN tier t on t.id = u.tier_id
+		ORDER BY
+			CASE u.role
+				WHEN 'admin' THEN 1
+				WHEN 'anonymous' THEN 3
+				ELSE 2
+			END, u.user_name
+	`
 	postgresSelectUserByIDQuery = `
 		SELECT u.id, u.user_name, u.pass, u.role, u.prefs, u.sync_topic, u.provisioned, u.stats_messages, u.stats_emails, u.stats_calls, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, u.deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.calls_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
 		FROM "user" u
@@ -56,6 +67,7 @@ const (
 	postgresDeleteUserQuery               = `DELETE FROM "user" WHERE user_name = $1`
 	postgresDeleteUserTierQuery           = `UPDATE "user" SET tier_id = null WHERE user_name = $1`
 	postgresDeleteUsersMarkedQuery        = `DELETE FROM "user" WHERE deleted < $1`
+	postgresDeleteUsersProvisionedQuery   = `DELETE FROM "user" WHERE provisioned = true`

 	// Access queries
 	postgresSelectTopicPermsQuery = `
@@ -146,13 +158,14 @@ const (
 		ON CONFLICT (user_id, token)
 		DO UPDATE SET label = excluded.label, expires = excluded.expires, provisioned = excluded.provisioned
 	`
-	postgresUpdateTokenQuery            = `UPDATE user_token SET label = $1, expires = $2 WHERE user_id = $3 AND token = $4`
-	postgresUpdateTokenLastAccessQuery  = `UPDATE user_token SET last_access = $1, last_origin = $2 WHERE token = $3`
-	postgresDeleteTokenQuery            = `DELETE FROM user_token WHERE user_id = $1 AND token = $2`
-	postgresDeleteProvisionedTokenQuery = `DELETE FROM user_token WHERE token = $1`
-	postgresDeleteAllTokenQuery         = `DELETE FROM user_token WHERE user_id = $1`
-	postgresDeleteExpiredTokensQuery    = `DELETE FROM user_token WHERE expires > 0 AND expires < $1`
-	postgresDeleteExcessTokensQuery     = `
+	postgresUpdateTokenQuery                = `UPDATE user_token SET label = $1, expires = $2 WHERE user_id = $3 AND token = $4`
+	postgresUpdateTokenLastAccessQuery      = `UPDATE user_token SET last_access = $1, last_origin = $2 WHERE token = $3`
+	postgresDeleteTokenQuery                = `DELETE FROM user_token WHERE user_id = $1 AND token = $2`
+	postgresDeleteProvisionedTokenQuery     = `DELETE FROM user_token WHERE token = $1`
+	postgresDeleteAllProvisionedTokensQuery = `DELETE FROM user_token WHERE provisioned = true`
+	postgresDeleteAllTokenQuery             = `DELETE FROM user_token WHERE user_id = $1`
+	postgresDeleteExpiredTokensQuery        = `DELETE FROM user_token WHERE expires > 0 AND expires < $1`
+	postgresDeleteExcessTokensQuery         = `
 		DELETE FROM user_token
 		WHERE user_id = $1
 		  AND (user_id, token) NOT IN (
@@ -210,6 +223,7 @@ var postgresQueries = queries{
 	selectUserByToken:            postgresSelectUserByTokenQuery,
 	selectUserByStripeCustomerID: postgresSelectUserByStripeCustomerIDQuery,
 	selectUsernames:              postgresSelectUsernamesQuery,
+	selectUsers:                  postgresSelectUsersQuery,
 	selectUserCount:              postgresSelectUserCountQuery,
 	selectUserIDFromUsername:     postgresSelectUserIDFromUsernameQuery,
 	insertUser:                   postgresInsertUserQuery,
@@ -224,6 +238,7 @@ var postgresQueries = queries{
 	deleteUser:                   postgresDeleteUserQuery,
 	deleteUserTier:               postgresDeleteUserTierQuery,
 	deleteUsersMarked:            postgresDeleteUsersMarkedQuery,
+	deleteUsersProvisioned:       postgresDeleteUsersProvisionedQuery,
 	selectTopicPerms:             postgresSelectTopicPermsQuery,
 	selectUserAllAccess:          postgresSelectUserAllAccessQuery,
 	selectUserAccess:             postgresSelectUserAccessQuery,
@@ -246,6 +261,7 @@ var postgresQueries = queries{
 	updateTokenLastAccess:        postgresUpdateTokenLastAccessQuery,
 	deleteToken:                  postgresDeleteTokenQuery,
 	deleteProvisionedToken:       postgresDeleteProvisionedTokenQuery,
+	deleteAllProvisionedTokens:   postgresDeleteAllProvisionedTokensQuery,
 	deleteAllToken:               postgresDeleteAllTokenQuery,
 	deleteExpiredTokens:          postgresDeleteExpiredTokensQuery,
 	deleteExcessTokens:           postgresDeleteExcessTokensQuery,
@@ -262,9 +278,9 @@ var postgresQueries = queries{
 }

 // NewPostgresManager creates a new Manager backed by a PostgreSQL database
-func NewPostgresManager(db *sql.DB, config *Config) (*Manager, error) {
-	if err := setupPostgres(db); err != nil {
+func NewPostgresManager(d *db.DB, config *Config) (*Manager, error) {
+	if err := setupPostgres(d.Primary()); err != nil {
 		return nil, err
 	}
-	return newManager(db, postgresQueries, config)
+	return newManager(d, postgresQueries, config)
 }
--- a/user/manager_sqlite.go
+++ b/user/manager_sqlite.go
@@ -7,11 +7,23 @@ import (

 	_ "github.com/mattn/go-sqlite3" // SQLite driver

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/util"
 )

 const (
 	// User queries
+	sqliteSelectUsersQuery = `
+		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.provisioned, u.stats_messages, u.stats_emails, u.stats_calls, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.calls_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
+		FROM user u
+		LEFT JOIN tier t on t.id = u.tier_id
+		ORDER BY
+			CASE u.role
+				WHEN 'admin' THEN 1
+				WHEN 'anonymous' THEN 3
+				ELSE 2
+			END, u.user
+	`
 	sqliteSelectUserByIDQuery = `
 		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.provisioned, u.stats_messages, u.stats_emails, u.stats_calls, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.calls_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
 		FROM user u
@@ -61,6 +73,7 @@ const (
 	sqliteDeleteUserQuery               = `DELETE FROM user WHERE user = ?`
 	sqliteDeleteUserTierQuery           = `UPDATE user SET tier_id = null WHERE user = ?`
 	sqliteDeleteUsersMarkedQuery        = `DELETE FROM user WHERE deleted < ?`
+	sqliteDeleteUsersProvisionedQuery   = `DELETE FROM user WHERE provisioned = 1`

 	// Access queries
 	sqliteSelectTopicPermsQuery = `
@@ -144,13 +157,14 @@ const (
 		ON CONFLICT (user_id, token)
 		DO UPDATE SET label = excluded.label, expires = excluded.expires, provisioned = excluded.provisioned
 	`
-	sqliteUpdateTokenQuery            = `UPDATE user_token SET label = ?, expires = ? WHERE user_id = ? AND token = ?`
-	sqliteUpdateTokenLastAccessQuery  = `UPDATE user_token SET last_access = ?, last_origin = ? WHERE token = ?`
-	sqliteDeleteTokenQuery            = `DELETE FROM user_token WHERE user_id = ? AND token = ?`
-	sqliteDeleteProvisionedTokenQuery = `DELETE FROM user_token WHERE token = ?`
-	sqliteDeleteAllTokenQuery         = `DELETE FROM user_token WHERE user_id = ?`
-	sqliteDeleteExpiredTokensQuery    = `DELETE FROM user_token WHERE expires > 0 AND expires < ?`
-	sqliteDeleteExcessTokensQuery     = `
+	sqliteUpdateTokenQuery                = `UPDATE user_token SET label = ?, expires = ? WHERE user_id = ? AND token = ?`
+	sqliteUpdateTokenLastAccessQuery      = `UPDATE user_token SET last_access = ?, last_origin = ? WHERE token = ?`
+	sqliteDeleteTokenQuery                = `DELETE FROM user_token WHERE user_id = ? AND token = ?`
+	sqliteDeleteProvisionedTokenQuery     = `DELETE FROM user_token WHERE token = ?`
+	sqliteDeleteAllProvisionedTokensQuery = `DELETE FROM user_token WHERE provisioned = 1`
+	sqliteDeleteAllTokenQuery             = `DELETE FROM user_token WHERE user_id = ?`
+	sqliteDeleteExpiredTokensQuery        = `DELETE FROM user_token WHERE expires > 0 AND expires < ?`
+	sqliteDeleteExcessTokensQuery         = `
 		DELETE FROM user_token
 		WHERE user_id = ?
 		  AND (user_id, token) NOT IN (
@@ -207,6 +221,7 @@ var sqliteQueries = queries{
 	selectUserByToken:            sqliteSelectUserByTokenQuery,
 	selectUserByStripeCustomerID: sqliteSelectUserByStripeCustomerIDQuery,
 	selectUsernames:              sqliteSelectUsernamesQuery,
+	selectUsers:                  sqliteSelectUsersQuery,
 	selectUserCount:              sqliteSelectUserCountQuery,
 	selectUserIDFromUsername:     sqliteSelectUserIDFromUsernameQuery,
 	insertUser:                   sqliteInsertUserQuery,
@@ -221,6 +236,7 @@ var sqliteQueries = queries{
 	deleteUser:                   sqliteDeleteUserQuery,
 	deleteUserTier:               sqliteDeleteUserTierQuery,
 	deleteUsersMarked:            sqliteDeleteUsersMarkedQuery,
+	deleteUsersProvisioned:       sqliteDeleteUsersProvisionedQuery,
 	selectTopicPerms:             sqliteSelectTopicPermsQuery,
 	selectUserAllAccess:          sqliteSelectUserAllAccessQuery,
 	selectUserAccess:             sqliteSelectUserAccessQuery,
@@ -243,6 +259,7 @@ var sqliteQueries = queries{
 	updateTokenLastAccess:        sqliteUpdateTokenLastAccessQuery,
 	deleteToken:                  sqliteDeleteTokenQuery,
 	deleteProvisionedToken:       sqliteDeleteProvisionedTokenQuery,
+	deleteAllProvisionedTokens:   sqliteDeleteAllProvisionedTokensQuery,
 	deleteAllToken:               sqliteDeleteAllTokenQuery,
 	deleteExpiredTokens:          sqliteDeleteExpiredTokensQuery,
 	deleteExcessTokens:           sqliteDeleteExcessTokensQuery,
@@ -264,15 +281,15 @@ func NewSQLiteManager(filename, startupQueries string, config *Config) (*Manager
 	if !util.FileExists(parentDir) {
 		return nil, fmt.Errorf("user database directory %s does not exist or is not accessible", parentDir)
 	}
-	db, err := sql.Open("sqlite3", filename)
+	d, err := sql.Open("sqlite3", filename)
 	if err != nil {
 		return nil, err
 	}
-	if err := setupSQLite(db); err != nil {
+	if err := setupSQLite(d); err != nil {
 		return nil, err
 	}
-	if err := runSQLiteStartupQueries(db, startupQueries); err != nil {
+	if err := runSQLiteStartupQueries(d, startupQueries); err != nil {
 		return nil, err
 	}
-	return newManager(db, sqliteQueries, config)
+	return newManager(db.New(&db.Host{DB: d}, nil), sqliteQueries, config)
 }
--- a/user/manager_sqlite_schema.go
+++ b/user/manager_sqlite_schema.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"fmt"

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/log"
 	"heckel.io/ntfy/v2/util"
 )
@@ -11,7 +12,6 @@ import (
 // Initial SQLite schema
 const (
 	sqliteCreateTablesQueries = `
-		BEGIN;
 		CREATE TABLE IF NOT EXISTS tier (
 			id TEXT PRIMARY KEY,
 			code TEXT NOT NULL,
@@ -92,7 +92,6 @@ const (
 		INSERT INTO user (id, user, pass, role, sync_topic, provisioned, created)
 		VALUES ('` + everyoneID + `', '*', '', 'anonymous', '', false, UNIXEPOCH())
 		ON CONFLICT (id) DO NOTHING;
-		COMMIT;
 	`
 )

@@ -328,8 +327,7 @@ var (

 func setupSQLite(db *sql.DB) error {
 	var schemaVersion int
-	err := db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion)
-	if err != nil {
+	if err := db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion); err != nil {
 		return setupNewSQLite(db)
 	}
 	if schemaVersion == sqliteCurrentSchemaVersion {
@@ -348,14 +346,16 @@ func setupSQLite(db *sql.DB) error {
 	return nil
 }

-func setupNewSQLite(db *sql.DB) error {
-	if _, err := db.Exec(sqliteCreateTablesQueries); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return nil
+func setupNewSQLite(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteCreateTablesQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }

 func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
@@ -370,114 +370,96 @@ func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
 	return nil
 }

-func sqliteMigrateFrom1(db *sql.DB) error {
+func sqliteMigrateFrom1(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 1 to 2")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	// Rename user -> user_old, and create new tables
-	if _, err := tx.Exec(sqliteMigrate1To2CreateTablesQueries); err != nil {
-		return err
-	}
-	// Insert users from user_old into new user table, with ID and sync_topic
-	rows, err := tx.Query(sqliteMigrate1To2SelectAllOldUsernamesNoTxQuery)
-	if err != nil {
-		return err
-	}
-	defer rows.Close()
-	usernames := make([]string, 0)
-	for rows.Next() {
-		var username string
-		if err := rows.Scan(&username); err != nil {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		// Rename user -> user_old, and create new tables
+		if _, err := tx.Exec(sqliteMigrate1To2CreateTablesQueries); err != nil {
 			return err
 		}
-		usernames = append(usernames, username)
-	}
-	if err := rows.Close(); err != nil {
-		return err
-	}
-	for _, username := range usernames {
-		userID := util.RandomStringPrefix(userIDPrefix, userIDLength)
-		syncTopic := util.RandomStringPrefix(syncTopicPrefix, syncTopicLength)
-		if _, err := tx.Exec(sqliteMigrate1To2InsertUserNoTxQuery, userID, syncTopic, username); err != nil {
+		// Insert users from user_old into new user table, with ID and sync_topic
+		rows, err := tx.Query(sqliteMigrate1To2SelectAllOldUsernamesNoTxQuery)
+		if err != nil {
 			return err
 		}
-	}
-	// Migrate old "access" table to "user_access" and drop "access" and "user_old"
-	if _, err := tx.Exec(sqliteMigrate1To2InsertFromOldTablesAndDropNoTxQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 2); err != nil {
-		return err
-	}
-	if err := tx.Commit(); err != nil {
-		return err
-	}
-	return nil
+		defer rows.Close()
+		usernames := make([]string, 0)
+		for rows.Next() {
+			var username string
+			if err := rows.Scan(&username); err != nil {
+				return err
+			}
+			usernames = append(usernames, username)
+		}
+		if err := rows.Close(); err != nil {
+			return err
+		}
+		for _, username := range usernames {
+			userID := util.RandomStringPrefix(userIDPrefix, userIDLength)
+			syncTopic := util.RandomStringPrefix(syncTopicPrefix, syncTopicLength)
+			if _, err := tx.Exec(sqliteMigrate1To2InsertUserNoTxQuery, userID, syncTopic, username); err != nil {
+				return err
+			}
+		}
+		// Migrate old "access" table to "user_access" and drop "access" and "user_old"
+		if _, err := tx.Exec(sqliteMigrate1To2InsertFromOldTablesAndDropNoTxQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 2); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom2(db *sql.DB) error {
+func sqliteMigrateFrom2(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 2 to 3")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate2To3UpdateQueries); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 3); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate2To3UpdateQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 3); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom3(db *sql.DB) error {
+func sqliteMigrateFrom3(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 3 to 4")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate3To4UpdateQueries); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 4); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate3To4UpdateQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 4); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom4(db *sql.DB) error {
+func sqliteMigrateFrom4(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 4 to 5")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate4To5UpdateQueries); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 5); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate4To5UpdateQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 5); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom5(db *sql.DB) error {
+func sqliteMigrateFrom5(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 5 to 6")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate5To6UpdateQueries); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 6); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate5To6UpdateQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 6); err != nil {
+			return err
+		}
+		return nil
+	})
 }
--- a/user/manager_test.go
+++ b/user/manager_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/bcrypt"
 	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 	dbtest "heckel.io/ntfy/v2/db/test"
 	"heckel.io/ntfy/v2/util"
 )
@@ -36,9 +37,9 @@ func forEachBackend(t *testing.T, f func(t *testing.T, newManager newManagerFunc
 	t.Run("postgres", func(t *testing.T) {
 		schemaDSN := dbtest.CreateTestPostgresSchema(t)
 		f(t, func(config *Config) *Manager {
-			pool, err := db.OpenPostgres(schemaDSN)
+			host, err := pg.Open(schemaDSN)
 			require.Nil(t, err)
-			a, err := NewPostgresManager(pool, config)
+			a, err := NewPostgresManager(db.New(host, nil), config)
 			require.Nil(t, err)
 			return a
 		})
@@ -1441,6 +1442,54 @@ func TestManager_UpdateNonProvisionedUsersToProvisionedUsers(t *testing.T) {
 	})
 }

+func TestManager_RemoveProvisionedOnEmptyConfig(t *testing.T) {
+	forEachBackend(t, func(t *testing.T, newManager newManagerFunc) {
+		// Start with provisioned users, access, and tokens
+		conf := &Config{
+			DefaultAccess:    PermissionReadWrite,
+			ProvisionEnabled: true,
+			BcryptCost:       bcrypt.MinCost,
+			Users: []*User{
+				{Name: "provuser", Hash: "$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C", Role: RoleUser},
+			},
+			Access: map[string][]*Grant{
+				"provuser": {
+					{TopicPattern: "stats", Permission: PermissionReadWrite},
+				},
+			},
+			Tokens: map[string][]*Token{
+				"provuser": {
+					{Value: "tk_op56p8lz5bf3cxkz9je99v9oc37lo", Label: "Provisioned token"},
+				},
+			},
+		}
+		a := newTestManagerFromConfig(t, newManager, conf)
+
+		// Also add a manual (non-provisioned) user
+		require.Nil(t, a.AddUser("manualuser", "manual", RoleUser, false))
+
+		// Verify initial state
+		users, err := a.Users()
+		require.Nil(t, err)
+		require.Len(t, users, 3) // provuser, manualuser, everyone
+
+		// Re-open with empty provisioning config (simulates config change)
+		require.Nil(t, a.Close())
+		conf.Users = nil
+		conf.Access = nil
+		conf.Tokens = nil
+		a = newTestManagerFromConfig(t, newManager, conf)
+
+		// Provisioned user should be removed, manual user should remain
+		users, err = a.Users()
+		require.Nil(t, err)
+		require.Len(t, users, 2)
+		require.Equal(t, "manualuser", users[0].Name)
+		require.False(t, users[0].Provisioned)
+		require.Equal(t, "*", users[1].Name) // everyone
+	})
+}
+
 func TestToFromSQLWildcard(t *testing.T) {
 	require.Equal(t, "up%", toSQLWildcard("up*"))
 	require.Equal(t, "up\\_%", toSQLWildcard("up_*"))
@@ -1686,8 +1735,8 @@ func TestMigrationFrom4(t *testing.T) {
 	require.Nil(t, a.Authorize(nil, "up", PermissionRead)) // % matches 0 or more characters
 }

-func checkSchemaVersion(t *testing.T, db *sql.DB) {
-	rows, err := db.Query(`SELECT version FROM schemaVersion`)
+func checkSchemaVersion(t *testing.T, d *db.DB) {
+	rows, err := d.Query(`SELECT version FROM schemaVersion`)
 	require.Nil(t, err)
 	require.True(t, rows.Next())

@@ -1723,7 +1772,7 @@ func newTestManagerFromConfig(t *testing.T, newManager newManagerFunc, conf *Con
 	return a
 }

-func testDB(a *Manager) *sql.DB {
+func testDB(a *Manager) *db.DB {
 	return a.db
 }

--- a/user/types.go
+++ b/user/types.go
@@ -283,6 +283,7 @@ type queries struct {
 	selectUserByToken            string
 	selectUserByStripeCustomerID string
 	selectUsernames              string
+	selectUsers                  string
 	selectUserCount              string
 	selectUserIDFromUsername     string
 	insertUser                   string
@@ -297,6 +298,7 @@ type queries struct {
 	deleteUser                   string
 	deleteUserTier               string
 	deleteUsersMarked            string
+	deleteUsersProvisioned       string

 	// Access queries
 	selectTopicPerms            string
@@ -323,6 +325,7 @@ type queries struct {
 	updateTokenLastAccess      string
 	deleteToken                string
 	deleteProvisionedToken     string
+	deleteAllProvisionedTokens string
 	deleteAllToken             string
 	deleteExpiredTokens        string
 	deleteExcessTokens         string
--- a/user/util.go
+++ b/user/util.go
@@ -113,35 +113,3 @@ func escapeUnderscore(s string) string {
 func unescapeUnderscore(s string) string {
 	return strings.ReplaceAll(s, "\\_", "_")
 }
-
-// execTx executes a function in a transaction. If the function returns an error, the transaction is rolled back.
-func execTx(db *sql.DB, f func(tx *sql.Tx) error) error {
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if err := f(tx); err != nil {
-		return err
-	}
-	return tx.Commit()
-}
-
-// queryTx executes a function in a transaction and returns the result. If the function
-// returns an error, the transaction is rolled back.
-func queryTx[T any](db *sql.DB, f func(tx *sql.Tx) (T, error)) (T, error) {
-	tx, err := db.Begin()
-	if err != nil {
-		var zero T
-		return zero, err
-	}
-	defer tx.Rollback()
-	t, err := f(tx)
-	if err != nil {
-		return t, err
-	}
-	if err := tx.Commit(); err != nil {
-		return t, err
-	}
-	return t, nil
-}
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/public/static/langs/hu.json
+++ b/web/public/static/langs/hu.json
@@ -215,5 +215,13 @@
    "alert_notification_permission_denied_title": "Az értesítések blokkolva vannak",
    "alert_notification_permission_denied_description": "Kérjük kapcsold őket vissza a böngésződben",
    "alert_notification_ios_install_required_title": "iOS telepítés szükséges",
-    "alert_not_supported_context_description": "Az értesítések kizárólag HTTPS-en keresztül támogatottak. Ez a <mdnLink>Notifications API</mdnLink> korlátozása."
+    "alert_not_supported_context_description": "Az értesítések kizárólag HTTPS-en keresztül támogatottak. Ez a <mdnLink>Notifications API</mdnLink> korlátozása.",
+    "signup_form_toggle_password_visibility": "Jelszó láthatóságának kapcsolása",
+    "signup_disabled": "A regisztráció le van tiltva",
+    "action_bar_reservation_add": "Téma fenntartása",
+    "action_bar_reservation_edit": "Foglalás módosítása",
+    "action_bar_reservation_delete": "Foglalás törlése",
+    "nav_upgrade_banner_label": "Frissítés ntfy Pro-ra",
+    "nav_upgrade_banner_description": "Témák, több üzenet és e-mail, valamint nagyobb mellékletek megőrzése",
+    "alert_notification_ios_install_required_description": "Kattintson a Megosztás ikonra, majd a Hozzáadás a kezdőképernyőhöz gombra, hogy engedélyezze az értesítéseket iOS rendszeren"
 }
--- a/web/public/static/langs/tr.json
+++ b/web/public/static/langs/tr.json
@@ -403,5 +403,7 @@
    "web_push_subscription_expiring_body": "Bildirimleri almaya devam etmek için ntfy'yi açın",
    "web_push_unknown_notification_title": "Sunucudan bilinmeyen bildirim alındı",
    "web_push_unknown_notification_body": "Web uygulamasını açarak ntfy'yi güncellemeniz gerekebilir",
-    "subscribe_dialog_subscribe_use_another_background_info": "Web uygulaması açık değilken diğer sunuculardan gelen bildirimler alınmayacaktır"
+    "subscribe_dialog_subscribe_use_another_background_info": "Web uygulaması açık değilken diğer sunuculardan gelen bildirimler alınmayacaktır",
+    "account_basics_cannot_edit_or_delete_provisioned_user": "Yetkilendirilmiş kullanıcı düzenlenemez veya silinemez",
+    "account_tokens_table_cannot_delete_or_edit_provisioned_token": "Sağlanmış belirteci düzenleyemez veya silemezsiniz"
 }
--- a/web/public/static/langs/zh_Hant.json
+++ b/web/public/static/langs/zh_Hant.json
@@ -361,7 +361,7 @@
    "publish_dialog_tags_placeholder": "英文逗號分隔標記列表，例如 warning, srv1-backup",
    "publish_dialog_title_label": "主題",
    "publish_dialog_title_no_topic": "發布通知",
-    "publish_dialog_title_placeholder": "主題標題，例如 磁碟空間警告",
+    "publish_dialog_title_placeholder": "主題標題，例如：磁碟空間警告",
    "publish_dialog_title_topic": "發布到 {{topic}}",
    "publish_dialog_topic_label": "主題名稱",
    "publish_dialog_topic_placeholder": "主題名稱，例如 phil_alerts",
--- a/web/src/app/Notifier.js
+++ b/web/src/app/Notifier.js
@@ -8,6 +8,8 @@ import routes from "../components/routes";
 * support this; most importantly, all iOS browsers do not support window.Notification.
 */
 class Notifier {
+  lastSoundPlayedAt = 0;
+
  async notify(subscription, notification) {
    if (!this.supported()) {
      return;
@@ -49,11 +51,17 @@ class Notifier {
  }

  async playSound() {
-    // Play sound
+    // Play sound, but not more than once every 2 seconds
+    const now = Date.now();
+    if (now - this.lastSoundPlayedAt < 2000) {
+      console.log(`[Notifier] Not playing notification sound, since it was last played <2s ago`, this.lastSoundPlayedAt);
+      return;
+    }
    const sound = await prefs.sound();
    if (sound && sound !== "none") {
      try {
        await playSound(sound);
+        this.lastSoundPlayedAt = Date.now();
      } catch (e) {
        console.log(`[Notifier] Error playing audio`, e);
      }
--- a/web/src/components/Account.jsx
+++ b/web/src/components/Account.jsx
@@ -136,9 +136,11 @@ const ChangePassword = () => {
          ⬤⬤⬤⬤⬤⬤⬤⬤⬤⬤
        </Typography>
        {!account?.provisioned ? (
-          <IconButton onClick={handleDialogOpen} aria-label={t("account_basics_password_description")}>
-            <EditIcon />
-          </IconButton>
+          <Tooltip title={t("account_basics_password_description")}>
+            <IconButton onClick={handleDialogOpen} aria-label={t("account_basics_password_description")}>
+              <EditIcon />
+            </IconButton>
+          </Tooltip>
        ) : (
          <Tooltip title={t("account_basics_cannot_edit_or_delete_provisioned_user")}>
            <span>
@@ -899,12 +901,16 @@ const TokensTable = (props) => {
            <TableCell align="right" sx={{ whiteSpace: "nowrap" }}>
              {token.token !== session.token() && !token.provisioned && (
                <>
-                  <IconButton onClick={() => handleEditClick(token)} aria-label={t("account_tokens_dialog_title_edit")}>
-                    <EditIcon />
-                  </IconButton>
-                  <IconButton onClick={() => handleDeleteClick(token)} aria-label={t("account_tokens_dialog_title_delete")}>
-                    <CloseIcon />
-                  </IconButton>
+                  <Tooltip title={t("account_tokens_dialog_title_edit")}>
+                    <IconButton onClick={() => handleEditClick(token)} aria-label={t("account_tokens_dialog_title_edit")}>
+                      <EditIcon />
+                    </IconButton>
+                  </Tooltip>
+                  <Tooltip title={t("account_tokens_dialog_title_delete")}>
+                    <IconButton onClick={() => handleDeleteClick(token)} aria-label={t("account_tokens_dialog_title_delete")}>
+                      <CloseIcon />
+                    </IconButton>
+                  </Tooltip>
                </>
              )}
              {token.token === session.token() && (
--- a/web/src/components/Preferences.jsx
+++ b/web/src/components/Preferences.jsx
@@ -385,12 +385,16 @@ const UserTable = (props) => {
            <TableCell align="right" sx={{ whiteSpace: "nowrap" }}>
              {(!session.exists() || user.baseUrl !== config.base_url) && (
                <>
-                  <IconButton onClick={() => handleEditClick(user)} aria-label={t("prefs_users_edit_button")}>
-                    <EditIcon />
-                  </IconButton>
-                  <IconButton onClick={() => handleDeleteClick(user)} aria-label={t("prefs_users_delete_button")}>
-                    <CloseIcon />
-                  </IconButton>
+                  <Tooltip title={t("prefs_users_edit_button")}>
+                    <IconButton onClick={() => handleEditClick(user)} aria-label={t("prefs_users_edit_button")}>
+                      <EditIcon />
+                    </IconButton>
+                  </Tooltip>
+                  <Tooltip title={t("prefs_users_delete_button")}>
+                    <IconButton onClick={() => handleDeleteClick(user)} aria-label={t("prefs_users_delete_button")}>
+                      <CloseIcon />
+                    </IconButton>
+                  </Tooltip>
                </>
              )}
              {session.exists() && user.baseUrl === config.base_url && (
@@ -738,12 +742,16 @@ const ReservationsTable = (props) => {
                  />
                </Tooltip>
              )}
-              <IconButton onClick={() => handleEditClick(reservation)} aria-label={t("prefs_reservations_edit_button")}>
-                <EditIcon />
-              </IconButton>
-              <IconButton onClick={() => handleDeleteClick(reservation)} aria-label={t("prefs_reservations_delete_button")}>
-                <CloseIcon />
-              </IconButton>
+              <Tooltip title={t("prefs_reservations_edit_button")}>
+                <IconButton onClick={() => handleEditClick(reservation)} aria-label={t("prefs_reservations_edit_button")}>
+                  <EditIcon />
+                </IconButton>
+              </Tooltip>
+              <Tooltip title={t("prefs_reservations_delete_button")}>
+                <IconButton onClick={() => handleDeleteClick(reservation)} aria-label={t("prefs_reservations_delete_button")}>
+                  <CloseIcon />
+                </IconButton>
+              </Tooltip>
            </TableCell>
          </TableRow>
        ))}
--- a/webpush/store.go
+++ b/webpush/store.go
@@ -6,6 +6,7 @@ import (
 	"net/netip"
 	"time"

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/util"
 )

@@ -23,7 +24,7 @@ var (

 // Store holds the database connection and queries for web push subscriptions.
 type Store struct {
-	db      *sql.DB
+	db      *db.DB
 	queries queries
 }

@@ -46,46 +47,43 @@ type queries struct {

 // UpsertSubscription adds or updates Web Push subscriptions for the given topics and user ID.
 func (s *Store) UpsertSubscription(endpoint string, auth, p256dh, userID string, subscriberIP netip.Addr, topics []string) error {
-	tx, err := s.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	// Read number of subscriptions for subscriber IP address
-	var subscriptionCount int
-	if err := tx.QueryRow(s.queries.selectSubscriptionCountBySubscriberIP, subscriberIP.String()).Scan(&subscriptionCount); err != nil {
-		return err
-	}
-	// Read existing subscription ID for endpoint (or create new ID)
-	var subscriptionID string
-	if err := tx.QueryRow(s.queries.selectSubscriptionIDByEndpoint, endpoint).Scan(&subscriptionID); errors.Is(err, sql.ErrNoRows) {
-		if subscriptionCount >= subscriptionEndpointLimitPerSubscriberIP {
-			return ErrWebPushTooManySubscriptions
-		}
-		subscriptionID = util.RandomStringPrefix(subscriptionIDPrefix, subscriptionIDLength)
-	} else if err != nil {
-		return err
-	}
-	// Insert or update subscription
-	updatedAt, warnedAt := time.Now().Unix(), 0
-	if _, err := tx.Exec(s.queries.upsertSubscription, subscriptionID, endpoint, auth, p256dh, userID, subscriberIP.String(), updatedAt, warnedAt); err != nil {
-		return err
-	}
-	// Replace all subscription topics
-	if _, err := tx.Exec(s.queries.deleteSubscriptionTopicAll, subscriptionID); err != nil {
-		return err
-	}
-	for _, topic := range topics {
-		if _, err = tx.Exec(s.queries.insertSubscriptionTopic, subscriptionID, topic); err != nil {
+	return db.ExecTx(s.db, func(tx *sql.Tx) error {
+		// Read number of subscriptions for subscriber IP address
+		var subscriptionCount int
+		if err := tx.QueryRow(s.queries.selectSubscriptionCountBySubscriberIP, subscriberIP.String()).Scan(&subscriptionCount); err != nil {
 			return err
 		}
-	}
-	return tx.Commit()
+		// Read existing subscription ID for endpoint (or create new ID)
+		var subscriptionID string
+		if err := tx.QueryRow(s.queries.selectSubscriptionIDByEndpoint, endpoint).Scan(&subscriptionID); errors.Is(err, sql.ErrNoRows) {
+			if subscriptionCount >= subscriptionEndpointLimitPerSubscriberIP {
+				return ErrWebPushTooManySubscriptions
+			}
+			subscriptionID = util.RandomStringPrefix(subscriptionIDPrefix, subscriptionIDLength)
+		} else if err != nil {
+			return err
+		}
+		// Insert or update subscription
+		updatedAt, warnedAt := time.Now().Unix(), 0
+		if _, err := tx.Exec(s.queries.upsertSubscription, subscriptionID, endpoint, auth, p256dh, userID, subscriberIP.String(), updatedAt, warnedAt); err != nil {
+			return err
+		}
+		// Replace all subscription topics
+		if _, err := tx.Exec(s.queries.deleteSubscriptionTopicAll, subscriptionID); err != nil {
+			return err
+		}
+		for _, topic := range topics {
+			if _, err := tx.Exec(s.queries.insertSubscriptionTopic, subscriptionID, topic); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
 }

 // SubscriptionsForTopic returns all subscriptions for the given topic.
 func (s *Store) SubscriptionsForTopic(topic string) ([]*Subscription, error) {
-	rows, err := s.db.Query(s.queries.selectSubscriptionsForTopic, topic)
+	rows, err := s.db.ReadOnly().Query(s.queries.selectSubscriptionsForTopic, topic)
 	if err != nil {
 		return nil, err
 	}
@@ -95,7 +93,7 @@ func (s *Store) SubscriptionsForTopic(topic string) ([]*Subscription, error) {

 // SubscriptionsExpiring returns all subscriptions that have not been updated for a given time period.
 func (s *Store) SubscriptionsExpiring(warnAfter time.Duration) ([]*Subscription, error) {
-	rows, err := s.db.Query(s.queries.selectSubscriptionsExpiringSoon, time.Now().Add(-warnAfter).Unix())
+	rows, err := s.db.ReadOnly().Query(s.queries.selectSubscriptionsExpiringSoon, time.Now().Add(-warnAfter).Unix())
 	if err != nil {
 		return nil, err
 	}
@@ -105,17 +103,14 @@ func (s *Store) SubscriptionsExpiring(warnAfter time.Duration) ([]*Subscription,

 // MarkExpiryWarningSent marks the given subscriptions as having received a warning about expiring soon.
 func (s *Store) MarkExpiryWarningSent(subscriptions []*Subscription) error {
-	tx, err := s.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	for _, subscription := range subscriptions {
-		if _, err := tx.Exec(s.queries.updateSubscriptionWarningSent, time.Now().Unix(), subscription.ID); err != nil {
-			return err
+	return db.ExecTx(s.db, func(tx *sql.Tx) error {
+		for _, subscription := range subscriptions {
+			if _, err := tx.Exec(s.queries.updateSubscriptionWarningSent, time.Now().Unix(), subscription.ID); err != nil {
+				return err
+			}
 		}
-	}
-	return tx.Commit()
+		return nil
+	})
 }

 // RemoveSubscriptionsByEndpoint removes the subscription for the given endpoint.
@@ -135,12 +130,13 @@ func (s *Store) RemoveSubscriptionsByUserID(userID string) error {

 // RemoveExpiredSubscriptions removes all subscriptions that have not been updated for a given time period.
 func (s *Store) RemoveExpiredSubscriptions(expireAfter time.Duration) error {
-	_, err := s.db.Exec(s.queries.deleteSubscriptionByAge, time.Now().Add(-expireAfter).Unix())
-	if err != nil {
+	return db.ExecTx(s.db, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(s.queries.deleteSubscriptionByAge, time.Now().Add(-expireAfter).Unix()); err != nil {
+			return err
+		}
+		_, err := tx.Exec(s.queries.deleteSubscriptionTopicWithoutSubscription)
 		return err
-	}
-	_, err = s.db.Exec(s.queries.deleteSubscriptionTopicWithoutSubscription)
-	return err
+	})
 }

 // SetSubscriptionUpdatedAt updates the updated_at timestamp for a subscription by endpoint. This is
--- a/webpush/store_postgres.go
+++ b/webpush/store_postgres.go
@@ -3,6 +3,8 @@ package webpush
 import (
 	"database/sql"
 	"fmt"
+
+	"heckel.io/ntfy/v2/db"
 )

 const (
@@ -71,12 +73,12 @@ const (
 )

 // NewPostgresStore creates a new PostgreSQL-backed web push store using an existing database connection pool.
-func NewPostgresStore(db *sql.DB) (*Store, error) {
-	if err := setupPostgres(db); err != nil {
+func NewPostgresStore(d *db.DB) (*Store, error) {
+	if err := setupPostgres(d.Primary()); err != nil {
 		return nil, err
 	}
 	return &Store{
-		db: db,
+		db: d,
 		queries: queries{
 			selectSubscriptionIDByEndpoint:             postgresSelectSubscriptionIDByEndpointQuery,
 			selectSubscriptionCountBySubscriberIP:      postgresSelectSubscriptionCountBySubscriberIPQuery,
@@ -95,11 +97,11 @@ func NewPostgresStore(db *sql.DB) (*Store, error) {
 	}, nil
 }

-func setupPostgres(db *sql.DB) error {
+func setupPostgres(d *sql.DB) error {
 	var schemaVersion int
-	err := db.QueryRow(postgresSelectSchemaVersionQuery).Scan(&schemaVersion)
+	err := d.QueryRow(postgresSelectSchemaVersionQuery).Scan(&schemaVersion)
 	if err != nil {
-		return setupNewPostgres(db)
+		return setupNewPostgres(d)
 	}
 	if schemaVersion > pgCurrentSchemaVersion {
 		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, pgCurrentSchemaVersion)
@@ -107,17 +109,14 @@ func setupPostgres(db *sql.DB) error {
 	return nil
 }

-func setupNewPostgres(db *sql.DB) error {
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(postgresCreateTablesQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(postgresInsertSchemaVersionQuery, pgCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return tx.Commit()
+func setupNewPostgres(d *sql.DB) error {
+	return db.ExecTx(d, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(postgresCreateTablesQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(postgresInsertSchemaVersionQuery, pgCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }
--- a/webpush/store_sqlite.go
+++ b/webpush/store_sqlite.go
@@ -5,6 +5,8 @@ import (
 	"fmt"

 	_ "github.com/mattn/go-sqlite3" // SQLite driver
+
+	"heckel.io/ntfy/v2/db"
 )

 const (
@@ -77,18 +79,18 @@ const (

 // NewSQLiteStore creates a new SQLite-backed web push store.
 func NewSQLiteStore(filename, startupQueries string) (*Store, error) {
-	db, err := sql.Open("sqlite3", filename)
+	d, err := sql.Open("sqlite3", filename)
 	if err != nil {
 		return nil, err
 	}
-	if err := setupSQLite(db); err != nil {
+	if err := setupSQLite(d); err != nil {
 		return nil, err
 	}
-	if err := runSQLiteStartupQueries(db, startupQueries); err != nil {
+	if err := runSQLiteStartupQueries(d, startupQueries); err != nil {
 		return nil, err
 	}
 	return &Store{
-		db: db,
+		db: db.New(&db.Host{DB: d}, nil),
 		queries: queries{
 			selectSubscriptionIDByEndpoint:             sqliteSelectSubscriptionIDByEndpointQuery,
 			selectSubscriptionCountBySubscriberIP:      sqliteSelectSubscriptionCountBySubscriberIPQuery,
@@ -109,29 +111,24 @@ func NewSQLiteStore(filename, startupQueries string) (*Store, error) {

 func setupSQLite(db *sql.DB) error {
 	var schemaVersion int
-	err := db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion)
-	if err != nil {
+	if err := db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion); err != nil {
 		return setupNewSQLite(db)
-	}
-	if schemaVersion > sqliteCurrentSchemaVersion {
+	} else if schemaVersion > sqliteCurrentSchemaVersion {
 		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, sqliteCurrentSchemaVersion)
 	}
 	return nil
 }

-func setupNewSQLite(db *sql.DB) error {
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteCreateTablesQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return tx.Commit()
+func setupNewSQLite(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteCreateTablesQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }

 func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
Author	SHA1	Message	Date
binwiederhier	22868f4742	Derp	2026-03-14 14:21:09 -04:00
binwiederhier	2bf8f6271b	Review	2026-03-14 14:15:46 -04:00
binwiederhier	13be9747e4	Security reivew	2026-03-14 13:56:43 -04:00
binwiederhier	26dd017401	Merge branch 'main' of github.com:binwiederhier/ntfy into config-generator	2026-03-14 13:47:42 -04:00
binwiederhier	d00cd64220	Add admin user	2026-03-14 13:03:36 -04:00
binwiederhier	fab08e862d	More refining for config generator	2026-03-14 12:56:26 -04:00
binwiederhier	143935b917	More refining	2026-03-14 08:42:07 -04:00
Philipp C. Heckel	a82ede8a14	Merge pull request #1648 from binwiederhier/postgres-replica Add PostgreSQL read-only replica support	2026-03-12 21:28:38 -04:00
binwiederhier	8a34dfe3f8	Move things, rename things	2026-03-12 21:17:30 -04:00
binwiederhier	270fec51a6	Bump	2026-03-11 22:12:10 -04:00
binwiederhier	9eaadd74cf	Log	2026-03-11 22:09:00 -04:00
binwiederhier	1f483dcbd3	Remove consts	2026-03-11 21:54:35 -04:00
binwiederhier	85bdfc61ce	Refine, log unhealthy replica	2026-03-11 21:07:58 -04:00
binwiederhier	ac65df1e83	Move auth queries to primary, redo health check loop	2026-03-11 20:26:29 -04:00
binwiederhier	ab33ac7ae5	Refine	2026-03-11 11:58:40 -04:00
binwiederhier	f1865749d7	WIP: Postgres read-only replica	2026-03-10 22:17:40 -04:00
binwiederhier	997e20fa3f	Better error message for database-url errors	2026-03-10 21:18:34 -04:00
binwiederhier	3402510b47	More config generator	2026-03-10 21:11:27 -04:00
binwiederhier	19d1618bb8	Continued	2026-03-08 22:00:08 -04:00
binwiederhier	612afb1435	Configurator	2026-03-08 19:32:54 -04:00
binwiederhier	2b36ad9eb9	config generator	2026-03-08 18:59:17 -04:00
binwiederhier	bcd07115c2	Add tooltips for edit/delete buttons	2026-03-08 18:30:11 -04:00
binwiederhier	109271a930	Avoid playing sound more than every 2s	2026-03-08 10:55:59 -04:00
binwiederhier	fcf95dc9b8	Fix release notes	2026-03-07 16:17:00 -05:00
binwiederhier	79c3ab9ecc	Bump version	2026-03-07 16:07:38 -05:00
binwiederhier	d51465fb6a	Release notes	2026-03-07 08:51:57 -05:00
binwiederhier	0b189f65ff	Loadtest username/pass	2026-03-06 15:52:53 -05:00
binwiederhier	0d4b1b00e6	Users() optimization to help with startup time	2026-03-06 14:46:53 -05:00
binwiederhier	28c3fd5cbe	BUmp	2026-03-06 12:50:49 -05:00
binwiederhier	62bb335675	Grr	2026-03-04 22:42:45 -05:00
binwiederhier	70fb2732af	Merge branch 'main' into postgres-support	2026-03-04 22:35:38 -05:00
binwiederhier	8e91e028a0	Fix coverage issue	2026-03-04 22:34:34 -05:00
binwiederhier	6d22f568f9	Merge branch 'main' into postgres-support	2026-03-04 21:07:40 -05:00
binwiederhier	59e6c16633	Fix cov test	2026-03-04 21:07:21 -05:00
binwiederhier	2e0b934bc2	Merge branch 'main' into postgres-support	2026-03-04 20:51:25 -05:00
binwiederhier	4f4a093f8d	Merge branch 'main' of https://hosted.weblate.org/git/ntfy/web	2026-03-04 20:50:28 -05:00
binwiederhier	5610b7c56d	Bump	2026-03-04 20:49:18 -05:00
binwiederhier	d4038f566c	Release notes	2026-03-04 20:48:30 -05:00
binwiederhier	bff2b47eb6	Simplify schema reading	2026-03-03 14:52:29 -05:00
binwiederhier	33b19814c7	Transactions	2026-03-03 14:42:36 -05:00
binwiederhier	fb26e7ef3a	BUmp	2026-03-03 09:42:59 -05:00
binwiederhier	66449bd19b	pgimport readme	2026-03-02 20:15:35 -05:00
binwiederhier	bedbb121e4	Remove codecov.io	2026-03-02 20:05:29 -05:00
binwiederhier	c4b8cfa756	Manual correction	2026-03-02 20:04:03 -05:00
binwiederhier	c864a9baeb	Put more things in tx	2026-03-02 19:58:26 -05:00
binwiederhier	8afeb813d9	Move OpenPostgres	2026-03-02 19:52:36 -05:00
binwiederhier	ea4739f79b	Extract ExecTx	2026-03-02 19:45:35 -05:00
Philipp C. Heckel	941c43c10b	Merge pull request #1622 from acress1/patch-1 Update ntfy.tedomum.net URL to ntfy.tedomum.fr	2026-03-01 12:19:44 -05:00
Philipp C. Heckel	af76aa011d	Merge pull request #1629 from azrikahar/docs-config-access-token docs: fix references in access token examples	2026-03-01 12:19:10 -05:00
azrikahar	b937b44f2d	undo unrelated formatting changes	2026-02-28 15:06:37 +08:00
azrikahar	e618cf1a39	mention token in private instance example	2026-02-28 15:03:09 +08:00
azrikahar	e9cf2b5523	align backup-script user references in private instance section	2026-02-28 14:56:40 +08:00
azrikahar	c49a8179cf	align backup-service user references in token via the config section	2026-02-28 14:55:25 +08:00
Bora Atıcı	a1cca7972d	Translated using Weblate (Turkish) Currently translated at 100.0% (407 of 407 strings) Translation: ntfy/Web app Translate-URL: https://hosted.weblate.org/projects/ntfy/web/tr/	2026-02-27 09:09:49 +01:00
ezn24	da1c7b1949	Translated using Weblate (Chinese (Traditional Han script)) Currently translated at 100.0% (407 of 407 strings) Translation: ntfy/Web app Translate-URL: https://hosted.weblate.org/projects/ntfy/web/zh_Hant/	2026-02-27 09:09:47 +01:00
acress1	0d375d3a08	Update ntfy.tedomum.net URL to ntfy.tedomum.fr	2026-02-23 09:22:38 +01:00
Gergő Mihály	390cff0604	Translated using Weblate (Hungarian) Currently translated at 55.2% (225 of 407 strings) Translation: ntfy/Web app Translate-URL: https://hosted.weblate.org/projects/ntfy/web/hu/	2026-02-22 13:09:46 +00:00