Fix release notes

Bump version
Release notes
2026-03-18 21:30:44 +01:00 · 2026-03-07 16:17:00 -05:00 · 2026-03-07 16:07:38 -05:00 · 2026-03-07 08:51:57 -05:00 · 2026-03-06 15:52:53 -05:00 · 2026-03-06 14:46:53 -05:00
36 changed files with 1858 additions and 1223 deletions
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -42,5 +42,3 @@ jobs:
        run: make checkv
      - name: Run coverage
        run: make coverage
-      - name: Upload coverage to codecov.io
-        run: make coverage-upload
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@ server/docs/
 server/site/
 tools/fbsend/fbsend
 tools/pgimport/pgimport
+tools/loadtest/loadtest
 playground/
 secrets/
 *.iml
--- a/10
+++ b/10
@@ -268,22 +268,22 @@ check: test web-fmt-check fmt-check vet web-lint lint staticcheck
 checkv: testv web-fmt-check fmt-check vet web-lint lint staticcheck

 test: .PHONY
-	go test -parallel 3 $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')

 testv: .PHONY
-	go test -v -parallel 3 $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test -v $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')

 race: .PHONY
-	go test -v -race $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test -v -race $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')

 coverage:
 	mkdir -p build/coverage
-	go test -v -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test -v -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools|web)')
 	go tool cover -func build/coverage/coverage.txt

 coverage-html:
 	mkdir -p build/coverage
-	go test -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list ./... | grep -vE 'ntfy/(test|examples|tools)')
+	go test -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')
 	go tool cover -html build/coverage/coverage.txt

 coverage-upload:
--- a/cmd/user.go
+++ b/cmd/user.go
@@ -11,7 +11,7 @@ import (

 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
-	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 	"heckel.io/ntfy/v2/server"
 	"heckel.io/ntfy/v2/user"
 	"heckel.io/ntfy/v2/util"
@@ -379,7 +379,7 @@ func createUserManager(c *cli.Context) (*user.Manager, error) {
 		QueueWriterInterval: user.DefaultUserStatsQueueWriterInterval,
 	}
 	if databaseURL != "" {
-		pool, dbErr := db.OpenPostgres(databaseURL)
+		pool, dbErr := pg.Open(databaseURL)
 		if dbErr != nil {
 			return nil, dbErr
 		}
--- a/db/db.go
+++ b/db/db.go
@@ -2,92 +2,37 @@ package db

 import (
 	"database/sql"
-	"fmt"
-	"net/url"
-	"strconv"
-	"time"
-
-	_ "github.com/jackc/pgx/v5/stdlib" // PostgreSQL driver
 )

-const (
-	paramMaxOpenConns    = "pool_max_conns"
-	paramMaxIdleConns    = "pool_max_idle_conns"
-	paramConnMaxLifetime = "pool_conn_max_lifetime"
-	paramConnMaxIdleTime = "pool_conn_max_idle_time"
-
-	defaultMaxOpenConns = 10
-)
-
-// OpenPostgres opens a PostgreSQL database connection pool from a DSN string. It supports custom
-// query parameters for pool configuration: pool_max_conns (default 10), pool_max_idle_conns,
-// pool_conn_max_lifetime, and pool_conn_max_idle_time. These parameters are stripped from
-// the DSN before passing it to the driver.
-func OpenPostgres(dsn string) (*sql.DB, error) {
-	u, err := url.Parse(dsn)
+// ExecTx executes a function within a database transaction. If the function returns an error,
+// the transaction is rolled back. Otherwise, the transaction is committed.
+func ExecTx(db *sql.DB, f func(tx *sql.Tx) error) error {
+	tx, err := db.Begin()
 	if err != nil {
-		return nil, fmt.Errorf("invalid database URL: %w", err)
+		return err
 	}
-	q := u.Query()
-	maxOpenConns, err := extractIntParam(q, paramMaxOpenConns, defaultMaxOpenConns)
-	if err != nil {
-		return nil, err
+	defer tx.Rollback()
+	if err := f(tx); err != nil {
+		return err
 	}
-	maxIdleConns, err := extractIntParam(q, paramMaxIdleConns, 0)
-	if err != nil {
-		return nil, err
-	}
-	connMaxLifetime, err := extractDurationParam(q, paramConnMaxLifetime, 0)
-	if err != nil {
-		return nil, err
-	}
-	connMaxIdleTime, err := extractDurationParam(q, paramConnMaxIdleTime, 0)
-	if err != nil {
-		return nil, err
-	}
-	u.RawQuery = q.Encode()
-	db, err := sql.Open("pgx", u.String())
-	if err != nil {
-		return nil, err
-	}
-	db.SetMaxOpenConns(maxOpenConns)
-	if maxIdleConns > 0 {
-		db.SetMaxIdleConns(maxIdleConns)
-	}
-	if connMaxLifetime > 0 {
-		db.SetConnMaxLifetime(connMaxLifetime)
-	}
-	if connMaxIdleTime > 0 {
-		db.SetConnMaxIdleTime(connMaxIdleTime)
-	}
-	if err := db.Ping(); err != nil {
-		return nil, fmt.Errorf("ping failed: %w", err)
-	}
-	return db, nil
+	return tx.Commit()
 }

-func extractIntParam(q url.Values, key string, defaultValue int) (int, error) {
-	s := q.Get(key)
-	if s == "" {
-		return defaultValue, nil
-	}
-	q.Del(key)
-	v, err := strconv.Atoi(s)
+// QueryTx executes a function within a database transaction and returns the result. If the function
+// returns an error, the transaction is rolled back. Otherwise, the transaction is committed.
+func QueryTx[T any](db *sql.DB, f func(tx *sql.Tx) (T, error)) (T, error) {
+	tx, err := db.Begin()
 	if err != nil {
-		return 0, fmt.Errorf("invalid %s value %q: %w", key, s, err)
+		var zero T
+		return zero, err
 	}
-	return v, nil
-}
-
-func extractDurationParam(q url.Values, key string, defaultValue time.Duration) (time.Duration, error) {
-	s := q.Get(key)
-	if s == "" {
-		return defaultValue, nil
-	}
-	q.Del(key)
-	d, err := time.ParseDuration(s)
+	defer tx.Rollback()
+	t, err := f(tx)
 	if err != nil {
-		return 0, fmt.Errorf("invalid %s value %q: %w", key, s, err)
+		return t, err
 	}
-	return d, nil
+	if err := tx.Commit(); err != nil {
+		return t, err
+	}
+	return t, nil
 }
--- a/db/pg/pg.go
+++ b/db/pg/pg.go
@@ -0,0 +1,93 @@
+package pg
+
+import (
+	"database/sql"
+	"fmt"
+	"net/url"
+	"strconv"
+	"time"
+
+	_ "github.com/jackc/pgx/v5/stdlib" // PostgreSQL driver
+)
+
+const (
+	paramMaxOpenConns    = "pool_max_conns"
+	paramMaxIdleConns    = "pool_max_idle_conns"
+	paramConnMaxLifetime = "pool_conn_max_lifetime"
+	paramConnMaxIdleTime = "pool_conn_max_idle_time"
+
+	defaultMaxOpenConns = 10
+)
+
+// Open opens a PostgreSQL database connection pool from a DSN string. It supports custom
+// query parameters for pool configuration: pool_max_conns (default 10), pool_max_idle_conns,
+// pool_conn_max_lifetime, and pool_conn_max_idle_time. These parameters are stripped from
+// the DSN before passing it to the driver.
+func Open(dsn string) (*sql.DB, error) {
+	u, err := url.Parse(dsn)
+	if err != nil {
+		return nil, fmt.Errorf("invalid database URL: %w", err)
+	}
+	q := u.Query()
+	maxOpenConns, err := extractIntParam(q, paramMaxOpenConns, defaultMaxOpenConns)
+	if err != nil {
+		return nil, err
+	}
+	maxIdleConns, err := extractIntParam(q, paramMaxIdleConns, 0)
+	if err != nil {
+		return nil, err
+	}
+	connMaxLifetime, err := extractDurationParam(q, paramConnMaxLifetime, 0)
+	if err != nil {
+		return nil, err
+	}
+	connMaxIdleTime, err := extractDurationParam(q, paramConnMaxIdleTime, 0)
+	if err != nil {
+		return nil, err
+	}
+	u.RawQuery = q.Encode()
+	db, err := sql.Open("pgx", u.String())
+	if err != nil {
+		return nil, err
+	}
+	db.SetMaxOpenConns(maxOpenConns)
+	if maxIdleConns > 0 {
+		db.SetMaxIdleConns(maxIdleConns)
+	}
+	if connMaxLifetime > 0 {
+		db.SetConnMaxLifetime(connMaxLifetime)
+	}
+	if connMaxIdleTime > 0 {
+		db.SetConnMaxIdleTime(connMaxIdleTime)
+	}
+	if err := db.Ping(); err != nil {
+		return nil, fmt.Errorf("ping failed: %w", err)
+	}
+	return db, nil
+}
+
+func extractIntParam(q url.Values, key string, defaultValue int) (int, error) {
+	s := q.Get(key)
+	if s == "" {
+		return defaultValue, nil
+	}
+	q.Del(key)
+	v, err := strconv.Atoi(s)
+	if err != nil {
+		return 0, fmt.Errorf("invalid %s value %q: %w", key, s, err)
+	}
+	return v, nil
+}
+
+func extractDurationParam(q url.Values, key string, defaultValue time.Duration) (time.Duration, error) {
+	s := q.Get(key)
+	if s == "" {
+		return defaultValue, nil
+	}
+	q.Del(key)
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		return 0, fmt.Errorf("invalid %s value %q: %w", key, s, err)
+	}
+	return d, nil
+}
--- a/db/test/test.go
+++ b/db/test/test.go
@@ -8,7 +8,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/require"
-	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 	"heckel.io/ntfy/v2/util"
 )

@@ -30,7 +30,7 @@ func CreateTestPostgresSchema(t *testing.T) string {
 	q.Set("pool_max_conns", testPoolMaxConns)
 	u.RawQuery = q.Encode()
 	dsn = u.String()
-	setupDB, err := db.OpenPostgres(dsn)
+	setupDB, err := pg.Open(dsn)
 	require.Nil(t, err)
 	_, err = setupDB.Exec(fmt.Sprintf("CREATE SCHEMA %s", schema))
 	require.Nil(t, err)
@@ -39,7 +39,7 @@ func CreateTestPostgresSchema(t *testing.T) string {
 	u.RawQuery = q.Encode()
 	schemaDSN := u.String()
 	t.Cleanup(func() {
-		cleanDB, err := db.OpenPostgres(dsn)
+		cleanDB, err := pg.Open(dsn)
 		if err == nil {
 			cleanDB.Exec(fmt.Sprintf("DROP SCHEMA %s CASCADE", schema))
 			cleanDB.Close()
@@ -54,7 +54,7 @@ func CreateTestPostgresSchema(t *testing.T) string {
 func CreateTestPostgres(t *testing.T) *sql.DB {
 	t.Helper()
 	schemaDSN := CreateTestPostgresSchema(t)
-	testDB, err := db.OpenPostgres(schemaDSN)
+	testDB, err := pg.Open(schemaDSN)
 	require.Nil(t, err)
 	t.Cleanup(func() {
 		testDB.Close()
--- a/docs/config.md
+++ b/docs/config.md
@@ -512,7 +512,7 @@ Here's an example:
    ```
    # Comma-separated list
    NTFY_AUTH_FILE='/var/lib/ntfy/user.db'
-    NTFY_AUTH_USERS='phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin,ben:$2a$10$NKbrNb7HPMjtQXWJ0f1pouw03LDLT/WzlO9VAv44x84bRCkh19h6m:user'
+    NTFY_AUTH_USERS='phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin,backup-service:$2a$10$NKbrNb7HPMjtQXWJ0f1pouw03LDLT/WzlO9VAv44x84bRCkh19h6m:user'
    NTFY_AUTH_TOKENS='phil:tk_3gd7d2yftt4b8ixyfe9mnmro88o76,backup-service:tk_f099we8uzj7xi5qshzajwp6jffvkz:Backup script'
    ```

@@ -528,7 +528,8 @@ and access tokens in the `auth-tokens` section (see [access tokens via the confi

 Here's an example that defines a single admin user `phil` with the password `mypass`, and a regular user `backup-script`
 with the password `backup-script`. The admin user has full access to all topics, while regular user can only
-access the `backups` topic with read-write permissions. The `auth-default-access` is set to `deny-all`, which means
+access the `backups` topic with read-write permissions. `phil` has a token `tk_3gd7d2yftt4b8ixyfe9mnmro88o76` 
+with the label "My personal token". The `auth-default-access` is set to `deny-all`, which means
 that all other users and anonymous access are denied by default.

 === "Config via /etc/ntfy/server.yml"
@@ -539,7 +540,7 @@ that all other users and anonymous access are denied by default.
      - "phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin"
      - "backup-script:$2a$10$/ehiQt.w7lhTmHXq.RNsOOkIwiPPeWFIzWYO3DRxNixnWKLX8.uj.:user"
    auth-access:
-      - "backup-service:backups:rw"
+      - "backup-script:backups:rw"
    auth-tokens:
      - "phil:tk_3gd7d2yftt4b8ixyfe9mnmro88o76:My personal token"
    ```
@@ -549,7 +550,7 @@ that all other users and anonymous access are denied by default.
    NTFY_AUTH_FILE='/var/lib/ntfy/user.db'
    NTFY_AUTH_DEFAULT_ACCESS='deny-all'
    NTFY_AUTH_USERS='phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin,backup-script:$2a$10$/ehiQt.w7lhTmHXq.RNsOOkIwiPPeWFIzWYO3DRxNixnWKLX8.uj.:user'
-    NTFY_AUTH_ACCESS='backup-service:backups:rw'
+    NTFY_AUTH_ACCESS='backup-script:backups:rw'
    NTFY_AUTH_TOKENS='phil:tk_3gd7d2yftt4b8ixyfe9mnmro88o76:My personal token'
    ```

--- a/docs/install.md
+++ b/docs/install.md
@@ -30,37 +30,37 @@ deb/rpm packages.

 === "x86_64/amd64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_amd64.tar.gz
-    tar zxvf ntfy_2.17.0_linux_amd64.tar.gz
-    sudo cp -a ntfy_2.17.0_linux_amd64/ntfy /usr/local/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.17.0_linux_amd64/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_amd64.tar.gz
+    tar zxvf ntfy_2.18.0_linux_amd64.tar.gz
+    sudo cp -a ntfy_2.18.0_linux_amd64/ntfy /usr/local/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.18.0_linux_amd64/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "armv6"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv6.tar.gz
-    tar zxvf ntfy_2.17.0_linux_armv6.tar.gz
-    sudo cp -a ntfy_2.17.0_linux_armv6/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.17.0_linux_armv6/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv6.tar.gz
+    tar zxvf ntfy_2.18.0_linux_armv6.tar.gz
+    sudo cp -a ntfy_2.18.0_linux_armv6/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.18.0_linux_armv6/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "armv7/armhf"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv7.tar.gz
-    tar zxvf ntfy_2.17.0_linux_armv7.tar.gz
-    sudo cp -a ntfy_2.17.0_linux_armv7/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.17.0_linux_armv7/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv7.tar.gz
+    tar zxvf ntfy_2.18.0_linux_armv7.tar.gz
+    sudo cp -a ntfy_2.18.0_linux_armv7/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.18.0_linux_armv7/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "arm64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_arm64.tar.gz
-    tar zxvf ntfy_2.17.0_linux_arm64.tar.gz
-    sudo cp -a ntfy_2.17.0_linux_arm64/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.17.0_linux_arm64/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_arm64.tar.gz
+    tar zxvf ntfy_2.18.0_linux_arm64.tar.gz
+    sudo cp -a ntfy_2.18.0_linux_arm64/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.18.0_linux_arm64/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

@@ -116,7 +116,7 @@ Manually installing the .deb file:

 === "x86_64/amd64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_amd64.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_amd64.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -124,7 +124,7 @@ Manually installing the .deb file:

 === "armv6"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv6.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv6.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -132,7 +132,7 @@ Manually installing the .deb file:

 === "armv7/armhf"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv7.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv7.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -140,7 +140,7 @@ Manually installing the .deb file:

 === "arm64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_arm64.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_arm64.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -150,28 +150,28 @@ Manually installing the .deb file:

 === "x86_64/amd64"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_amd64.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_amd64.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```

 === "armv6"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv6.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv6.rpm
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
    ```

 === "armv7/armhf"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_armv7.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_armv7.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```

 === "arm64"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_linux_arm64.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_linux_arm64.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```
@@ -213,18 +213,18 @@ pkg install go-ntfy

 ## macOS
 The [ntfy CLI](subscribe/cli.md) (`ntfy publish` and `ntfy subscribe` only) is supported on macOS as well. 
-To install, please [download the tarball](https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_darwin_all.tar.gz), 
+To install, please [download the tarball](https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_darwin_all.tar.gz), 
 extract it and place it somewhere in your `PATH` (e.g. `/usr/local/bin/ntfy`). 

 If run as `root`, ntfy will look for its config at `/etc/ntfy/client.yml`. For all other users, it'll look for it at 
 `~/Library/Application Support/ntfy/client.yml` (sample included in the tarball).

 ```bash
-curl -L https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_darwin_all.tar.gz > ntfy_2.17.0_darwin_all.tar.gz
-tar zxvf ntfy_2.17.0_darwin_all.tar.gz
-sudo cp -a ntfy_2.17.0_darwin_all/ntfy /usr/local/bin/ntfy
+curl -L https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_darwin_all.tar.gz > ntfy_2.18.0_darwin_all.tar.gz
+tar zxvf ntfy_2.18.0_darwin_all.tar.gz
+sudo cp -a ntfy_2.18.0_darwin_all/ntfy /usr/local/bin/ntfy
 mkdir ~/Library/Application\ Support/ntfy 
-cp ntfy_2.17.0_darwin_all/client/client.yml ~/Library/Application\ Support/ntfy/client.yml
+cp ntfy_2.18.0_darwin_all/client/client.yml ~/Library/Application\ Support/ntfy/client.yml
 ntfy --help
 ```

@@ -245,7 +245,7 @@ brew install ntfy
 The ntfy server and CLI are fully supported on Windows. You can run the ntfy server directly or as a Windows service.
 To install, you can either

-* [Download the latest ZIP](https://github.com/binwiederhier/ntfy/releases/download/v2.17.0/ntfy_2.17.0_windows_amd64.zip),
+* [Download the latest ZIP](https://github.com/binwiederhier/ntfy/releases/download/v2.18.0/ntfy_2.18.0_windows_amd64.zip),
 extract it and place the `ntfy.exe` binary somewhere in your `%Path%`. 
 * Or install ntfy from the [Scoop](https://scoop.sh) main repository via `scoop install ntfy`

--- a/docs/integrations.md
+++ b/docs/integrations.md
@@ -306,7 +306,7 @@ ntfy community. Thanks to everyone running a public server. **You guys rock!**
 | URL                                               | Country            |
 |---------------------------------------------------|--------------------|
 | [ntfy.sh](https://ntfy.sh/) (*Official*)          | 🇺🇸 United States |
-| [ntfy.tedomum.net](https://ntfy.tedomum.net/)     | 🇫🇷 France        |
+| [ntfy.tedomum.fr](https://ntfy.tedomum.fr/)     | 🇫🇷 France        |
 | [ntfy.jae.fi](https://ntfy.jae.fi/)               | 🇫🇮 Finland       |
 | [ntfy.adminforge.de](https://ntfy.adminforge.de/) | 🇩🇪 Germany       |
 | [ntfy.envs.net](https://ntfy.envs.net)            | 🇩🇪 Germany       |
--- a/docs/releases.md
+++ b/docs/releases.md
@@ -6,12 +6,48 @@ and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/release

 | Component        | Version | Release date |
 |------------------|---------|--------------|
-| ntfy server      | v2.17.0 | Feb 8, 2026  |
-| ntfy Android app | v1.23.0 | Deb 22, 2026 |
+| ntfy server      | v2.18.0 | Mar 7, 2026  |
+| ntfy Android app | v1.24.0 | Mar 5, 2026  |
 | ntfy iOS app     | v1.3    | Nov 26, 2023 |

 Please check out the release notes for [upcoming releases](#not-released-yet) below.

+### ntfy server v2.18.0
+Released March 7, 2026
+
+This is the biggest release I've ever done on the server. It's 14,997 added lines of code, and 10,202 lines removed, all from
+one [pull request](https://github.com/binwiederhier/ntfy/pull/1619) that adds [PostgreSQL support](config.md#postgresql-experimental).
+
+The code was written by Cursor and Claude, but reviewed and heavily tested over 2-3 weeks by me. I created comparison documents,
+went through all queries multiple times and reviewed the logic over and over again. I also did load tests and manual regression tests,
+which took lots of evenings.
+
+I'll not instantly switch ntfy.sh over. Instead, I'm kindly asking the community to test the Postgres support and report back to me
+if things are working (or not working). There is a [one-off migration tool](https://github.com/binwiederhier/ntfy/tree/main/tools/pgimport) (entirely written by AI) that you can use to migrate.
+
+**Features:**
+
+* Add experimental [PostgreSQL support](config.md#postgresql-experimental) as an alternative database backend (message cache, user manager, web push subscriptions) via `database-url` config option ([#1114](https://github.com/binwiederhier/ntfy/issues/1114)/[#1619](https://github.com/binwiederhier/ntfy/pull/1619), thanks to [@brettinternet](https://github.com/brettinternet) for reporting)
+
+**Bug fixes + maintenance:**
+
+* Preserve `<br>` line breaks in HTML-only emails received via SMTP ([#690](https://github.com/binwiederhier/ntfy/issues/690), [#1620](https://github.com/binwiederhier/ntfy/pull/1620), thanks to [@uzkikh](https://github.com/uzkikh) for the fix and to [@teastrainer](https://github.com/teastrainer) for reporting)
+
+### ntfy Android v1.24.0
+Released March 5, 2026
+
+This is a tiny release that will revert the "reconnecting ..." behavior of the foreground notification. Lots of people
+have complained about it, so I'm replacing it with a notification that shows up when the server connection has failed
+for >15 minutes, hoping that people will be less annoyed by that.
+
+**Features:**
+
+* Show notification when connection to server has been lost for 15+ minutes, with dismiss, snooze and never-show-again actions
+
+**Bug fixes + maintenance:**
+
+* Fix crash in settings when fragment is detached during backup/restore or log operations
+
 ## ntfy Android v1.23.0
 Released February 22, 2026

@@ -1719,18 +1755,4 @@ and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/release

 ## Not released yet

-### ntfy server v2.18.x (UNRELEASED)
-
-**Features:**
-
-* Add experimental [PostgreSQL support](config.md#postgresql-experimental) as an alternative database backend (message cache, user manager, web push subscriptions) via `database-url` config option ([#1114](https://github.com/binwiederhier/ntfy/issues/1114), thanks to [@brettinternet](https://github.com/brettinternet) for reporting)
-
-**Bug fixes + maintenance:**
-
-* Preserve `<br>` line breaks in HTML-only emails received via SMTP ([#690](https://github.com/binwiederhier/ntfy/issues/690), [#1620](https://github.com/binwiederhier/ntfy/pull/1620), thanks to [@uzkikh](https://github.com/uzkikh) for the fix and to [@teastrainer](https://github.com/teastrainer) for reporting)
-
-### ntfy Android v1.24.x (UNRELEASED)
-
-**Bug fixes + maintenance:**
-
-* Fix crash in settings when fragment is detached during backup/restore or log operations
+_None_
--- a/go.mod
+++ b/go.mod
@@ -1,25 +1,25 @@
 module heckel.io/ntfy/v2

-go 1.24.6
+go 1.25.0

 require (
 	cloud.google.com/go/firestore v1.21.0 // indirect
-	cloud.google.com/go/storage v1.59.2 // indirect
+	cloud.google.com/go/storage v1.60.0 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/emersion/go-smtp v0.18.0
 	github.com/gabriel-vasile/mimetype v1.4.13
 	github.com/gorilla/websocket v1.5.3
-	github.com/mattn/go-sqlite3 v1.14.33
+	github.com/mattn/go-sqlite3 v1.14.34
 	github.com/olebedev/when v1.1.0
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli/v2 v2.27.7
-	golang.org/x/crypto v0.47.0
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/crypto v0.48.0
+	golang.org/x/oauth2 v0.35.0 // indirect
 	golang.org/x/sync v0.19.0
-	golang.org/x/term v0.39.0
+	golang.org/x/term v0.40.0
 	golang.org/x/time v0.14.0
-	google.golang.org/api v0.265.0
+	google.golang.org/api v0.269.0
 	gopkg.in/yaml.v2 v2.4.0
 )

@@ -34,14 +34,14 @@ require (
 	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stripe/stripe-go/v74 v74.30.0
-	golang.org/x/sys v0.40.0
-	golang.org/x/text v0.33.0
+	golang.org/x/sys v0.41.0
+	golang.org/x/text v0.34.0
 )

 require (
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
-	cloud.google.com/go/auth v0.18.1 // indirect
+	cloud.google.com/go/auth v0.18.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
@@ -58,8 +58,8 @@ require (
 	github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 // indirect
-	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.37.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.3 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
@@ -69,7 +69,7 @@ require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
 	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
@@ -80,27 +80,27 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.5 // indirect
-	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.40.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.41.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.66.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.66.0 // indirect
+	go.opentelemetry.io/otel v1.41.0 // indirect
+	go.opentelemetry.io/otel/metric v1.41.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.41.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.41.0 // indirect
+	go.opentelemetry.io/otel/trace v1.41.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
 	google.golang.org/appengine/v2 v2.0.6 // indirect
-	google.golang.org/genproto v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/genproto v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/grpc v1.79.2 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,8 @@ cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
 cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
-cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=
-cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=
+cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
+cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
@@ -12,14 +12,14 @@ cloud.google.com/go/firestore v1.21.0 h1:BhopUsx7kh6NFx77ccRsHhrtkbJUmDAxNY3uapW
 cloud.google.com/go/firestore v1.21.0/go.mod h1:1xH6HNcnkf/gGyR8udd6pFO4Z7GWJSwLKQMx/u6UrP4=
 cloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc=
 cloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU=
-cloud.google.com/go/logging v1.13.1 h1:O7LvmO0kGLaHY/gq8cV7T0dyp6zJhYAOtZPX4TF3QtY=
-cloud.google.com/go/logging v1.13.1/go.mod h1:XAQkfkMBxQRjQek96WLPNze7vsOmay9H5PqfsNYDqvw=
+cloud.google.com/go/logging v1.13.2 h1:qqlHCBvieJT9Cdq4QqYx1KPadCQ2noD4FK02eNqHAjA=
+cloud.google.com/go/logging v1.13.2/go.mod h1:zaybliM3yun1J8mU2dVQ1/qDzjbOqEijZCn6hSBtKak=
 cloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8=
 cloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk=
 cloud.google.com/go/monitoring v1.24.3 h1:dde+gMNc0UhPZD1Azu6at2e79bfdztVDS5lvhOdsgaE=
 cloud.google.com/go/monitoring v1.24.3/go.mod h1:nYP6W0tm3N9H/bOw8am7t62YTzZY+zUeQ+Bi6+2eonI=
-cloud.google.com/go/storage v1.59.2 h1:gmOAuG1opU8YvycMNpP+DvHfT9BfzzK5Cy+arP+Nocw=
-cloud.google.com/go/storage v1.59.2/go.mod h1:cMWbtM+anpC74gn6qjLh+exqYcfmB9Hqe5z6adx+CLI=
+cloud.google.com/go/storage v1.60.0 h1:oBfZrSOCimggVNz9Y/bXY35uUcts7OViubeddTTVzQ8=
+cloud.google.com/go/storage v1.60.0/go.mod h1:q+5196hXfejkctrnx+VYU8RKQr/L3c0cBIlrjmiAKE0=
 cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U=
 cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s=
 firebase.google.com/go/v4 v4.19.0 h1:f5NMlC2YHFsncz00c2+ecBr+ZYlRMhKIhj1z8Iz0lD8=
@@ -58,14 +58,14 @@ github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 h1:oP4q0fw+fOSWn3
 github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
 github.com/emersion/go-smtp v0.17.0 h1:tq90evlrcyqRfE6DSXaWVH54oX6OuZOQECEmhWBMEtI=
 github.com/emersion/go-smtp v0.17.0/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
-github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329 h1:K+fnvUM0VZ7ZFJf0n4L/BRlnsb9pL/GuDG6FqaH+PwM=
-github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329/go.mod h1:Alz8LEClvR7xKsrq3qzoc4N0guvVNSS8KmSChGYr9hs=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
+github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
+github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
+github.com/envoyproxy/go-control-plane/envoy v1.37.0 h1:u3riX6BoYRfF4Dr7dwSOroNfdSbEPe9Yyl09/B6wBrQ=
+github.com/envoyproxy/go-control-plane/envoy v1.37.0/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
-github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
-github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
+github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
+github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
@@ -96,8 +96,8 @@ github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
 github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
@@ -120,8 +120,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/mattn/go-sqlite3 v1.14.33 h1:A5blZ5ulQo2AtayQ9/limgHEkFreKj1Dv226a1K73s0=
-github.com/mattn/go-sqlite3 v1.14.33/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.34 h1:3NtcvcUnFBPsuRcno8pUtupspG/GM+9nZ88zgJcp6Zk=
+github.com/mattn/go-sqlite3 v1.14.34/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
 github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -141,8 +141,8 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
 github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
-github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
-github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
+github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
@@ -165,24 +165,24 @@ github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342/go.mod h1:Ohn+xnUBi
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/detectors/gcp v1.40.0 h1:Awaf8gmW99tZTOWqkLCOl6aw1/rxAWVlHsHIZ3fT2sA=
-go.opentelemetry.io/contrib/detectors/gcp v1.40.0/go.mod h1:99OY9ZCqyLkzJLTh5XhECpLRSxcZl+ZDKBEO+jMBFR4=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 h1:XmiuHzgJt067+a6kwyAzkhXooYVv3/TOw9cM2VfJgUM=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0/go.mod h1:KDgtbWKTQs4bM+VPUr6WlL9m/WXcmkCcBlIzqxPGzmI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 h1:wm/Q0GAAykXv83wzcKzGGqAnnfLFyFe7RslekZuv+VI=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0/go.mod h1:ra3Pa40+oKjvYh+ZD3EdxFZZB0xdMfuileHAm4nNN7w=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/contrib/detectors/gcp v1.41.0 h1:MBzEwqhroF0JK0DpTVYWDxsenxm6L4PqOEfA90uZ5AA=
+go.opentelemetry.io/contrib/detectors/gcp v1.41.0/go.mod h1:5pSDD0v0t2HqUmPC5cBBc+nLQO4dLYWnzBNheXLBLgs=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.66.0 h1:w/o339tDd6Qtu3+ytwt+/jon2yjAs3Ot8Xq8pelfhSo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.66.0/go.mod h1:pdhNtM9C4H5fRdrnwO7NjxzQWhKSSxCHk/KluVqDVC0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.66.0 h1:PnV4kVnw0zOmwwFkAzCN5O07fw1YOIQor120zrh0AVo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.66.0/go.mod h1:ofAwF4uinaf8SXdVzzbL4OsxJ3VfeEg3f/F6CeF49/Y=
+go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
+go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 h1:5gn2urDL/FBnK8OkCfD1j3/ER79rUuTYmCvlXBKeYL8=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0/go.mod h1:0fBG6ZJxhqByfFZDwSwpZGzJU671HkwpWaNe2t4VUPI=
+go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
+go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
+go.opentelemetry.io/otel/sdk v1.41.0 h1:YPIEXKmiAwkGl3Gu1huk1aYWwtpRLeskpV+wPisxBp8=
+go.opentelemetry.io/otel/sdk v1.41.0/go.mod h1:ahFdU0G5y8IxglBf0QBJXgSe7agzjE4GiTJ6HT9ud90=
+go.opentelemetry.io/otel/sdk/metric v1.41.0 h1:siZQIYBAUd1rlIWQT2uCxWJxcCO7q3TriaMlf08rXw8=
+go.opentelemetry.io/otel/sdk/metric v1.41.0/go.mod h1:HNBuSvT7ROaGtGI50ArdRLUnvRTRGniSUZbxiWxSO8Y=
+go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
+go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
@@ -193,8 +193,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -209,10 +209,10 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
+golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -234,8 +234,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -245,8 +245,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -258,8 +258,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -272,18 +272,18 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.265.0 h1:FZvfUdI8nfmuNrE34aOWFPmLC+qRBEiNm3JdivTvAAU=
-google.golang.org/api v0.265.0/go.mod h1:uAvfEl3SLUj/7n6k+lJutcswVojHPp2Sp08jWCu8hLY=
+google.golang.org/api v0.269.0 h1:qDrTOxKUQ/P0MveH6a7vZ+DNHxJQjtGm/uvdbdGXCQg=
+google.golang.org/api v0.269.0/go.mod h1:N8Wpcu23Tlccl0zSHEkcAZQKDLdquxK+l9r2LkwAauE=
 google.golang.org/appengine/v2 v2.0.6 h1:LvPZLGuchSBslPBp+LAhihBeGSiRh1myRoYK4NtuBIw=
 google.golang.org/appengine/v2 v2.0.6/go.mod h1:WoEXGoXNfa0mLvaH5sV3ZSGXwVmy8yf7Z1JKf3J3wLI=
-google.golang.org/genproto v0.0.0-20260203192932-546029d2fa20 h1:/CU1zrxTpGylJJbe3Ru94yy6sZRbzALq2/oxl3pGB3U=
-google.golang.org/genproto v0.0.0-20260203192932-546029d2fa20/go.mod h1:Tt+08/KdKEt3l8x3Pby3HLQxMB3uk/MzaQ4ZIv0ORTs=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
-google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
-google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/genproto v0.0.0-20260226221140-a57be14db171 h1:RxhCsti413yL0IjU9dVvuTbCISo8gs3RW1jPMStck+4=
+google.golang.org/genproto v0.0.0-20260226221140-a57be14db171/go.mod h1:uhvzakVEqAuXU3TC2JCsxIRe5f77l+JySE3EqPoMyqM=
+google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4=
+google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
+google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
--- a/message/cache.go
+++ b/message/cache.go
@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/log"
 	"heckel.io/ntfy/v2/model"
 	"heckel.io/ntfy/v2/util"
@@ -334,17 +335,14 @@ func (c *Cache) Topics() ([]string, error) {
 func (c *Cache) DeleteMessages(ids ...string) error {
 	c.maybeLock()
 	defer c.maybeUnlock()
-	tx, err := c.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	for _, id := range ids {
-		if _, err := tx.Exec(c.queries.deleteMessage, id); err != nil {
-			return err
+	return db.ExecTx(c.db, func(tx *sql.Tx) error {
+		for _, id := range ids {
+			if _, err := tx.Exec(c.queries.deleteMessage, id); err != nil {
+				return err
+			}
 		}
-	}
-	return tx.Commit()
+		return nil
+	})
 }

 // DeleteScheduledBySequenceID deletes unpublished (scheduled) messages with the given topic and sequence ID.
@@ -352,54 +350,43 @@ func (c *Cache) DeleteMessages(ids ...string) error {
 func (c *Cache) DeleteScheduledBySequenceID(topic, sequenceID string) ([]string, error) {
 	c.maybeLock()
 	defer c.maybeUnlock()
-	tx, err := c.db.Begin()
-	if err != nil {
-		return nil, err
-	}
-	defer tx.Rollback()
-	// First, get the message IDs of scheduled messages to be deleted
-	rows, err := tx.Query(c.queries.selectScheduledMessageIDsBySeqID, topic, sequenceID)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	ids := make([]string, 0)
-	for rows.Next() {
-		var id string
-		if err := rows.Scan(&id); err != nil {
+	return db.QueryTx(c.db, func(tx *sql.Tx) ([]string, error) {
+		rows, err := tx.Query(c.queries.selectScheduledMessageIDsBySeqID, topic, sequenceID)
+		if err != nil {
 			return nil, err
 		}
-		ids = append(ids, id)
-	}
-	if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	rows.Close() // Close rows before executing delete in same transaction
-	// Then delete the messages
-	if _, err := tx.Exec(c.queries.deleteScheduledBySequenceID, topic, sequenceID); err != nil {
-		return nil, err
-	}
-	if err := tx.Commit(); err != nil {
-		return nil, err
-	}
-	return ids, nil
+		defer rows.Close()
+		ids := make([]string, 0)
+		for rows.Next() {
+			var id string
+			if err := rows.Scan(&id); err != nil {
+				return nil, err
+			}
+			ids = append(ids, id)
+		}
+		if err := rows.Err(); err != nil {
+			return nil, err
+		}
+		rows.Close() // Close rows before executing delete in same transaction
+		if _, err := tx.Exec(c.queries.deleteScheduledBySequenceID, topic, sequenceID); err != nil {
+			return nil, err
+		}
+		return ids, nil
+	})
 }

 // ExpireMessages marks messages in the given topics as expired
 func (c *Cache) ExpireMessages(topics ...string) error {
 	c.maybeLock()
 	defer c.maybeUnlock()
-	tx, err := c.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	for _, t := range topics {
-		if _, err := tx.Exec(c.queries.updateMessagesForTopicExpiry, time.Now().Unix()-1, t); err != nil {
-			return err
+	return db.ExecTx(c.db, func(tx *sql.Tx) error {
+		for _, t := range topics {
+			if _, err := tx.Exec(c.queries.updateMessagesForTopicExpiry, time.Now().Unix()-1, t); err != nil {
+				return err
+			}
 		}
-	}
-	return tx.Commit()
+		return nil
+	})
 }

 // AttachmentsExpired returns message IDs with expired attachments that have not been deleted
@@ -427,17 +414,14 @@ func (c *Cache) AttachmentsExpired() ([]string, error) {
 func (c *Cache) MarkAttachmentsDeleted(ids ...string) error {
 	c.maybeLock()
 	defer c.maybeUnlock()
-	tx, err := c.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	for _, id := range ids {
-		if _, err := tx.Exec(c.queries.updateAttachmentDeleted, id); err != nil {
-			return err
+	return db.ExecTx(c.db, func(tx *sql.Tx) error {
+		for _, id := range ids {
+			if _, err := tx.Exec(c.queries.updateAttachmentDeleted, id); err != nil {
+				return err
+			}
 		}
-	}
-	return tx.Commit()
+		return nil
+	})
 }

 // AttachmentBytesUsedBySender returns the total size of active attachments sent by the given sender
--- a/message/cache_postgres_schema.go
+++ b/message/cache_postgres_schema.go
@@ -3,6 +3,8 @@ package message
 import (
 	"database/sql"
 	"fmt"
+
+	"heckel.io/ntfy/v2/db"
 )

 // Initial PostgreSQL schema
@@ -55,34 +57,29 @@ const (

 // PostgreSQL schema management queries
 const (
-	pgCurrentSchemaVersion           = 14
+	postgresCurrentSchemaVersion     = 14
 	postgresInsertSchemaVersionQuery = `INSERT INTO schema_version (store, version) VALUES ('message', $1)`
 	postgresSelectSchemaVersionQuery = `SELECT version FROM schema_version WHERE store = 'message'`
 )

 func setupPostgres(db *sql.DB) error {
 	var schemaVersion int
-	err := db.QueryRow(postgresSelectSchemaVersionQuery).Scan(&schemaVersion)
-	if err != nil {
+	if err := db.QueryRow(postgresSelectSchemaVersionQuery).Scan(&schemaVersion); err != nil {
 		return setupNewPostgresDB(db)
-	}
-	if schemaVersion > pgCurrentSchemaVersion {
-		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, pgCurrentSchemaVersion)
+	} else if schemaVersion > postgresCurrentSchemaVersion {
+		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, postgresCurrentSchemaVersion)
 	}
 	return nil
 }

-func setupNewPostgresDB(db *sql.DB) error {
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(postgresCreateTablesQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(postgresInsertSchemaVersionQuery, pgCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return tx.Commit()
+func setupNewPostgresDB(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(postgresCreateTablesQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(postgresInsertSchemaVersionQuery, postgresCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }
--- a/message/cache_sqlite_schema.go
+++ b/message/cache_sqlite_schema.go
@@ -5,13 +5,13 @@ import (
 	"fmt"
 	"time"

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/log"
 )

 // Initial SQLite schema
 const (
 	sqliteCreateTablesQuery = `
-		BEGIN;
 		CREATE TABLE IF NOT EXISTS messages (
 			id INTEGER PRIMARY KEY AUTOINCREMENT,
 			mid TEXT NOT NULL,
@@ -52,7 +52,6 @@ const (
 			value INT
 		);
 		INSERT INTO stats (key, value) VALUES ('messages', 0);
-		COMMIT;
 	`
 )

@@ -74,11 +73,9 @@ const (
 const (
 	// 0 -> 1
 	sqliteMigrate0To1AlterMessagesTableQuery = `
-		BEGIN;
 		ALTER TABLE messages ADD COLUMN title TEXT NOT NULL DEFAULT('');
 		ALTER TABLE messages ADD COLUMN priority INT NOT NULL DEFAULT(0);
 		ALTER TABLE messages ADD COLUMN tags TEXT NOT NULL DEFAULT('');
-		COMMIT;
 	`

 	// 1 -> 2
@@ -88,7 +85,6 @@ const (

 	// 2 -> 3
 	sqliteMigrate2To3AlterMessagesTableQuery = `
-		BEGIN;
 		ALTER TABLE messages ADD COLUMN click TEXT NOT NULL DEFAULT('');
 		ALTER TABLE messages ADD COLUMN attachment_name TEXT NOT NULL DEFAULT('');
 		ALTER TABLE messages ADD COLUMN attachment_type TEXT NOT NULL DEFAULT('');
@@ -96,7 +92,6 @@ const (
 		ALTER TABLE messages ADD COLUMN attachment_expires INT NOT NULL DEFAULT('0');
 		ALTER TABLE messages ADD COLUMN attachment_owner TEXT NOT NULL DEFAULT('');
 		ALTER TABLE messages ADD COLUMN attachment_url TEXT NOT NULL DEFAULT('');
-		COMMIT;
 	`
 	// 3 -> 4
 	sqliteMigrate3To4AlterMessagesTableQuery = `
@@ -105,7 +100,6 @@ const (

 	// 4 -> 5
 	sqliteMigrate4To5AlterMessagesTableQuery = `
-		BEGIN;
 		CREATE TABLE IF NOT EXISTS messages_new (
 			id INTEGER PRIMARY KEY AUTOINCREMENT,
 			mid TEXT NOT NULL,
@@ -137,7 +131,6 @@ const (
 			FROM messages;
 		DROP TABLE messages;
 		ALTER TABLE messages_new RENAME TO messages;
-		COMMIT;
 	`

 	// 5 -> 6
@@ -223,24 +216,13 @@ func setupSQLite(db *sql.DB, startupQueries string, cacheDuration time.Duration)
 		return err
 	}
 	// If 'messages' table does not exist, this must be a new database
-	rowsMC, err := db.Query(sqliteSelectMessagesCountQuery)
-	if err != nil {
+	var messagesCount int
+	if err := db.QueryRow(sqliteSelectMessagesCountQuery).Scan(&messagesCount); err != nil {
 		return setupNewSQLite(db)
 	}
-	rowsMC.Close()
-	// If 'messages' table exists, check 'schemaVersion' table
-	schemaVersion := 0
-	rowsSV, err := db.Query(sqliteSelectSchemaVersionQuery)
-	if err == nil {
-		defer rowsSV.Close()
-		if !rowsSV.Next() {
-			return fmt.Errorf("cannot determine schema version: cache file may be corrupt")
-		}
-		if err := rowsSV.Scan(&schemaVersion); err != nil {
-			return err
-		}
-		rowsSV.Close()
-	}
+	// If 'messages' table exists (schema >= 0), check 'schemaVersion' table
+	var schemaVersion int
+	db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion) // Error means schema version is zero!
 	// Do migrations
 	if schemaVersion == sqliteCurrentSchemaVersion {
 		return nil
@@ -258,17 +240,19 @@ func setupSQLite(db *sql.DB, startupQueries string, cacheDuration time.Duration)
 	return nil
 }

-func setupNewSQLite(db *sql.DB) error {
-	if _, err := db.Exec(sqliteCreateTablesQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteCreateSchemaVersionTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return nil
+func setupNewSQLite(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteCreateTablesQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteCreateSchemaVersionTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }

 func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
@@ -280,187 +264,190 @@ func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
 	return nil
 }

-func sqliteMigrateFrom0(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom0(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 0 to 1")
-	if _, err := db.Exec(sqliteMigrate0To1AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteCreateSchemaVersionTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteInsertSchemaVersionQuery, 1); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate0To1AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteCreateSchemaVersionTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, 1); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom1(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom1(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 1 to 2")
-	if _, err := db.Exec(sqliteMigrate1To2AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 2); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate1To2AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 2); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom2(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom2(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 2 to 3")
-	if _, err := db.Exec(sqliteMigrate2To3AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 3); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate2To3AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 3); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom3(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom3(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 3 to 4")
-	if _, err := db.Exec(sqliteMigrate3To4AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 4); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate3To4AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 4); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom4(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom4(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 4 to 5")
-	if _, err := db.Exec(sqliteMigrate4To5AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 5); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate4To5AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 5); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom5(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom5(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 5 to 6")
-	if _, err := db.Exec(sqliteMigrate5To6AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 6); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate5To6AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 6); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom6(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom6(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 6 to 7")
-	if _, err := db.Exec(sqliteMigrate6To7AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 7); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate6To7AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 7); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom7(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom7(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 7 to 8")
-	if _, err := db.Exec(sqliteMigrate7To8AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 8); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate7To8AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 8); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom8(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom8(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 8 to 9")
-	if _, err := db.Exec(sqliteMigrate8To9AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteUpdateSchemaVersionQuery, 9); err != nil {
-		return err
-	}
-	return nil
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate8To9AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 9); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom9(db *sql.DB, cacheDuration time.Duration) error {
+func sqliteMigrateFrom9(sqlDB *sql.DB, cacheDuration time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 9 to 10")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate9To10AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteMigrate9To10UpdateMessageExpiryQuery, int64(cacheDuration.Seconds())); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 10); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate9To10AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteMigrate9To10UpdateMessageExpiryQuery, int64(cacheDuration.Seconds())); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 10); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom10(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom10(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 10 to 11")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate10To11AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 11); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate10To11AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 11); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom11(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom11(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 11 to 12")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate11To12AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 12); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate11To12AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 12); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom12(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom12(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 12 to 13")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate12To13AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 13); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate12To13AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 13); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom13(db *sql.DB, _ time.Duration) error {
+func sqliteMigrateFrom13(sqlDB *sql.DB, _ time.Duration) error {
 	log.Tag(tagMessageCache).Info("Migrating cache database schema: from 13 to 14")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate13To14AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 14); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate13To14AlterMessagesTableQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 14); err != nil {
+			return err
+		}
+		return nil
+	})
 }
--- a/server/server.go
+++ b/server/server.go
@@ -33,7 +33,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"golang.org/x/sync/errgroup"
 	"gopkg.in/yaml.v2"
-	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 	"heckel.io/ntfy/v2/log"
 	"heckel.io/ntfy/v2/message"
 	"heckel.io/ntfy/v2/model"
@@ -178,11 +178,11 @@ func New(conf *Config) (*Server, error) {
 	if payments.Available && conf.StripeSecretKey != "" {
 		stripe = newStripeAPI()
 	}
-	// OpenPostgres shared PostgreSQL connection pool if configured
+	// Open shared PostgreSQL connection pool if configured
 	var pool *sql.DB
 	if conf.DatabaseURL != "" {
 		var err error
-		pool, err = db.OpenPostgres(conf.DatabaseURL)
+		pool, err = pg.Open(conf.DatabaseURL)
 		if err != nil {
 			return nil, err
 		}
--- a/tools/loadtest/go.mod
+++ b/tools/loadtest/go.mod
@@ -0,0 +1,5 @@
+module loadtest
+
+go 1.25.2
+
+require github.com/gorilla/websocket v1.5.3
--- a/tools/loadtest/go.sum
+++ b/tools/loadtest/go.sum
@@ -0,0 +1,2 @@
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
--- a/tools/loadtest/main.go
+++ b/tools/loadtest/main.go
@@ -0,0 +1,543 @@
+// Load test program for ntfy staging server.
+// Replicates production traffic patterns derived from access.log analysis.
+//
+// Traffic profile (from ~5M requests over 20 hours):
+//   ~71 req/sec average, ~4,300 req/min
+//   49.6% poll requests      (GET /TOPIC/json?poll=1&since=ID)
+//   21.4% publish POST       (POST /TOPIC with small body)
+//    6.2% subscribe stream   (GET /TOPIC/json?since=X, long-lived)
+//    4.1% config check       (GET /v1/config)
+//    2.3% other topic GET    (GET /TOPIC)
+//    2.2% account check      (GET /v1/account)
+//    1.9% websocket sub      (GET /TOPIC/ws?since=X)
+//    1.5% publish PUT        (PUT /TOPIC with small body)
+//    1.5% raw subscribe      (GET /TOPIC/raw?since=X)
+//    1.1% json subscribe     (GET /TOPIC/json, no since)
+//    0.7% SSE subscribe      (GET /TOPIC/sse?since=X)
+//    remaining: static, PATCH, OPTIONS, etc. (omitted)
+
+package main
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"flag"
+	"fmt"
+	"io"
+
+	"math/big"
+	mrand "math/rand"
+	"net/http"
+	"os"
+	"os/signal"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/gorilla/websocket"
+)
+
+var (
+	baseURL    string
+	username   string
+	password   string
+	rps        float64
+	scale      float64
+	numTopics  int
+	subStreams int
+	wsStreams  int
+	sseStreams int
+	rawStreams int
+	duration   time.Duration
+
+	totalRequests atomic.Int64
+	totalErrors   atomic.Int64
+	activeStreams atomic.Int64
+
+	// Error tracking by category
+	errMu        sync.Mutex
+	recentErrors []string // last N unique error messages
+	errorCounts  = make(map[string]int64)
+)
+
+func main() {
+	flag.StringVar(&baseURL, "url", "https://staging.ntfy.sh", "Base URL of ntfy server")
+	flag.StringVar(&username, "user", "", "Username for authentication")
+	flag.StringVar(&password, "pass", "", "Password for authentication")
+	flag.Float64Var(&rps, "rps", 71, "Target requests per second (default: prod average)")
+	flag.Float64Var(&scale, "scale", 1.0, "Scale factor for all load (0.5 = half load, 2.0 = double)")
+	flag.IntVar(&numTopics, "topics", 500, "Number of unique topics to use")
+	flag.IntVar(&subStreams, "sub-streams", 200, "Number of concurrent JSON streaming subscriptions")
+	flag.IntVar(&wsStreams, "ws-streams", 50, "Number of concurrent WebSocket subscriptions")
+	flag.IntVar(&sseStreams, "sse-streams", 20, "Number of concurrent SSE subscriptions")
+	flag.IntVar(&rawStreams, "raw-streams", 30, "Number of concurrent raw subscriptions")
+	flag.DurationVar(&duration, "duration", 10*time.Minute, "Test duration")
+	flag.Parse()
+
+	rps *= scale
+	subStreams = int(float64(subStreams) * scale)
+	wsStreams = int(float64(wsStreams) * scale)
+	sseStreams = int(float64(sseStreams) * scale)
+	rawStreams = int(float64(rawStreams) * scale)
+
+	topics := generateTopics(numTopics)
+
+	fmt.Printf("ntfy load test\n")
+	fmt.Printf("  Target:       %s\n", baseURL)
+	fmt.Printf("  RPS:          %.1f\n", rps)
+	fmt.Printf("  Scale:        %.1fx\n", scale)
+	fmt.Printf("  Topics:       %d\n", numTopics)
+	fmt.Printf("  Sub streams:  %d json, %d ws, %d sse, %d raw\n", subStreams, wsStreams, sseStreams, rawStreams)
+	fmt.Printf("  Duration:     %s\n", duration)
+	fmt.Println()
+
+	ctx, cancel := context.WithTimeout(context.Background(), duration)
+	defer cancel()
+
+	// Also handle Ctrl+C
+	sigCtx, sigCancel := signal.NotifyContext(ctx, os.Interrupt)
+	defer sigCancel()
+	ctx = sigCtx
+
+	client := &http.Client{
+		Timeout: 10 * time.Second,
+		Transport: &http.Transport{
+			MaxIdleConns:        1000,
+			MaxIdleConnsPerHost: 1000,
+			IdleConnTimeout:     90 * time.Second,
+		},
+	}
+
+	// Long-lived streaming client (no timeout)
+	streamClient := &http.Client{
+		Timeout: 0,
+		Transport: &http.Transport{
+			MaxIdleConns:        500,
+			MaxIdleConnsPerHost: 500,
+			IdleConnTimeout:     0,
+		},
+	}
+
+	var wg sync.WaitGroup
+
+	// Start long-lived streaming subscriptions
+	for i := 0; i < subStreams; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			streamSubscription(ctx, streamClient, topics, "json")
+		}()
+	}
+	for i := 0; i < wsStreams; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			wsSubscription(ctx, topics)
+		}()
+	}
+	for i := 0; i < sseStreams; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			streamSubscription(ctx, streamClient, topics, "sse")
+		}()
+	}
+	for i := 0; i < rawStreams; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			streamSubscription(ctx, streamClient, topics, "raw")
+		}()
+	}
+
+	// Start request generators based on traffic weights
+	// Weights from log analysis (normalized to sum ~100):
+	//   poll=49.6, publish_post=21.4, config=4.1, other_get=2.3, account=2.2, publish_put=1.5
+	//   Total short-lived weight ≈ 81.1
+	type requestType struct {
+		name   string
+		weight float64
+		fn     func(ctx context.Context, client *http.Client, topics []string)
+	}
+
+	types := []requestType{
+		{"poll", 49.6, doPoll},
+		{"publish_post", 21.4, doPublishPost},
+		{"config", 4.1, doConfig},
+		{"other_get", 2.3, doOtherGet},
+		{"account", 2.2, doAccountCheck},
+		{"publish_put", 1.5, doPublishPut},
+	}
+
+	totalWeight := 0.0
+	for _, t := range types {
+		totalWeight += t.weight
+	}
+
+	for _, t := range types {
+		t := t
+		typeRPS := rps * (t.weight / totalWeight)
+		if typeRPS < 0.1 {
+			continue
+		}
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			runAtRate(ctx, typeRPS, func() {
+				t.fn(ctx, client, topics)
+			})
+		}()
+	}
+
+	// Stats reporter
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		reportStats(ctx)
+	}()
+
+	wg.Wait()
+	fmt.Printf("\nDone. Total requests: %d, errors: %d\n", totalRequests.Load(), totalErrors.Load())
+}
+
+func trackError(category string, err error) {
+	totalErrors.Add(1)
+	key := fmt.Sprintf("%s: %s", category, truncateErr(err))
+	errMu.Lock()
+	errorCounts[key]++
+	errMu.Unlock()
+}
+
+func trackErrorMsg(category string, msg string) {
+	totalErrors.Add(1)
+	key := fmt.Sprintf("%s: %s", category, msg)
+	errMu.Lock()
+	errorCounts[key]++
+	errMu.Unlock()
+}
+
+func truncateErr(err error) string {
+	s := err.Error()
+	if len(s) > 120 {
+		s = s[:120] + "..."
+	}
+	return s
+}
+
+func setAuth(req *http.Request) {
+	if username != "" && password != "" {
+		req.SetBasicAuth(username, password)
+	}
+}
+
+func generateTopics(n int) []string {
+	topics := make([]string, n)
+	for i := 0; i < n; i++ {
+		b := make([]byte, 8)
+		rand.Read(b)
+		topics[i] = "loadtest-" + hex.EncodeToString(b)
+	}
+	return topics
+}
+
+func pickTopic(topics []string) string {
+	n, _ := rand.Int(rand.Reader, big.NewInt(int64(len(topics))))
+	return topics[n.Int64()]
+}
+
+func randomSince() string {
+	b := make([]byte, 6)
+	rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
+func randomMessage() string {
+	messages := []string{
+		"Test notification",
+		"Server backup completed successfully",
+		"Deployment finished",
+		"Alert: disk usage above 80%",
+		"Build #1234 passed",
+		"New order received",
+		"Temperature sensor reading: 72F",
+		"Cron job completed",
+	}
+	return messages[mrand.Intn(len(messages))]
+}
+
+// runAtRate executes fn at approximately the given rate per second
+func runAtRate(ctx context.Context, rate float64, fn func()) {
+	interval := time.Duration(float64(time.Second) / rate)
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			go fn()
+		}
+	}
+}
+
+// --- Short-lived request types ---
+
+func doPoll(ctx context.Context, client *http.Client, topics []string) {
+	topic := pickTopic(topics)
+	url := fmt.Sprintf("%s/%s/json?poll=1&since=%s", baseURL, topic, randomSince())
+	doGet(ctx, client, url)
+}
+
+func doPublishPost(ctx context.Context, client *http.Client, topics []string) {
+	topic := pickTopic(topics)
+	url := fmt.Sprintf("%s/%s", baseURL, topic)
+	req, err := http.NewRequestWithContext(ctx, "POST", url, strings.NewReader(randomMessage()))
+	if err != nil {
+		trackError("publish_post_req", err)
+		return
+	}
+	setAuth(req)
+	// Some messages have titles/priorities like real traffic
+	if mrand.Float32() < 0.3 {
+		req.Header.Set("X-Title", "Load Test")
+	}
+	if mrand.Float32() < 0.1 {
+		req.Header.Set("X-Priority", fmt.Sprintf("%d", mrand.Intn(5)+1))
+	}
+	resp, err := client.Do(req)
+	totalRequests.Add(1)
+	if err != nil {
+		trackError("publish_post", err)
+		return
+	}
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		trackErrorMsg("publish_post_http", fmt.Sprintf("status %d", resp.StatusCode))
+	}
+}
+
+func doPublishPut(ctx context.Context, client *http.Client, topics []string) {
+	topic := pickTopic(topics)
+	url := fmt.Sprintf("%s/%s", baseURL, topic)
+	req, err := http.NewRequestWithContext(ctx, "PUT", url, strings.NewReader(randomMessage()))
+	if err != nil {
+		trackError("publish_put_req", err)
+		return
+	}
+	setAuth(req)
+	resp, err := client.Do(req)
+	totalRequests.Add(1)
+	if err != nil {
+		trackError("publish_put", err)
+		return
+	}
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		trackErrorMsg("publish_put_http", fmt.Sprintf("status %d", resp.StatusCode))
+	}
+}
+
+func doConfig(ctx context.Context, client *http.Client, topics []string) {
+	url := fmt.Sprintf("%s/v1/config", baseURL)
+	doGet(ctx, client, url)
+}
+
+func doAccountCheck(ctx context.Context, client *http.Client, topics []string) {
+	url := fmt.Sprintf("%s/v1/account", baseURL)
+	doGet(ctx, client, url)
+}
+
+func doOtherGet(ctx context.Context, client *http.Client, topics []string) {
+	topic := pickTopic(topics)
+	url := fmt.Sprintf("%s/%s", baseURL, topic)
+	doGet(ctx, client, url)
+}
+
+func doGet(ctx context.Context, client *http.Client, url string) {
+	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+	if err != nil {
+		trackError("get_req", err)
+		return
+	}
+	setAuth(req)
+	resp, err := client.Do(req)
+	totalRequests.Add(1)
+	if err != nil {
+		trackError("get", err)
+		return
+	}
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		trackErrorMsg("get_http", fmt.Sprintf("status %d for %s", resp.StatusCode, url))
+	}
+}
+
+// --- Long-lived streaming subscriptions ---
+
+func streamSubscription(ctx context.Context, client *http.Client, topics []string, format string) {
+	for {
+		if ctx.Err() != nil {
+			return
+		}
+		topic := pickTopic(topics)
+		url := fmt.Sprintf("%s/%s/%s?since=all", baseURL, topic, format)
+		req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+		if err != nil {
+			time.Sleep(time.Second)
+			continue
+		}
+		setAuth(req)
+		activeStreams.Add(1)
+		resp, err := client.Do(req)
+		if err != nil {
+			activeStreams.Add(-1)
+			if ctx.Err() == nil {
+				trackError("stream_"+format+"_connect", err)
+			}
+			time.Sleep(time.Second)
+			continue
+		}
+		if resp.StatusCode >= 400 {
+			trackErrorMsg("stream_"+format+"_http", fmt.Sprintf("status %d", resp.StatusCode))
+			resp.Body.Close()
+			activeStreams.Add(-1)
+			time.Sleep(time.Second)
+			continue
+		}
+		// Read from stream until context cancelled or connection drops
+		buf := make([]byte, 4096)
+		for {
+			_, err := resp.Body.Read(buf)
+			if err != nil {
+				if ctx.Err() == nil {
+					trackError("stream_"+format+"_read", err)
+				}
+				break
+			}
+		}
+		resp.Body.Close()
+		activeStreams.Add(-1)
+		// Reconnect with small delay (like real clients do)
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(time.Duration(mrand.Intn(3000)) * time.Millisecond):
+		}
+	}
+}
+
+func wsSubscription(ctx context.Context, topics []string) {
+	wsURL := strings.Replace(baseURL, "https://", "wss://", 1)
+	wsURL = strings.Replace(wsURL, "http://", "ws://", 1)
+
+	for {
+		if ctx.Err() != nil {
+			return
+		}
+		topic := pickTopic(topics)
+		url := fmt.Sprintf("%s/%s/ws?since=all", wsURL, topic)
+
+		dialer := websocket.Dialer{
+			HandshakeTimeout: 10 * time.Second,
+		}
+		var wsHeader http.Header
+		if username != "" && password != "" {
+			wsHeader = http.Header{}
+			req, _ := http.NewRequest("GET", url, nil)
+			req.SetBasicAuth(username, password)
+			wsHeader.Set("Authorization", req.Header.Get("Authorization"))
+		}
+		activeStreams.Add(1)
+		conn, _, err := dialer.DialContext(ctx, url, wsHeader)
+		if err != nil {
+			activeStreams.Add(-1)
+			if ctx.Err() == nil {
+				trackError("ws_connect", err)
+			}
+			time.Sleep(time.Second)
+			continue
+		}
+
+		// Read messages until context cancelled or error
+		done := make(chan struct{})
+		go func() {
+			defer close(done)
+			for {
+				conn.SetReadDeadline(time.Now().Add(5 * time.Minute))
+				_, _, err := conn.ReadMessage()
+				if err != nil {
+					return
+				}
+			}
+		}()
+
+		select {
+		case <-ctx.Done():
+			conn.Close()
+			activeStreams.Add(-1)
+			return
+		case <-done:
+			conn.Close()
+			activeStreams.Add(-1)
+		}
+
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(time.Duration(mrand.Intn(3000)) * time.Millisecond):
+		}
+	}
+}
+
+func reportStats(ctx context.Context) {
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	var lastRequests, lastErrors int64
+	lastTime := time.Now()
+	reportCount := 0
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			now := time.Now()
+			currentRequests := totalRequests.Load()
+			currentErrors := totalErrors.Load()
+			elapsed := now.Sub(lastTime).Seconds()
+			currentRPS := float64(currentRequests-lastRequests) / elapsed
+			errorRate := float64(currentErrors-lastErrors) / elapsed
+
+			fmt.Printf("[%s] rps=%.1f err/s=%.1f total=%d errors=%d streams=%d\n",
+				now.Format("15:04:05"),
+				currentRPS,
+				errorRate,
+				currentRequests,
+				currentErrors,
+				activeStreams.Load(),
+			)
+
+			// Print error breakdown every 30 seconds
+			reportCount++
+			if reportCount%6 == 0 && currentErrors > 0 {
+				errMu.Lock()
+				fmt.Printf("  Error breakdown:\n")
+				for k, v := range errorCounts {
+					fmt.Printf("    %s: %d\n", k, v)
+				}
+				errMu.Unlock()
+			}
+
+			lastRequests = currentRequests
+			lastErrors = currentErrors
+			lastTime = now
+		}
+	}
+}
--- a/tools/pgimport/README.md
+++ b/tools/pgimport/README.md
@@ -1,6 +1,10 @@
 # pgimport

-Migrates ntfy data from SQLite to PostgreSQL.
+One-off migration script to import ntfy data from SQLite to PostgreSQL.
+
+This is **not** a generic migration tool. It only works with specific SQLite schema versions
+(message cache v14, user db v6, web push v1) and their corresponding PostgreSQL schemas.
+If your database versions differ, this tool will refuse to run.

 ## Build

@@ -18,13 +22,22 @@ pgimport \
  --auth-file /var/lib/ntfy/user.db \
  --web-push-file /var/lib/ntfy/webpush.db

+# Using --create-schema to set up PostgreSQL schema automatically
+pgimport \
+  --create-schema \
+  --database-url "postgres://user:pass@host:5432/ntfy?sslmode=require" \
+  --cache-file /var/cache/ntfy/cache.db \
+  --auth-file /var/lib/ntfy/user.db \
+  --web-push-file /var/lib/ntfy/webpush.db
+
 # Using server.yml (flags override config values)
 pgimport --config /etc/ntfy/server.yml
 ```

 ## Prerequisites

- PostgreSQL schema must already be set up (run ntfy with `database-url` once)
+- PostgreSQL schema must already be set up, either by running ntfy with `database-url` once,
+  or by passing `--create-schema` to pgimport to create the initial schema automatically
 - ntfy must not be running during the import
 - All three SQLite files are optional; only the ones specified will be imported

--- a/tools/pgimport/main.go
+++ b/tools/pgimport/main.go
@@ -1,3 +1,6 @@
+// pgimport is a one-off migration script to import ntfy data from SQLite to PostgreSQL.
+// It is not a generic migration tool. It expects specific schema versions for each database
+// (message cache v14, user db v6, web push v1) and will refuse to run if versions don't match.
 package main

 import (
@@ -11,7 +14,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"gopkg.in/yaml.v2"
-	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 )

 const (
@@ -20,6 +23,159 @@ const (
 	expectedMessageSchemaVersion = 14
 	expectedUserSchemaVersion    = 6
 	expectedWebPushSchemaVersion = 1
+
+	everyoneID = "u_everyone"
+
+	// Initial PostgreSQL schema for message store (from message/cache_postgres_schema.go)
+	createMessageSchemaQuery = `
+		CREATE TABLE IF NOT EXISTS message (
+			id BIGSERIAL PRIMARY KEY,
+			mid TEXT NOT NULL,
+			sequence_id TEXT NOT NULL,
+			time BIGINT NOT NULL,
+			event TEXT NOT NULL,
+			expires BIGINT NOT NULL,
+			topic TEXT NOT NULL,
+			message TEXT NOT NULL,
+			title TEXT NOT NULL,
+			priority INT NOT NULL,
+			tags TEXT NOT NULL,
+			click TEXT NOT NULL,
+			icon TEXT NOT NULL,
+			actions TEXT NOT NULL,
+			attachment_name TEXT NOT NULL,
+			attachment_type TEXT NOT NULL,
+			attachment_size BIGINT NOT NULL,
+			attachment_expires BIGINT NOT NULL,
+			attachment_url TEXT NOT NULL,
+			attachment_deleted BOOLEAN NOT NULL DEFAULT FALSE,
+			sender TEXT NOT NULL,
+			user_id TEXT NOT NULL,
+			content_type TEXT NOT NULL,
+			encoding TEXT NOT NULL,
+			published BOOLEAN NOT NULL DEFAULT FALSE
+		);
+		CREATE INDEX IF NOT EXISTS idx_message_mid ON message (mid);
+		CREATE INDEX IF NOT EXISTS idx_message_sequence_id ON message (sequence_id);
+		CREATE INDEX IF NOT EXISTS idx_message_topic_published_time ON message (topic, published, time, id);
+		CREATE INDEX IF NOT EXISTS idx_message_published_expires ON message (published, expires);
+		CREATE INDEX IF NOT EXISTS idx_message_sender_attachment_expires ON message (sender, attachment_expires) WHERE user_id = '';
+		CREATE INDEX IF NOT EXISTS idx_message_user_id_attachment_expires ON message (user_id, attachment_expires);
+		CREATE TABLE IF NOT EXISTS message_stats (
+			key TEXT PRIMARY KEY,
+			value BIGINT
+		);
+		INSERT INTO message_stats (key, value) VALUES ('messages', 0);
+		CREATE TABLE IF NOT EXISTS schema_version (
+			store TEXT PRIMARY KEY,
+			version INT NOT NULL
+		);
+		INSERT INTO schema_version (store, version) VALUES ('message', 14);
+	`
+
+	// Initial PostgreSQL schema for user store (from user/manager_postgres_schema.go)
+	createUserSchemaQuery = `
+		CREATE TABLE IF NOT EXISTS tier (
+			id TEXT PRIMARY KEY,
+			code TEXT NOT NULL,
+			name TEXT NOT NULL,
+			messages_limit BIGINT NOT NULL,
+			messages_expiry_duration BIGINT NOT NULL,
+			emails_limit BIGINT NOT NULL,
+			calls_limit BIGINT NOT NULL,
+			reservations_limit BIGINT NOT NULL,
+			attachment_file_size_limit BIGINT NOT NULL,
+			attachment_total_size_limit BIGINT NOT NULL,
+			attachment_expiry_duration BIGINT NOT NULL,
+			attachment_bandwidth_limit BIGINT NOT NULL,
+			stripe_monthly_price_id TEXT,
+			stripe_yearly_price_id TEXT,
+			UNIQUE(code),
+			UNIQUE(stripe_monthly_price_id),
+			UNIQUE(stripe_yearly_price_id)
+		);
+		CREATE TABLE IF NOT EXISTS "user" (
+		    id TEXT PRIMARY KEY,
+			tier_id TEXT REFERENCES tier(id),
+			user_name TEXT NOT NULL UNIQUE,
+			pass TEXT NOT NULL,
+			role TEXT NOT NULL CHECK (role IN ('anonymous', 'admin', 'user')),
+			prefs JSONB NOT NULL DEFAULT '{}',
+			sync_topic TEXT NOT NULL,
+			provisioned BOOLEAN NOT NULL,
+			stats_messages BIGINT NOT NULL DEFAULT 0,
+			stats_emails BIGINT NOT NULL DEFAULT 0,
+			stats_calls BIGINT NOT NULL DEFAULT 0,
+			stripe_customer_id TEXT UNIQUE,
+			stripe_subscription_id TEXT UNIQUE,
+			stripe_subscription_status TEXT,
+			stripe_subscription_interval TEXT,
+			stripe_subscription_paid_until BIGINT,
+			stripe_subscription_cancel_at BIGINT,
+			created BIGINT NOT NULL,
+			deleted BIGINT
+		);
+		CREATE TABLE IF NOT EXISTS user_access (
+			user_id TEXT NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
+			topic TEXT NOT NULL,
+			read BOOLEAN NOT NULL,
+			write BOOLEAN NOT NULL,
+			owner_user_id TEXT REFERENCES "user"(id) ON DELETE CASCADE,
+			provisioned BOOLEAN NOT NULL,
+			PRIMARY KEY (user_id, topic)
+		);
+		CREATE TABLE IF NOT EXISTS user_token (
+			user_id TEXT NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
+			token TEXT NOT NULL UNIQUE,
+			label TEXT NOT NULL,
+			last_access BIGINT NOT NULL,
+			last_origin TEXT NOT NULL,
+			expires BIGINT NOT NULL,
+			provisioned BOOLEAN NOT NULL,
+			PRIMARY KEY (user_id, token)
+		);
+		CREATE TABLE IF NOT EXISTS user_phone (
+			user_id TEXT NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
+			phone_number TEXT NOT NULL,
+			PRIMARY KEY (user_id, phone_number)
+		);
+		CREATE TABLE IF NOT EXISTS schema_version (
+			store TEXT PRIMARY KEY,
+			version INT NOT NULL
+		);
+		INSERT INTO "user" (id, user_name, pass, role, sync_topic, provisioned, created)
+		VALUES ('` + everyoneID + `', '*', '', 'anonymous', '', false, EXTRACT(EPOCH FROM NOW())::BIGINT)
+		ON CONFLICT (id) DO NOTHING;
+		INSERT INTO schema_version (store, version) VALUES ('user', 6);
+	`
+
+	// Initial PostgreSQL schema for web push store (from webpush/store_postgres.go)
+	createWebPushSchemaQuery = `
+		CREATE TABLE IF NOT EXISTS webpush_subscription (
+			id TEXT PRIMARY KEY,
+			endpoint TEXT NOT NULL UNIQUE,
+			key_auth TEXT NOT NULL,
+			key_p256dh TEXT NOT NULL,
+			user_id TEXT NOT NULL,
+			subscriber_ip TEXT NOT NULL,
+			updated_at BIGINT NOT NULL,
+			warned_at BIGINT NOT NULL DEFAULT 0
+		);
+		CREATE INDEX IF NOT EXISTS idx_webpush_subscriber_ip ON webpush_subscription (subscriber_ip);
+		CREATE INDEX IF NOT EXISTS idx_webpush_updated_at ON webpush_subscription (updated_at);
+		CREATE INDEX IF NOT EXISTS idx_webpush_user_id ON webpush_subscription (user_id);
+		CREATE TABLE IF NOT EXISTS webpush_subscription_topic (
+			subscription_id TEXT NOT NULL REFERENCES webpush_subscription (id) ON DELETE CASCADE,
+			topic TEXT NOT NULL,
+			PRIMARY KEY (subscription_id, topic)
+		);
+		CREATE INDEX IF NOT EXISTS idx_webpush_topic ON webpush_subscription_topic (topic);
+		CREATE TABLE IF NOT EXISTS schema_version (
+			store TEXT PRIMARY KEY,
+			version INT NOT NULL
+		);
+		INSERT INTO schema_version (store, version) VALUES ('webpush', 1);
+	`
 )

 var flags = []cli.Flag{
@@ -28,12 +184,13 @@ var flags = []cli.Flag{
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-file", Aliases: []string{"cache_file"}, Usage: "SQLite message cache file path"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"auth_file"}, Usage: "SQLite user/auth database file path"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "web-push-file", Aliases: []string{"web_push_file"}, Usage: "SQLite web push database file path"}),
+	&cli.BoolFlag{Name: "create-schema", Usage: "create initial PostgreSQL schema before importing"},
 }

 func main() {
 	app := &cli.App{
 		Name:      "pgimport",
-		Usage:     "SQLite to PostgreSQL migration tool for ntfy",
+		Usage:     "One-off SQLite to PostgreSQL migration script for ntfy",
 		UsageText: "pgimport [OPTIONS]",
 		Flags:     flags,
 		Before:    loadConfigFile("config", flags),
@@ -79,12 +236,18 @@ func execImport(c *cli.Context) error {
 	}
 	fmt.Println()

-	pgDB, err := db.OpenPostgres(databaseURL)
+	pgDB, err := pg.Open(databaseURL)
 	if err != nil {
 		return fmt.Errorf("cannot connect to PostgreSQL: %w", err)
 	}
 	defer pgDB.Close()

+	if c.Bool("create-schema") {
+		if err := createSchema(pgDB, cacheFile, authFile, webPushFile); err != nil {
+			return fmt.Errorf("cannot create schema: %w", err)
+		}
+	}
+
 	if authFile != "" {
 		if err := verifySchemaVersion(pgDB, "user", expectedUserSchemaVersion); err != nil {
 			return err
@@ -136,6 +299,34 @@ func execImport(c *cli.Context) error {
 	return nil
 }

+func createSchema(pgDB *sql.DB, cacheFile, authFile, webPushFile string) error {
+	fmt.Println("Creating initial PostgreSQL schema ...")
+	// User schema must be created before message schema, because message_stats and
+	// schema_version use "INSERT INTO" without "ON CONFLICT", so user schema (which
+	// also creates the schema_version table) must come first.
+	if authFile != "" {
+		fmt.Println("  Creating user schema ...")
+		if _, err := pgDB.Exec(createUserSchemaQuery); err != nil {
+			return fmt.Errorf("creating user schema: %w", err)
+		}
+	}
+	if cacheFile != "" {
+		fmt.Println("  Creating message schema ...")
+		if _, err := pgDB.Exec(createMessageSchemaQuery); err != nil {
+			return fmt.Errorf("creating message schema: %w", err)
+		}
+	}
+	if webPushFile != "" {
+		fmt.Println("  Creating web push schema ...")
+		if _, err := pgDB.Exec(createWebPushSchemaQuery); err != nil {
+			return fmt.Errorf("creating web push schema: %w", err)
+		}
+	}
+	fmt.Println("  Schema creation complete.")
+	fmt.Println()
+	return nil
+}
+
 func loadConfigFile(configFlag string, flags []cli.Flag) cli.BeforeFunc {
 	return func(c *cli.Context) error {
 		configFile := c.String(configFlag)
--- a/user/manager.go
+++ b/user/manager.go
@@ -13,6 +13,7 @@ import (
 	"time"

 	"golang.org/x/crypto/bcrypt"
+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/log"
 	"heckel.io/ntfy/v2/payments"
 	"heckel.io/ntfy/v2/util"
@@ -122,7 +123,7 @@ func (a *Manager) AddUser(username, password string, role Role, hashed bool) err
 	if err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.addUserTx(tx, username, hash, role, false)
 	})
 }
@@ -150,7 +151,7 @@ func (a *Manager) RemoveUser(username string) error {
 	if err := a.CanChangeUser(username); err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.removeUserTx(tx, username)
 	})
 }
@@ -173,7 +174,7 @@ func (a *Manager) MarkUserRemoved(user *User) error {
 	if !AllowedUsername(user.Name) {
 		return ErrInvalidArgument
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		if err := a.resetUserAccessTx(tx, user.Name); err != nil {
 			return err
 		}
@@ -205,7 +206,7 @@ func (a *Manager) ChangePassword(username, password string, hashed bool) error {
 	if err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.changePasswordHashTx(tx, username, hash)
 	})
 }
@@ -224,7 +225,7 @@ func (a *Manager) ChangeRole(username string, role Role) error {
 	if err := a.CanChangeUser(username); err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.changeRoleTx(tx, username, role)
 	})
 }
@@ -365,7 +366,7 @@ func (a *Manager) writeUserStatsQueue() error {
 	a.statsQueue = make(map[string]*Stats)
 	a.mu.Unlock()

-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		log.Tag(tag).Debug("Writing user stats queue for %d user(s)", len(statsQueue))
 		for userID, update := range statsQueue {
 			log.
@@ -421,33 +422,14 @@ func (a *Manager) UserByStripeCustomer(customerID string) (*User, error) {
 	return a.readUser(rows)
 }

-// Users returns a list of users
+// Users returns a list of users. It loads all users in a single query
+// rather than one query per user to avoid N+1 performance issues.
 func (a *Manager) Users() ([]*User, error) {
-	rows, err := a.db.Query(a.queries.selectUsernames)
+	rows, err := a.db.Query(a.queries.selectUsers)
 	if err != nil {
 		return nil, err
 	}
-	defer rows.Close()
-	usernames := make([]string, 0)
-	for rows.Next() {
-		var username string
-		if err := rows.Scan(&username); err != nil {
-			return nil, err
-		} else if err := rows.Err(); err != nil {
-			return nil, err
-		}
-		usernames = append(usernames, username)
-	}
-	rows.Close()
-	users := make([]*User, 0)
-	for _, username := range usernames {
-		user, err := a.User(username)
-		if err != nil {
-			return nil, err
-		}
-		users = append(users, user)
-	}
-	return users, nil
+	return a.readUsers(rows)
 }

 // UsersCount returns the number of users in the database
@@ -469,14 +451,35 @@ func (a *Manager) UsersCount() (int64, error) {

 func (a *Manager) readUser(rows *sql.Rows) (*User, error) {
 	defer rows.Close()
+	if !rows.Next() {
+		return nil, ErrUserNotFound
+	}
+	user, err := a.scanUser(rows)
+	if err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+func (a *Manager) readUsers(rows *sql.Rows) ([]*User, error) {
+	defer rows.Close()
+	users := make([]*User, 0)
+	for rows.Next() {
+		user, err := a.scanUser(rows)
+		if err != nil {
+			return nil, err
+		}
+		users = append(users, user)
+	}
+	return users, nil
+}
+
+func (a *Manager) scanUser(rows *sql.Rows) (*User, error) {
 	var id, username, hash, role, prefs, syncTopic string
 	var provisioned bool
 	var stripeCustomerID, stripeSubscriptionID, stripeSubscriptionStatus, stripeSubscriptionInterval, stripeMonthlyPriceID, stripeYearlyPriceID, tierID, tierCode, tierName sql.NullString
 	var messages, emails, calls int64
 	var messagesLimit, messagesExpiryDuration, emailsLimit, callsLimit, reservationsLimit, attachmentFileSizeLimit, attachmentTotalSizeLimit, attachmentExpiryDuration, attachmentBandwidthLimit, stripeSubscriptionPaidUntil, stripeSubscriptionCancelAt, deleted sql.NullInt64
-	if !rows.Next() {
-		return nil, ErrUserNotFound
-	}
 	if err := rows.Scan(&id, &username, &hash, &role, &prefs, &syncTopic, &provisioned, &messages, &emails, &calls, &stripeCustomerID, &stripeSubscriptionID, &stripeSubscriptionStatus, &stripeSubscriptionInterval, &stripeSubscriptionPaidUntil, &stripeSubscriptionCancelAt, &deleted, &tierID, &tierCode, &tierName, &messagesLimit, &messagesExpiryDuration, &emailsLimit, &callsLimit, &reservationsLimit, &attachmentFileSizeLimit, &attachmentTotalSizeLimit, &attachmentExpiryDuration, &attachmentBandwidthLimit, &stripeMonthlyPriceID, &stripeYearlyPriceID); err != nil {
 		return nil, err
 	} else if err := rows.Err(); err != nil {
@@ -573,7 +576,7 @@ func (a *Manager) resolvePerms(base, perm Permission) error {
 // read/write access to a topic. The parameter topicPattern may include wildcards (*). The ACL entry
 // owner may either be a user (username), or the system (empty).
 func (a *Manager) AllowAccess(username string, topicPattern string, permission Permission) error {
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.allowAccessTx(tx, username, topicPattern, permission, false)
 	})
 }
@@ -591,7 +594,7 @@ func (a *Manager) allowAccessTx(tx *sql.Tx, username string, topicPattern string
 // ResetAccess removes an access control list entry for a specific username/topic, or (if topic is
 // empty) for an entire user. The parameter topicPattern may include wildcards (*).
 func (a *Manager) ResetAccess(username string, topicPattern string) error {
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		return a.resetAccessTx(tx, username, topicPattern)
 	})
 }
@@ -715,7 +718,7 @@ func (a *Manager) AddReservation(username string, topic string, everyone Permiss
 	if !AllowedUsername(username) || username == Everyone || !AllowedTopic(topic) {
 		return ErrInvalidArgument
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		if err := a.addReservationAccessTx(tx, username, topic, true, true, username); err != nil {
 			return err
 		}
@@ -735,7 +738,7 @@ func (a *Manager) RemoveReservations(username string, topics ...string) error {
 			return ErrInvalidArgument
 		}
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		for _, topic := range topics {
 			if err := a.resetTopicAccessTx(tx, username, topic); err != nil {
 				return err
@@ -874,7 +877,7 @@ func (a *Manager) resetTopicAccessTx(tx *sql.Tx, username, topicPattern string)
 // after a fixed duration unless ChangeToken is called. This function also prunes tokens for the
 // given user, if there are too many of them.
 func (a *Manager) CreateToken(userID, label string, expires time.Time, origin netip.Addr, provisioned bool) (*Token, error) {
-	return queryTx(a.db, func(tx *sql.Tx) (*Token, error) {
+	return db.QueryTx(a.db, func(tx *sql.Tx) (*Token, error) {
 		return a.createTokenTx(tx, userID, GenerateToken(), label, time.Now(), origin, expires, tokenMaxCount, provisioned)
 	})
 }
@@ -1033,7 +1036,7 @@ func (a *Manager) writeTokenUpdateQueue() error {
 	a.tokenQueue = make(map[string]*TokenUpdate)
 	a.mu.Unlock()

-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		log.Tag(tag).Debug("Writing token update queue for %d token(s)", len(tokenQueue))
 		for tokenID, update := range tokenQueue {
 			log.Tag(tag).Trace("Updating token %s with last access time %v", tokenID, update.LastAccess.Unix())
@@ -1243,6 +1246,12 @@ func (a *Manager) maybeProvisionUsersAccessAndTokens() error {
 	if !a.config.ProvisionEnabled {
 		return nil
 	}
+	// If there is nothing to provision, remove any previously provisioned items using
+	// cheap targeted queries, avoiding the expensive Users() call that loads all users.
+	if len(a.config.Users) == 0 && len(a.config.Access) == 0 && len(a.config.Tokens) == 0 {
+		return a.removeAllProvisioned()
+	}
+	// If there are provisioned users, do it the slow way
 	existingUsers, err := a.Users()
 	if err != nil {
 		return err
@@ -1254,7 +1263,7 @@ func (a *Manager) maybeProvisionUsersAccessAndTokens() error {
 	if err != nil {
 		return err
 	}
-	return execTx(a.db, func(tx *sql.Tx) error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
 		if err := a.maybeProvisionUsers(tx, provisionUsernames, existingUsers); err != nil {
 			return fmt.Errorf("failed to provision users: %v", err)
 		}
@@ -1268,6 +1277,23 @@ func (a *Manager) maybeProvisionUsersAccessAndTokens() error {
 	})
 }

+// removeAllProvisioned removes all provisioned users, access entries, and tokens. This is the fast path
+// for when there is nothing to provision, avoiding the expensive Users() call.
+func (a *Manager) removeAllProvisioned() error {
+	return db.ExecTx(a.db, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(a.queries.deleteUserAccessProvisioned); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(a.queries.deleteAllProvisionedTokens); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(a.queries.deleteUsersProvisioned); err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
 // maybeProvisionUsers checks if the users in the config are provisioned, and adds or updates them.
 // It also removes users that are provisioned, but not in the config anymore.
 func (a *Manager) maybeProvisionUsers(tx *sql.Tx, provisionUsernames []string, existingUsers []*User) error {
--- a/user/manager_postgres.go
+++ b/user/manager_postgres.go
@@ -7,6 +7,17 @@ import (
 // PostgreSQL queries
 const (
 	// User queries
+	postgresSelectUsersQuery = `
+		SELECT u.id, u.user_name, u.pass, u.role, u.prefs, u.sync_topic, u.provisioned, u.stats_messages, u.stats_emails, u.stats_calls, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, u.deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.calls_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
+		FROM "user" u
+		LEFT JOIN tier t on t.id = u.tier_id
+		ORDER BY
+			CASE u.role
+				WHEN 'admin' THEN 1
+				WHEN 'anonymous' THEN 3
+				ELSE 2
+			END, u.user_name
+	`
 	postgresSelectUserByIDQuery = `
 		SELECT u.id, u.user_name, u.pass, u.role, u.prefs, u.sync_topic, u.provisioned, u.stats_messages, u.stats_emails, u.stats_calls, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, u.deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.calls_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
 		FROM "user" u
@@ -56,6 +67,7 @@ const (
 	postgresDeleteUserQuery               = `DELETE FROM "user" WHERE user_name = $1`
 	postgresDeleteUserTierQuery           = `UPDATE "user" SET tier_id = null WHERE user_name = $1`
 	postgresDeleteUsersMarkedQuery        = `DELETE FROM "user" WHERE deleted < $1`
+	postgresDeleteUsersProvisionedQuery   = `DELETE FROM "user" WHERE provisioned = true`

 	// Access queries
 	postgresSelectTopicPermsQuery = `
@@ -146,13 +158,14 @@ const (
 		ON CONFLICT (user_id, token)
 		DO UPDATE SET label = excluded.label, expires = excluded.expires, provisioned = excluded.provisioned
 	`
-	postgresUpdateTokenQuery            = `UPDATE user_token SET label = $1, expires = $2 WHERE user_id = $3 AND token = $4`
-	postgresUpdateTokenLastAccessQuery  = `UPDATE user_token SET last_access = $1, last_origin = $2 WHERE token = $3`
-	postgresDeleteTokenQuery            = `DELETE FROM user_token WHERE user_id = $1 AND token = $2`
-	postgresDeleteProvisionedTokenQuery = `DELETE FROM user_token WHERE token = $1`
-	postgresDeleteAllTokenQuery         = `DELETE FROM user_token WHERE user_id = $1`
-	postgresDeleteExpiredTokensQuery    = `DELETE FROM user_token WHERE expires > 0 AND expires < $1`
-	postgresDeleteExcessTokensQuery     = `
+	postgresUpdateTokenQuery                = `UPDATE user_token SET label = $1, expires = $2 WHERE user_id = $3 AND token = $4`
+	postgresUpdateTokenLastAccessQuery      = `UPDATE user_token SET last_access = $1, last_origin = $2 WHERE token = $3`
+	postgresDeleteTokenQuery                = `DELETE FROM user_token WHERE user_id = $1 AND token = $2`
+	postgresDeleteProvisionedTokenQuery     = `DELETE FROM user_token WHERE token = $1`
+	postgresDeleteAllProvisionedTokensQuery = `DELETE FROM user_token WHERE provisioned = true`
+	postgresDeleteAllTokenQuery             = `DELETE FROM user_token WHERE user_id = $1`
+	postgresDeleteExpiredTokensQuery        = `DELETE FROM user_token WHERE expires > 0 AND expires < $1`
+	postgresDeleteExcessTokensQuery         = `
 		DELETE FROM user_token
 		WHERE user_id = $1
 		  AND (user_id, token) NOT IN (
@@ -210,6 +223,7 @@ var postgresQueries = queries{
 	selectUserByToken:            postgresSelectUserByTokenQuery,
 	selectUserByStripeCustomerID: postgresSelectUserByStripeCustomerIDQuery,
 	selectUsernames:              postgresSelectUsernamesQuery,
+	selectUsers:                  postgresSelectUsersQuery,
 	selectUserCount:              postgresSelectUserCountQuery,
 	selectUserIDFromUsername:     postgresSelectUserIDFromUsernameQuery,
 	insertUser:                   postgresInsertUserQuery,
@@ -224,6 +238,7 @@ var postgresQueries = queries{
 	deleteUser:                   postgresDeleteUserQuery,
 	deleteUserTier:               postgresDeleteUserTierQuery,
 	deleteUsersMarked:            postgresDeleteUsersMarkedQuery,
+	deleteUsersProvisioned:       postgresDeleteUsersProvisionedQuery,
 	selectTopicPerms:             postgresSelectTopicPermsQuery,
 	selectUserAllAccess:          postgresSelectUserAllAccessQuery,
 	selectUserAccess:             postgresSelectUserAccessQuery,
@@ -246,6 +261,7 @@ var postgresQueries = queries{
 	updateTokenLastAccess:        postgresUpdateTokenLastAccessQuery,
 	deleteToken:                  postgresDeleteTokenQuery,
 	deleteProvisionedToken:       postgresDeleteProvisionedTokenQuery,
+	deleteAllProvisionedTokens:   postgresDeleteAllProvisionedTokensQuery,
 	deleteAllToken:               postgresDeleteAllTokenQuery,
 	deleteExpiredTokens:          postgresDeleteExpiredTokensQuery,
 	deleteExcessTokens:           postgresDeleteExcessTokensQuery,
--- a/user/manager_sqlite.go
+++ b/user/manager_sqlite.go
@@ -12,6 +12,17 @@ import (

 const (
 	// User queries
+	sqliteSelectUsersQuery = `
+		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.provisioned, u.stats_messages, u.stats_emails, u.stats_calls, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.calls_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
+		FROM user u
+		LEFT JOIN tier t on t.id = u.tier_id
+		ORDER BY
+			CASE u.role
+				WHEN 'admin' THEN 1
+				WHEN 'anonymous' THEN 3
+				ELSE 2
+			END, u.user
+	`
 	sqliteSelectUserByIDQuery = `
 		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.provisioned, u.stats_messages, u.stats_emails, u.stats_calls, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.calls_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
 		FROM user u
@@ -61,6 +72,7 @@ const (
 	sqliteDeleteUserQuery               = `DELETE FROM user WHERE user = ?`
 	sqliteDeleteUserTierQuery           = `UPDATE user SET tier_id = null WHERE user = ?`
 	sqliteDeleteUsersMarkedQuery        = `DELETE FROM user WHERE deleted < ?`
+	sqliteDeleteUsersProvisionedQuery   = `DELETE FROM user WHERE provisioned = 1`

 	// Access queries
 	sqliteSelectTopicPermsQuery = `
@@ -144,13 +156,14 @@ const (
 		ON CONFLICT (user_id, token)
 		DO UPDATE SET label = excluded.label, expires = excluded.expires, provisioned = excluded.provisioned
 	`
-	sqliteUpdateTokenQuery            = `UPDATE user_token SET label = ?, expires = ? WHERE user_id = ? AND token = ?`
-	sqliteUpdateTokenLastAccessQuery  = `UPDATE user_token SET last_access = ?, last_origin = ? WHERE token = ?`
-	sqliteDeleteTokenQuery            = `DELETE FROM user_token WHERE user_id = ? AND token = ?`
-	sqliteDeleteProvisionedTokenQuery = `DELETE FROM user_token WHERE token = ?`
-	sqliteDeleteAllTokenQuery         = `DELETE FROM user_token WHERE user_id = ?`
-	sqliteDeleteExpiredTokensQuery    = `DELETE FROM user_token WHERE expires > 0 AND expires < ?`
-	sqliteDeleteExcessTokensQuery     = `
+	sqliteUpdateTokenQuery                = `UPDATE user_token SET label = ?, expires = ? WHERE user_id = ? AND token = ?`
+	sqliteUpdateTokenLastAccessQuery      = `UPDATE user_token SET last_access = ?, last_origin = ? WHERE token = ?`
+	sqliteDeleteTokenQuery                = `DELETE FROM user_token WHERE user_id = ? AND token = ?`
+	sqliteDeleteProvisionedTokenQuery     = `DELETE FROM user_token WHERE token = ?`
+	sqliteDeleteAllProvisionedTokensQuery = `DELETE FROM user_token WHERE provisioned = 1`
+	sqliteDeleteAllTokenQuery             = `DELETE FROM user_token WHERE user_id = ?`
+	sqliteDeleteExpiredTokensQuery        = `DELETE FROM user_token WHERE expires > 0 AND expires < ?`
+	sqliteDeleteExcessTokensQuery         = `
 		DELETE FROM user_token
 		WHERE user_id = ?
 		  AND (user_id, token) NOT IN (
@@ -207,6 +220,7 @@ var sqliteQueries = queries{
 	selectUserByToken:            sqliteSelectUserByTokenQuery,
 	selectUserByStripeCustomerID: sqliteSelectUserByStripeCustomerIDQuery,
 	selectUsernames:              sqliteSelectUsernamesQuery,
+	selectUsers:                  sqliteSelectUsersQuery,
 	selectUserCount:              sqliteSelectUserCountQuery,
 	selectUserIDFromUsername:     sqliteSelectUserIDFromUsernameQuery,
 	insertUser:                   sqliteInsertUserQuery,
@@ -221,6 +235,7 @@ var sqliteQueries = queries{
 	deleteUser:                   sqliteDeleteUserQuery,
 	deleteUserTier:               sqliteDeleteUserTierQuery,
 	deleteUsersMarked:            sqliteDeleteUsersMarkedQuery,
+	deleteUsersProvisioned:       sqliteDeleteUsersProvisionedQuery,
 	selectTopicPerms:             sqliteSelectTopicPermsQuery,
 	selectUserAllAccess:          sqliteSelectUserAllAccessQuery,
 	selectUserAccess:             sqliteSelectUserAccessQuery,
@@ -243,6 +258,7 @@ var sqliteQueries = queries{
 	updateTokenLastAccess:        sqliteUpdateTokenLastAccessQuery,
 	deleteToken:                  sqliteDeleteTokenQuery,
 	deleteProvisionedToken:       sqliteDeleteProvisionedTokenQuery,
+	deleteAllProvisionedTokens:   sqliteDeleteAllProvisionedTokensQuery,
 	deleteAllToken:               sqliteDeleteAllTokenQuery,
 	deleteExpiredTokens:          sqliteDeleteExpiredTokensQuery,
 	deleteExcessTokens:           sqliteDeleteExcessTokensQuery,
--- a/user/manager_sqlite_schema.go
+++ b/user/manager_sqlite_schema.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"fmt"

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/log"
 	"heckel.io/ntfy/v2/util"
 )
@@ -11,7 +12,6 @@ import (
 // Initial SQLite schema
 const (
 	sqliteCreateTablesQueries = `
-		BEGIN;
 		CREATE TABLE IF NOT EXISTS tier (
 			id TEXT PRIMARY KEY,
 			code TEXT NOT NULL,
@@ -92,7 +92,6 @@ const (
 		INSERT INTO user (id, user, pass, role, sync_topic, provisioned, created)
 		VALUES ('` + everyoneID + `', '*', '', 'anonymous', '', false, UNIXEPOCH())
 		ON CONFLICT (id) DO NOTHING;
-		COMMIT;
 	`
 )

@@ -328,8 +327,7 @@ var (

 func setupSQLite(db *sql.DB) error {
 	var schemaVersion int
-	err := db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion)
-	if err != nil {
+	if err := db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion); err != nil {
 		return setupNewSQLite(db)
 	}
 	if schemaVersion == sqliteCurrentSchemaVersion {
@@ -348,14 +346,16 @@ func setupSQLite(db *sql.DB) error {
 	return nil
 }

-func setupNewSQLite(db *sql.DB) error {
-	if _, err := db.Exec(sqliteCreateTablesQueries); err != nil {
-		return err
-	}
-	if _, err := db.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return nil
+func setupNewSQLite(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteCreateTablesQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }

 func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
@@ -370,114 +370,96 @@ func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
 	return nil
 }

-func sqliteMigrateFrom1(db *sql.DB) error {
+func sqliteMigrateFrom1(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 1 to 2")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	// Rename user -> user_old, and create new tables
-	if _, err := tx.Exec(sqliteMigrate1To2CreateTablesQueries); err != nil {
-		return err
-	}
-	// Insert users from user_old into new user table, with ID and sync_topic
-	rows, err := tx.Query(sqliteMigrate1To2SelectAllOldUsernamesNoTxQuery)
-	if err != nil {
-		return err
-	}
-	defer rows.Close()
-	usernames := make([]string, 0)
-	for rows.Next() {
-		var username string
-		if err := rows.Scan(&username); err != nil {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		// Rename user -> user_old, and create new tables
+		if _, err := tx.Exec(sqliteMigrate1To2CreateTablesQueries); err != nil {
 			return err
 		}
-		usernames = append(usernames, username)
-	}
-	if err := rows.Close(); err != nil {
-		return err
-	}
-	for _, username := range usernames {
-		userID := util.RandomStringPrefix(userIDPrefix, userIDLength)
-		syncTopic := util.RandomStringPrefix(syncTopicPrefix, syncTopicLength)
-		if _, err := tx.Exec(sqliteMigrate1To2InsertUserNoTxQuery, userID, syncTopic, username); err != nil {
+		// Insert users from user_old into new user table, with ID and sync_topic
+		rows, err := tx.Query(sqliteMigrate1To2SelectAllOldUsernamesNoTxQuery)
+		if err != nil {
 			return err
 		}
-	}
-	// Migrate old "access" table to "user_access" and drop "access" and "user_old"
-	if _, err := tx.Exec(sqliteMigrate1To2InsertFromOldTablesAndDropNoTxQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 2); err != nil {
-		return err
-	}
-	if err := tx.Commit(); err != nil {
-		return err
-	}
-	return nil
+		defer rows.Close()
+		usernames := make([]string, 0)
+		for rows.Next() {
+			var username string
+			if err := rows.Scan(&username); err != nil {
+				return err
+			}
+			usernames = append(usernames, username)
+		}
+		if err := rows.Close(); err != nil {
+			return err
+		}
+		for _, username := range usernames {
+			userID := util.RandomStringPrefix(userIDPrefix, userIDLength)
+			syncTopic := util.RandomStringPrefix(syncTopicPrefix, syncTopicLength)
+			if _, err := tx.Exec(sqliteMigrate1To2InsertUserNoTxQuery, userID, syncTopic, username); err != nil {
+				return err
+			}
+		}
+		// Migrate old "access" table to "user_access" and drop "access" and "user_old"
+		if _, err := tx.Exec(sqliteMigrate1To2InsertFromOldTablesAndDropNoTxQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 2); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom2(db *sql.DB) error {
+func sqliteMigrateFrom2(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 2 to 3")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate2To3UpdateQueries); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 3); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate2To3UpdateQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 3); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom3(db *sql.DB) error {
+func sqliteMigrateFrom3(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 3 to 4")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate3To4UpdateQueries); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 4); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate3To4UpdateQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 4); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom4(db *sql.DB) error {
+func sqliteMigrateFrom4(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 4 to 5")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate4To5UpdateQueries); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 5); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate4To5UpdateQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 5); err != nil {
+			return err
+		}
+		return nil
+	})
 }

-func sqliteMigrateFrom5(db *sql.DB) error {
+func sqliteMigrateFrom5(sqlDB *sql.DB) error {
 	log.Tag(tag).Info("Migrating user database schema: from 5 to 6")
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteMigrate5To6UpdateQueries); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 6); err != nil {
-		return err
-	}
-	return tx.Commit()
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteMigrate5To6UpdateQueries); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteUpdateSchemaVersionQuery, 6); err != nil {
+			return err
+		}
+		return nil
+	})
 }
--- a/user/manager_test.go
+++ b/user/manager_test.go
@@ -11,7 +11,7 @@ import (

 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/bcrypt"
-	"heckel.io/ntfy/v2/db"
+	"heckel.io/ntfy/v2/db/pg"
 	dbtest "heckel.io/ntfy/v2/db/test"
 	"heckel.io/ntfy/v2/util"
 )
@@ -36,7 +36,7 @@ func forEachBackend(t *testing.T, f func(t *testing.T, newManager newManagerFunc
 	t.Run("postgres", func(t *testing.T) {
 		schemaDSN := dbtest.CreateTestPostgresSchema(t)
 		f(t, func(config *Config) *Manager {
-			pool, err := db.OpenPostgres(schemaDSN)
+			pool, err := pg.Open(schemaDSN)
 			require.Nil(t, err)
 			a, err := NewPostgresManager(pool, config)
 			require.Nil(t, err)
@@ -1441,6 +1441,54 @@ func TestManager_UpdateNonProvisionedUsersToProvisionedUsers(t *testing.T) {
 	})
 }

+func TestManager_RemoveProvisionedOnEmptyConfig(t *testing.T) {
+	forEachBackend(t, func(t *testing.T, newManager newManagerFunc) {
+		// Start with provisioned users, access, and tokens
+		conf := &Config{
+			DefaultAccess:    PermissionReadWrite,
+			ProvisionEnabled: true,
+			BcryptCost:       bcrypt.MinCost,
+			Users: []*User{
+				{Name: "provuser", Hash: "$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C", Role: RoleUser},
+			},
+			Access: map[string][]*Grant{
+				"provuser": {
+					{TopicPattern: "stats", Permission: PermissionReadWrite},
+				},
+			},
+			Tokens: map[string][]*Token{
+				"provuser": {
+					{Value: "tk_op56p8lz5bf3cxkz9je99v9oc37lo", Label: "Provisioned token"},
+				},
+			},
+		}
+		a := newTestManagerFromConfig(t, newManager, conf)
+
+		// Also add a manual (non-provisioned) user
+		require.Nil(t, a.AddUser("manualuser", "manual", RoleUser, false))
+
+		// Verify initial state
+		users, err := a.Users()
+		require.Nil(t, err)
+		require.Len(t, users, 3) // provuser, manualuser, everyone
+
+		// Re-open with empty provisioning config (simulates config change)
+		require.Nil(t, a.Close())
+		conf.Users = nil
+		conf.Access = nil
+		conf.Tokens = nil
+		a = newTestManagerFromConfig(t, newManager, conf)
+
+		// Provisioned user should be removed, manual user should remain
+		users, err = a.Users()
+		require.Nil(t, err)
+		require.Len(t, users, 2)
+		require.Equal(t, "manualuser", users[0].Name)
+		require.False(t, users[0].Provisioned)
+		require.Equal(t, "*", users[1].Name) // everyone
+	})
+}
+
 func TestToFromSQLWildcard(t *testing.T) {
 	require.Equal(t, "up%", toSQLWildcard("up*"))
 	require.Equal(t, "up\\_%", toSQLWildcard("up_*"))
--- a/user/types.go
+++ b/user/types.go
@@ -283,6 +283,7 @@ type queries struct {
 	selectUserByToken            string
 	selectUserByStripeCustomerID string
 	selectUsernames              string
+	selectUsers                  string
 	selectUserCount              string
 	selectUserIDFromUsername     string
 	insertUser                   string
@@ -297,6 +298,7 @@ type queries struct {
 	deleteUser                   string
 	deleteUserTier               string
 	deleteUsersMarked            string
+	deleteUsersProvisioned       string

 	// Access queries
 	selectTopicPerms            string
@@ -323,6 +325,7 @@ type queries struct {
 	updateTokenLastAccess      string
 	deleteToken                string
 	deleteProvisionedToken     string
+	deleteAllProvisionedTokens string
 	deleteAllToken             string
 	deleteExpiredTokens        string
 	deleteExcessTokens         string
--- a/user/util.go
+++ b/user/util.go
@@ -113,35 +113,3 @@ func escapeUnderscore(s string) string {
 func unescapeUnderscore(s string) string {
 	return strings.ReplaceAll(s, "\\_", "_")
 }
-
-// execTx executes a function in a transaction. If the function returns an error, the transaction is rolled back.
-func execTx(db *sql.DB, f func(tx *sql.Tx) error) error {
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if err := f(tx); err != nil {
-		return err
-	}
-	return tx.Commit()
-}
-
-// queryTx executes a function in a transaction and returns the result. If the function
-// returns an error, the transaction is rolled back.
-func queryTx[T any](db *sql.DB, f func(tx *sql.Tx) (T, error)) (T, error) {
-	tx, err := db.Begin()
-	if err != nil {
-		var zero T
-		return zero, err
-	}
-	defer tx.Rollback()
-	t, err := f(tx)
-	if err != nil {
-		return t, err
-	}
-	if err := tx.Commit(); err != nil {
-		return t, err
-	}
-	return t, nil
-}
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/public/static/langs/hu.json
+++ b/web/public/static/langs/hu.json
@@ -215,5 +215,13 @@
    "alert_notification_permission_denied_title": "Az értesítések blokkolva vannak",
    "alert_notification_permission_denied_description": "Kérjük kapcsold őket vissza a böngésződben",
    "alert_notification_ios_install_required_title": "iOS telepítés szükséges",
-    "alert_not_supported_context_description": "Az értesítések kizárólag HTTPS-en keresztül támogatottak. Ez a <mdnLink>Notifications API</mdnLink> korlátozása."
+    "alert_not_supported_context_description": "Az értesítések kizárólag HTTPS-en keresztül támogatottak. Ez a <mdnLink>Notifications API</mdnLink> korlátozása.",
+    "signup_form_toggle_password_visibility": "Jelszó láthatóságának kapcsolása",
+    "signup_disabled": "A regisztráció le van tiltva",
+    "action_bar_reservation_add": "Téma fenntartása",
+    "action_bar_reservation_edit": "Foglalás módosítása",
+    "action_bar_reservation_delete": "Foglalás törlése",
+    "nav_upgrade_banner_label": "Frissítés ntfy Pro-ra",
+    "nav_upgrade_banner_description": "Témák, több üzenet és e-mail, valamint nagyobb mellékletek megőrzése",
+    "alert_notification_ios_install_required_description": "Kattintson a Megosztás ikonra, majd a Hozzáadás a kezdőképernyőhöz gombra, hogy engedélyezze az értesítéseket iOS rendszeren"
 }
--- a/web/public/static/langs/tr.json
+++ b/web/public/static/langs/tr.json
@@ -403,5 +403,7 @@
    "web_push_subscription_expiring_body": "Bildirimleri almaya devam etmek için ntfy'yi açın",
    "web_push_unknown_notification_title": "Sunucudan bilinmeyen bildirim alındı",
    "web_push_unknown_notification_body": "Web uygulamasını açarak ntfy'yi güncellemeniz gerekebilir",
-    "subscribe_dialog_subscribe_use_another_background_info": "Web uygulaması açık değilken diğer sunuculardan gelen bildirimler alınmayacaktır"
+    "subscribe_dialog_subscribe_use_another_background_info": "Web uygulaması açık değilken diğer sunuculardan gelen bildirimler alınmayacaktır",
+    "account_basics_cannot_edit_or_delete_provisioned_user": "Yetkilendirilmiş kullanıcı düzenlenemez veya silinemez",
+    "account_tokens_table_cannot_delete_or_edit_provisioned_token": "Sağlanmış belirteci düzenleyemez veya silemezsiniz"
 }
--- a/web/public/static/langs/zh_Hant.json
+++ b/web/public/static/langs/zh_Hant.json
@@ -361,7 +361,7 @@
    "publish_dialog_tags_placeholder": "英文逗號分隔標記列表，例如 warning, srv1-backup",
    "publish_dialog_title_label": "主題",
    "publish_dialog_title_no_topic": "發布通知",
-    "publish_dialog_title_placeholder": "主題標題，例如 磁碟空間警告",
+    "publish_dialog_title_placeholder": "主題標題，例如：磁碟空間警告",
    "publish_dialog_title_topic": "發布到 {{topic}}",
    "publish_dialog_topic_label": "主題名稱",
    "publish_dialog_topic_placeholder": "主題名稱，例如 phil_alerts",
--- a/webpush/store.go
+++ b/webpush/store.go
@@ -6,6 +6,7 @@ import (
 	"net/netip"
 	"time"

+	"heckel.io/ntfy/v2/db"
 	"heckel.io/ntfy/v2/util"
 )

@@ -46,41 +47,38 @@ type queries struct {

 // UpsertSubscription adds or updates Web Push subscriptions for the given topics and user ID.
 func (s *Store) UpsertSubscription(endpoint string, auth, p256dh, userID string, subscriberIP netip.Addr, topics []string) error {
-	tx, err := s.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	// Read number of subscriptions for subscriber IP address
-	var subscriptionCount int
-	if err := tx.QueryRow(s.queries.selectSubscriptionCountBySubscriberIP, subscriberIP.String()).Scan(&subscriptionCount); err != nil {
-		return err
-	}
-	// Read existing subscription ID for endpoint (or create new ID)
-	var subscriptionID string
-	if err := tx.QueryRow(s.queries.selectSubscriptionIDByEndpoint, endpoint).Scan(&subscriptionID); errors.Is(err, sql.ErrNoRows) {
-		if subscriptionCount >= subscriptionEndpointLimitPerSubscriberIP {
-			return ErrWebPushTooManySubscriptions
-		}
-		subscriptionID = util.RandomStringPrefix(subscriptionIDPrefix, subscriptionIDLength)
-	} else if err != nil {
-		return err
-	}
-	// Insert or update subscription
-	updatedAt, warnedAt := time.Now().Unix(), 0
-	if _, err := tx.Exec(s.queries.upsertSubscription, subscriptionID, endpoint, auth, p256dh, userID, subscriberIP.String(), updatedAt, warnedAt); err != nil {
-		return err
-	}
-	// Replace all subscription topics
-	if _, err := tx.Exec(s.queries.deleteSubscriptionTopicAll, subscriptionID); err != nil {
-		return err
-	}
-	for _, topic := range topics {
-		if _, err = tx.Exec(s.queries.insertSubscriptionTopic, subscriptionID, topic); err != nil {
+	return db.ExecTx(s.db, func(tx *sql.Tx) error {
+		// Read number of subscriptions for subscriber IP address
+		var subscriptionCount int
+		if err := tx.QueryRow(s.queries.selectSubscriptionCountBySubscriberIP, subscriberIP.String()).Scan(&subscriptionCount); err != nil {
 			return err
 		}
-	}
-	return tx.Commit()
+		// Read existing subscription ID for endpoint (or create new ID)
+		var subscriptionID string
+		if err := tx.QueryRow(s.queries.selectSubscriptionIDByEndpoint, endpoint).Scan(&subscriptionID); errors.Is(err, sql.ErrNoRows) {
+			if subscriptionCount >= subscriptionEndpointLimitPerSubscriberIP {
+				return ErrWebPushTooManySubscriptions
+			}
+			subscriptionID = util.RandomStringPrefix(subscriptionIDPrefix, subscriptionIDLength)
+		} else if err != nil {
+			return err
+		}
+		// Insert or update subscription
+		updatedAt, warnedAt := time.Now().Unix(), 0
+		if _, err := tx.Exec(s.queries.upsertSubscription, subscriptionID, endpoint, auth, p256dh, userID, subscriberIP.String(), updatedAt, warnedAt); err != nil {
+			return err
+		}
+		// Replace all subscription topics
+		if _, err := tx.Exec(s.queries.deleteSubscriptionTopicAll, subscriptionID); err != nil {
+			return err
+		}
+		for _, topic := range topics {
+			if _, err := tx.Exec(s.queries.insertSubscriptionTopic, subscriptionID, topic); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
 }

 // SubscriptionsForTopic returns all subscriptions for the given topic.
@@ -105,17 +103,14 @@ func (s *Store) SubscriptionsExpiring(warnAfter time.Duration) ([]*Subscription,

 // MarkExpiryWarningSent marks the given subscriptions as having received a warning about expiring soon.
 func (s *Store) MarkExpiryWarningSent(subscriptions []*Subscription) error {
-	tx, err := s.db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	for _, subscription := range subscriptions {
-		if _, err := tx.Exec(s.queries.updateSubscriptionWarningSent, time.Now().Unix(), subscription.ID); err != nil {
-			return err
+	return db.ExecTx(s.db, func(tx *sql.Tx) error {
+		for _, subscription := range subscriptions {
+			if _, err := tx.Exec(s.queries.updateSubscriptionWarningSent, time.Now().Unix(), subscription.ID); err != nil {
+				return err
+			}
 		}
-	}
-	return tx.Commit()
+		return nil
+	})
 }

 // RemoveSubscriptionsByEndpoint removes the subscription for the given endpoint.
@@ -135,12 +130,13 @@ func (s *Store) RemoveSubscriptionsByUserID(userID string) error {

 // RemoveExpiredSubscriptions removes all subscriptions that have not been updated for a given time period.
 func (s *Store) RemoveExpiredSubscriptions(expireAfter time.Duration) error {
-	_, err := s.db.Exec(s.queries.deleteSubscriptionByAge, time.Now().Add(-expireAfter).Unix())
-	if err != nil {
+	return db.ExecTx(s.db, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(s.queries.deleteSubscriptionByAge, time.Now().Add(-expireAfter).Unix()); err != nil {
+			return err
+		}
+		_, err := tx.Exec(s.queries.deleteSubscriptionTopicWithoutSubscription)
 		return err
-	}
-	_, err = s.db.Exec(s.queries.deleteSubscriptionTopicWithoutSubscription)
-	return err
+	})
 }

 // SetSubscriptionUpdatedAt updates the updated_at timestamp for a subscription by endpoint. This is
--- a/webpush/store_postgres.go
+++ b/webpush/store_postgres.go
@@ -3,6 +3,8 @@ package webpush
 import (
 	"database/sql"
 	"fmt"
+
+	"heckel.io/ntfy/v2/db"
 )

 const (
@@ -107,17 +109,14 @@ func setupPostgres(db *sql.DB) error {
 	return nil
 }

-func setupNewPostgres(db *sql.DB) error {
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(postgresCreateTablesQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(postgresInsertSchemaVersionQuery, pgCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return tx.Commit()
+func setupNewPostgres(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(postgresCreateTablesQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(postgresInsertSchemaVersionQuery, pgCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }
--- a/webpush/store_sqlite.go
+++ b/webpush/store_sqlite.go
@@ -5,6 +5,8 @@ import (
 	"fmt"

 	_ "github.com/mattn/go-sqlite3" // SQLite driver
+
+	"heckel.io/ntfy/v2/db"
 )

 const (
@@ -109,29 +111,24 @@ func NewSQLiteStore(filename, startupQueries string) (*Store, error) {

 func setupSQLite(db *sql.DB) error {
 	var schemaVersion int
-	err := db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion)
-	if err != nil {
+	if err := db.QueryRow(sqliteSelectSchemaVersionQuery).Scan(&schemaVersion); err != nil {
 		return setupNewSQLite(db)
-	}
-	if schemaVersion > sqliteCurrentSchemaVersion {
+	} else if schemaVersion > sqliteCurrentSchemaVersion {
 		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, sqliteCurrentSchemaVersion)
 	}
 	return nil
 }

-func setupNewSQLite(db *sql.DB) error {
-	tx, err := db.Begin()
-	if err != nil {
-		return err
-	}
-	defer tx.Rollback()
-	if _, err := tx.Exec(sqliteCreateTablesQuery); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
-		return err
-	}
-	return tx.Commit()
+func setupNewSQLite(sqlDB *sql.DB) error {
+	return db.ExecTx(sqlDB, func(tx *sql.Tx) error {
+		if _, err := tx.Exec(sqliteCreateTablesQuery); err != nil {
+			return err
+		}
+		if _, err := tx.Exec(sqliteInsertSchemaVersionQuery, sqliteCurrentSchemaVersion); err != nil {
+			return err
+		}
+		return nil
+	})
 }

 func runSQLiteStartupQueries(db *sql.DB, startupQueries string) error {
Author	SHA1	Message	Date
binwiederhier	fcf95dc9b8	Fix release notes	2026-03-07 16:17:00 -05:00
binwiederhier	79c3ab9ecc	Bump version	2026-03-07 16:07:38 -05:00
binwiederhier	d51465fb6a	Release notes	2026-03-07 08:51:57 -05:00
binwiederhier	0b189f65ff	Loadtest username/pass	2026-03-06 15:52:53 -05:00
binwiederhier	0d4b1b00e6	Users() optimization to help with startup time	2026-03-06 14:46:53 -05:00
binwiederhier	28c3fd5cbe	BUmp	2026-03-06 12:50:49 -05:00
binwiederhier	62bb335675	Grr	2026-03-04 22:42:45 -05:00
binwiederhier	70fb2732af	Merge branch 'main' into postgres-support	2026-03-04 22:35:38 -05:00
binwiederhier	8e91e028a0	Fix coverage issue	2026-03-04 22:34:34 -05:00
binwiederhier	6d22f568f9	Merge branch 'main' into postgres-support	2026-03-04 21:07:40 -05:00
binwiederhier	59e6c16633	Fix cov test	2026-03-04 21:07:21 -05:00
binwiederhier	2e0b934bc2	Merge branch 'main' into postgres-support	2026-03-04 20:51:25 -05:00
binwiederhier	4f4a093f8d	Merge branch 'main' of https://hosted.weblate.org/git/ntfy/web	2026-03-04 20:50:28 -05:00
binwiederhier	5610b7c56d	Bump	2026-03-04 20:49:18 -05:00
binwiederhier	d4038f566c	Release notes	2026-03-04 20:48:30 -05:00
binwiederhier	bff2b47eb6	Simplify schema reading	2026-03-03 14:52:29 -05:00
binwiederhier	33b19814c7	Transactions	2026-03-03 14:42:36 -05:00
binwiederhier	fb26e7ef3a	BUmp	2026-03-03 09:42:59 -05:00
binwiederhier	66449bd19b	pgimport readme	2026-03-02 20:15:35 -05:00
binwiederhier	bedbb121e4	Remove codecov.io	2026-03-02 20:05:29 -05:00
binwiederhier	c4b8cfa756	Manual correction	2026-03-02 20:04:03 -05:00
binwiederhier	c864a9baeb	Put more things in tx	2026-03-02 19:58:26 -05:00
binwiederhier	8afeb813d9	Move OpenPostgres	2026-03-02 19:52:36 -05:00
binwiederhier	ea4739f79b	Extract ExecTx	2026-03-02 19:45:35 -05:00
Philipp C. Heckel	941c43c10b	Merge pull request #1622 from acress1/patch-1 Update ntfy.tedomum.net URL to ntfy.tedomum.fr	2026-03-01 12:19:44 -05:00
Philipp C. Heckel	af76aa011d	Merge pull request #1629 from azrikahar/docs-config-access-token docs: fix references in access token examples	2026-03-01 12:19:10 -05:00
azrikahar	b937b44f2d	undo unrelated formatting changes	2026-02-28 15:06:37 +08:00
azrikahar	e618cf1a39	mention token in private instance example	2026-02-28 15:03:09 +08:00
azrikahar	e9cf2b5523	align backup-script user references in private instance section	2026-02-28 14:56:40 +08:00
azrikahar	c49a8179cf	align backup-service user references in token via the config section	2026-02-28 14:55:25 +08:00
Bora Atıcı	a1cca7972d	Translated using Weblate (Turkish) Currently translated at 100.0% (407 of 407 strings) Translation: ntfy/Web app Translate-URL: https://hosted.weblate.org/projects/ntfy/web/tr/	2026-02-27 09:09:49 +01:00
ezn24	da1c7b1949	Translated using Weblate (Chinese (Traditional Han script)) Currently translated at 100.0% (407 of 407 strings) Translation: ntfy/Web app Translate-URL: https://hosted.weblate.org/projects/ntfy/web/zh_Hant/	2026-02-27 09:09:47 +01:00
acress1	0d375d3a08	Update ntfy.tedomum.net URL to ntfy.tedomum.fr	2026-02-23 09:22:38 +01:00
Gergő Mihály	390cff0604	Translated using Weblate (Hungarian) Currently translated at 55.2% (225 of 407 strings) Translation: ntfy/Web app Translate-URL: https://hosted.weblate.org/projects/ntfy/web/hu/	2026-02-22 13:09:46 +00:00