Payments webhook test, delete attachments/messages when reservations are removed,

Deleting account deletes subscription
Allow mocking the Stripe API
2026-01-19 00:27:25 +01:00 · 2023-01-20 22:47:37 -05:00 · 2023-01-19 14:03:39 -05:00 · 2023-01-18 23:01:26 -05:00 · 2023-01-18 15:50:06 -05:00 · 2023-01-18 13:46:40 -05:00
271 changed files with 57448 additions and 5345 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: [binwiederhier]
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,39 @@
+name: build
+on: [push, pull_request]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '1.18.x'
+      -
+        name: Install node
+        uses: actions/setup-node@v2
+        with:
+          node-version: '17'
+      -
+        name: Checkout code
+        uses: actions/checkout@v2
+      -
+        name: Cache Go and npm modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/go/bin
+            ~/.npm
+            web/node_modules
+          key: ${{ runner.os }}-ntfy-${{ hashFiles('**/go.sum', '**/package.lock') }}
+          restore-keys: ${{ runner.os }}-ntfy-
+      -
+        name: Install dependencies
+        run: make build-deps-ubuntu
+      -
+        name: Build all the things
+        run: make build
+      -
+        name: Print build results and checksums
+        run: make cli-build-results
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -0,0 +1,36 @@
+name: docs
+on:
+  push:
+    branches:
+      - main
+jobs:
+  publish-docs:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout ntfy code
+        uses: actions/checkout@v3
+      -
+        name: Checkout docs pages code
+        uses: actions/checkout@v3
+        with:
+          repository: binwiederhier/ntfy-docs.github.io
+          path: build/ntfy-docs.github.io
+          token: ${{secrets.NTFY_DOCS_PUSH_TOKEN}}
+          # Expires after 1 year, re-generate via
+          # User -> Settings -> Developer options -> Personal Access Tokens -> Fine Grained Token
+      -
+        name: Build docs
+        run: make docs
+      -
+        name: Copy generated docs
+        run: rsync -av --exclude CNAME --delete server/docs/ build/ntfy-docs.github.io/docs/
+      -
+        name: Publish docs
+        run: |
+          cd build/ntfy-docs.github.io
+          git config user.name "GitHub Actions Bot"
+          git config user.email "<>"          
+          git add docs/
+          git commit -m "Updated docs"
+          git push origin main
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,50 @@
+name: release
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '1.18.x'
+      -
+        name: Install node
+        uses: actions/setup-node@v2
+        with:
+          node-version: '17'
+      -
+        name: Checkout code
+        uses: actions/checkout@v2
+      -
+        name: Cache Go and npm modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/go/bin
+            ~/.npm
+            web/node_modules
+          key: ${{ runner.os }}-ntfy-${{ hashFiles('**/go.sum', '**/package.lock') }}
+          restore-keys: ${{ runner.os }}-ntfy-
+      -
+        name: Docker login
+        uses: docker/login-action@v2
+        with:
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      -
+        name: Install dependencies
+        run: make build-deps-ubuntu
+      -
+        name: Build and publish
+        run: make release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Print build results and checksums
+        run: make cli-build-results
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -4,19 +4,45 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - name: Install Go
+      -
+        name: Install Go
        uses: actions/setup-go@v2
        with:
-          go-version: '1.17.x'
-      - name: Checkout code
+          go-version: '1.18.x'
+      -
+        name: Install node
+        uses: actions/setup-node@v2
+        with:
+          node-version: '17'
+      -
+        name: Checkout code
        uses: actions/checkout@v2
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y python3-pip curl
-      - name: Build docs (required for tests)
+      -
+        name: Cache Go and npm modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/go/bin
+            ~/.npm
+            web/node_modules
+          key: ${{ runner.os }}-ntfy-${{ hashFiles('**/go.sum', '**/package.lock') }}
+          restore-keys: ${{ runner.os }}-ntfy-
+      -
+        name: Install dependencies
+        run: make build-deps-ubuntu
+      -
+        name: Build docs (required for tests)
        run: make docs
-      - name: Run tests, formatting, vetting and linting
+      -
+        name: Build web app (required for tests)
+        run: make web
+      -
+        name: Run tests, formatting, vetting and linting
        run: make check
-      - name: Run coverage
+      -
+        name: Run coverage
        run: make coverage
-      - name: Upload coverage to codecov.io
+      -
+        name: Upload coverage to codecov.io
        run: make coverage-upload
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,13 @@
 dist/
 build/
 .idea/
+.vscode/
+*.swp
 server/docs/
+server/site/
 tools/fbsend/fbsend
 playground/
+secrets/
 *.iml
+node_modules/
+.DS_Store
--- a/.gitpod.yml
+++ b/.gitpod.yml
@@ -0,0 +1,28 @@
+tasks:
+  - name: docs
+    before: make docs-deps
+    command: mkdocs serve
+  - name: binary
+    before: |
+      npm install --global nodemon
+      make cli-deps-static-sites
+    command: |
+      nodemon --watch './**/*.go' --ext go --signal SIGTERM --exec "CGO_ENABLED=1 go run main.go serve --listen-http :2586 --debug --base-url $(gp url 2586)"
+    openMode: split-right
+  - name: web
+    before: make web-deps
+    command: cd web && npm start
+    openMode: split-right
+
+vscode:
+  extensions:
+    - golang.go
+    - ms-azuretools.vscode-docker
+
+ports:
+  - name: docs
+    port: 8000
+  - name: binary
+    port: 2586
+  - name: web
+    port: 3000
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -4,7 +4,7 @@ before:
    - go mod tidy
 builds:
  -
-    id: ntfy
+    id: ntfy_linux_amd64
    binary: ntfy
    env:
      - CGO_ENABLED=1 # required for go-sqlite3
@@ -13,11 +13,20 @@ builds:
      - "-linkmode=external -extldflags=-static -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}"
    goos: [linux]
    goarch: [amd64]
-    hooks:
-      post:
-        - upx "{{ .Path }}" # apt install upx
  -
-    id: ntfy_armv7
+    id: ntfy_linux_armv6
+    binary: ntfy
+    env:
+      - CGO_ENABLED=1 # required for go-sqlite3
+      - CC=arm-linux-gnueabi-gcc # apt install gcc-arm-linux-gnueabi
+    tags: [sqlite_omit_load_extension,osusergo,netgo]
+    ldflags:
+      - "-linkmode=external -extldflags=-static -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}"
+    goos: [linux]
+    goarch: [arm]
+    goarm: [6]
+  -
+    id: ntfy_linux_armv7
    binary: ntfy
    env:
      - CGO_ENABLED=1 # required for go-sqlite3
@@ -28,11 +37,8 @@ builds:
    goos: [linux]
    goarch: [arm]
    goarm: [7]
-    hooks:
-      post:
-        - upx "{{ .Path }}" # apt install upx
  -
-    id: ntfy_arm64
+    id: ntfy_linux_arm64
    binary: ntfy
    env:
      - CGO_ENABLED=1 # required for go-sqlite3
@@ -42,9 +48,26 @@ builds:
      - "-linkmode=external -extldflags=-static -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}"
    goos: [linux]
    goarch: [arm64]
-    hooks:
-      post:
-        - upx "{{ .Path }}" # apt install upx
+  -
+    id: ntfy_windows_amd64
+    binary: ntfy
+    env:
+      - CGO_ENABLED=0 # explicitly disable, since we don't need go-sqlite3
+    tags: [noserver] # don't include server files
+    ldflags:
+      - "-X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}"
+    goos: [windows]
+    goarch: [amd64]
+  -
+    id: ntfy_darwin_all
+    binary: ntfy
+    env:
+      - CGO_ENABLED=0 # explicitly disable, since we don't need go-sqlite3
+    tags: [noserver] # don't include server files
+    ldflags:
+      - "-X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}"
+    goos: [darwin]
+    goarch: [amd64, arm64] # will be combined to "universal binary" (see below)
 nfpms:
  -
    package_name: ntfy
@@ -59,12 +82,12 @@ nfpms:
    contents:
      - src: server/server.yml
        dst: /etc/ntfy/server.yml
-        type: config
+        type: "config|noreplace"
      - src: server/ntfy.service
        dst: /lib/systemd/system/ntfy.service
      - src: client/client.yml
        dst: /etc/ntfy/client.yml
-        type: config
+        type: "config|noreplace"
      - src: client/ntfy-client.service
        dst: /lib/systemd/system/ntfy-client.service
      - dst: /var/cache/ntfy
@@ -74,7 +97,7 @@ nfpms:
      - dst: /var/lib/ntfy
        type: dir
      - dst: /usr/share/ntfy/logo.png
-        src: server/static/img/ntfy.png
+        src: web/public/static/img/ntfy.png
    scripts:
      preinstall: "scripts/preinst.sh"
      postinstall: "scripts/postinst.sh"
@@ -82,6 +105,12 @@ nfpms:
      postremove: "scripts/postrm.sh"
 archives:
  -
+    id: ntfy_linux
+    builds:
+      - ntfy_linux_amd64
+      - ntfy_linux_armv6
+      - ntfy_linux_armv7
+      - ntfy_linux_arm64
    wrap_in_directory: true
    files:
      - LICENSE
@@ -91,8 +120,35 @@ archives:
      - client/client.yml
      - client/ntfy-client.service
    replacements:
-      386: i386
      amd64: x86_64
+  -
+    id: ntfy_windows
+    builds:
+      - ntfy_windows_amd64
+    format: zip
+    wrap_in_directory: true
+    files:
+      - LICENSE
+      - README.md
+      - client/client.yml
+    replacements:
+      amd64: x86_64
+  -
+    id: ntfy_darwin
+    builds:
+      - ntfy_darwin_all
+    wrap_in_directory: true
+    files:
+      - LICENSE
+      - README.md
+      - client/client.yml
+    replacements:
+      darwin: macOS
+universal_binaries:
+  -
+    id: ntfy_darwin_all
+    replace: true
+    name_template: ntfy
 checksum:
  name_template: 'checksums.txt'
 snapshot:
@@ -126,14 +182,24 @@ dockers:
    goarm: 7
    build_flag_templates:
      - "--platform=linux/arm/v7"
+  - image_templates:
+      - &armv6_image "binwiederhier/ntfy:{{ .Tag }}-armv6"
+    use: buildx
+    dockerfile: Dockerfile
+    goarch: arm
+    goarm: 6
+    build_flag_templates:
+      - "--platform=linux/arm/v6"
 docker_manifests:
  - name_template: "binwiederhier/ntfy:latest"
    image_templates:
      - *amd64_image
      - *arm64v8_image
      - *armv7_image
+      - *armv6_image
  - name_template: "binwiederhier/ntfy:{{ .Tag }}"
    image_templates:
      - *amd64_image
      - *arm64v8_image
      - *armv7_image
+      - *armv6_image
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,133 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement via Discord/Matrix (binwiederhier),
+or email (ntfy@heckel.io). All complaints will be reviewed and investigated promptly 
+and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations
+
--- a/4
+++ b/4
@@ -2,4 +2,8 @@ FROM alpine
 MAINTAINER Philipp C. Heckel <philipp.heckel@gmail.com>

 COPY ntfy /usr/bin
+
+HEALTHCHECK --interval=60s --timeout=10s CMD wget -q --tries=1 http://localhost/v1/health -O - | grep -Eo '"healthy"\s*:\s*true' || exit 1
+
+EXPOSE 80/tcp
 ENTRYPOINT ["ntfy"]
--- a/316
+++ b/316
@@ -1,48 +1,230 @@
+MAKEFLAGS := --jobs=1
 VERSION := $(shell git describe --tag)
+COMMIT := $(shell git rev-parse --short HEAD)

 .PHONY:

 help:
-	@echo "Typical commands:"
-	@echo "  make check                       - Run all tests, vetting/formatting checks and linters"
-	@echo "  make fmt build-snapshot install  - Build latest and install to local system"
+	@echo "Typical commands (more see below):"
+	@echo "  make build                      - Build web app, documentation and server/client (sloowwww)"
+	@echo "  make cli-linux-amd64            - Build server/client binary (amd64, no web app or docs)"
+	@echo "  make install-linux-amd64        - Install ntfy binary to /usr/bin/ntfy (amd64)"
+	@echo "  make web                        - Build the web app"
+	@echo "  make docs                       - Build the documentation"
+	@echo "  make check                      - Run all tests, vetting/formatting checks and linters"
+	@echo
+	@echo "Build everything:"
+	@echo "  make build                      - Build web app, documentation and server/client"
+	@echo "  make clean                      - Clean build/dist folders"
+	@echo
+	@echo "Build server & client (using GoReleaser, not release version):"
+	@echo "  make cli                        - Build server & client (all architectures)"
+	@echo "  make cli-linux-amd64            - Build server & client (Linux, amd64 only)"
+	@echo "  make cli-linux-armv6            - Build server & client (Linux, armv6 only)"
+	@echo "  make cli-linux-armv7            - Build server & client (Linux, armv7 only)"
+	@echo "  make cli-linux-arm64            - Build server & client (Linux, arm64 only)"
+	@echo "  make cli-windows-amd64          - Build client (Windows, amd64 only)"
+	@echo "  make cli-darwin-all             - Build client (macOS, arm64+amd64 universal binary)"
+	@echo
+	@echo "Build server & client (without GoReleaser):"
+	@echo "  make cli-linux-server           - Build client & server (no GoReleaser, current arch, Linux)"
+	@echo "  make cli-darwin-server          - Build client & server (no GoReleaser, current arch, macOS)"
+	@echo "  make cli-client                 - Build client only (no GoReleaser, current arch, Linux/macOS/Windows)"
+	@echo
+	@echo "Build web app:"
+	@echo "  make web                        - Build the web app"
+	@echo "  make web-deps                   - Install web app dependencies (npm install the universe)"
+	@echo "  make web-build                  - Actually build the web app"
+	@echo
+	@echo "Build documentation:"
+	@echo "  make docs                       - Build the documentation"
+	@echo "  make docs-deps                  - Install Python dependencies (pip3 install)"
+	@echo "  make docs-build                 - Actually build the documentation"
 	@echo
 	@echo "Test/check:"
-	@echo "  make test                        - Run tests"
-	@echo "  make race                        - Run tests with -race flag"
-	@echo "  make coverage                    - Run tests and show coverage"
-	@echo "  make coverage-html               - Run tests and show coverage (as HTML)"
-	@echo "  make coverage-upload             - Upload coverage results to codecov.io"
+	@echo "  make test                       - Run tests"
+	@echo "  make race                       - Run tests with -race flag"
+	@echo "  make coverage                   - Run tests and show coverage"
+	@echo "  make coverage-html              - Run tests and show coverage (as HTML)"
+	@echo "  make coverage-upload            - Upload coverage results to codecov.io"
 	@echo
 	@echo "Lint/format:"
-	@echo "  make fmt                         - Run 'go fmt'"
-	@echo "  make fmt-check                   - Run 'go fmt', but don't change anything"
-	@echo "  make vet                         - Run 'go vet'"
-	@echo "  make lint                        - Run 'golint'"
-	@echo "  make staticcheck                 - Run 'staticcheck'"
+	@echo "  make fmt                        - Run 'go fmt'"
+	@echo "  make fmt-check                  - Run 'go fmt', but don't change anything"
+	@echo "  make vet                        - Run 'go vet'"
+	@echo "  make lint                       - Run 'golint'"
+	@echo "  make staticcheck                - Run 'staticcheck'"
 	@echo
-	@echo "Build:"
-	@echo "  make build                       - Build"
-	@echo "  make build-snapshot              - Build snapshot"
-	@echo "  make build-simple                - Build (using go build, without goreleaser)"
-	@echo "  make clean                       - Clean build folder"
-	@echo
-	@echo "Releasing (requires goreleaser):"
-	@echo "  make release                     - Create a release"
-	@echo "  make release-snapshot            - Create a test release"
+	@echo "Releasing:"
+	@echo "  make release                    - Create a release"
+	@echo "  make release-snapshot           - Create a test release"
 	@echo
 	@echo "Install locally (requires sudo):"
-	@echo "  make install                     - Copy binary from dist/ to /usr/bin"
-	@echo "  make install-deb                 - Install .deb from dist/"
-	@echo "  make install-lint                - Install golint"
+	@echo "  make install-linux-amd64        - Copy amd64 binary from dist/ to /usr/bin/ntfy"
+	@echo "  make install-linux-armv6        - Copy armv6 binary from dist/ to /usr/bin/ntfy"
+	@echo "  make install-linux-armv7        - Copy armv7 binary from dist/ to /usr/bin/ntfy"
+	@echo "  make install-linux-arm64        - Copy arm64 binary from dist/ to /usr/bin/ntfy"
+	@echo "  make install-linux-deb-amd64    - Install .deb from dist/ (amd64 only)"
+	@echo "  make install-linux-deb-armv6    - Install .deb from dist/ (armv6 only)"
+	@echo "  make install-linux-deb-armv7    - Install .deb from dist/ (armv7 only)"
+	@echo "  make install-linux-deb-arm64    - Install .deb from dist/ (arm64 only)"


+# Building everything
+
+clean: .PHONY
+	rm -rf dist build server/docs server/site
+
+build: web docs cli
+
+update: web-deps-update cli-deps-update docs-deps-update
+	docker pull alpine
+
+# Ubuntu-specific
+
+build-deps-ubuntu:
+	sudo apt update
+	sudo apt install -y \
+		curl \
+		gcc-aarch64-linux-gnu \
+		gcc-arm-linux-gnueabi \
+		upx \
+		jq
+	which pip3 || sudo apt install -y python3-pip
+
 # Documentation
+
+docs: docs-deps docs-build
+
+docs-build: .PHONY
+	@if ! /bin/echo -e "import sys\nif sys.version_info < (3,8):\n exit(1)" | python3; then \
+	  if which python3.8; then \
+	  	echo "python3.8 $(shell which mkdocs) build"; \
+	    python3.8 $(shell which mkdocs) build; \
+	  else \
+	    echo "ERROR: Python version too low. mkdocs-material needs >= 3.8"; \
+	    exit 1; \
+	  fi; \
+	else \
+	  echo "mkdocs build"; \
+	  mkdocs build; \
+	fi
+
 docs-deps: .PHONY
 	pip3 install -r requirements.txt

-docs: docs-deps
-	mkdocs build
+docs-deps-update: .PHONY
+	pip3 install -r requirements.txt --upgrade
+
+
+# Web app
+
+web: web-deps web-build
+
+web-build:
+	cd web \
+		&& npm run build \
+		&& mv build/index.html build/app.html \
+		&& rm -rf ../server/site \
+		&& mv build ../server/site \
+		&& rm \
+			../server/site/config.js \
+			../server/site/asset-manifest.json
+
+web-deps:
+	cd web && npm install
+	# If this fails for .svg files, optimize them with svgo
+
+web-deps-update:
+	cd web && npm update
+
+
+# Main server/client build
+
+cli: cli-deps
+	goreleaser build --snapshot --rm-dist
+
+cli-linux-amd64: cli-deps-static-sites
+	goreleaser build --snapshot --rm-dist --id ntfy_linux_amd64
+
+cli-linux-armv6: cli-deps-static-sites cli-deps-gcc-armv6-armv7
+	goreleaser build --snapshot --rm-dist --id ntfy_linux_armv6
+
+cli-linux-armv7: cli-deps-static-sites cli-deps-gcc-armv6-armv7
+	goreleaser build --snapshot --rm-dist --id ntfy_linux_armv7
+
+cli-linux-arm64: cli-deps-static-sites cli-deps-gcc-arm64
+	goreleaser build --snapshot --rm-dist --id ntfy_linux_arm64
+
+cli-windows-amd64: cli-deps-static-sites
+	goreleaser build --snapshot --rm-dist --id ntfy_windows_amd64
+
+cli-darwin-all: cli-deps-static-sites
+	goreleaser build --snapshot --rm-dist --id ntfy_darwin_all
+
+cli-linux-server: cli-deps-static-sites
+	# This is a target to build the CLI (including the server) manually.
+	# Use this for development, if you really don't want to install GoReleaser ...
+	mkdir -p dist/ntfy_linux_server server/docs
+	CGO_ENABLED=1 go build \
+		-o dist/ntfy_linux_server/ntfy \
+		-tags sqlite_omit_load_extension,osusergo,netgo \
+		-ldflags \
+		"-linkmode=external -extldflags=-static -s -w -X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(shell date +%s)"
+
+cli-darwin-server: cli-deps-static-sites
+	# This is a target to build the CLI (including the server) manually.
+	# Use this for macOS/iOS development, so you have a local server to test with.
+	mkdir -p dist/ntfy_darwin_server server/docs
+	CGO_ENABLED=1 go build \
+		-o dist/ntfy_darwin_server/ntfy \
+		-tags sqlite_omit_load_extension,osusergo,netgo \
+		-ldflags \
+		"-linkmode=external -s -w -X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(shell date +%s)"
+
+cli-client: cli-deps-static-sites
+	# This is a target to build the CLI (excluding the server) manually. This should work on Linux/macOS/Windows.
+	# Use this for development, if you really don't want to install GoReleaser ...
+	mkdir -p dist/ntfy_client server/docs
+	CGO_ENABLED=0 go build \
+		-o dist/ntfy_client/ntfy \
+		-tags noserver \
+		-ldflags \
+		"-X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(shell date +%s)"
+
+cli-deps: cli-deps-static-sites cli-deps-all cli-deps-gcc
+
+cli-deps-gcc: cli-deps-gcc-armv6-armv7 cli-deps-gcc-arm64
+
+cli-deps-static-sites:
+	mkdir -p server/docs server/site
+	touch server/docs/index.html server/site/app.html
+
+cli-deps-all:
+	which upx || { echo "ERROR: upx not installed. On Ubuntu, run: apt install upx"; exit 1; }
+	go install github.com/goreleaser/goreleaser@latest
+
+cli-deps-gcc-armv6-armv7:
+	which arm-linux-gnueabi-gcc || { echo "ERROR: ARMv6/ARMv7 cross compiler not installed. On Ubuntu, run: apt install gcc-arm-linux-gnueabi"; exit 1; }
+
+cli-deps-gcc-arm64:
+	which aarch64-linux-gnu-gcc || { echo "ERROR: ARM64 cross compiler not installed. On Ubuntu, run: apt install gcc-aarch64-linux-gnu"; exit 1; }
+
+cli-deps-update:
+	go get -u
+	go install honnef.co/go/tools/cmd/staticcheck@latest
+	go install golang.org/x/lint/golint@latest
+	go install github.com/goreleaser/goreleaser@latest
+
+cli-build-results:
+	cat dist/config.yaml
+	[ -f dist/artifacts.json ] && cat dist/artifacts.json | jq . || true
+	[ -f dist/metadata.json ] && cat dist/metadata.json | jq . || true
+	[ -f dist/checksums.txt ] && cat dist/checksums.txt || true
+	find dist -maxdepth 2 -type f \
+		\( -name '*.deb' -or -name '*.rpm' -or -name '*.zip' -or -name '*.tar.gz' -or -name 'ntfy' \) \
+		-and -not -path 'dist/goreleaserdocker*' \
+		-exec sha256sum {} \;

 # Test/check targets

@@ -92,55 +274,59 @@ staticcheck: .PHONY
 	rm -rf build/staticcheck


-# Building targets
-
-build-deps: docs
-	which arm-linux-gnueabi-gcc || { echo "ERROR: ARMv6/v7 cross compiler not installed. On Ubuntu, run: apt install gcc-arm-linux-gnueabi"; exit 1; }
-	which aarch64-linux-gnu-gcc || { echo "ERROR: ARM64 cross compiler not installed. On Ubuntu, run: apt install gcc-aarch64-linux-gnu"; exit 1; }
-
-build: build-deps
-	goreleaser build --rm-dist --debug
-
-build-snapshot: build-deps
-	goreleaser build --snapshot --rm-dist --debug
-
-build-simple: clean
-	mkdir -p dist/ntfy_linux_amd64 server/docs
-	touch server/docs/dummy
-	export CGO_ENABLED=1
-	go build \
-		-o dist/ntfy_linux_amd64/ntfy \
-		-tags sqlite_omit_load_extension,osusergo,netgo \
-		-ldflags \
-		"-linkmode=external -extldflags=-static -s -w -X main.version=$(VERSION) -X main.commit=$(shell git rev-parse --short HEAD) -X main.date=$(shell date +%s)"
-
-clean: .PHONY
-	rm -rf dist build server/docs
-
-
 # Releasing targets

-release-check-tags:
+release: clean update cli-deps release-checks docs web check
+	goreleaser release --rm-dist
+
+release-snapshot: clean update cli-deps docs web check
+	goreleaser release --snapshot --skip-publish --rm-dist
+
+release-checks:
 	$(eval LATEST_TAG := $(shell git describe --abbrev=0 --tags | cut -c2-))
 	if ! grep -q $(LATEST_TAG) docs/install.md; then\
 	 	echo "ERROR: Must update docs/install.md with latest tag first.";\
 	 	exit 1;\
 	fi
-
-release: build-deps release-check-tags check
-	goreleaser release --rm-dist --debug
-
-release-snapshot: build-deps
-	goreleaser release --snapshot --skip-publish --rm-dist --debug
+	if ! grep -q $(LATEST_TAG) docs/releases.md; then\
+		echo "ERROR: Must update docs/releases.md with latest tag first.";\
+		exit 1;\
+	fi
+	if [ -n "$(shell git status -s)" ]; then\
+	  echo "ERROR: Git repository is in an unclean state.";\
+	  exit 1;\
+	fi


 # Installing targets

-install:
-	sudo rm -f /usr/bin/ntfy
-	sudo cp -a dist/ntfy_linux_amd64/ntfy /usr/bin/ntfy
+install-linux-amd64: remove-binary
+	sudo cp -a dist/ntfy_linux_amd64_linux_amd64_v1/ntfy /usr/bin/ntfy

-install-deb:
+install-linux-armv6: remove-binary
+	sudo cp -a dist/ntfy_linux_armv6_linux_arm_6/ntfy /usr/bin/ntfy
+
+install-linux-armv7: remove-binary
+	sudo cp -a dist/ntfy_linux_armv7_linux_arm_7/ntfy /usr/bin/ntfy
+
+install-linux-arm64: remove-binary
+	sudo cp -a dist/ntfy_linux_arm64_linux_arm64/ntfy /usr/bin/ntfy
+
+remove-binary:
+	sudo rm -f /usr/bin/ntfy
+
+install-linux-amd64-deb: purge-package
+	sudo dpkg -i dist/ntfy_*_linux_amd64.deb
+
+install-linux-armv6-deb: purge-package
+	sudo dpkg -i dist/ntfy_*_linux_armv6.deb
+
+install-linux-armv7-deb: purge-package
+	sudo dpkg -i dist/ntfy_*_linux_armv7.deb
+
+install-linux-arm64-deb: purge-package
+	sudo dpkg -i dist/ntfy_*_linux_arm64.deb
+
+purge-package:
 	sudo systemctl stop ntfy || true
 	sudo apt-get purge ntfy || true
-	sudo dpkg -i dist/ntfy_*_linux_amd64.deb
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-![ntfy](server/static/img/ntfy.png)
+![ntfy](web/public/static/img/ntfy.png)

 # ntfy.sh | Send push notifications to your phone or desktop via PUT/POST
 [![Release](https://img.shields.io/github/release/binwiederhier/ntfy.svg?color=success&style=flat-square)](https://github.com/binwiederhier/ntfy/releases/latest)
@@ -8,21 +8,23 @@
 [![codecov](https://codecov.io/gh/binwiederhier/ntfy/branch/main/graph/badge.svg?token=A597KQ463G)](https://codecov.io/gh/binwiederhier/ntfy)
 [![Discord](https://img.shields.io/discord/874398661709295626?label=Discord)](https://discord.gg/cT7ECsZj9w)
 [![Matrix](https://img.shields.io/matrix/ntfy:matrix.org?label=Matrix)](https://matrix.to/#/#ntfy:matrix.org)
+[![Matrix space](https://img.shields.io/matrix/ntfy-space:matrix.org?label=Matrix+space)](https://matrix.to/#/#ntfy-space:matrix.org)
+[![Reddit](https://img.shields.io/reddit/subreddit-subscribers/ntfy?color=%23317f6f&label=-%20r%2Fntfy&style=social)](https://www.reddit.com/r/ntfy/)
 [![Healthcheck](https://healthchecks.io/badge/68b65976-b3b0-4102-aec9-980921/kcoEgrLY.svg)](https://ntfy.statuspage.io/)
+[![Gitpod](https://img.shields.io/badge/Contribute%20with-Gitpod-908a85?logo=gitpod)](https://gitpod.io/#https://github.com/binwiederhier/ntfy)

 **ntfy** (pronounce: *notify*) is a simple HTTP-based [pub-sub](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern) notification service.
 It allows you to **send notifications to your phone or desktop via scripts** from any computer, entirely **without signup or cost**.
 It's also open source (as you can plainly see) if you want to run your own.

-I run a free version of it at **[ntfy.sh](https://ntfy.sh)**, and there's an [open source](https://github.com/binwiederhier/ntfy-android) [Android app](https://play.google.com/store/apps/details?id=io.heckel.ntfy)
-too.
+I run a free version of it at **[ntfy.sh](https://ntfy.sh)**. There's also an [open source Android app](https://github.com/binwiederhier/ntfy-android) (see [Google Play](https://play.google.com/store/apps/details?id=io.heckel.ntfy) or [F-Droid](https://f-droid.org/en/packages/io.heckel.ntfy/)), and an [open source iOS app](https://github.com/binwiederhier/ntfy-ios) (see [App Store](https://apps.apple.com/us/app/ntfy/id1625396347)).

 <p>
-  <img src="server/static/img/screenshot-curl.png" height="180">
-  <img src="server/static/img/screenshot-web-detail.png" height="180">
-  <img src="server/static/img/screenshot-phone-main.jpg" height="180">
-  <img src="server/static/img/screenshot-phone-detail.jpg" height="180">
-  <img src="server/static/img/screenshot-phone-notification.jpg" height="180">
+  <img src="web/public/static/img/screenshot-curl.png" height="180">
+  <img src="web/public/static/img/screenshot-web-detail.png" height="180">
+  <img src="web/public/static/img/screenshot-phone-main.jpg" height="180">
+  <img src="web/public/static/img/screenshot-phone-detail.jpg" height="180">
+  <img src="web/public/static/img/screenshot-phone-notification.jpg" height="180">
 </p>

 ## **[Documentation](https://ntfy.sh/docs/)**
@@ -33,27 +35,115 @@ too.
 [Install / Self-hosting](https://ntfy.sh/docs/install/) |
 [Building](https://ntfy.sh/docs/develop/)

-## Contributing
-I welcome any and all contributions. Just create a PR or an issue.
+## Chat / forum
+There are a few ways to get in touch with me and/or the rest of the community. Feel free to use any of these methods. Whatever
+works best for you:

-## Contact me
-You can directly contact me **[on Discord](https://discord.gg/cT7ECsZj9w)** or [on Matrix](https://matrix.to/#/#ntfy:matrix.org) 
-(bridged from Discord), or via the [GitHub issues](https://github.com/binwiederhier/ntfy/issues), or find more contact information
-[on my website](https://heckel.io/about).
+* [Discord server](https://discord.gg/cT7ECsZj9w) - direct chat with the community
+* [Matrix room #ntfy](https://matrix.to/#/#ntfy:matrix.org) (+ [Matrix space](https://matrix.to/#/#ntfy-space:matrix.org)) - same chat, bridged from Discord
+* [Reddit r/ntfy](https://www.reddit.com/r/ntfy/) - asynchronous forum (_new as of October 2022_)
+* [GitHub issues](https://github.com/binwiederhier/ntfy/issues) - questions, features, bugs
+* [Email](https://heckel.io/about) - reach me directly (_I usually prefer the other methods_)
+
+## Announcements / beta testers
+For announcements of new releases and cutting-edge beta versions, please subscribe to the [ntfy.sh/announcements](https://ntfy.sh/announcements) 
+topic. If you'd like to test the iOS app, join [TestFlight](https://testflight.apple.com/join/P1fFnAm9). For Android betas,
+join Discord/Matrix (I'll eventually make a testing channel in Google Play).
+
+## Contributing
+I welcome any and all contributions. Just create a PR or an issue. For larger features/ideas, please reach out
+on Discord/Matrix first to see if I'd accept them. To contribute code, check out the [build instructions](https://ntfy.sh/docs/develop/) 
+for the server and the Android app. Or, if you'd like to help translate 🇩🇪 🇺🇸 🇧🇬, you can start immediately in
+[Hosted Weblate](https://hosted.weblate.org/projects/ntfy/).
+
+<a href="https://hosted.weblate.org/engage/ntfy/">
+<img src="https://hosted.weblate.org/widgets/ntfy/-/multi-blue.svg" alt="Translation status" />
+</a>
+
+## Sponsors
+I have just very recently started accepting donations via [GitHub Sponsors](https://github.com/sponsors/binwiederhier). 
+I would be humbled if you helped me carry the server and developer account costs. Even small donations are very much 
+appreciated. A big fat **Thank You** to the folks already sponsoring ntfy:
+
+<a href="https://github.com/neutralinsomniac"><img src="https://github.com/neutralinsomniac.png" width="40px" /></a>
+<a href="https://github.com/aspyct"><img src="https://github.com/aspyct.png" width="40px" /></a>
+<a href="https://github.com/nickexyz"><img src="https://github.com/nickexyz.png" width="40px" /></a>
+<a href="https://github.com/qcasey"><img src="https://github.com/qcasey.png" width="40px" /></a>
+<a href="https://github.com/mckay115"><img src="https://github.com/mckay115.png" width="40px" /></a>
+<a href="https://github.com/Salamafet"><img src="https://github.com/Salamafet.png" width="40px" /></a>
+<a href="https://github.com/codinghipster"><img src="https://github.com/codinghipster.png" width="40px" /></a>
+<a href="https://github.com/HinFort"><img src="https://github.com/HinFort.png" width="40px" /></a>
+<a href="https://github.com/Lexevolution"><img src="https://github.com/Lexevolution.png" width="40px" /></a>
+<a href="https://github.com/johnnyip"><img src="https://github.com/johnnyip.png" width="40px" /></a>
+<a href="https://github.com/JonDerThan"><img src="https://github.com/JonDerThan.png" width="40px" /></a>
+<a href="https://github.com/12nick12"><img src="https://github.com/12nick12.png" width="40px" /></a>
+<a href="https://github.com/eanplatter"><img src="https://github.com/eanplatter.png" width="40px" /></a>
+<a href="https://github.com/fnoelscher"><img src="https://github.com/fnoelscher.png" width="40px" /></a>
+<a href="https://github.com/bnorick"><img src="https://github.com/bnorick.png" width="40px" /></a>
+<a href="https://github.com/snh"><img src="https://github.com/snh.png" width="40px" /></a>
+<a href="https://github.com/hen-x"><img src="https://github.com/hen-x.png" width="40px" /></a>
+<a href="https://github.com/JamieGoodson"><img src="https://github.com/JamieGoodson.png" width="40px" /></a>
+<a href="https://github.com/cremesk"><img src="https://github.com/cremesk.png" width="40px" /></a>
+<a href="https://github.com/dangowans"><img src="https://github.com/dangowans.png" width="40px" /></a>
+<a href="https://github.com/mnault"><img src="https://github.com/mnault.png" width="40px" /></a>
+<a href="https://github.com/nwithan8"><img src="https://github.com/nwithan8.png" width="40px" /></a>
+<a href="https://github.com/peterleiser"><img src="https://github.com/peterleiser.png" width="40px" /></a>
+<a href="https://github.com/portothree"><img src="https://github.com/portothree.png" width="40px" /></a>
+<a href="https://github.com/finngreig"><img src="https://github.com/finngreig.png" width="40px" /></a>
+<a href="https://github.com/skrollme"><img src="https://github.com/skrollme.png" width="40px" /></a>
+<a href="https://github.com/gergepalfi"><img src="https://github.com/gergepalfi.png" width="40px" /></a>
+<a href="https://github.com/tonyakwei"><img src="https://github.com/tonyakwei.png" width="40px" /></a>
+<a href="https://github.com/crosbyh"><img src="https://github.com/crosbyh.png" width="40px" /></a>
+<a href="https://github.com/mdlnr"><img src="https://github.com/mdlnr.png" width="40px" /></a>
+<a href="https://github.com/p-samuel"><img src="https://github.com/p-samuel.png" width="40px" /></a>
+<a href="https://github.com/zugaldia"><img src="https://github.com/zugaldia.png" width="40px" /></a>
+<a href="https://github.com/NathanSweet"><img src="https://github.com/NathanSweet.png" width="40px" /></a>
+<a href="https://github.com/msdeibel"><img src="https://github.com/msdeibel.png" width="40px" /></a>
+<a href="https://github.com/ksurl"><img src="https://github.com/ksurl.png" width="40px" /></a>
+<a href="https://github.com/CodingTimeDEV"><img src="https://github.com/CodingTimeDEV.png" width="40px" /></a>
+<a href="https://github.com/Terrormixer3000"><img src="https://github.com/Terrormixer3000.png" width="40px" /></a>
+<a href="https://github.com/voroskoi"><img src="https://github.com/voroskoi.png" width="40px" /></a>
+<a href="https://github.com/Nickwasused"><img src="https://github.com/Nickwasused.png" width="40px" /></a>
+<a href="https://github.com/bahur142"><img src="https://github.com/bahur142.png" width="40px" /></a>
+<a href="https://github.com/vinhdizzo"><img src="https://github.com/vinhdizzo.png" width="40px" /></a>
+<a href="https://github.com/Ge0rg3"><img src="https://github.com/Ge0rg3.png" width="40px" /></a>
+<a href="https://github.com/biopsin"><img src="https://github.com/biopsin.png" width="40px" /></a>
+<a href="https://github.com/thebino"><img src="https://github.com/thebino.png" width="40px" /></a>
+<a href="https://github.com/sky4055"><img src="https://github.com/sky4055.png" width="40px" /></a>
+
+I'd also like to thank JetBrains for providing their awesome [IntelliJ IDEA](https://www.jetbrains.com/idea/) to me for free,
+and [DigitalOcean](https://www.digitalocean.com/) for supporting the project:
+
+<a href="https://www.digitalocean.com/"><img src="https://opensource.nyc3.cdn.digitaloceanspaces.com/attribution/assets/SVG/DO_Logo_horizontal_blue.svg" width="201px"></a>
+
+## Code of Conduct
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
+
+**We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.**
+
+_Please be sure to read the complete [Code of Conduct](CODE_OF_CONDUCT.md)._    

 ## License
 Made with ❤️ by [Philipp C. Heckel](https://heckel.io).   
 The project is dual licensed under the [Apache License 2.0](LICENSE) and the [GPLv2 License](LICENSE.GPLv2).

 Third party libraries and resources:
-* [github.com/urfave/cli/v2](https://github.com/urfave/cli/v2) (MIT) is used to drive the CLI
-* [Mixkit sound](https://mixkit.co/free-sound-effects/notification/) (Mixkit Free License) used as notification sound
-* [Lato Font](https://www.latofonts.com/) (OFL) is used as a font in the Web UI
+* [github.com/urfave/cli](https://github.com/urfave/cli) (MIT) is used to drive the CLI
+* [Mixkit sounds](https://mixkit.co/free-sound-effects/notification/) (Mixkit Free License) are used as notification sounds
+* [Sounds from notificationsounds.com](https://notificationsounds.com) (Creative Commons Attribution) are used as notification sounds
+* [Roboto Font](https://fonts.google.com/specimen/Roboto) (Apache 2.0) is used as a font in everything web
+* [React](https://reactjs.org/) (MIT) is used for the web app
+* [Material UI components](https://mui.com/) (MIT) are used in the web app
+* [MUI dashboard template](https://github.com/mui/material-ui/tree/master/docs/data/material/getting-started/templates/dashboard) (MIT) was used as a basis for the web app
+* [Dexie.js](https://github.com/dexie/Dexie.js) (Apache 2.0) is used for web app persistence in IndexedDB
 * [GoReleaser](https://goreleaser.com/) (MIT) is used to create releases
 * [go-smtp](https://github.com/emersion/go-smtp) (MIT) is used to receive e-mails
 * [stretchr/testify](https://github.com/stretchr/testify) (MIT) is used for unit and integration tests
 * [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) (MIT) is used to provide the persistent message cache
 * [Firebase Admin SDK](https://github.com/firebase/firebase-admin-go) (Apache 2.0) is used to send FCM messages
 * [github/gemoji](https://github.com/github/gemoji) (MIT) is used for emoji support (specifically the [emoji.json](https://raw.githubusercontent.com/github/gemoji/master/db/emoji.json) file)
-* [Lightbox with vanilla JS](https://yossiabramov.com/blog/vanilla-js-lightbox) 
+* [Lightbox with vanilla JS](https://yossiabramov.com/blog/vanilla-js-lightbox) as a lightbox on the landing page 
+* [HTTP middleware for gzip compression](https://gist.github.com/CJEnright/bc2d8b8dc0c1389a9feeddb110f822d7) (MIT) is used for serving static files
+* [Regex for auto-linking](https://github.com/bryanwoods/autolink-js) (MIT) is used to highlight links (the library is not used)
 * [Statically linking go-sqlite3](https://www.arp242.net/static-go.html)
+* [Linked tabs in mkdocs](https://facelessuser.github.io/pymdown-extensions/extensions/tabbed/#linked-tabs)
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -1,122 +0,0 @@
-// Package auth deals with authentication and authorization against topics
-package auth
-
-import (
-	"errors"
-	"regexp"
-)
-
-// Auther is a generic interface to implement password-based authentication and authorization
-type Auther interface {
-	// Authenticate checks username and password and returns a user if correct. The method
-	// returns in constant-ish time, regardless of whether the user exists or the password is
-	// correct or incorrect.
-	Authenticate(username, password string) (*User, error)
-
-	// Authorize returns nil if the given user has access to the given topic using the desired
-	// permission. The user param may be nil to signal an anonymous user.
-	Authorize(user *User, topic string, perm Permission) error
-}
-
-// Manager is an interface representing user and access management
-type Manager interface {
-	// AddUser adds a user with the given username, password and role. The password should be hashed
-	// before it is stored in a persistence layer.
-	AddUser(username, password string, role Role) error
-
-	// RemoveUser deletes the user with the given username. The function returns nil on success, even
-	// if the user did not exist in the first place.
-	RemoveUser(username string) error
-
-	// Users returns a list of users. It always also returns the Everyone user ("*").
-	Users() ([]*User, error)
-
-	// User returns the user with the given username if it exists, or ErrNotFound otherwise.
-	// You may also pass Everyone to retrieve the anonymous user and its Grant list.
-	User(username string) (*User, error)
-
-	// ChangePassword changes a user's password
-	ChangePassword(username, password string) error
-
-	// ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,
-	// all existing access control entries (Grant) are removed, since they are no longer needed.
-	ChangeRole(username string, role Role) error
-
-	// AllowAccess adds or updates an entry in th access control list for a specific user. It controls
-	// read/write access to a topic. The parameter topicPattern may include wildcards (*).
-	AllowAccess(username string, topicPattern string, read bool, write bool) error
-
-	// ResetAccess removes an access control list entry for a specific username/topic, or (if topic is
-	// empty) for an entire user. The parameter topicPattern may include wildcards (*).
-	ResetAccess(username string, topicPattern string) error
-
-	// DefaultAccess returns the default read/write access if no access control entry matches
-	DefaultAccess() (read bool, write bool)
-}
-
-// User is a struct that represents a user
-type User struct {
-	Name   string
-	Hash   string // password hash (bcrypt)
-	Role   Role
-	Grants []Grant
-}
-
-// Grant is a struct that represents an access control entry to a topic
-type Grant struct {
-	TopicPattern string // May include wildcard (*)
-	AllowRead    bool
-	AllowWrite   bool
-}
-
-// Permission represents a read or write permission to a topic
-type Permission int
-
-// Permissions to a topic
-const (
-	PermissionRead  = Permission(1)
-	PermissionWrite = Permission(2)
-)
-
-// Role represents a user's role, either admin or regular user
-type Role string
-
-// User roles
-const (
-	RoleAdmin     = Role("admin")
-	RoleUser      = Role("user")
-	RoleAnonymous = Role("anonymous")
-)
-
-// Everyone is a special username representing anonymous users
-const (
-	Everyone = "*"
-)
-
-var (
-	allowedUsernameRegex     = regexp.MustCompile(`^[-_.@a-zA-Z0-9]+$`)     // Does not include Everyone (*)
-	allowedTopicPatternRegex = regexp.MustCompile(`^[-_*A-Za-z0-9]{1,64}$`) // Adds '*' for wildcards!
-)
-
-// AllowedRole returns true if the given role can be used for new users
-func AllowedRole(role Role) bool {
-	return role == RoleUser || role == RoleAdmin
-}
-
-// AllowedUsername returns true if the given username is valid
-func AllowedUsername(username string) bool {
-	return allowedUsernameRegex.MatchString(username)
-}
-
-// AllowedTopicPattern returns true if the given topic pattern is valid; this includes the wildcard character (*)
-func AllowedTopicPattern(username string) bool {
-	return allowedTopicPatternRegex.MatchString(username)
-}
-
-// Error constants used by the package
-var (
-	ErrUnauthenticated = errors.New("unauthenticated")
-	ErrUnauthorized    = errors.New("unauthorized")
-	ErrInvalidArgument = errors.New("invalid argument")
-	ErrNotFound        = errors.New("not found")
-)
--- a/auth/auth_sqlite.go
+++ b/auth/auth_sqlite.go
@@ -1,399 +0,0 @@
-package auth
-
-import (
-	"database/sql"
-	"errors"
-	"fmt"
-	_ "github.com/mattn/go-sqlite3" // SQLite driver
-	"golang.org/x/crypto/bcrypt"
-	"strings"
-)
-
-const (
-	bcryptCost              = 10
-	intentionalSlowDownHash = "$2a$10$YFCQvqQDwIIwnJM1xkAYOeih0dg17UVGanaTStnrSzC8NCWxcLDwy" // Cost should match bcryptCost
-)
-
-// Auther-related queries
-const (
-	createAuthTablesQueries = `
-		BEGIN;
-		CREATE TABLE IF NOT EXISTS user (
-			user TEXT NOT NULL PRIMARY KEY,
-			pass TEXT NOT NULL,
-			role TEXT NOT NULL
-		);
-		CREATE TABLE IF NOT EXISTS access (
-			user TEXT NOT NULL,		
-			topic TEXT NOT NULL,
-			read INT NOT NULL,
-			write INT NOT NULL,
-			PRIMARY KEY (topic, user)
-		);
-		CREATE TABLE IF NOT EXISTS schemaVersion (
-			id INT PRIMARY KEY,
-			version INT NOT NULL
-		);
-		COMMIT;
-	`
-	selectUserQuery       = `SELECT pass, role FROM user WHERE user = ?`
-	selectTopicPermsQuery = `
-		SELECT read, write 
-		FROM access 
-		WHERE user IN ('*', ?) AND ? LIKE topic
-		ORDER BY user DESC
-	`
-)
-
-// Manager-related queries
-const (
-	insertUserQuery      = `INSERT INTO user (user, pass, role) VALUES (?, ?, ?)`
-	selectUsernamesQuery = `SELECT user FROM user ORDER BY role, user`
-	updateUserPassQuery  = `UPDATE user SET pass = ? WHERE user = ?`
-	updateUserRoleQuery  = `UPDATE user SET role = ? WHERE user = ?`
-	deleteUserQuery      = `DELETE FROM user WHERE user = ?`
-
-	upsertUserAccessQuery = `
-		INSERT INTO access (user, topic, read, write) 
-		VALUES (?, ?, ?, ?)
-		ON CONFLICT (user, topic) DO UPDATE SET read=excluded.read, write=excluded.write
-	`
-	selectUserAccessQuery  = `SELECT topic, read, write FROM access WHERE user = ?`
-	deleteAllAccessQuery   = `DELETE FROM access`
-	deleteUserAccessQuery  = `DELETE FROM access WHERE user = ?`
-	deleteTopicAccessQuery = `DELETE FROM access WHERE user = ? AND topic = ?`
-)
-
-// Schema management queries
-const (
-	currentSchemaVersion     = 1
-	insertSchemaVersion      = `INSERT INTO schemaVersion VALUES (1, ?)`
-	selectSchemaVersionQuery = `SELECT version FROM schemaVersion WHERE id = 1`
-)
-
-// SQLiteAuth is an implementation of Auther and Manager. It stores users and access control list
-// in a SQLite database.
-type SQLiteAuth struct {
-	db           *sql.DB
-	defaultRead  bool
-	defaultWrite bool
-}
-
-var _ Auther = (*SQLiteAuth)(nil)
-var _ Manager = (*SQLiteAuth)(nil)
-
-// NewSQLiteAuth creates a new SQLiteAuth instance
-func NewSQLiteAuth(filename string, defaultRead, defaultWrite bool) (*SQLiteAuth, error) {
-	db, err := sql.Open("sqlite3", filename)
-	if err != nil {
-		return nil, err
-	}
-	if err := setupAuthDB(db); err != nil {
-		return nil, err
-	}
-	return &SQLiteAuth{
-		db:           db,
-		defaultRead:  defaultRead,
-		defaultWrite: defaultWrite,
-	}, nil
-}
-
-// Authenticate checks username and password and returns a user if correct. The method
-// returns in constant-ish time, regardless of whether the user exists or the password is
-// correct or incorrect.
-func (a *SQLiteAuth) Authenticate(username, password string) (*User, error) {
-	if username == Everyone {
-		return nil, ErrUnauthenticated
-	}
-	user, err := a.User(username)
-	if err != nil {
-		bcrypt.CompareHashAndPassword([]byte(intentionalSlowDownHash),
-			[]byte("intentional slow-down to avoid timing attacks"))
-		return nil, ErrUnauthenticated
-	}
-	if err := bcrypt.CompareHashAndPassword([]byte(user.Hash), []byte(password)); err != nil {
-		return nil, ErrUnauthenticated
-	}
-	return user, nil
-}
-
-// Authorize returns nil if the given user has access to the given topic using the desired
-// permission. The user param may be nil to signal an anonymous user.
-func (a *SQLiteAuth) Authorize(user *User, topic string, perm Permission) error {
-	if user != nil && user.Role == RoleAdmin {
-		return nil // Admin can do everything
-	}
-	username := Everyone
-	if user != nil {
-		username = user.Name
-	}
-	// Select the read/write permissions for this user/topic combo. The query may return two
-	// rows (one for everyone, and one for the user), but prioritizes the user. The value for
-	// user.Name may be empty (= everyone).
-	rows, err := a.db.Query(selectTopicPermsQuery, username, topic)
-	if err != nil {
-		return err
-	}
-	defer rows.Close()
-	if !rows.Next() {
-		return a.resolvePerms(a.defaultRead, a.defaultWrite, perm)
-	}
-	var read, write bool
-	if err := rows.Scan(&read, &write); err != nil {
-		return err
-	} else if err := rows.Err(); err != nil {
-		return err
-	}
-	return a.resolvePerms(read, write, perm)
-}
-
-func (a *SQLiteAuth) resolvePerms(read, write bool, perm Permission) error {
-	if perm == PermissionRead && read {
-		return nil
-	} else if perm == PermissionWrite && write {
-		return nil
-	}
-	return ErrUnauthorized
-}
-
-// AddUser adds a user with the given username, password and role. The password should be hashed
-// before it is stored in a persistence layer.
-func (a *SQLiteAuth) AddUser(username, password string, role Role) error {
-	if !AllowedUsername(username) || !AllowedRole(role) {
-		return ErrInvalidArgument
-	}
-	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
-	if err != nil {
-		return err
-	}
-	if _, err = a.db.Exec(insertUserQuery, username, hash, role); err != nil {
-		return err
-	}
-	return nil
-}
-
-// RemoveUser deletes the user with the given username. The function returns nil on success, even
-// if the user did not exist in the first place.
-func (a *SQLiteAuth) RemoveUser(username string) error {
-	if !AllowedUsername(username) {
-		return ErrInvalidArgument
-	}
-	if _, err := a.db.Exec(deleteUserQuery, username); err != nil {
-		return err
-	}
-	if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil {
-		return err
-	}
-	return nil
-}
-
-// Users returns a list of users. It always also returns the Everyone user ("*").
-func (a *SQLiteAuth) Users() ([]*User, error) {
-	rows, err := a.db.Query(selectUsernamesQuery)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	usernames := make([]string, 0)
-	for rows.Next() {
-		var username string
-		if err := rows.Scan(&username); err != nil {
-			return nil, err
-		} else if err := rows.Err(); err != nil {
-			return nil, err
-		}
-		usernames = append(usernames, username)
-	}
-	rows.Close()
-	users := make([]*User, 0)
-	for _, username := range usernames {
-		user, err := a.User(username)
-		if err != nil {
-			return nil, err
-		}
-		users = append(users, user)
-	}
-	everyone, err := a.everyoneUser()
-	if err != nil {
-		return nil, err
-	}
-	users = append(users, everyone)
-	return users, nil
-}
-
-// User returns the user with the given username if it exists, or ErrNotFound otherwise.
-// You may also pass Everyone to retrieve the anonymous user and its Grant list.
-func (a *SQLiteAuth) User(username string) (*User, error) {
-	if username == Everyone {
-		return a.everyoneUser()
-	}
-	rows, err := a.db.Query(selectUserQuery, username)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	var hash, role string
-	if !rows.Next() {
-		return nil, ErrNotFound
-	}
-	if err := rows.Scan(&hash, &role); err != nil {
-		return nil, err
-	} else if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	grants, err := a.readGrants(username)
-	if err != nil {
-		return nil, err
-	}
-	return &User{
-		Name:   username,
-		Hash:   hash,
-		Role:   Role(role),
-		Grants: grants,
-	}, nil
-}
-
-func (a *SQLiteAuth) everyoneUser() (*User, error) {
-	grants, err := a.readGrants(Everyone)
-	if err != nil {
-		return nil, err
-	}
-	return &User{
-		Name:   Everyone,
-		Hash:   "",
-		Role:   RoleAnonymous,
-		Grants: grants,
-	}, nil
-}
-
-func (a *SQLiteAuth) readGrants(username string) ([]Grant, error) {
-	rows, err := a.db.Query(selectUserAccessQuery, username)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	grants := make([]Grant, 0)
-	for rows.Next() {
-		var topic string
-		var read, write bool
-		if err := rows.Scan(&topic, &read, &write); err != nil {
-			return nil, err
-		} else if err := rows.Err(); err != nil {
-			return nil, err
-		}
-		grants = append(grants, Grant{
-			TopicPattern: fromSQLWildcard(topic),
-			AllowRead:    read,
-			AllowWrite:   write,
-		})
-	}
-	return grants, nil
-}
-
-// ChangePassword changes a user's password
-func (a *SQLiteAuth) ChangePassword(username, password string) error {
-	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
-	if err != nil {
-		return err
-	}
-	if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
-		return err
-	}
-	return nil
-}
-
-// ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,
-// all existing access control entries (Grant) are removed, since they are no longer needed.
-func (a *SQLiteAuth) ChangeRole(username string, role Role) error {
-	if !AllowedUsername(username) || !AllowedRole(role) {
-		return ErrInvalidArgument
-	}
-	if _, err := a.db.Exec(updateUserRoleQuery, string(role), username); err != nil {
-		return err
-	}
-	if role == RoleAdmin {
-		if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// AllowAccess adds or updates an entry in th access control list for a specific user. It controls
-// read/write access to a topic. The parameter topicPattern may include wildcards (*).
-func (a *SQLiteAuth) AllowAccess(username string, topicPattern string, read bool, write bool) error {
-	if (!AllowedUsername(username) && username != Everyone) || !AllowedTopicPattern(topicPattern) {
-		return ErrInvalidArgument
-	}
-	if _, err := a.db.Exec(upsertUserAccessQuery, username, toSQLWildcard(topicPattern), read, write); err != nil {
-		return err
-	}
-	return nil
-}
-
-// ResetAccess removes an access control list entry for a specific username/topic, or (if topic is
-// empty) for an entire user. The parameter topicPattern may include wildcards (*).
-func (a *SQLiteAuth) ResetAccess(username string, topicPattern string) error {
-	if !AllowedUsername(username) && username != Everyone && username != "" {
-		return ErrInvalidArgument
-	} else if !AllowedTopicPattern(topicPattern) && topicPattern != "" {
-		return ErrInvalidArgument
-	}
-	if username == "" && topicPattern == "" {
-		_, err := a.db.Exec(deleteAllAccessQuery, username)
-		return err
-	} else if topicPattern == "" {
-		_, err := a.db.Exec(deleteUserAccessQuery, username)
-		return err
-	}
-	_, err := a.db.Exec(deleteTopicAccessQuery, username, toSQLWildcard(topicPattern))
-	return err
-}
-
-// DefaultAccess returns the default read/write access if no access control entry matches
-func (a *SQLiteAuth) DefaultAccess() (read bool, write bool) {
-	return a.defaultRead, a.defaultWrite
-}
-
-func toSQLWildcard(s string) string {
-	return strings.ReplaceAll(s, "*", "%")
-}
-
-func fromSQLWildcard(s string) string {
-	return strings.ReplaceAll(s, "%", "*")
-}
-
-func setupAuthDB(db *sql.DB) error {
-	// If 'schemaVersion' table does not exist, this must be a new database
-	rowsSV, err := db.Query(selectSchemaVersionQuery)
-	if err != nil {
-		return setupNewAuthDB(db)
-	}
-	defer rowsSV.Close()
-
-	// If 'schemaVersion' table exists, read version and potentially upgrade
-	schemaVersion := 0
-	if !rowsSV.Next() {
-		return errors.New("cannot determine schema version: database file may be corrupt")
-	}
-	if err := rowsSV.Scan(&schemaVersion); err != nil {
-		return err
-	}
-	rowsSV.Close()
-
-	// Do migrations
-	if schemaVersion == currentSchemaVersion {
-		return nil
-	}
-	return fmt.Errorf("unexpected schema version found: %d", schemaVersion)
-}
-
-func setupNewAuthDB(db *sql.DB) error {
-	if _, err := db.Exec(createAuthTablesQueries); err != nil {
-		return err
-	}
-	if _, err := db.Exec(insertSchemaVersion, currentSchemaVersion); err != nil {
-		return err
-	}
-	return nil
-}
--- a/auth/auth_sqlite_test.go
+++ b/auth/auth_sqlite_test.go
@@ -1,243 +0,0 @@
-package auth_test
-
-import (
-	"github.com/stretchr/testify/require"
-	"heckel.io/ntfy/auth"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-)
-
-const minBcryptTimingMillis = int64(50) // Ideally should be >100ms, but this should also run on a Raspberry Pi without massive resources
-
-func TestSQLiteAuth_FullScenario_Default_DenyAll(t *testing.T) {
-	a := newTestAuth(t, false, false)
-	require.Nil(t, a.AddUser("phil", "phil", auth.RoleAdmin))
-	require.Nil(t, a.AddUser("ben", "ben", auth.RoleUser))
-	require.Nil(t, a.AllowAccess("ben", "mytopic", true, true))
-	require.Nil(t, a.AllowAccess("ben", "readme", true, false))
-	require.Nil(t, a.AllowAccess("ben", "writeme", false, true))
-	require.Nil(t, a.AllowAccess("ben", "everyonewrite", false, false)) // How unfair!
-	require.Nil(t, a.AllowAccess(auth.Everyone, "announcements", true, false))
-	require.Nil(t, a.AllowAccess(auth.Everyone, "everyonewrite", true, true))
-	require.Nil(t, a.AllowAccess(auth.Everyone, "up*", false, true)) // Everyone can write to /up*
-
-	phil, err := a.Authenticate("phil", "phil")
-	require.Nil(t, err)
-	require.Equal(t, "phil", phil.Name)
-	require.True(t, strings.HasPrefix(phil.Hash, "$2a$10$"))
-	require.Equal(t, auth.RoleAdmin, phil.Role)
-	require.Equal(t, []auth.Grant{}, phil.Grants)
-
-	ben, err := a.Authenticate("ben", "ben")
-	require.Nil(t, err)
-	require.Equal(t, "ben", ben.Name)
-	require.True(t, strings.HasPrefix(ben.Hash, "$2a$10$"))
-	require.Equal(t, auth.RoleUser, ben.Role)
-	require.Equal(t, []auth.Grant{
-		{"mytopic", true, true},
-		{"readme", true, false},
-		{"writeme", false, true},
-		{"everyonewrite", false, false},
-	}, ben.Grants)
-
-	notben, err := a.Authenticate("ben", "this is wrong")
-	require.Nil(t, notben)
-	require.Equal(t, auth.ErrUnauthenticated, err)
-
-	// Admin can do everything
-	require.Nil(t, a.Authorize(phil, "sometopic", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(phil, "mytopic", auth.PermissionRead))
-	require.Nil(t, a.Authorize(phil, "readme", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(phil, "writeme", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(phil, "announcements", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(phil, "everyonewrite", auth.PermissionWrite))
-
-	// User cannot do everything
-	require.Nil(t, a.Authorize(ben, "mytopic", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(ben, "mytopic", auth.PermissionRead))
-	require.Nil(t, a.Authorize(ben, "readme", auth.PermissionRead))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "readme", auth.PermissionWrite))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "writeme", auth.PermissionRead))
-	require.Nil(t, a.Authorize(ben, "writeme", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(ben, "writeme", auth.PermissionWrite))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "everyonewrite", auth.PermissionRead))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "everyonewrite", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(ben, "announcements", auth.PermissionRead))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "announcements", auth.PermissionWrite))
-
-	// Everyone else can do barely anything
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "sometopicnotinthelist", auth.PermissionRead))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "sometopicnotinthelist", auth.PermissionWrite))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "mytopic", auth.PermissionRead))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "mytopic", auth.PermissionWrite))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "readme", auth.PermissionRead))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "readme", auth.PermissionWrite))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "writeme", auth.PermissionRead))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "writeme", auth.PermissionWrite))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(nil, "announcements", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(nil, "announcements", auth.PermissionRead))
-	require.Nil(t, a.Authorize(nil, "everyonewrite", auth.PermissionRead))
-	require.Nil(t, a.Authorize(nil, "everyonewrite", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(nil, "up1234", auth.PermissionWrite)) // Wildcard permission
-	require.Nil(t, a.Authorize(nil, "up5678", auth.PermissionWrite))
-}
-
-func TestSQLiteAuth_AddUser_Invalid(t *testing.T) {
-	a := newTestAuth(t, false, false)
-	require.Equal(t, auth.ErrInvalidArgument, a.AddUser("  invalid  ", "pass", auth.RoleAdmin))
-	require.Equal(t, auth.ErrInvalidArgument, a.AddUser("validuser", "pass", "invalid-role"))
-}
-
-func TestSQLiteAuth_AddUser_Timing(t *testing.T) {
-	a := newTestAuth(t, false, false)
-	start := time.Now().UnixMilli()
-	require.Nil(t, a.AddUser("user", "pass", auth.RoleAdmin))
-	require.GreaterOrEqual(t, time.Now().UnixMilli()-start, minBcryptTimingMillis)
-}
-
-func TestSQLiteAuth_Authenticate_Timing(t *testing.T) {
-	a := newTestAuth(t, false, false)
-	require.Nil(t, a.AddUser("user", "pass", auth.RoleAdmin))
-
-	// Timing a correct attempt
-	start := time.Now().UnixMilli()
-	_, err := a.Authenticate("user", "pass")
-	require.Nil(t, err)
-	require.GreaterOrEqual(t, time.Now().UnixMilli()-start, minBcryptTimingMillis)
-
-	// Timing an incorrect attempt
-	start = time.Now().UnixMilli()
-	_, err = a.Authenticate("user", "INCORRECT")
-	require.Equal(t, auth.ErrUnauthenticated, err)
-	require.GreaterOrEqual(t, time.Now().UnixMilli()-start, minBcryptTimingMillis)
-
-	// Timing a non-existing user attempt
-	start = time.Now().UnixMilli()
-	_, err = a.Authenticate("DOES-NOT-EXIST", "hithere")
-	require.Equal(t, auth.ErrUnauthenticated, err)
-	require.GreaterOrEqual(t, time.Now().UnixMilli()-start, minBcryptTimingMillis)
-}
-
-func TestSQLiteAuth_UserManagement(t *testing.T) {
-	a := newTestAuth(t, false, false)
-	require.Nil(t, a.AddUser("phil", "phil", auth.RoleAdmin))
-	require.Nil(t, a.AddUser("ben", "ben", auth.RoleUser))
-	require.Nil(t, a.AllowAccess("ben", "mytopic", true, true))
-	require.Nil(t, a.AllowAccess("ben", "readme", true, false))
-	require.Nil(t, a.AllowAccess("ben", "writeme", false, true))
-	require.Nil(t, a.AllowAccess("ben", "everyonewrite", false, false)) // How unfair!
-	require.Nil(t, a.AllowAccess(auth.Everyone, "announcements", true, false))
-	require.Nil(t, a.AllowAccess(auth.Everyone, "everyonewrite", true, true))
-
-	// Query user details
-	phil, err := a.User("phil")
-	require.Nil(t, err)
-	require.Equal(t, "phil", phil.Name)
-	require.True(t, strings.HasPrefix(phil.Hash, "$2a$10$"))
-	require.Equal(t, auth.RoleAdmin, phil.Role)
-	require.Equal(t, []auth.Grant{}, phil.Grants)
-
-	ben, err := a.User("ben")
-	require.Nil(t, err)
-	require.Equal(t, "ben", ben.Name)
-	require.True(t, strings.HasPrefix(ben.Hash, "$2a$10$"))
-	require.Equal(t, auth.RoleUser, ben.Role)
-	require.Equal(t, []auth.Grant{
-		{"mytopic", true, true},
-		{"readme", true, false},
-		{"writeme", false, true},
-		{"everyonewrite", false, false},
-	}, ben.Grants)
-
-	everyone, err := a.User(auth.Everyone)
-	require.Nil(t, err)
-	require.Equal(t, "*", everyone.Name)
-	require.Equal(t, "", everyone.Hash)
-	require.Equal(t, auth.RoleAnonymous, everyone.Role)
-	require.Equal(t, []auth.Grant{
-		{"announcements", true, false},
-		{"everyonewrite", true, true},
-	}, everyone.Grants)
-
-	// Ben: Before revoking
-	require.Nil(t, a.AllowAccess("ben", "mytopic", true, true))
-	require.Nil(t, a.AllowAccess("ben", "readme", true, false))
-	require.Nil(t, a.AllowAccess("ben", "writeme", false, true))
-	require.Nil(t, a.Authorize(ben, "mytopic", auth.PermissionRead))
-	require.Nil(t, a.Authorize(ben, "mytopic", auth.PermissionWrite))
-	require.Nil(t, a.Authorize(ben, "readme", auth.PermissionRead))
-	require.Nil(t, a.Authorize(ben, "writeme", auth.PermissionWrite))
-
-	// Revoke access for "ben" to "mytopic", then check again
-	require.Nil(t, a.ResetAccess("ben", "mytopic"))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "mytopic", auth.PermissionWrite)) // Revoked
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "mytopic", auth.PermissionRead))  // Revoked
-	require.Nil(t, a.Authorize(ben, "readme", auth.PermissionRead))                           // Unchanged
-	require.Nil(t, a.Authorize(ben, "writeme", auth.PermissionWrite))                         // Unchanged
-
-	// Revoke rest of the access
-	require.Nil(t, a.ResetAccess("ben", ""))
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "readme", auth.PermissionRead))    // Revoked
-	require.Equal(t, auth.ErrUnauthorized, a.Authorize(ben, "wrtiteme", auth.PermissionWrite)) // Revoked
-
-	// User list
-	users, err := a.Users()
-	require.Nil(t, err)
-	require.Equal(t, 3, len(users))
-	require.Equal(t, "phil", users[0].Name)
-	require.Equal(t, "ben", users[1].Name)
-	require.Equal(t, "*", users[2].Name)
-
-	// Remove user
-	require.Nil(t, a.RemoveUser("ben"))
-	_, err = a.User("ben")
-	require.Equal(t, auth.ErrNotFound, err)
-
-	users, err = a.Users()
-	require.Nil(t, err)
-	require.Equal(t, 2, len(users))
-	require.Equal(t, "phil", users[0].Name)
-	require.Equal(t, "*", users[1].Name)
-}
-
-func TestSQLiteAuth_ChangePassword(t *testing.T) {
-	a := newTestAuth(t, false, false)
-	require.Nil(t, a.AddUser("phil", "phil", auth.RoleAdmin))
-
-	_, err := a.Authenticate("phil", "phil")
-	require.Nil(t, err)
-
-	require.Nil(t, a.ChangePassword("phil", "newpass"))
-	_, err = a.Authenticate("phil", "phil")
-	require.Equal(t, auth.ErrUnauthenticated, err)
-	_, err = a.Authenticate("phil", "newpass")
-	require.Nil(t, err)
-}
-
-func TestSQLiteAuth_ChangeRole(t *testing.T) {
-	a := newTestAuth(t, false, false)
-	require.Nil(t, a.AddUser("ben", "ben", auth.RoleUser))
-	require.Nil(t, a.AllowAccess("ben", "mytopic", true, true))
-	require.Nil(t, a.AllowAccess("ben", "readme", true, false))
-
-	ben, err := a.User("ben")
-	require.Nil(t, err)
-	require.Equal(t, auth.RoleUser, ben.Role)
-	require.Equal(t, 2, len(ben.Grants))
-
-	require.Nil(t, a.ChangeRole("ben", auth.RoleAdmin))
-
-	ben, err = a.User("ben")
-	require.Nil(t, err)
-	require.Equal(t, auth.RoleAdmin, ben.Role)
-	require.Equal(t, 0, len(ben.Grants))
-}
-
-func newTestAuth(t *testing.T, defaultRead, defaultWrite bool) *auth.SQLiteAuth {
-	filename := filepath.Join(t.TempDir(), "user.db")
-	a, err := auth.NewSQLiteAuth(filename, defaultRead, defaultWrite)
-	require.Nil(t, err)
-	return a
-}
--- a/client/client.go
+++ b/client/client.go
@@ -7,9 +7,9 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"heckel.io/ntfy/log"
 	"heckel.io/ntfy/util"
 	"io"
-	"log"
 	"net/http"
 	"strings"
 	"sync"
@@ -47,6 +47,7 @@ type Message struct { // TODO combine with server.message
 	Priority   int
 	Tags       []string
 	Click      string
+	Icon       string
 	Attachment *Attachment

 	// Additional fields
@@ -102,6 +103,7 @@ func (c *Client) PublishReader(topic string, body io.Reader, options ...PublishO
 			return nil, err
 		}
 	}
+	log.Debug("%s Publishing message with headers %s", util.ShortTopicURL(topicURL), req.Header)
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return nil, err
@@ -136,6 +138,7 @@ func (c *Client) Poll(topic string, options ...SubscribeOption) ([]*Message, err
 	msgChan := make(chan *Message)
 	errChan := make(chan error)
 	topicURL := c.expandTopicURL(topic)
+	log.Debug("%s Polling from topic", util.ShortTopicURL(topicURL))
 	options = append(options, WithPoll())
 	go func() {
 		err := performSubscribeRequest(ctx, msgChan, topicURL, "", options...)
@@ -161,16 +164,18 @@ func (c *Client) Poll(topic string, options ...SubscribeOption) ([]*Message, err
 // The method returns a unique subscriptionID that can be used in Unsubscribe.
 //
 // Example:
-//   c := client.New(client.NewConfig())
-//   subscriptionID := c.Subscribe("mytopic")
-//   for m := range c.Messages {
-//     fmt.Printf("New message: %s", m.Message)
-//   }
+//
+//	c := client.New(client.NewConfig())
+//	subscriptionID := c.Subscribe("mytopic")
+//	for m := range c.Messages {
+//	  fmt.Printf("New message: %s", m.Message)
+//	}
 func (c *Client) Subscribe(topic string, options ...SubscribeOption) string {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	subscriptionID := util.RandomString(10)
 	topicURL := c.expandTopicURL(topic)
+	log.Debug("%s Subscribing to topic", util.ShortTopicURL(topicURL))
 	ctx, cancel := context.WithCancel(context.Background())
 	c.subscriptions[subscriptionID] = &subscription{
 		ID:       subscriptionID,
@@ -226,11 +231,11 @@ func handleSubscribeConnLoop(ctx context.Context, msgChan chan *Message, topicUR
 		// TODO The retry logic is crude and may lose messages. It should record the last message like the
 		//      Android client, use since=, and do incremental backoff too
 		if err := performSubscribeRequest(ctx, msgChan, topicURL, subcriptionID, options...); err != nil {
-			log.Printf("Connection to %s failed: %s", topicURL, err.Error())
+			log.Warn("%s Connection failed: %s", util.ShortTopicURL(topicURL), err.Error())
 		}
 		select {
 		case <-ctx.Done():
-			log.Printf("Connection to %s exited", topicURL)
+			log.Info("%s Connection exited", util.ShortTopicURL(topicURL))
 			return
 		case <-time.After(10 * time.Second): // TODO Add incremental backoff
 		}
@@ -238,7 +243,9 @@ func handleSubscribeConnLoop(ctx context.Context, msgChan chan *Message, topicUR
 }

 func performSubscribeRequest(ctx context.Context, msgChan chan *Message, topicURL string, subscriptionID string, options ...SubscribeOption) error {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("%s/json", topicURL), nil)
+	streamURL := fmt.Sprintf("%s/json", topicURL)
+	log.Debug("%s Listening to %s", util.ShortTopicURL(topicURL), streamURL)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, streamURL, nil)
 	if err != nil {
 		return err
 	}
@@ -261,10 +268,12 @@ func performSubscribeRequest(ctx context.Context, msgChan chan *Message, topicUR
 	}
 	scanner := bufio.NewScanner(resp.Body)
 	for scanner.Scan() {
-		m, err := toMessage(scanner.Text(), topicURL, subscriptionID)
+		messageJSON := scanner.Text()
+		m, err := toMessage(messageJSON, topicURL, subscriptionID)
 		if err != nil {
 			return err
 		}
+		log.Trace("%s Message received: %s", util.ShortTopicURL(topicURL), messageJSON)
 		if m.Event == MessageEvent {
 			msgChan <- m
 		}
--- a/client/client.yml
+++ b/client/client.yml
@@ -5,6 +5,16 @@
 #
 # default-host: https://ntfy.sh

+# Default username and password will be used with "ntfy publish" if no credentials are provided on command line
+# Default username and password will be used with "ntfy subscribe" if no credentials are provided in subscription below
+# For an empty password, use empty double-quotes ("")
+#
+# default-user:
+# default-password:
+
+# Default command will execute after "ntfy subscribe" receives a message if no command is provided in subscription below
+# default-command:
+
 # Subscriptions to topics and their actions. This option is primarily used by the systemd service,
 # or if you cann "ntfy subscribe --from-config" directly.
 #
@@ -16,6 +26,10 @@
 #         command: 'echo "$message"'
 #         if:
 #             priority: high,urgent
+#       - topic: secret
+#         command: 'notify-send "$m"'
+#         user: phill
+#         password: mypass
 #
 # Variables:
 #     Variable        Aliases               Description
--- a/client/config.go
+++ b/client/config.go
@@ -12,19 +12,27 @@ const (

 // Config is the config struct for a Client
 type Config struct {
-	DefaultHost string `yaml:"default-host"`
-	Subscribe   []struct {
-		Topic   string            `yaml:"topic"`
-		Command string            `yaml:"command"`
-		If      map[string]string `yaml:"if"`
+	DefaultHost     string  `yaml:"default-host"`
+	DefaultUser     string  `yaml:"default-user"`
+	DefaultPassword *string `yaml:"default-password"`
+	DefaultCommand  string  `yaml:"default-command"`
+	Subscribe       []struct {
+		Topic    string            `yaml:"topic"`
+		User     string            `yaml:"user"`
+		Password *string           `yaml:"password"`
+		Command  string            `yaml:"command"`
+		If       map[string]string `yaml:"if"`
 	} `yaml:"subscribe"`
 }

 // NewConfig creates a new Config struct for a Client
 func NewConfig() *Config {
 	return &Config{
-		DefaultHost: DefaultBaseURL,
-		Subscribe:   nil,
+		DefaultHost:     DefaultBaseURL,
+		DefaultUser:     "",
+		DefaultPassword: nil,
+		DefaultCommand:  "",
+		Subscribe:       nil,
 	}
 }

--- a/client/config_test.go
+++ b/client/config_test.go
@@ -12,25 +12,107 @@ func TestConfig_Load(t *testing.T) {
 	filename := filepath.Join(t.TempDir(), "client.yml")
 	require.Nil(t, os.WriteFile(filename, []byte(`
 default-host: http://localhost
+default-user: philipp
+default-password: mypass
+default-command: 'echo "Got the message: $message"'
 subscribe:
-  - topic: no-command
+  - topic: no-command-with-auth
+    user: phil
+    password: mypass
  - topic: echo-this
    command: 'echo "Message received: $message"'
  - topic: alerts
    command: notify-send -i /usr/share/ntfy/logo.png "Important" "$m"
    if:
            priority: high,urgent
+  - topic: defaults
 `), 0600))

 	conf, err := client.LoadConfig(filename)
 	require.Nil(t, err)
 	require.Equal(t, "http://localhost", conf.DefaultHost)
-	require.Equal(t, 3, len(conf.Subscribe))
-	require.Equal(t, "no-command", conf.Subscribe[0].Topic)
+	require.Equal(t, "philipp", conf.DefaultUser)
+	require.Equal(t, "mypass", *conf.DefaultPassword)
+	require.Equal(t, `echo "Got the message: $message"`, conf.DefaultCommand)
+	require.Equal(t, 4, len(conf.Subscribe))
+	require.Equal(t, "no-command-with-auth", conf.Subscribe[0].Topic)
 	require.Equal(t, "", conf.Subscribe[0].Command)
+	require.Equal(t, "phil", conf.Subscribe[0].User)
+	require.Equal(t, "mypass", *conf.Subscribe[0].Password)
 	require.Equal(t, "echo-this", conf.Subscribe[1].Topic)
 	require.Equal(t, `echo "Message received: $message"`, conf.Subscribe[1].Command)
 	require.Equal(t, "alerts", conf.Subscribe[2].Topic)
 	require.Equal(t, `notify-send -i /usr/share/ntfy/logo.png "Important" "$m"`, conf.Subscribe[2].Command)
 	require.Equal(t, "high,urgent", conf.Subscribe[2].If["priority"])
+	require.Equal(t, "defaults", conf.Subscribe[3].Topic)
+}
+
+func TestConfig_EmptyPassword(t *testing.T) {
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(`
+default-host: http://localhost
+default-user: philipp
+default-password: ""
+subscribe:
+  - topic: no-command-with-auth
+    user: phil
+    password: ""
+`), 0600))
+
+	conf, err := client.LoadConfig(filename)
+	require.Nil(t, err)
+	require.Equal(t, "http://localhost", conf.DefaultHost)
+	require.Equal(t, "philipp", conf.DefaultUser)
+	require.Equal(t, "", *conf.DefaultPassword)
+	require.Equal(t, 1, len(conf.Subscribe))
+	require.Equal(t, "no-command-with-auth", conf.Subscribe[0].Topic)
+	require.Equal(t, "", conf.Subscribe[0].Command)
+	require.Equal(t, "phil", conf.Subscribe[0].User)
+	require.Equal(t, "", *conf.Subscribe[0].Password)
+}
+
+func TestConfig_NullPassword(t *testing.T) {
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(`
+default-host: http://localhost
+default-user: philipp
+default-password: ~
+subscribe:
+  - topic: no-command-with-auth
+    user: phil
+    password: ~
+`), 0600))
+
+	conf, err := client.LoadConfig(filename)
+	require.Nil(t, err)
+	require.Equal(t, "http://localhost", conf.DefaultHost)
+	require.Equal(t, "philipp", conf.DefaultUser)
+	require.Nil(t, conf.DefaultPassword)
+	require.Equal(t, 1, len(conf.Subscribe))
+	require.Equal(t, "no-command-with-auth", conf.Subscribe[0].Topic)
+	require.Equal(t, "", conf.Subscribe[0].Command)
+	require.Equal(t, "phil", conf.Subscribe[0].User)
+	require.Nil(t, conf.Subscribe[0].Password)
+}
+
+func TestConfig_NoPassword(t *testing.T) {
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(`
+default-host: http://localhost
+default-user: philipp
+subscribe:
+  - topic: no-command-with-auth
+    user: phil
+`), 0600))
+
+	conf, err := client.LoadConfig(filename)
+	require.Nil(t, err)
+	require.Equal(t, "http://localhost", conf.DefaultHost)
+	require.Equal(t, "philipp", conf.DefaultUser)
+	require.Nil(t, conf.DefaultPassword)
+	require.Equal(t, 1, len(conf.Subscribe))
+	require.Equal(t, "no-command-with-auth", conf.Subscribe[0].Topic)
+	require.Equal(t, "", conf.Subscribe[0].Command)
+	require.Equal(t, "phil", conf.Subscribe[0].User)
+	require.Nil(t, conf.Subscribe[0].Password)
 }
--- a/client/options.go
+++ b/client/options.go
@@ -56,6 +56,17 @@ func WithClick(url string) PublishOption {
 	return WithHeader("X-Click", url)
 }

+// WithIcon makes the notification use the given URL as its icon
+func WithIcon(icon string) PublishOption {
+	return WithHeader("X-Icon", icon)
+}
+
+// WithActions adds custom user actions to the notification. The value can be either a JSON array or the
+// simple format definition. See https://ntfy.sh/docs/publish/#action-buttons for details.
+func WithActions(value string) PublishOption {
+	return WithHeader("X-Actions", value)
+}
+
 // WithAttach sets a URL that will be used by the client to download an attachment
 func WithAttach(attach string) PublishOption {
 	return WithHeader("X-Attach", attach)
--- a/cmd/access.go
+++ b/cmd/access.go
@@ -1,19 +1,25 @@
+//go:build !noserver
+
 package cmd

 import (
 	"errors"
 	"fmt"
 	"github.com/urfave/cli/v2"
-	"heckel.io/ntfy/auth"
+	"heckel.io/ntfy/user"
 	"heckel.io/ntfy/util"
 )

+func init() {
+	commands = append(commands, cmdAccess)
+}
+
 const (
 	userEveryone = "everyone"
 )

 var flagsAccess = append(
-	userCommandFlags(),
+	flagsUser,
 	&cli.BoolFlag{Name: "reset", Aliases: []string{"r"}, Usage: "reset access for user (and topic)"},
 )

@@ -22,7 +28,7 @@ var cmdAccess = &cli.Command{
 	Usage:     "Grant/revoke access to a topic, or show access",
 	UsageText: "ntfy access [USERNAME [TOPIC [PERMISSION]]]",
 	Flags:     flagsAccess,
-	Before:    initConfigFileInputSource("config", flagsAccess),
+	Before:    initConfigFileInputSourceFunc("config", flagsAccess, initLogFunc),
 	Action:    execUserAccess,
 	Category:  categoryServer,
 	Description: `Manage the access control list for the ntfy server.
@@ -65,13 +71,13 @@ func execUserAccess(c *cli.Context) error {
 	if c.NArg() > 3 {
 		return errors.New("too many arguments, please check 'ntfy access --help' for usage details")
 	}
-	manager, err := createAuthManager(c)
+	manager, err := createUserManager(c)
 	if err != nil {
 		return err
 	}
 	username := c.Args().Get(0)
 	if username == userEveryone {
-		username = auth.Everyone
+		username = user.Everyone
 	}
 	topic := c.Args().Get(1)
 	perms := c.Args().Get(2)
@@ -90,26 +96,28 @@ func execUserAccess(c *cli.Context) error {
 	return changeAccess(c, manager, username, topic, perms)
 }

-func changeAccess(c *cli.Context, manager auth.Manager, username string, topic string, perms string) error {
-	if !util.InStringList([]string{"", "read-write", "rw", "read-only", "read", "ro", "write-only", "write", "wo", "none", "deny"}, perms) {
+func changeAccess(c *cli.Context, manager *user.Manager, username string, topic string, perms string) error {
+	if !util.Contains([]string{"", "read-write", "rw", "read-only", "read", "ro", "write-only", "write", "wo", "none", "deny"}, perms) {
 		return errors.New("permission must be one of: read-write, read-only, write-only, or deny (or the aliases: read, ro, write, wo, none)")
 	}
-	read := util.InStringList([]string{"read-write", "rw", "read-only", "read", "ro"}, perms)
-	write := util.InStringList([]string{"read-write", "rw", "write-only", "write", "wo"}, perms)
-	user, err := manager.User(username)
-	if err == auth.ErrNotFound {
-		return fmt.Errorf("user %s does not exist", username)
-	} else if user.Role == auth.RoleAdmin {
-		return fmt.Errorf("user %s is an admin user, access control entries have no effect", username)
-	}
-	if err := manager.AllowAccess(username, topic, read, write); err != nil {
+	permission, err := user.ParsePermission(perms)
+	if err != nil {
 		return err
 	}
-	if read && write {
+	u, err := manager.User(username)
+	if err == user.ErrUserNotFound {
+		return fmt.Errorf("user %s does not exist", username)
+	} else if u.Role == user.RoleAdmin {
+		return fmt.Errorf("user %s is an admin user, access control entries have no effect", username)
+	}
+	if err := manager.AllowAccess(username, topic, permission); err != nil {
+		return err
+	}
+	if permission.IsReadWrite() {
 		fmt.Fprintf(c.App.ErrWriter, "granted read-write access to topic %s\n\n", topic)
-	} else if read {
+	} else if permission.IsRead() {
 		fmt.Fprintf(c.App.ErrWriter, "granted read-only access to topic %s\n\n", topic)
-	} else if write {
+	} else if permission.IsWrite() {
 		fmt.Fprintf(c.App.ErrWriter, "granted write-only access to topic %s\n\n", topic)
 	} else {
 		fmt.Fprintf(c.App.ErrWriter, "revoked all access to topic %s\n\n", topic)
@@ -117,7 +125,7 @@ func changeAccess(c *cli.Context, manager auth.Manager, username string, topic s
 	return showUserAccess(c, manager, username)
 }

-func resetAccess(c *cli.Context, manager auth.Manager, username, topic string) error {
+func resetAccess(c *cli.Context, manager *user.Manager, username, topic string) error {
 	if username == "" {
 		return resetAllAccess(c, manager)
 	} else if topic == "" {
@@ -126,7 +134,7 @@ func resetAccess(c *cli.Context, manager auth.Manager, username, topic string) e
 	return resetUserTopicAccess(c, manager, username, topic)
 }

-func resetAllAccess(c *cli.Context, manager auth.Manager) error {
+func resetAllAccess(c *cli.Context, manager *user.Manager) error {
 	if err := manager.ResetAccess("", ""); err != nil {
 		return err
 	}
@@ -134,7 +142,7 @@ func resetAllAccess(c *cli.Context, manager auth.Manager) error {
 	return nil
 }

-func resetUserAccess(c *cli.Context, manager auth.Manager, username string) error {
+func resetUserAccess(c *cli.Context, manager *user.Manager, username string) error {
 	if err := manager.ResetAccess(username, ""); err != nil {
 		return err
 	}
@@ -142,7 +150,7 @@ func resetUserAccess(c *cli.Context, manager auth.Manager, username string) erro
 	return showUserAccess(c, manager, username)
 }

-func resetUserTopicAccess(c *cli.Context, manager auth.Manager, username string, topic string) error {
+func resetUserTopicAccess(c *cli.Context, manager *user.Manager, username string, topic string) error {
 	if err := manager.ResetAccess(username, topic); err != nil {
 		return err
 	}
@@ -150,14 +158,14 @@ func resetUserTopicAccess(c *cli.Context, manager auth.Manager, username string,
 	return showUserAccess(c, manager, username)
 }

-func showAccess(c *cli.Context, manager auth.Manager, username string) error {
+func showAccess(c *cli.Context, manager *user.Manager, username string) error {
 	if username == "" {
 		return showAllAccess(c, manager)
 	}
 	return showUserAccess(c, manager, username)
 }

-func showAllAccess(c *cli.Context, manager auth.Manager) error {
+func showAllAccess(c *cli.Context, manager *user.Manager) error {
 	users, err := manager.Users()
 	if err != nil {
 		return err
@@ -165,28 +173,32 @@ func showAllAccess(c *cli.Context, manager auth.Manager) error {
 	return showUsers(c, manager, users)
 }

-func showUserAccess(c *cli.Context, manager auth.Manager, username string) error {
+func showUserAccess(c *cli.Context, manager *user.Manager, username string) error {
 	users, err := manager.User(username)
-	if err == auth.ErrNotFound {
+	if err == user.ErrUserNotFound {
 		return fmt.Errorf("user %s does not exist", username)
 	} else if err != nil {
 		return err
 	}
-	return showUsers(c, manager, []*auth.User{users})
+	return showUsers(c, manager, []*user.User{users})
 }

-func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
-	for _, user := range users {
-		fmt.Fprintf(c.App.ErrWriter, "user %s (%s)\n", user.Name, user.Role)
-		if user.Role == auth.RoleAdmin {
+func showUsers(c *cli.Context, manager *user.Manager, users []*user.User) error {
+	for _, u := range users {
+		grants, err := manager.Grants(u.Name)
+		if err != nil {
+			return err
+		}
+		fmt.Fprintf(c.App.ErrWriter, "user %s (%s)\n", u.Name, u.Role)
+		if u.Role == user.RoleAdmin {
 			fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
-		} else if len(user.Grants) > 0 {
-			for _, grant := range user.Grants {
-				if grant.AllowRead && grant.AllowWrite {
+		} else if len(grants) > 0 {
+			for _, grant := range grants {
+				if grant.Allow.IsReadWrite() {
 					fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern)
-				} else if grant.AllowRead {
+				} else if grant.Allow.IsRead() {
 					fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.TopicPattern)
-				} else if grant.AllowWrite {
+				} else if grant.Allow.IsWrite() {
 					fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.TopicPattern)
 				} else {
 					fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.TopicPattern)
@@ -195,13 +207,13 @@ func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
 		} else {
 			fmt.Fprintf(c.App.ErrWriter, "- no topic-specific permissions\n")
 		}
-		if user.Name == auth.Everyone {
-			defaultRead, defaultWrite := manager.DefaultAccess()
-			if defaultRead && defaultWrite {
+		if u.Name == user.Everyone {
+			access := manager.DefaultAccess()
+			if access.IsReadWrite() {
 				fmt.Fprintln(c.App.ErrWriter, "- read-write access to all (other) topics (server config)")
-			} else if defaultRead {
+			} else if access.IsRead() {
 				fmt.Fprintln(c.App.ErrWriter, "- read-only access to all (other) topics (server config)")
-			} else if defaultWrite {
+			} else if access.IsWrite() {
 				fmt.Fprintln(c.App.ErrWriter, "- write-only access to all (other) topics (server config)")
 			} else {
 				fmt.Fprintln(c.App.ErrWriter, "- no access to any (other) topics (server config)")
--- a/cmd/access_test.go
+++ b/cmd/access_test.go
@@ -81,7 +81,7 @@ func runAccessCommand(app *cli.App, conf *server.Config, args ...string) error {
 		"ntfy",
 		"access",
 		"--auth-file=" + conf.AuthFile,
-		"--auth-default-access=" + confToDefaultAccess(conf),
+		"--auth-default-access=" + conf.AuthDefault.String(),
 	}
 	return app.Run(append(userArgs, args...))
 }
--- a/cmd/app.go
+++ b/cmd/app.go
@@ -2,23 +2,26 @@
 package cmd

 import (
-	"fmt"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
-	"heckel.io/ntfy/util"
+	"heckel.io/ntfy/log"
 	"os"
 )

-var (
-	defaultClientRootConfigFile = "/etc/ntfy/client.yml"
-	defaultClientUserConfigFile = "~/.config/ntfy/client.yml"
-)
-
 const (
 	categoryClient = "Client commands"
 	categoryServer = "Server commands"
 )

+var commands = make([]*cli.Command, 0)
+
+var flagsDefault = []cli.Flag{
+	&cli.BoolFlag{Name: "debug", Aliases: []string{"d"}, EnvVars: []string{"NTFY_DEBUG"}, Usage: "enable debug logging"},
+	&cli.BoolFlag{Name: "trace", EnvVars: []string{"NTFY_TRACE"}, Usage: "enable tracing (very verbose, be careful)"},
+	&cli.BoolFlag{Name: "no-log-dates", Aliases: []string{"no_log_dates"}, EnvVars: []string{"NTFY_NO_LOG_DATES"}, Usage: "disable the date/time prefix"},
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "log-level", Aliases: []string{"log_level"}, Value: log.InfoLevel.String(), EnvVars: []string{"NTFY_LOG_LEVEL"}, Usage: "set log level"}),
+}
+
 // New creates a new CLI application
 func New() *cli.App {
 	return &cli.App{
@@ -30,42 +33,22 @@ func New() *cli.App {
 		Reader:                 os.Stdin,
 		Writer:                 os.Stdout,
 		ErrWriter:              os.Stderr,
-		Action:                 execMainApp,
-		Before:                 initConfigFileInputSource("config", flagsServe), // DEPRECATED, see deprecation notice
-		Flags:                  flagsServe,                                      // DEPRECATED, see deprecation notice
-		Commands: []*cli.Command{
-			// Server commands
-			cmdServe,
-			cmdUser,
-			cmdAccess,
-
-			// Client commands
-			cmdPublish,
-			cmdSubscribe,
-		},
+		Commands:               commands,
+		Flags:                  flagsDefault,
+		Before:                 initLogFunc,
 	}
 }

-func execMainApp(c *cli.Context) error {
-	fmt.Fprintln(c.App.ErrWriter, "\x1b[1;33mDeprecation notice: Please run the server using 'ntfy serve'; see 'ntfy -h' for help.\x1b[0m")
-	fmt.Fprintln(c.App.ErrWriter, "\x1b[1;33mThis way of running the server will be removed March 2022. See https://ntfy.sh/docs/deprecations/ for details.\x1b[0m")
-	return execServe(c)
-}
-
-// initConfigFileInputSource is like altsrc.InitInputSourceWithContext and altsrc.NewYamlSourceFromFlagFunc, but checks
-// if the config flag is exists and only loads it if it does. If the flag is set and the file exists, it fails.
-func initConfigFileInputSource(configFlag string, flags []cli.Flag) cli.BeforeFunc {
-	return func(context *cli.Context) error {
-		configFile := context.String(configFlag)
-		if context.IsSet(configFlag) && !util.FileExists(configFile) {
-			return fmt.Errorf("config file %s does not exist", configFile)
-		} else if !context.IsSet(configFlag) && !util.FileExists(configFile) {
-			return nil
-		}
-		inputSource, err := altsrc.NewYamlSourceFromFile(configFile)
-		if err != nil {
-			return err
-		}
-		return altsrc.ApplyInputSourceValues(context, inputSource, flags)
+func initLogFunc(c *cli.Context) error {
+	if c.Bool("trace") {
+		log.SetLevel(log.TraceLevel)
+	} else if c.Bool("debug") {
+		log.SetLevel(log.DebugLevel)
+	} else {
+		log.SetLevel(log.ToLevel(c.String("log-level")))
 	}
+	if c.Bool("no-log-dates") {
+		log.DisableDates()
+	}
+	return nil
 }
--- a/cmd/config_loader.go
+++ b/cmd/config_loader.go
@@ -0,0 +1,60 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v2/altsrc"
+	"gopkg.in/yaml.v2"
+	"heckel.io/ntfy/util"
+	"os"
+)
+
+// initConfigFileInputSourceFunc is like altsrc.InitInputSourceWithContext and altsrc.NewYamlSourceFromFlagFunc, but checks
+// if the config flag is exists and only loads it if it does. If the flag is set and the file exists, it fails.
+func initConfigFileInputSourceFunc(configFlag string, flags []cli.Flag, next cli.BeforeFunc) cli.BeforeFunc {
+	return func(context *cli.Context) error {
+		configFile := context.String(configFlag)
+		if context.IsSet(configFlag) && !util.FileExists(configFile) {
+			return fmt.Errorf("config file %s does not exist", configFile)
+		} else if !context.IsSet(configFlag) && !util.FileExists(configFile) {
+			return nil
+		}
+		inputSource, err := newYamlSourceFromFile(configFile, flags)
+		if err != nil {
+			return err
+		}
+		if err := altsrc.ApplyInputSourceValues(context, inputSource, flags); err != nil {
+			return err
+		}
+		if next != nil {
+			if err := next(context); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+// newYamlSourceFromFile creates a new Yaml InputSourceContext from a filepath.
+//
+// This function also maps aliases, so a .yml file can contain short options, or options with underscores
+// instead of dashes. See https://github.com/binwiederhier/ntfy/issues/255.
+func newYamlSourceFromFile(file string, flags []cli.Flag) (altsrc.InputSourceContext, error) {
+	var rawConfig map[any]any
+	b, err := os.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	if err := yaml.Unmarshal(b, &rawConfig); err != nil {
+		return nil, err
+	}
+	for _, f := range flags {
+		flagName := f.Names()[0]
+		for _, flagAlias := range f.Names()[1:] {
+			if _, ok := rawConfig[flagAlias]; ok {
+				rawConfig[flagName] = rawConfig[flagAlias]
+			}
+		}
+	}
+	return altsrc.NewMapInputSource(file, rawConfig), nil
+}
--- a/cmd/config_loader_test.go
+++ b/cmd/config_loader_test.go
@@ -0,0 +1,38 @@
+package cmd
+
+import (
+	"github.com/stretchr/testify/require"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestNewYamlSourceFromFile(t *testing.T) {
+	filename := filepath.Join(t.TempDir(), "server.yml")
+	contents := `
+# Normal options
+listen-https: ":10443"
+
+# Note the underscore!
+listen_http: ":1080"
+
+# OMG this is allowed now ...
+K: /some/file.pem
+`
+	require.Nil(t, os.WriteFile(filename, []byte(contents), 0600))
+
+	ctx, err := newYamlSourceFromFile(filename, flagsServe)
+	require.Nil(t, err)
+
+	listenHTTPS, err := ctx.String("listen-https")
+	require.Nil(t, err)
+	require.Equal(t, ":10443", listenHTTPS)
+
+	listenHTTP, err := ctx.String("listen-http") // No underscore!
+	require.Nil(t, err)
+	require.Equal(t, ":1080", listenHTTP)
+
+	keyFile, err := ctx.String("key-file") // Long option!
+	require.Nil(t, err)
+	require.Equal(t, "/some/file.pem", keyFile)
+}
--- a/cmd/publish.go
+++ b/cmd/publish.go
@@ -5,37 +5,55 @@ import (
 	"fmt"
 	"github.com/urfave/cli/v2"
 	"heckel.io/ntfy/client"
+	"heckel.io/ntfy/log"
 	"heckel.io/ntfy/util"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
+	"time"
+)
+
+func init() {
+	commands = append(commands, cmdPublish)
+}
+
+var flagsPublish = append(
+	flagsDefault,
+	&cli.StringFlag{Name: "config", Aliases: []string{"c"}, EnvVars: []string{"NTFY_CONFIG"}, Usage: "client config file"},
+	&cli.StringFlag{Name: "title", Aliases: []string{"t"}, EnvVars: []string{"NTFY_TITLE"}, Usage: "message title"},
+	&cli.StringFlag{Name: "message", Aliases: []string{"m"}, EnvVars: []string{"NTFY_MESSAGE"}, Usage: "message body"},
+	&cli.StringFlag{Name: "priority", Aliases: []string{"p"}, EnvVars: []string{"NTFY_PRIORITY"}, Usage: "priority of the message (1=min, 2=low, 3=default, 4=high, 5=max)"},
+	&cli.StringFlag{Name: "tags", Aliases: []string{"tag", "T"}, EnvVars: []string{"NTFY_TAGS"}, Usage: "comma separated list of tags and emojis"},
+	&cli.StringFlag{Name: "delay", Aliases: []string{"at", "in", "D"}, EnvVars: []string{"NTFY_DELAY"}, Usage: "delay/schedule message"},
+	&cli.StringFlag{Name: "click", Aliases: []string{"U"}, EnvVars: []string{"NTFY_CLICK"}, Usage: "URL to open when notification is clicked"},
+	&cli.StringFlag{Name: "icon", Aliases: []string{"i"}, EnvVars: []string{"NTFY_ICON"}, Usage: "URL to use as notification icon"},
+	&cli.StringFlag{Name: "actions", Aliases: []string{"A"}, EnvVars: []string{"NTFY_ACTIONS"}, Usage: "actions JSON array or simple definition"},
+	&cli.StringFlag{Name: "attach", Aliases: []string{"a"}, EnvVars: []string{"NTFY_ATTACH"}, Usage: "URL to send as an external attachment"},
+	&cli.StringFlag{Name: "filename", Aliases: []string{"name", "n"}, EnvVars: []string{"NTFY_FILENAME"}, Usage: "filename for the attachment"},
+	&cli.StringFlag{Name: "file", Aliases: []string{"f"}, EnvVars: []string{"NTFY_FILE"}, Usage: "file to upload as an attachment"},
+	&cli.StringFlag{Name: "email", Aliases: []string{"mail", "e"}, EnvVars: []string{"NTFY_EMAIL"}, Usage: "also send to e-mail address"},
+	&cli.StringFlag{Name: "user", Aliases: []string{"u"}, EnvVars: []string{"NTFY_USER"}, Usage: "username[:password] used to auth against the server"},
+	&cli.IntFlag{Name: "wait-pid", Aliases: []string{"wait_pid", "pid"}, EnvVars: []string{"NTFY_WAIT_PID"}, Usage: "wait until PID exits before publishing"},
+	&cli.BoolFlag{Name: "wait-cmd", Aliases: []string{"wait_cmd", "cmd", "done"}, EnvVars: []string{"NTFY_WAIT_CMD"}, Usage: "run command and wait until it finishes before publishing"},
+	&cli.BoolFlag{Name: "no-cache", Aliases: []string{"no_cache", "C"}, EnvVars: []string{"NTFY_NO_CACHE"}, Usage: "do not cache message server-side"},
+	&cli.BoolFlag{Name: "no-firebase", Aliases: []string{"no_firebase", "F"}, EnvVars: []string{"NTFY_NO_FIREBASE"}, Usage: "do not forward message to Firebase"},
+	&cli.BoolFlag{Name: "env-topic", Aliases: []string{"env_topic", "P"}, EnvVars: []string{"NTFY_ENV_TOPIC"}, Usage: "use topic from NTFY_TOPIC env variable"},
+	&cli.BoolFlag{Name: "quiet", Aliases: []string{"q"}, EnvVars: []string{"NTFY_QUIET"}, Usage: "do not print message"},
 )

 var cmdPublish = &cli.Command{
-	Name:      "publish",
-	Aliases:   []string{"pub", "send", "trigger"},
-	Usage:     "Send message via a ntfy server",
-	UsageText: "ntfy send [OPTIONS..] TOPIC [MESSAGE]\n   NTFY_TOPIC=.. ntfy send [OPTIONS..] -P [MESSAGE]",
-	Action:    execPublish,
-	Category:  categoryClient,
-	Flags: []cli.Flag{
-		&cli.StringFlag{Name: "config", Aliases: []string{"c"}, EnvVars: []string{"NTFY_CONFIG"}, Usage: "client config file"},
-		&cli.StringFlag{Name: "title", Aliases: []string{"t"}, EnvVars: []string{"NTFY_TITLE"}, Usage: "message title"},
-		&cli.StringFlag{Name: "priority", Aliases: []string{"p"}, EnvVars: []string{"NTFY_PRIORITY"}, Usage: "priority of the message (1=min, 2=low, 3=default, 4=high, 5=max)"},
-		&cli.StringFlag{Name: "tags", Aliases: []string{"tag", "T"}, EnvVars: []string{"NTFY_TAGS"}, Usage: "comma separated list of tags and emojis"},
-		&cli.StringFlag{Name: "delay", Aliases: []string{"at", "in", "D"}, EnvVars: []string{"NTFY_DELAY"}, Usage: "delay/schedule message"},
-		&cli.StringFlag{Name: "click", Aliases: []string{"U"}, EnvVars: []string{"NTFY_CLICK"}, Usage: "URL to open when notification is clicked"},
-		&cli.StringFlag{Name: "attach", Aliases: []string{"a"}, EnvVars: []string{"NTFY_ATTACH"}, Usage: "URL to send as an external attachment"},
-		&cli.StringFlag{Name: "filename", Aliases: []string{"name", "n"}, EnvVars: []string{"NTFY_FILENAME"}, Usage: "filename for the attachment"},
-		&cli.StringFlag{Name: "file", Aliases: []string{"f"}, EnvVars: []string{"NTFY_FILE"}, Usage: "file to upload as an attachment"},
-		&cli.StringFlag{Name: "email", Aliases: []string{"mail", "e"}, EnvVars: []string{"NTFY_EMAIL"}, Usage: "also send to e-mail address"},
-		&cli.StringFlag{Name: "user", Aliases: []string{"u"}, EnvVars: []string{"NTFY_USER"}, Usage: "username[:password] used to auth against the server"},
-		&cli.BoolFlag{Name: "no-cache", Aliases: []string{"C"}, EnvVars: []string{"NTFY_NO_CACHE"}, Usage: "do not cache message server-side"},
-		&cli.BoolFlag{Name: "no-firebase", Aliases: []string{"F"}, EnvVars: []string{"NTFY_NO_FIREBASE"}, Usage: "do not forward message to Firebase"},
-		&cli.BoolFlag{Name: "env-topic", Aliases: []string{"P"}, EnvVars: []string{"NTFY_ENV_TOPIC"}, Usage: "use topic from NTFY_TOPIC env variable"},
-		&cli.BoolFlag{Name: "quiet", Aliases: []string{"q"}, EnvVars: []string{"NTFY_QUIET"}, Usage: "do print message"},
-	},
+	Name:    "publish",
+	Aliases: []string{"pub", "send", "trigger"},
+	Usage:   "Send message via a ntfy server",
+	UsageText: `ntfy publish [OPTIONS..] TOPIC [MESSAGE...]
+ntfy publish [OPTIONS..] --wait-cmd COMMAND...
+NTFY_TOPIC=.. ntfy publish [OPTIONS..] [MESSAGE...]`,
+	Action:   execPublish,
+	Category: categoryClient,
+	Flags:    flagsPublish,
+	Before:   initLogFunc,
 	Description: `Publish a message to a ntfy server.

 Examples:
@@ -47,19 +65,21 @@ Examples:
  ntfy pub --at=8:30am delayed_topic Laterzz              # Send message at 8:30am
  ntfy pub -e phil@example.com alerts 'App is down!'      # Also send email to phil@example.com
  ntfy pub --click="https://reddit.com" redd 'New msg'    # Opens Reddit when notification is clicked
+  ntfy pub --icon="http://some.tld/icon.png" 'Icon!'      # Send notification with custom icon
  ntfy pub --attach="http://some.tld/file.zip" files      # Send ZIP archive from URL as attachment
  ntfy pub --file=flower.jpg flowers 'Nice!'              # Send image.jpg as attachment
  ntfy pub -u phil:mypass secret Psst                     # Publish with username/password
+  ntfy pub --wait-pid 1234 mytopic                        # Wait for process 1234 to exit before publishing
+  ntfy pub --wait-cmd mytopic rsync -av ./ /tmp/a         # Run command and publish after it completes
  NTFY_USER=phil:mypass ntfy pub secret Psst              # Use env variables to set username/password
-  NTFY_TOPIC=mytopic ntfy pub -P "some message""          # Use NTFY_TOPIC variable as topic 
+  NTFY_TOPIC=mytopic ntfy pub "some message"              # Use NTFY_TOPIC variable as topic 
  cat flower.jpg | ntfy pub --file=- flowers 'Nice!'      # Same as above, send image.jpg as attachment
  ntfy trigger mywebhook                                  # Sending without message, useful for webhooks
 
 Please also check out the docs on publishing messages. Especially for the --tags and --delay options, 
 it has incredibly useful information: https://ntfy.sh/docs/publish/.

-The default config file for all client commands is /etc/ntfy/client.yml (if root user),
-or ~/.config/ntfy/client.yml for all other users.`,
+` + clientCommandDescriptionSuffix,
 }

 func execPublish(c *cli.Context) error {
@@ -72,6 +92,8 @@ func execPublish(c *cli.Context) error {
 	tags := c.String("tags")
 	delay := c.String("delay")
 	click := c.String("click")
+	icon := c.String("icon")
+	actions := c.String("actions")
 	attach := c.String("attach")
 	filename := c.String("filename")
 	file := c.String("file")
@@ -79,22 +101,11 @@ func execPublish(c *cli.Context) error {
 	user := c.String("user")
 	noCache := c.Bool("no-cache")
 	noFirebase := c.Bool("no-firebase")
-	envTopic := c.Bool("env-topic")
 	quiet := c.Bool("quiet")
-	var topic, message string
-	if envTopic {
-		topic = os.Getenv("NTFY_TOPIC")
-		if c.NArg() > 0 {
-			message = strings.Join(c.Args().Slice(), " ")
-		}
-	} else {
-		if c.NArg() < 1 {
-			return errors.New("must specify topic, type 'ntfy publish --help' for help")
-		}
-		topic = c.Args().Get(0)
-		if c.NArg() > 1 {
-			message = strings.Join(c.Args().Slice()[1:], " ")
-		}
+	pid := c.Int("wait-pid")
+	topic, message, command, err := parseTopicMessageCommand(c)
+	if err != nil {
+		return err
 	}
 	var options []client.PublishOption
 	if title != "" {
@@ -112,6 +123,12 @@ func execPublish(c *cli.Context) error {
 	if click != "" {
 		options = append(options, client.WithClick(click))
 	}
+	if icon != "" {
+		options = append(options, client.WithIcon(icon))
+	}
+	if actions != "" {
+		options = append(options, client.WithActions(strings.ReplaceAll(actions, "\n", " ")))
+	}
 	if attach != "" {
 		options = append(options, client.WithAttach(attach))
 	}
@@ -143,6 +160,23 @@ func execPublish(c *cli.Context) error {
 			fmt.Fprintf(c.App.ErrWriter, "\r%s\r", strings.Repeat(" ", 20))
 		}
 		options = append(options, client.WithBasicAuth(user, pass))
+	} else if conf.DefaultUser != "" && conf.DefaultPassword != nil {
+		options = append(options, client.WithBasicAuth(conf.DefaultUser, *conf.DefaultPassword))
+	}
+	if pid > 0 {
+		newMessage, err := waitForProcess(pid)
+		if err != nil {
+			return err
+		} else if message == "" {
+			message = newMessage
+		}
+	} else if len(command) > 0 {
+		newMessage, err := runAndWaitForCommand(command)
+		if err != nil {
+			return err
+		} else if message == "" {
+			message = newMessage
+		}
 	}
 	var body io.Reader
 	if file == "" {
@@ -176,3 +210,88 @@ func execPublish(c *cli.Context) error {
 	}
 	return nil
 }
+
+// parseTopicMessageCommand reads the topic and the remaining arguments from the context.
+
+// There are a few cases to consider:
+//
+//	ntfy publish <topic> [<message>]
+//	ntfy publish --wait-cmd <topic> <command>
+//	NTFY_TOPIC=.. ntfy publish [<message>]
+//	NTFY_TOPIC=.. ntfy publish --wait-cmd <command>
+func parseTopicMessageCommand(c *cli.Context) (topic string, message string, command []string, err error) {
+	var args []string
+	topic, args, err = parseTopicAndArgs(c)
+	if err != nil {
+		return
+	}
+	if c.Bool("wait-cmd") {
+		if len(args) == 0 {
+			err = errors.New("must specify command when --wait-cmd is passed, type 'ntfy publish --help' for help")
+			return
+		}
+		command = args
+	} else {
+		message = strings.Join(args, " ")
+	}
+	if c.String("message") != "" {
+		message = c.String("message")
+	}
+	return
+}
+
+func parseTopicAndArgs(c *cli.Context) (topic string, args []string, err error) {
+	envTopic := os.Getenv("NTFY_TOPIC")
+	if envTopic != "" {
+		topic = envTopic
+		return topic, remainingArgs(c, 0), nil
+	}
+	if c.NArg() < 1 {
+		return "", nil, errors.New("must specify topic, type 'ntfy publish --help' for help")
+	}
+	return c.Args().Get(0), remainingArgs(c, 1), nil
+}
+
+func remainingArgs(c *cli.Context, fromIndex int) []string {
+	if c.NArg() > fromIndex {
+		return c.Args().Slice()[fromIndex:]
+	}
+	return []string{}
+}
+
+func waitForProcess(pid int) (message string, err error) {
+	if !processExists(pid) {
+		return "", fmt.Errorf("process with PID %d not running", pid)
+	}
+	start := time.Now()
+	log.Debug("Waiting for process with PID %d to exit", pid)
+	for processExists(pid) {
+		time.Sleep(500 * time.Millisecond)
+	}
+	runtime := time.Since(start).Round(time.Millisecond)
+	log.Debug("Process with PID %d exited after %s", pid, runtime)
+	return fmt.Sprintf("Process with PID %d exited after %s", pid, runtime), nil
+}
+
+func runAndWaitForCommand(command []string) (message string, err error) {
+	prettyCmd := util.QuoteCommand(command)
+	log.Debug("Running command: %s", prettyCmd)
+	start := time.Now()
+	cmd := exec.Command(command[0], command[1:]...)
+	if log.IsTrace() {
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+	}
+	err = cmd.Run()
+	runtime := time.Since(start).Round(time.Millisecond)
+	if err != nil {
+		if exitError, ok := err.(*exec.ExitError); ok {
+			log.Debug("Command failed after %s (exit code %d): %s", runtime, exitError.ExitCode(), prettyCmd)
+			return fmt.Sprintf("Command failed after %s (exit code %d): %s", runtime, exitError.ExitCode(), prettyCmd), nil
+		}
+		// Hard fail when command does not exist or could not be properly launched
+		return "", fmt.Errorf("command failed: %s, error: %s", prettyCmd, err.Error())
+	}
+	log.Debug("Command succeeded after %s: %s", runtime, prettyCmd)
+	return fmt.Sprintf("Command succeeded after %s: %s", runtime, prettyCmd), nil
+}
--- a/cmd/publish_test.go
+++ b/cmd/publish_test.go
@@ -5,7 +5,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"heckel.io/ntfy/test"
 	"heckel.io/ntfy/util"
+	"os"
+	"os/exec"
+	"strconv"
 	"testing"
+	"time"
 )

 func TestCLI_Publish_Subscribe_Poll_Real_Server(t *testing.T) {
@@ -13,6 +17,7 @@ func TestCLI_Publish_Subscribe_Poll_Real_Server(t *testing.T) {

 	app, _, _, _ := newTestApp()
 	require.Nil(t, app.Run([]string{"ntfy", "publish", "ntfytest", "ntfy unit test " + testMessage}))
+	time.Sleep(3 * time.Second) // Since #502, ntfy.sh writes messages to the cache asynchronously, after a timeout of ~1.5s

 	app2, _, stdout, _ := newTestApp()
 	require.Nil(t, app2.Run([]string{"ntfy", "subscribe", "--poll", "ntfytest"}))
@@ -48,6 +53,7 @@ func TestCLI_Publish_All_The_Things(t *testing.T) {
 		"--tags", "tag1,tag2",
 		// No --delay, --email
 		"--click", "https://ntfy.sh",
+		"--icon", "https://ntfy.sh/static/img/ntfy.png",
 		"--attach", "https://f-droid.org/F-Droid.apk",
 		"--filename", "fdroid.apk",
 		"--no-cache",
@@ -69,4 +75,68 @@ func TestCLI_Publish_All_The_Things(t *testing.T) {
 	require.Equal(t, "", m.Attachment.Owner)
 	require.Equal(t, int64(0), m.Attachment.Expires)
 	require.Equal(t, "", m.Attachment.Type)
+	require.Equal(t, "https://ntfy.sh/static/img/ntfy.png", m.Icon)
+}
+
+func TestCLI_Publish_Wait_PID_And_Cmd(t *testing.T) {
+	s, port := test.StartServer(t)
+	defer test.StopServer(t, s, port)
+	topic := fmt.Sprintf("http://127.0.0.1:%d/mytopic", port)
+
+	// Test: sleep 0.5
+	sleep := exec.Command("sleep", "0.5")
+	require.Nil(t, sleep.Start())
+	go sleep.Wait() // Must be called to release resources
+	start := time.Now()
+	app, _, stdout, _ := newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--wait-pid", strconv.Itoa(sleep.Process.Pid), topic}))
+	m := toMessage(t, stdout.String())
+	require.True(t, time.Since(start) >= 500*time.Millisecond)
+	require.Regexp(t, `Process with PID \d+ exited after `, m.Message)
+
+	// Test: PID does not exist
+	app, _, _, _ = newTestApp()
+	err := app.Run([]string{"ntfy", "publish", "--wait-pid", "1234567", topic})
+	require.Error(t, err)
+	require.Equal(t, "process with PID 1234567 not running", err.Error())
+
+	// Test: Successful command (exit 0)
+	start = time.Now()
+	app, _, stdout, _ = newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--wait-cmd", topic, "sleep", "0.5"}))
+	m = toMessage(t, stdout.String())
+	require.True(t, time.Since(start) >= 500*time.Millisecond)
+	require.Contains(t, m.Message, `Command succeeded after `)
+	require.Contains(t, m.Message, `: sleep 0.5`)
+
+	// Test: Failing command (exit 1)
+	app, _, stdout, _ = newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--wait-cmd", topic, "/bin/false", "false doesn't care about its args"}))
+	m = toMessage(t, stdout.String())
+	require.Contains(t, m.Message, `Command failed after `)
+	require.Contains(t, m.Message, `(exit code 1): /bin/false "false doesn't care about its args"`, m.Message)
+
+	// Test: Non-existing command (hard fail!)
+	app, _, _, _ = newTestApp()
+	err = app.Run([]string{"ntfy", "publish", "--wait-cmd", topic, "does-not-exist-no-really", "really though"})
+	require.Error(t, err)
+	require.Equal(t, `command failed: does-not-exist-no-really "really though", error: exec: "does-not-exist-no-really": executable file not found in $PATH`, err.Error())
+
+	// Tests with NTFY_TOPIC set ////
+	require.Nil(t, os.Setenv("NTFY_TOPIC", topic))
+
+	// Test: Successful command with NTFY_TOPIC
+	app, _, stdout, _ = newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--env-topic", "--cmd", "echo", "hi there"}))
+	m = toMessage(t, stdout.String())
+	require.Equal(t, "mytopic", m.Topic)
+
+	// Test: Successful --wait-pid with NTFY_TOPIC
+	sleep = exec.Command("sleep", "0.2")
+	require.Nil(t, sleep.Start())
+	go sleep.Wait() // Must be called to release resources
+	app, _, stdout, _ = newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--env-topic", "--wait-pid", strconv.Itoa(sleep.Process.Pid)}))
+	m = toMessage(t, stdout.String())
+	require.Regexp(t, `Process with PID \d+ exited after .+ms`, m.Message)
 }
--- a/cmd/publish_unix.go
+++ b/cmd/publish_unix.go
@@ -0,0 +1,11 @@
+//go:build darwin || linux || dragonfly || freebsd || netbsd || openbsd
+// +build darwin linux dragonfly freebsd netbsd openbsd
+
+package cmd
+
+import "syscall"
+
+func processExists(pid int) bool {
+	err := syscall.Kill(pid, syscall.Signal(0))
+	return err == nil
+}
--- a/cmd/publish_windows.go
+++ b/cmd/publish_windows.go
@@ -0,0 +1,10 @@
+package cmd
+
+import (
+	"os"
+)
+
+func processExists(pid int) bool {
+	_, err := os.FindProcess(pid)
+	return err == nil
+}
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -1,57 +1,89 @@
+//go:build !noserver
+
 package cmd

 import (
 	"errors"
 	"fmt"
+	"github.com/stripe/stripe-go/v74"
+	"heckel.io/ntfy/user"
+	"io/fs"
+	"math"
+	"net"
+	"net/netip"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+	"time"
+
+	"heckel.io/ntfy/log"
+
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"heckel.io/ntfy/server"
 	"heckel.io/ntfy/util"
-	"log"
-	"math"
-	"net"
-	"strings"
-	"time"
 )

-var flagsServe = []cli.Flag{
-	&cli.StringFlag{Name: "config", Aliases: []string{"c"}, EnvVars: []string{"NTFY_CONFIG_FILE"}, Value: "/etc/ntfy/server.yml", DefaultText: "/etc/ntfy/server.yml", Usage: "config file"},
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "base-url", Aliases: []string{"B"}, EnvVars: []string{"NTFY_BASE_URL"}, Usage: "externally visible base URL for this host (e.g. https://ntfy.sh)"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-http", Aliases: []string{"l"}, EnvVars: []string{"NTFY_LISTEN_HTTP"}, Value: server.DefaultListenHTTP, Usage: "ip:port used to as HTTP listen address"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-https", Aliases: []string{"L"}, EnvVars: []string{"NTFY_LISTEN_HTTPS"}, Usage: "ip:port used to as HTTPS listen address"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-unix", Aliases: []string{"U"}, EnvVars: []string{"NTFY_LISTEN_UNIX"}, Usage: "listen on unix socket path"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "key-file", Aliases: []string{"K"}, EnvVars: []string{"NTFY_KEY_FILE"}, Usage: "private key file, if listen-https is set"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "cert-file", Aliases: []string{"E"}, EnvVars: []string{"NTFY_CERT_FILE"}, Usage: "certificate file, if listen-https is set"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "firebase-key-file", Aliases: []string{"F"}, EnvVars: []string{"NTFY_FIREBASE_KEY_FILE"}, Usage: "Firebase credentials file; if set additionally publish to FCM topic"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-file", Aliases: []string{"C"}, EnvVars: []string{"NTFY_CACHE_FILE"}, Usage: "cache file used for message caching"}),
-	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "cache-duration", Aliases: []string{"b"}, EnvVars: []string{"NTFY_CACHE_DURATION"}, Value: server.DefaultCacheDuration, Usage: "buffer messages for this time to allow `since` requests"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"H"}, EnvVars: []string{"NTFY_AUTH_FILE"}, Usage: "auth database file used for access control"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-access", Aliases: []string{"p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_ACCESS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-cache-dir", EnvVars: []string{"NTFY_ATTACHMENT_CACHE_DIR"}, Usage: "cache directory for attached files"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-total-size-limit", Aliases: []string{"A"}, EnvVars: []string{"NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT"}, DefaultText: "5G", Usage: "limit of the on-disk attachment cache"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-file-size-limit", Aliases: []string{"Y"}, EnvVars: []string{"NTFY_ATTACHMENT_FILE_SIZE_LIMIT"}, DefaultText: "15M", Usage: "per-file attachment size limit (e.g. 300k, 2M, 100M)"}),
-	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "attachment-expiry-duration", Aliases: []string{"X"}, EnvVars: []string{"NTFY_ATTACHMENT_EXPIRY_DURATION"}, Value: server.DefaultAttachmentExpiryDuration, DefaultText: "3h", Usage: "duration after which uploaded attachments will be deleted (e.g. 3h, 20h)"}),
-	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "keepalive-interval", Aliases: []string{"k"}, EnvVars: []string{"NTFY_KEEPALIVE_INTERVAL"}, Value: server.DefaultKeepaliveInterval, Usage: "interval of keepalive messages"}),
-	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "manager-interval", Aliases: []string{"m"}, EnvVars: []string{"NTFY_MANAGER_INTERVAL"}, Value: server.DefaultManagerInterval, Usage: "interval of for message pruning and stats printing"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-sender-addr", EnvVars: []string{"NTFY_SMTP_SENDER_ADDR"}, Usage: "SMTP server address (host:port) for outgoing emails"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-sender-user", EnvVars: []string{"NTFY_SMTP_SENDER_USER"}, Usage: "SMTP user (if e-mail sending is enabled)"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-sender-pass", EnvVars: []string{"NTFY_SMTP_SENDER_PASS"}, Usage: "SMTP password (if e-mail sending is enabled)"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-sender-from", EnvVars: []string{"NTFY_SMTP_SENDER_FROM"}, Usage: "SMTP sender address (if e-mail sending is enabled)"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-server-listen", EnvVars: []string{"NTFY_SMTP_SERVER_LISTEN"}, Usage: "SMTP server address (ip:port) for incoming emails, e.g. :25"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-server-domain", EnvVars: []string{"NTFY_SMTP_SERVER_DOMAIN"}, Usage: "SMTP domain for incoming e-mail, e.g. ntfy.sh"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-server-addr-prefix", EnvVars: []string{"NTFY_SMTP_SERVER_ADDR_PREFIX"}, Usage: "SMTP email address prefix for topics to prevent spam (e.g. 'ntfy-')"}),
-	altsrc.NewIntFlag(&cli.IntFlag{Name: "global-topic-limit", Aliases: []string{"T"}, EnvVars: []string{"NTFY_GLOBAL_TOPIC_LIMIT"}, Value: server.DefaultTotalTopicLimit, Usage: "total number of topics allowed"}),
-	altsrc.NewIntFlag(&cli.IntFlag{Name: "visitor-subscription-limit", EnvVars: []string{"NTFY_VISITOR_SUBSCRIPTION_LIMIT"}, Value: server.DefaultVisitorSubscriptionLimit, Usage: "number of subscriptions per visitor"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "visitor-attachment-total-size-limit", EnvVars: []string{"NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT"}, Value: "100M", Usage: "total storage limit used for attachments per visitor"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "visitor-attachment-daily-bandwidth-limit", EnvVars: []string{"NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT"}, Value: "500M", Usage: "total daily attachment download/upload bandwidth limit per visitor"}),
-	altsrc.NewIntFlag(&cli.IntFlag{Name: "visitor-request-limit-burst", EnvVars: []string{"NTFY_VISITOR_REQUEST_LIMIT_BURST"}, Value: server.DefaultVisitorRequestLimitBurst, Usage: "initial limit of requests per visitor"}),
-	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "visitor-request-limit-replenish", EnvVars: []string{"NTFY_VISITOR_REQUEST_LIMIT_REPLENISH"}, Value: server.DefaultVisitorRequestLimitReplenish, Usage: "interval at which burst limit is replenished (one per x)"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "visitor-request-limit-exempt-hosts", EnvVars: []string{"NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS"}, Value: "", Usage: "hostnames and/or IP addresses of hosts that will be exempt from the visitor request limit"}),
-	altsrc.NewIntFlag(&cli.IntFlag{Name: "visitor-email-limit-burst", EnvVars: []string{"NTFY_VISITOR_EMAIL_LIMIT_BURST"}, Value: server.DefaultVisitorEmailLimitBurst, Usage: "initial limit of e-mails per visitor"}),
-	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "visitor-email-limit-replenish", EnvVars: []string{"NTFY_VISITOR_EMAIL_LIMIT_REPLENISH"}, Value: server.DefaultVisitorEmailLimitReplenish, Usage: "interval at which burst limit is replenished (one per x)"}),
-	altsrc.NewBoolFlag(&cli.BoolFlag{Name: "behind-proxy", Aliases: []string{"P"}, EnvVars: []string{"NTFY_BEHIND_PROXY"}, Value: false, Usage: "if set, use X-Forwarded-For header to determine visitor IP address (for rate limiting)"}),
+func init() {
+	commands = append(commands, cmdServe)
 }

+const (
+	defaultServerConfigFile = "/etc/ntfy/server.yml"
+)
+
+var flagsServe = append(
+	flagsDefault,
+	&cli.StringFlag{Name: "config", Aliases: []string{"c"}, EnvVars: []string{"NTFY_CONFIG_FILE"}, Value: defaultServerConfigFile, DefaultText: defaultServerConfigFile, Usage: "config file"},
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "base-url", Aliases: []string{"base_url", "B"}, EnvVars: []string{"NTFY_BASE_URL"}, Usage: "externally visible base URL for this host (e.g. https://ntfy.sh)"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-http", Aliases: []string{"listen_http", "l"}, EnvVars: []string{"NTFY_LISTEN_HTTP"}, Value: server.DefaultListenHTTP, Usage: "ip:port used to as HTTP listen address"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-https", Aliases: []string{"listen_https", "L"}, EnvVars: []string{"NTFY_LISTEN_HTTPS"}, Usage: "ip:port used to as HTTPS listen address"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-unix", Aliases: []string{"listen_unix", "U"}, EnvVars: []string{"NTFY_LISTEN_UNIX"}, Usage: "listen on unix socket path"}),
+	altsrc.NewIntFlag(&cli.IntFlag{Name: "listen-unix-mode", Aliases: []string{"listen_unix_mode"}, EnvVars: []string{"NTFY_LISTEN_UNIX_MODE"}, DefaultText: "system default", Usage: "file permissions of unix socket, e.g. 0700"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "key-file", Aliases: []string{"key_file", "K"}, EnvVars: []string{"NTFY_KEY_FILE"}, Usage: "private key file, if listen-https is set"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "cert-file", Aliases: []string{"cert_file", "E"}, EnvVars: []string{"NTFY_CERT_FILE"}, Usage: "certificate file, if listen-https is set"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "firebase-key-file", Aliases: []string{"firebase_key_file", "F"}, EnvVars: []string{"NTFY_FIREBASE_KEY_FILE"}, Usage: "Firebase credentials file; if set additionally publish to FCM topic"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-file", Aliases: []string{"cache_file", "C"}, EnvVars: []string{"NTFY_CACHE_FILE"}, Usage: "cache file used for message caching"}),
+	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "cache-duration", Aliases: []string{"cache_duration", "b"}, EnvVars: []string{"NTFY_CACHE_DURATION"}, Value: server.DefaultCacheDuration, Usage: "buffer messages for this time to allow `since` requests"}),
+	altsrc.NewIntFlag(&cli.IntFlag{Name: "cache-batch-size", Aliases: []string{"cache_batch_size"}, EnvVars: []string{"NTFY_BATCH_SIZE"}, Usage: "max size of messages to batch together when writing to message cache (if zero, writes are synchronous)"}),
+	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "cache-batch-timeout", Aliases: []string{"cache_batch_timeout"}, EnvVars: []string{"NTFY_CACHE_BATCH_TIMEOUT"}, Usage: "timeout for batched async writes to the message cache (if zero, writes are synchronous)"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-startup-queries", Aliases: []string{"cache_startup_queries"}, EnvVars: []string{"NTFY_CACHE_STARTUP_QUERIES"}, Usage: "queries run when the cache database is initialized"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"auth_file", "H"}, EnvVars: []string{"NTFY_AUTH_FILE"}, Usage: "auth database file used for access control"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-startup-queries", Aliases: []string{"auth_startup_queries"}, EnvVars: []string{"NTFY_AUTH_STARTUP_QUERIES"}, Usage: "queries run when the auth database is initialized"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-access", Aliases: []string{"auth_default_access", "p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_ACCESS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-cache-dir", Aliases: []string{"attachment_cache_dir"}, EnvVars: []string{"NTFY_ATTACHMENT_CACHE_DIR"}, Usage: "cache directory for attached files"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-total-size-limit", Aliases: []string{"attachment_total_size_limit", "A"}, EnvVars: []string{"NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT"}, DefaultText: "5G", Usage: "limit of the on-disk attachment cache"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-file-size-limit", Aliases: []string{"attachment_file_size_limit", "Y"}, EnvVars: []string{"NTFY_ATTACHMENT_FILE_SIZE_LIMIT"}, DefaultText: "15M", Usage: "per-file attachment size limit (e.g. 300k, 2M, 100M)"}),
+	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "attachment-expiry-duration", Aliases: []string{"attachment_expiry_duration", "X"}, EnvVars: []string{"NTFY_ATTACHMENT_EXPIRY_DURATION"}, Value: server.DefaultAttachmentExpiryDuration, DefaultText: "3h", Usage: "duration after which uploaded attachments will be deleted (e.g. 3h, 20h)"}),
+	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "keepalive-interval", Aliases: []string{"keepalive_interval", "k"}, EnvVars: []string{"NTFY_KEEPALIVE_INTERVAL"}, Value: server.DefaultKeepaliveInterval, Usage: "interval of keepalive messages"}),
+	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "manager-interval", Aliases: []string{"manager_interval", "m"}, EnvVars: []string{"NTFY_MANAGER_INTERVAL"}, Value: server.DefaultManagerInterval, Usage: "interval of for message pruning and stats printing"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "web-root", Aliases: []string{"web_root"}, EnvVars: []string{"NTFY_WEB_ROOT"}, Value: "app", Usage: "sets web root to landing page (home), web app (app) or disabled (disable)"}),
+	altsrc.NewBoolFlag(&cli.BoolFlag{Name: "enable-signup", Aliases: []string{"enable_signup"}, EnvVars: []string{"NTFY_ENABLE_SIGNUP"}, Value: false, Usage: "allows users to sign up via the web app, or API"}),
+	altsrc.NewBoolFlag(&cli.BoolFlag{Name: "enable-login", Aliases: []string{"enable_login"}, EnvVars: []string{"NTFY_ENABLE_LOGIN"}, Value: false, Usage: "allows users to log in via the web app, or API"}),
+	altsrc.NewBoolFlag(&cli.BoolFlag{Name: "enable-reservations", Aliases: []string{"enable_reservations"}, EnvVars: []string{"NTFY_ENABLE_RESERVATIONS"}, Value: false, Usage: "allows users to reserve topics (if their tier allows it)"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "upstream-base-url", Aliases: []string{"upstream_base_url"}, EnvVars: []string{"NTFY_UPSTREAM_BASE_URL"}, Value: "", Usage: "forward poll request to an upstream server, this is needed for iOS push notifications for self-hosted servers"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-sender-addr", Aliases: []string{"smtp_sender_addr"}, EnvVars: []string{"NTFY_SMTP_SENDER_ADDR"}, Usage: "SMTP server address (host:port) for outgoing emails"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-sender-user", Aliases: []string{"smtp_sender_user"}, EnvVars: []string{"NTFY_SMTP_SENDER_USER"}, Usage: "SMTP user (if e-mail sending is enabled)"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-sender-pass", Aliases: []string{"smtp_sender_pass"}, EnvVars: []string{"NTFY_SMTP_SENDER_PASS"}, Usage: "SMTP password (if e-mail sending is enabled)"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-sender-from", Aliases: []string{"smtp_sender_from"}, EnvVars: []string{"NTFY_SMTP_SENDER_FROM"}, Usage: "SMTP sender address (if e-mail sending is enabled)"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-server-listen", Aliases: []string{"smtp_server_listen"}, EnvVars: []string{"NTFY_SMTP_SERVER_LISTEN"}, Usage: "SMTP server address (ip:port) for incoming emails, e.g. :25"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-server-domain", Aliases: []string{"smtp_server_domain"}, EnvVars: []string{"NTFY_SMTP_SERVER_DOMAIN"}, Usage: "SMTP domain for incoming e-mail, e.g. ntfy.sh"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "smtp-server-addr-prefix", Aliases: []string{"smtp_server_addr_prefix"}, EnvVars: []string{"NTFY_SMTP_SERVER_ADDR_PREFIX"}, Usage: "SMTP email address prefix for topics to prevent spam (e.g. 'ntfy-')"}),
+	altsrc.NewIntFlag(&cli.IntFlag{Name: "global-topic-limit", Aliases: []string{"global_topic_limit", "T"}, EnvVars: []string{"NTFY_GLOBAL_TOPIC_LIMIT"}, Value: server.DefaultTotalTopicLimit, Usage: "total number of topics allowed"}),
+	altsrc.NewIntFlag(&cli.IntFlag{Name: "visitor-subscription-limit", Aliases: []string{"visitor_subscription_limit"}, EnvVars: []string{"NTFY_VISITOR_SUBSCRIPTION_LIMIT"}, Value: server.DefaultVisitorSubscriptionLimit, Usage: "number of subscriptions per visitor"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "visitor-attachment-total-size-limit", Aliases: []string{"visitor_attachment_total_size_limit"}, EnvVars: []string{"NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT"}, Value: "100M", Usage: "total storage limit used for attachments per visitor"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "visitor-attachment-daily-bandwidth-limit", Aliases: []string{"visitor_attachment_daily_bandwidth_limit"}, EnvVars: []string{"NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT"}, Value: "500M", Usage: "total daily attachment download/upload bandwidth limit per visitor"}),
+	altsrc.NewIntFlag(&cli.IntFlag{Name: "visitor-request-limit-burst", Aliases: []string{"visitor_request_limit_burst"}, EnvVars: []string{"NTFY_VISITOR_REQUEST_LIMIT_BURST"}, Value: server.DefaultVisitorRequestLimitBurst, Usage: "initial limit of requests per visitor"}),
+	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "visitor-request-limit-replenish", Aliases: []string{"visitor_request_limit_replenish"}, EnvVars: []string{"NTFY_VISITOR_REQUEST_LIMIT_REPLENISH"}, Value: server.DefaultVisitorRequestLimitReplenish, Usage: "interval at which burst limit is replenished (one per x)"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "visitor-request-limit-exempt-hosts", Aliases: []string{"visitor_request_limit_exempt_hosts"}, EnvVars: []string{"NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS"}, Value: "", Usage: "hostnames and/or IP addresses of hosts that will be exempt from the visitor request limit"}),
+	altsrc.NewIntFlag(&cli.IntFlag{Name: "visitor-email-limit-burst", Aliases: []string{"visitor_email_limit_burst"}, EnvVars: []string{"NTFY_VISITOR_EMAIL_LIMIT_BURST"}, Value: server.DefaultVisitorEmailLimitBurst, Usage: "initial limit of e-mails per visitor"}),
+	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "visitor-email-limit-replenish", Aliases: []string{"visitor_email_limit_replenish"}, EnvVars: []string{"NTFY_VISITOR_EMAIL_LIMIT_REPLENISH"}, Value: server.DefaultVisitorEmailLimitReplenish, Usage: "interval at which burst limit is replenished (one per x)"}),
+	altsrc.NewBoolFlag(&cli.BoolFlag{Name: "behind-proxy", Aliases: []string{"behind_proxy", "P"}, EnvVars: []string{"NTFY_BEHIND_PROXY"}, Value: false, Usage: "if set, use X-Forwarded-For header to determine visitor IP address (for rate limiting)"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "stripe-secret-key", Aliases: []string{"stripe_secret_key"}, EnvVars: []string{"NTFY_STRIPE_SECRET_KEY"}, Value: "", Usage: "key used for the Stripe API communication, this enables payments"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "stripe-webhook-key", Aliases: []string{"stripe_webhook_key"}, EnvVars: []string{"NTFY_STRIPE_WEBHOOK_KEY"}, Value: "", Usage: "key required to validate the authenticity of incoming webhooks from Stripe"}),
+)
+
 var cmdServe = &cli.Command{
 	Name:      "serve",
 	Usage:     "Run the ntfy server",
@@ -59,7 +91,7 @@ var cmdServe = &cli.Command{
 	Action:    execServe,
 	Category:  categoryServer,
 	Flags:     flagsServe,
-	Before:    initConfigFileInputSource("config", flagsServe),
+	Before:    initConfigFileInputSourceFunc("config", flagsServe, initLogFunc),
 	Description: `Run the ntfy server and listen for incoming requests

 The command will load the configuration from /etc/ntfy/server.yml. Config options can 
@@ -76,16 +108,22 @@ func execServe(c *cli.Context) error {
 	}

 	// Read all the options
+	config := c.String("config")
 	baseURL := c.String("base-url")
 	listenHTTP := c.String("listen-http")
 	listenHTTPS := c.String("listen-https")
 	listenUnix := c.String("listen-unix")
+	listenUnixMode := c.Int("listen-unix-mode")
 	keyFile := c.String("key-file")
 	certFile := c.String("cert-file")
 	firebaseKeyFile := c.String("firebase-key-file")
 	cacheFile := c.String("cache-file")
 	cacheDuration := c.Duration("cache-duration")
+	cacheStartupQueries := c.String("cache-startup-queries")
+	cacheBatchSize := c.Int("cache-batch-size")
+	cacheBatchTimeout := c.Duration("cache-batch-timeout")
 	authFile := c.String("auth-file")
+	authStartupQueries := c.String("auth-startup-queries")
 	authDefaultAccess := c.String("auth-default-access")
 	attachmentCacheDir := c.String("attachment-cache-dir")
 	attachmentTotalSizeLimitStr := c.String("attachment-total-size-limit")
@@ -93,6 +131,11 @@ func execServe(c *cli.Context) error {
 	attachmentExpiryDuration := c.Duration("attachment-expiry-duration")
 	keepaliveInterval := c.Duration("keepalive-interval")
 	managerInterval := c.Duration("manager-interval")
+	webRoot := c.String("web-root")
+	enableSignup := c.Bool("enable-signup")
+	enableLogin := c.Bool("enable-login")
+	enableReservations := c.Bool("enable-reservations")
+	upstreamBaseURL := c.String("upstream-base-url")
 	smtpSenderAddr := c.String("smtp-sender-addr")
 	smtpSenderUser := c.String("smtp-sender-user")
 	smtpSenderPass := c.String("smtp-sender-pass")
@@ -110,6 +153,8 @@ func execServe(c *cli.Context) error {
 	visitorEmailLimitBurst := c.Int("visitor-email-limit-burst")
 	visitorEmailLimitReplenish := c.Duration("visitor-email-limit-replenish")
 	behindProxy := c.Bool("behind-proxy")
+	stripeSecretKey := c.String("stripe-secret-key")
+	stripeWebhookKey := c.String("stripe-webhook-key")

 	// Check values
 	if firebaseKeyFile != "" && !util.FileExists(firebaseKeyFile) {
@@ -134,13 +179,34 @@ func execServe(c *cli.Context) error {
 		return errors.New("if attachment-cache-dir is set, base-url must also be set")
 	} else if baseURL != "" && !strings.HasPrefix(baseURL, "http://") && !strings.HasPrefix(baseURL, "https://") {
 		return errors.New("if set, base-url must start with http:// or https://")
-	} else if !util.InStringList([]string{"read-write", "read-only", "write-only", "deny-all"}, authDefaultAccess) {
-		return errors.New("if set, auth-default-access must start set to 'read-write', 'read-only', 'write-only' or 'deny-all'")
+	} else if baseURL != "" && strings.HasSuffix(baseURL, "/") {
+		return errors.New("if set, base-url must not end with a slash (/)")
+	} else if !util.Contains([]string{"app", "home", "disable"}, webRoot) {
+		return errors.New("if set, web-root must be 'home' or 'app'")
+	} else if upstreamBaseURL != "" && !strings.HasPrefix(upstreamBaseURL, "http://") && !strings.HasPrefix(upstreamBaseURL, "https://") {
+		return errors.New("if set, upstream-base-url must start with http:// or https://")
+	} else if upstreamBaseURL != "" && strings.HasSuffix(upstreamBaseURL, "/") {
+		return errors.New("if set, upstream-base-url must not end with a slash (/)")
+	} else if upstreamBaseURL != "" && baseURL == "" {
+		return errors.New("if upstream-base-url is set, base-url must also be set")
+	} else if upstreamBaseURL != "" && baseURL != "" && baseURL == upstreamBaseURL {
+		return errors.New("base-url and upstream-base-url cannot be identical, you'll likely want to set upstream-base-url to https://ntfy.sh, see https://ntfy.sh/docs/config/#ios-instant-notifications")
+	} else if authFile == "" && (enableSignup || enableLogin || enableReservations || stripeSecretKey != "") {
+		return errors.New("cannot set enable-signup, enable-login, enable-reserve-topics, or stripe-secret-key if auth-file is not set")
+	} else if enableSignup && !enableLogin {
+		return errors.New("cannot set enable-signup without also setting enable-login")
+	} else if stripeSecretKey != "" && (stripeWebhookKey == "" || baseURL == "") {
+		return errors.New("if stripe-secret-key is set, stripe-webhook-key and base-url must also be set")
 	}

+	webRootIsApp := webRoot == "app"
+	enableWeb := webRoot != "disable"
+
 	// Default auth permissions
-	authDefaultRead := authDefaultAccess == "read-write" || authDefaultAccess == "read-only"
-	authDefaultWrite := authDefaultAccess == "read-write" || authDefaultAccess == "write-only"
+	authDefault, err := user.ParsePermission(authDefaultAccess)
+	if err != nil {
+		return errors.New("if set, auth-default-access must start set to 'read-write', 'read-only', 'write-only' or 'deny-all'")
+	}

 	// Special case: Unset default
 	if listenHTTP == "-" {
@@ -168,16 +234,19 @@ func execServe(c *cli.Context) error {
 	}

 	// Resolve hosts
-	visitorRequestLimitExemptIPs := make([]string, 0)
+	visitorRequestLimitExemptIPs := make([]netip.Prefix, 0)
 	for _, host := range visitorRequestLimitExemptHosts {
-		ips, err := net.LookupIP(host)
+		ips, err := parseIPHostPrefix(host)
 		if err != nil {
-			log.Printf("cannot resolve host %s: %s, ignoring visitor request exemption", host, err.Error())
+			log.Warn("cannot resolve host %s: %s, ignoring visitor request exemption", host, err.Error())
 			continue
 		}
-		for _, ip := range ips {
-			visitorRequestLimitExemptIPs = append(visitorRequestLimitExemptIPs, ip.String())
-		}
+		visitorRequestLimitExemptIPs = append(visitorRequestLimitExemptIPs, ips...)
+	}
+
+	// Stripe things
+	if stripeSecretKey != "" {
+		stripe.Key = stripeSecretKey
 	}

 	// Run server
@@ -186,20 +255,26 @@ func execServe(c *cli.Context) error {
 	conf.ListenHTTP = listenHTTP
 	conf.ListenHTTPS = listenHTTPS
 	conf.ListenUnix = listenUnix
+	conf.ListenUnixMode = fs.FileMode(listenUnixMode)
 	conf.KeyFile = keyFile
 	conf.CertFile = certFile
 	conf.FirebaseKeyFile = firebaseKeyFile
 	conf.CacheFile = cacheFile
 	conf.CacheDuration = cacheDuration
+	conf.CacheStartupQueries = cacheStartupQueries
+	conf.CacheBatchSize = cacheBatchSize
+	conf.CacheBatchTimeout = cacheBatchTimeout
 	conf.AuthFile = authFile
-	conf.AuthDefaultRead = authDefaultRead
-	conf.AuthDefaultWrite = authDefaultWrite
+	conf.AuthStartupQueries = authStartupQueries
+	conf.AuthDefault = authDefault
 	conf.AttachmentCacheDir = attachmentCacheDir
 	conf.AttachmentTotalSizeLimit = attachmentTotalSizeLimit
 	conf.AttachmentFileSizeLimit = attachmentFileSizeLimit
 	conf.AttachmentExpiryDuration = attachmentExpiryDuration
 	conf.KeepaliveInterval = keepaliveInterval
 	conf.ManagerInterval = managerInterval
+	conf.WebRootIsApp = webRootIsApp
+	conf.UpstreamBaseURL = upstreamBaseURL
 	conf.SMTPSenderAddr = smtpSenderAddr
 	conf.SMTPSenderUser = smtpSenderUser
 	conf.SMTPSenderPass = smtpSenderPass
@@ -217,14 +292,25 @@ func execServe(c *cli.Context) error {
 	conf.VisitorEmailLimitBurst = visitorEmailLimitBurst
 	conf.VisitorEmailLimitReplenish = visitorEmailLimitReplenish
 	conf.BehindProxy = behindProxy
+	conf.StripeSecretKey = stripeSecretKey
+	conf.StripeWebhookKey = stripeWebhookKey
+	conf.EnableWeb = enableWeb
+	conf.EnableSignup = enableSignup
+	conf.EnableLogin = enableLogin
+	conf.EnableReservations = enableReservations
+	conf.Version = c.App.Version
+
+	// Set up hot-reloading of config
+	go sigHandlerConfigReload(config)
+
+	// Run server
 	s, err := server.New(conf)
 	if err != nil {
-		log.Fatalln(err)
+		log.Fatal(err)
+	} else if err := s.Run(); err != nil {
+		log.Fatal(err)
 	}
-	if err := s.Run(); err != nil {
-		log.Fatalln(err)
-	}
-	log.Printf("Exiting.")
+	log.Info("Exiting.")
 	return nil
 }

@@ -238,3 +324,53 @@ func parseSize(s string, defaultValue int64) (v int64, err error) {
 	}
 	return v, nil
 }
+
+func sigHandlerConfigReload(config string) {
+	sigs := make(chan os.Signal, 1)
+	signal.Notify(sigs, syscall.SIGHUP)
+	for range sigs {
+		log.Info("Partially hot reloading configuration ...")
+		inputSource, err := newYamlSourceFromFile(config, flagsServe)
+		if err != nil {
+			log.Warn("Hot reload failed: %s", err.Error())
+			continue
+		}
+		reloadLogLevel(inputSource)
+	}
+}
+
+func parseIPHostPrefix(host string) (prefixes []netip.Prefix, err error) {
+	// Try parsing as prefix, e.g. 10.0.1.0/24
+	prefix, err := netip.ParsePrefix(host)
+	if err == nil {
+		prefixes = append(prefixes, prefix.Masked())
+		return prefixes, nil
+	}
+	// Not a prefix, parse as host or IP (LookupHost passes through an IP as is)
+	ips, err := net.LookupHost(host)
+	if err != nil {
+		return nil, err
+	}
+	for _, ipStr := range ips {
+		ip, err := netip.ParseAddr(ipStr)
+		if err == nil {
+			prefix, err := ip.Prefix(ip.BitLen())
+			if err != nil {
+				return nil, fmt.Errorf("%s successfully parsed but unable to make prefix: %s", ip.String(), err.Error())
+			}
+			prefixes = append(prefixes, prefix.Masked())
+		}
+	}
+	return
+}
+
+func reloadLogLevel(inputSource altsrc.InputSourceContext) {
+	newLevelStr, err := inputSource.String("log-level")
+	if err != nil {
+		log.Warn("Cannot load log level: %s", err.Error())
+		return
+	}
+	newLevel := log.ToLevel(newLevelStr)
+	log.SetLevel(newLevel)
+	log.Info("Log level is %s", newLevel.String())
+}
--- a/cmd/serve_test.go
+++ b/cmd/serve_test.go
@@ -2,17 +2,19 @@ package cmd

 import (
 	"fmt"
-	"github.com/gorilla/websocket"
-	"github.com/stretchr/testify/require"
-	"heckel.io/ntfy/client"
-	"heckel.io/ntfy/test"
-	"heckel.io/ntfy/util"
 	"math/rand"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
+
+	"github.com/gorilla/websocket"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"heckel.io/ntfy/client"
+	"heckel.io/ntfy/test"
+	"heckel.io/ntfy/util"
 )

 func init() {
@@ -70,6 +72,22 @@ func TestCLI_Serve_WebSocket(t *testing.T) {
 	require.Equal(t, "mytopic", m.Topic)
 }

+func TestIP_Host_Parsing(t *testing.T) {
+	cases := map[string]string{
+		"1.1.1.1":          "1.1.1.1/32",
+		"fd00::1234":       "fd00::1234/128",
+		"192.168.0.3/24":   "192.168.0.0/24",
+		"10.1.2.3/8":       "10.0.0.0/8",
+		"201:be93::4a6/21": "201:b800::/21",
+	}
+	for q, expectedAnswer := range cases {
+		ips, err := parseIPHostPrefix(q)
+		require.Nil(t, err)
+		assert.Equal(t, 1, len(ips))
+		assert.Equal(t, expectedAnswer, ips[0].String())
+	}
+}
+
 func newEmptyFile(t *testing.T) string {
 	filename := filepath.Join(t.TempDir(), "empty")
 	require.Nil(t, os.WriteFile(filename, []byte{}, 0600))
--- a/cmd/subscribe.go
+++ b/cmd/subscribe.go
@@ -5,14 +5,36 @@ import (
 	"fmt"
 	"github.com/urfave/cli/v2"
 	"heckel.io/ntfy/client"
+	"heckel.io/ntfy/log"
 	"heckel.io/ntfy/util"
-	"log"
 	"os"
 	"os/exec"
 	"os/user"
+	"path/filepath"
+	"sort"
 	"strings"
 )

+func init() {
+	commands = append(commands, cmdSubscribe)
+}
+
+const (
+	clientRootConfigFileUnixAbsolute    = "/etc/ntfy/client.yml"
+	clientUserConfigFileUnixRelative    = "ntfy/client.yml"
+	clientUserConfigFileWindowsRelative = "ntfy\\client.yml"
+)
+
+var flagsSubscribe = append(
+	flagsDefault,
+	&cli.StringFlag{Name: "config", Aliases: []string{"c"}, Usage: "client config file"},
+	&cli.StringFlag{Name: "since", Aliases: []string{"s"}, Usage: "return events since `SINCE` (Unix timestamp, or all)"},
+	&cli.StringFlag{Name: "user", Aliases: []string{"u"}, EnvVars: []string{"NTFY_USER"}, Usage: "username[:password] used to auth against the server"},
+	&cli.BoolFlag{Name: "from-config", Aliases: []string{"from_config", "C"}, Usage: "read subscriptions from config file (service mode)"},
+	&cli.BoolFlag{Name: "poll", Aliases: []string{"p"}, Usage: "return events and exit, do not listen for new events"},
+	&cli.BoolFlag{Name: "scheduled", Aliases: []string{"sched", "S"}, Usage: "also return scheduled/delayed events"},
+)
+
 var cmdSubscribe = &cli.Command{
 	Name:      "subscribe",
 	Aliases:   []string{"sub"},
@@ -20,14 +42,8 @@ var cmdSubscribe = &cli.Command{
 	UsageText: "ntfy subscribe [OPTIONS..] [TOPIC]",
 	Action:    execSubscribe,
 	Category:  categoryClient,
-	Flags: []cli.Flag{
-		&cli.StringFlag{Name: "config", Aliases: []string{"c"}, Usage: "client config file"},
-		&cli.StringFlag{Name: "since", Aliases: []string{"s"}, Usage: "return events since `SINCE` (Unix timestamp, or all)"},
-		&cli.BoolFlag{Name: "from-config", Aliases: []string{"C"}, Usage: "read subscriptions from config file (service mode)"},
-		&cli.BoolFlag{Name: "poll", Aliases: []string{"p"}, Usage: "return events and exit, do not listen for new events"},
-		&cli.BoolFlag{Name: "scheduled", Aliases: []string{"sched", "S"}, Usage: "also return scheduled/delayed events"},
-		&cli.BoolFlag{Name: "verbose", Aliases: []string{"v"}, Usage: "print verbose output"},
-	},
+	Flags:     flagsSubscribe,
+	Before:    initLogFunc,
 	Description: `Subscribe to a topic from a ntfy server, and either print or execute a command for 
 every arriving message. There are 3 modes in which the command can be run:

@@ -40,6 +56,7 @@ ntfy subscribe TOPIC
    ntfy subscribe mytopic            # Prints JSON for incoming messages for ntfy.sh/mytopic
    ntfy sub home.lan/backups         # Subscribe to topic on different server
    ntfy sub --poll home.lan/backups  # Just query for latest messages and exit
+    ntfy sub -u phil:mypass secret    # Subscribe with username/password
  
 ntfy subscribe TOPIC COMMAND
  This executes COMMAND for every incoming messages. The message fields are passed to the
@@ -58,19 +75,17 @@ ntfy subscribe TOPIC COMMAND

  Examples:
    ntfy sub mytopic 'notify-send "$m"'    # Execute command for incoming messages
-    ntfy sub topic1 /my/script.sh          # Execute script for incoming messages
+    ntfy sub topic1 myscript.sh            # Execute script for incoming messages

 ntfy subscribe --from-config
-  Service mode (used in ntfy-client.service). This reads the config file (/etc/ntfy/client.yml 
-  or ~/.config/ntfy/client.yml) and sets up subscriptions for every topic in the "subscribe:" 
-  block (see config file).
+  Service mode (used in ntfy-client.service). This reads the config file and sets up 
+  subscriptions for every topic in the "subscribe:" block (see config file).

  Examples: 
    ntfy sub --from-config                           # Read topics from config file
-    ntfy sub --config=/my/client.yml --from-config   # Read topics from alternate config file
+    ntfy sub --config=myclient.yml --from-config     # Read topics from alternate config file

-The default config file for all client commands is /etc/ntfy/client.yml (if root user),
-or ~/.config/ntfy/client.yml for all other users.`,
+` + clientCommandDescriptionSuffix,
 }

 func execSubscribe(c *cli.Context) error {
@@ -81,6 +96,7 @@ func execSubscribe(c *cli.Context) error {
 	}
 	cl := client.New(conf)
 	since := c.String("since")
+	user := c.String("user")
 	poll := c.Bool("poll")
 	scheduled := c.Bool("scheduled")
 	fromConfig := c.Bool("from-config")
@@ -93,6 +109,23 @@ func execSubscribe(c *cli.Context) error {
 	if since != "" {
 		options = append(options, client.WithSince(since))
 	}
+	if user != "" {
+		var pass string
+		parts := strings.SplitN(user, ":", 2)
+		if len(parts) == 2 {
+			user = parts[0]
+			pass = parts[1]
+		} else {
+			fmt.Fprint(c.App.ErrWriter, "Enter Password: ")
+			p, err := util.ReadPassword(c.App.Reader)
+			if err != nil {
+				return err
+			}
+			pass = string(p)
+			fmt.Fprintf(c.App.ErrWriter, "\r%s\r", strings.Repeat(" ", 20))
+		}
+		options = append(options, client.WithBasicAuth(user, pass))
+	}
 	if poll {
 		options = append(options, client.WithPoll())
 	}
@@ -136,25 +169,47 @@ func doPollSingle(c *cli.Context, cl *client.Client, topic, command string, opti
 }

 func doSubscribe(c *cli.Context, cl *client.Client, conf *client.Config, topic, command string, options ...client.SubscribeOption) error {
-	commands := make(map[string]string) // Subscription ID -> command
-	for _, s := range conf.Subscribe {  // May be nil
+	cmds := make(map[string]string)    // Subscription ID -> command
+	for _, s := range conf.Subscribe { // May be nil
 		topicOptions := append(make([]client.SubscribeOption, 0), options...)
 		for filter, value := range s.If {
 			topicOptions = append(topicOptions, client.WithFilter(filter, value))
 		}
+		var user string
+		var password *string
+		if s.User != "" {
+			user = s.User
+		} else if conf.DefaultUser != "" {
+			user = conf.DefaultUser
+		}
+		if s.Password != nil {
+			password = s.Password
+		} else if conf.DefaultPassword != nil {
+			password = conf.DefaultPassword
+		}
+		if user != "" && password != nil {
+			topicOptions = append(topicOptions, client.WithBasicAuth(user, *password))
+		}
 		subscriptionID := cl.Subscribe(s.Topic, topicOptions...)
-		commands[subscriptionID] = s.Command
+		if s.Command != "" {
+			cmds[subscriptionID] = s.Command
+		} else if conf.DefaultCommand != "" {
+			cmds[subscriptionID] = conf.DefaultCommand
+		} else {
+			cmds[subscriptionID] = ""
+		}
 	}
 	if topic != "" {
 		subscriptionID := cl.Subscribe(topic, options...)
-		commands[subscriptionID] = command
+		cmds[subscriptionID] = command
 	}
 	for m := range cl.Messages {
-		command, ok := commands[m.SubscriptionID]
+		cmd, ok := cmds[m.SubscriptionID]
 		if !ok {
 			continue
 		}
-		printMessageOrRunCommand(c, m, command)
+		log.Debug("%s Dispatching received message: %s", logMessagePrefix(m), m.Raw)
+		printMessageOrRunCommand(c, m, cmd)
 	}
 	return nil
 }
@@ -163,27 +218,27 @@ func printMessageOrRunCommand(c *cli.Context, m *client.Message, command string)
 	if command != "" {
 		runCommand(c, command, m)
 	} else {
+		log.Debug("%s Printing raw message", logMessagePrefix(m))
 		fmt.Fprintln(c.App.Writer, m.Raw)
 	}
 }

 func runCommand(c *cli.Context, command string, m *client.Message) {
 	if err := runCommandInternal(c, command, m); err != nil {
-		fmt.Fprintf(c.App.ErrWriter, "Command failed: %s\n", err.Error())
+		log.Warn("%s Command failed: %s", logMessagePrefix(m), err.Error())
 	}
 }

-func runCommandInternal(c *cli.Context, command string, m *client.Message) error {
-	scriptFile, err := createTmpScript(command)
-	if err != nil {
+func runCommandInternal(c *cli.Context, script string, m *client.Message) error {
+	scriptFile := fmt.Sprintf("%s/ntfy-subscribe-%s.%s", os.TempDir(), util.RandomString(10), scriptExt)
+	log.Debug("%s Running command '%s' via temporary script %s", logMessagePrefix(m), script, scriptFile)
+	script = scriptHeader + script
+	if err := os.WriteFile(scriptFile, []byte(script), 0700); err != nil {
 		return err
 	}
 	defer os.Remove(scriptFile)
-	verbose := c.Bool("verbose")
-	if verbose {
-		log.Printf("[%s] Executing: %s (for message: %s)", util.ShortTopicURL(m.TopicURL), command, m.Raw)
-	}
-	cmd := exec.Command("sh", "-c", scriptFile)
+	log.Debug("%s Executing script %s", logMessagePrefix(m), scriptFile)
+	cmd := exec.Command(scriptLauncher[0], append(scriptLauncher[1:], scriptFile)...)
 	cmd.Stdin = c.App.Reader
 	cmd.Stdout = c.App.Writer
 	cmd.Stderr = c.App.ErrWriter
@@ -191,17 +246,8 @@ func runCommandInternal(c *cli.Context, command string, m *client.Message) error
 	return cmd.Run()
 }

-func createTmpScript(command string) (string, error) {
-	scriptFile := fmt.Sprintf("%s/ntfy-subscribe-%s.sh.tmp", os.TempDir(), util.RandomString(10))
-	script := fmt.Sprintf("#!/bin/sh\n%s", command)
-	if err := os.WriteFile(scriptFile, []byte(script), 0700); err != nil {
-		return "", err
-	}
-	return scriptFile, nil
-}
-
 func envVars(m *client.Message) []string {
-	env := os.Environ()
+	env := make([]string, 0)
 	env = append(env, envVar(m.ID, "NTFY_ID", "id")...)
 	env = append(env, envVar(m.Topic, "NTFY_TOPIC", "topic")...)
 	env = append(env, envVar(fmt.Sprintf("%d", m.Time), "NTFY_TIME", "time")...)
@@ -210,7 +256,11 @@ func envVars(m *client.Message) []string {
 	env = append(env, envVar(fmt.Sprintf("%d", m.Priority), "NTFY_PRIORITY", "priority", "prio", "p")...)
 	env = append(env, envVar(strings.Join(m.Tags, ","), "NTFY_TAGS", "tags", "tag", "ta")...)
 	env = append(env, envVar(m.Raw, "NTFY_RAW", "raw")...)
-	return env
+	sort.Strings(env)
+	if log.IsTrace() {
+		log.Trace("%s With environment:\n%s", logMessagePrefix(m), strings.Join(env, "\n"))
+	}
+	return append(os.Environ(), env...)
 }

 func envVar(value string, vars ...string) []string {
@@ -226,13 +276,30 @@ func loadConfig(c *cli.Context) (*client.Config, error) {
 	if filename != "" {
 		return client.LoadConfig(filename)
 	}
-	u, _ := user.Current()
-	configFile := defaultClientRootConfigFile
-	if u.Uid != "0" {
-		configFile = util.ExpandHome(defaultClientUserConfigFile)
-	}
+	configFile := defaultClientConfigFile()
 	if s, _ := os.Stat(configFile); s != nil {
 		return client.LoadConfig(configFile)
 	}
 	return client.NewConfig(), nil
 }
+
+//lint:ignore U1000 Conditionally used in different builds
+func defaultClientConfigFileUnix() string {
+	u, _ := user.Current()
+	configFile := clientRootConfigFileUnixAbsolute
+	if u.Uid != "0" {
+		homeDir, _ := os.UserConfigDir()
+		return filepath.Join(homeDir, clientUserConfigFileUnixRelative)
+	}
+	return configFile
+}
+
+//lint:ignore U1000 Conditionally used in different builds
+func defaultClientConfigFileWindows() string {
+	homeDir, _ := os.UserConfigDir()
+	return filepath.Join(homeDir, clientUserConfigFileWindowsRelative)
+}
+
+func logMessagePrefix(m *client.Message) string {
+	return fmt.Sprintf("%s/%s", util.ShortTopicURL(m.TopicURL), m.ID)
+}
--- a/cmd/subscribe_darwin.go
+++ b/cmd/subscribe_darwin.go
@@ -0,0 +1,16 @@
+package cmd
+
+const (
+	scriptExt                      = "sh"
+	scriptHeader                   = "#!/bin/sh\n"
+	clientCommandDescriptionSuffix = `The default config file for all client commands is /etc/ntfy/client.yml (if root user),
+or "~/Library/Application Support/ntfy/client.yml" for all other users.`
+)
+
+var (
+	scriptLauncher = []string{"sh", "-c"}
+)
+
+func defaultClientConfigFile() string {
+	return defaultClientConfigFileUnix()
+}
--- a/cmd/subscribe_unix.go
+++ b/cmd/subscribe_unix.go
@@ -0,0 +1,18 @@
+//go:build linux || dragonfly || freebsd || netbsd || openbsd
+
+package cmd
+
+const (
+	scriptExt                      = "sh"
+	scriptHeader                   = "#!/bin/sh\n"
+	clientCommandDescriptionSuffix = `The default config file for all client commands is /etc/ntfy/client.yml (if root user),
+or ~/.config/ntfy/client.yml for all other users.`
+)
+
+var (
+	scriptLauncher = []string{"sh", "-c"}
+)
+
+func defaultClientConfigFile() string {
+	return defaultClientConfigFileUnix()
+}
--- a/cmd/subscribe_windows.go
+++ b/cmd/subscribe_windows.go
@@ -0,0 +1,15 @@
+package cmd
+
+const (
+	scriptExt                      = "bat"
+	scriptHeader                   = ""
+	clientCommandDescriptionSuffix = `The default config file for all client commands is %AppData%\ntfy\client.yml.`
+)
+
+var (
+	scriptLauncher = []string{"cmd.exe", "/Q", "/C"}
+)
+
+func defaultClientConfigFile() string {
+	return defaultClientConfigFileWindows()
+}
--- a/cmd/user.go
+++ b/cmd/user.go
@@ -1,34 +1,52 @@
+//go:build !noserver
+
 package cmd

 import (
 	"crypto/subtle"
 	"errors"
 	"fmt"
+	"heckel.io/ntfy/user"
+	"os"
+	"strings"
+
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
-	"heckel.io/ntfy/auth"
 	"heckel.io/ntfy/util"
-	"strings"
 )

-var flagsUser = userCommandFlags()
+const (
+	tierReset    = "-"
+	createdByCLI = "cli"
+)
+
+func init() {
+	commands = append(commands, cmdUser)
+}
+
+var flagsUser = append(
+	flagsDefault,
+	&cli.StringFlag{Name: "config", Aliases: []string{"c"}, EnvVars: []string{"NTFY_CONFIG_FILE"}, Value: defaultServerConfigFile, DefaultText: defaultServerConfigFile, Usage: "config file"},
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"auth_file", "H"}, EnvVars: []string{"NTFY_AUTH_FILE"}, Usage: "auth database file used for access control"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-access", Aliases: []string{"auth_default_access", "p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_ACCESS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}),
+)
+
 var cmdUser = &cli.Command{
 	Name:      "user",
 	Usage:     "Manage/show users",
 	UsageText: "ntfy user [list|add|remove|change-pass|change-role] ...",
 	Flags:     flagsUser,
-	Before:    initConfigFileInputSource("config", flagsUser),
+	Before:    initConfigFileInputSourceFunc("config", flagsUser, initLogFunc),
 	Category:  categoryServer,
 	Subcommands: []*cli.Command{
 		{
 			Name:      "add",
 			Aliases:   []string{"a"},
 			Usage:     "Adds a new user",
-			UsageText: "ntfy user add [--role=admin|user] USERNAME",
-			Before:    inheritRootReaderFunc,
+			UsageText: "ntfy user add [--role=admin|user] USERNAME\nNTFY_PASSWORD=... ntfy user add [--role=admin|user] USERNAME",
 			Action:    execUserAdd,
 			Flags: []cli.Flag{
-				&cli.StringFlag{Name: "role", Aliases: []string{"r"}, Value: string(auth.RoleUser), Usage: "user role"},
+				&cli.StringFlag{Name: "role", Aliases: []string{"r"}, Value: string(user.RoleUser), Usage: "user role"},
 			},
 			Description: `Add a new user to the ntfy user database.

@@ -37,8 +55,12 @@ granted otherwise by the auth-default-access setting). An admin user has read an
 topics.

 Examples:
-  ntfy user add phil                 # Add regular user phil  
-  ntfy user add --role=admin phil    # Add admin user phil
+  ntfy user add phil                     # Add regular user phil  
+  ntfy user add --role=admin phil        # Add admin user phil
+  NTFY_PASSWORD=... ntfy user add phil   # Add user, using env variable to set password (for scripts)
+
+You may set the NTFY_PASSWORD environment variable to pass the password. This is useful if 
+you are creating users via scripts.
 `,
 		},
 		{
@@ -46,7 +68,6 @@ Examples:
 			Aliases:   []string{"del", "rm"},
 			Usage:     "Removes a user",
 			UsageText: "ntfy user remove USERNAME",
-			Before:    inheritRootReaderFunc,
 			Action:    execUserDel,
 			Description: `Remove a user from the ntfy user database.

@@ -58,8 +79,7 @@ Example:
 			Name:      "change-pass",
 			Aliases:   []string{"chp"},
 			Usage:     "Changes a user's password",
-			UsageText: "ntfy user change-pass USERNAME",
-			Before:    inheritRootReaderFunc,
+			UsageText: "ntfy user change-pass USERNAME\nNTFY_PASSWORD=... ntfy user change-pass USERNAME",
 			Action:    execUserChangePass,
 			Description: `Change the password for the given user.

@@ -67,7 +87,12 @@ The new password will be read from STDIN, and it'll be confirmed by typing
 it twice. 

 Example:
-    ntfy user change-pass phil
+  ntfy user change-pass phil
+  NTFY_PASSWORD=.. ntfy user change-pass phil
+
+You may set the NTFY_PASSWORD environment variable to pass the new password. This is 
+useful if you are updating users via scripts.
+
 `,
 		},
 		{
@@ -75,7 +100,6 @@ Example:
 			Aliases:   []string{"chr"},
 			Usage:     "Changes the role of a user",
 			UsageText: "ntfy user change-role USERNAME ROLE",
-			Before:    inheritRootReaderFunc,
 			Action:    execUserChangeRole,
 			Description: `Change the role for the given user to admin or user.

@@ -91,13 +115,28 @@ user are removed, since they are no longer necessary.
 Example:
  ntfy user change-role phil admin   # Make user phil an admin 
  ntfy user change-role phil user    # Remove admin role from user phil 
+`,
+		},
+		{
+			Name:      "change-tier",
+			Aliases:   []string{"cht"},
+			Usage:     "Changes the tier of a user",
+			UsageText: "ntfy user change-tier USERNAME (TIER|-)",
+			Action:    execUserChangeTier,
+			Description: `Change the tier for the given user.
+
+This command can be used to change the tier of a user. Tiers define usage limits, such
+as messages per day, attachment file sizes, etc.
+
+Example:
+  ntfy user change-tier phil pro   # Change tier to "pro" for user "phil"  
+  ntfy user change-tier phil -     # Remove tier from user "phil" entirely 
 `,
 		},
 		{
 			Name:    "list",
 			Aliases: []string{"l"},
 			Usage:   "Shows a list of users",
-			Before:  inheritRootReaderFunc,
 			Action:  execUserList,
 			Description: `Shows a list of all configured users, including the everyone ('*') user.

@@ -118,37 +157,47 @@ The command allows you to add/remove/change users in the ntfy user database, as
 passwords or roles.

 Examples:
-  ntfy user list                     # Shows list of users (alias: 'ntfy access')                      
-  ntfy user add phil                 # Add regular user phil  
-  ntfy user add --role=admin phil    # Add admin user phil
-  ntfy user del phil                 # Delete user phil
-  ntfy user change-pass phil         # Change password for user phil
-  ntfy user change-role phil admin   # Make user phil an admin 
+  ntfy user list                               # Shows list of users (alias: 'ntfy access')                      
+  ntfy user add phil                           # Add regular user phil  
+  NTFY_PASSWORD=... ntfy user add phil         # As above, using env variable to set password (for scripts)
+  ntfy user add --role=admin phil              # Add admin user phil
+  ntfy user del phil                           # Delete user phil
+  ntfy user change-pass phil                   # Change password for user phil
+  NTFY_PASSWORD=.. ntfy user change-pass phil  # As above, using env variable to set password (for scripts)
+  ntfy user change-role phil admin             # Make user phil an admin 
+
+For the 'ntfy user add' and 'ntfy user change-pass' commands, you may set the NTFY_PASSWORD environment
+variable to pass the new password. This is useful if you are creating/updating users via scripts.
 `,
 }

 func execUserAdd(c *cli.Context) error {
 	username := c.Args().Get(0)
-	role := auth.Role(c.String("role"))
+	role := user.Role(c.String("role"))
+	password := os.Getenv("NTFY_PASSWORD")
 	if username == "" {
 		return errors.New("username expected, type 'ntfy user add --help' for help")
 	} else if username == userEveryone {
 		return errors.New("username not allowed")
-	} else if !auth.AllowedRole(role) {
+	} else if !user.AllowedRole(role) {
 		return errors.New("role must be either 'user' or 'admin'")
 	}
-	manager, err := createAuthManager(c)
+	manager, err := createUserManager(c)
 	if err != nil {
 		return err
 	}
 	if user, _ := manager.User(username); user != nil {
 		return fmt.Errorf("user %s already exists", username)
 	}
-	password, err := readPasswordAndConfirm(c)
-	if err != nil {
-		return err
+	if password == "" {
+		p, err := readPasswordAndConfirm(c)
+		if err != nil {
+			return err
+		}
+
+		password = p
 	}
-	if err := manager.AddUser(username, password, role); err != nil {
+	if err := manager.AddUser(username, password, role, createdByCLI); err != nil {
 		return err
 	}
 	fmt.Fprintf(c.App.ErrWriter, "user %s added with role %s\n", username, role)
@@ -162,11 +211,11 @@ func execUserDel(c *cli.Context) error {
 	} else if username == userEveryone {
 		return errors.New("username not allowed")
 	}
-	manager, err := createAuthManager(c)
+	manager, err := createUserManager(c)
 	if err != nil {
 		return err
 	}
-	if _, err := manager.User(username); err == auth.ErrNotFound {
+	if _, err := manager.User(username); err == user.ErrUserNotFound {
 		return fmt.Errorf("user %s does not exist", username)
 	}
 	if err := manager.RemoveUser(username); err != nil {
@@ -178,21 +227,24 @@ func execUserDel(c *cli.Context) error {

 func execUserChangePass(c *cli.Context) error {
 	username := c.Args().Get(0)
+	password := os.Getenv("NTFY_PASSWORD")
 	if username == "" {
 		return errors.New("username expected, type 'ntfy user change-pass --help' for help")
 	} else if username == userEveryone {
 		return errors.New("username not allowed")
 	}
-	manager, err := createAuthManager(c)
+	manager, err := createUserManager(c)
 	if err != nil {
 		return err
 	}
-	if _, err := manager.User(username); err == auth.ErrNotFound {
+	if _, err := manager.User(username); err == user.ErrUserNotFound {
 		return fmt.Errorf("user %s does not exist", username)
 	}
-	password, err := readPasswordAndConfirm(c)
-	if err != nil {
-		return err
+	if password == "" {
+		password, err = readPasswordAndConfirm(c)
+		if err != nil {
+			return err
+		}
 	}
 	if err := manager.ChangePassword(username, password); err != nil {
 		return err
@@ -203,17 +255,17 @@ func execUserChangePass(c *cli.Context) error {

 func execUserChangeRole(c *cli.Context) error {
 	username := c.Args().Get(0)
-	role := auth.Role(c.Args().Get(1))
-	if username == "" || !auth.AllowedRole(role) {
+	role := user.Role(c.Args().Get(1))
+	if username == "" || !user.AllowedRole(role) {
 		return errors.New("username and new role expected, type 'ntfy user change-role --help' for help")
 	} else if username == userEveryone {
 		return errors.New("username not allowed")
 	}
-	manager, err := createAuthManager(c)
+	manager, err := createUserManager(c)
 	if err != nil {
 		return err
 	}
-	if _, err := manager.User(username); err == auth.ErrNotFound {
+	if _, err := manager.User(username); err == user.ErrUserNotFound {
 		return fmt.Errorf("user %s does not exist", username)
 	}
 	if err := manager.ChangeRole(username, role); err != nil {
@@ -223,8 +275,39 @@ func execUserChangeRole(c *cli.Context) error {
 	return nil
 }

+func execUserChangeTier(c *cli.Context) error {
+	username := c.Args().Get(0)
+	tier := c.Args().Get(1)
+	if username == "" {
+		return errors.New("username and new tier expected, type 'ntfy user change-tier --help' for help")
+	} else if !user.AllowedTier(tier) && tier != tierReset {
+		return errors.New("invalid tier, must be tier code, or - to reset")
+	} else if username == userEveryone {
+		return errors.New("username not allowed")
+	}
+	manager, err := createUserManager(c)
+	if err != nil {
+		return err
+	}
+	if _, err := manager.User(username); err == user.ErrUserNotFound {
+		return fmt.Errorf("user %s does not exist", username)
+	}
+	if tier == tierReset {
+		if err := manager.ResetTier(username); err != nil {
+			return err
+		}
+		fmt.Fprintf(c.App.ErrWriter, "removed tier from user %s\n", username)
+	} else {
+		if err := manager.ChangeTier(username, tier); err != nil {
+			return err
+		}
+		fmt.Fprintf(c.App.ErrWriter, "changed tier for user %s to %s\n", username, tier)
+	}
+	return nil
+}
+
 func execUserList(c *cli.Context) error {
-	manager, err := createAuthManager(c)
+	manager, err := createUserManager(c)
 	if err != nil {
 		return err
 	}
@@ -235,19 +318,20 @@ func execUserList(c *cli.Context) error {
 	return showUsers(c, manager, users)
 }

-func createAuthManager(c *cli.Context) (auth.Manager, error) {
+func createUserManager(c *cli.Context) (*user.Manager, error) {
 	authFile := c.String("auth-file")
+	authStartupQueries := c.String("auth-startup-queries")
 	authDefaultAccess := c.String("auth-default-access")
 	if authFile == "" {
 		return nil, errors.New("option auth-file not set; auth is unconfigured for this server")
 	} else if !util.FileExists(authFile) {
 		return nil, errors.New("auth-file does not exist; please start the server at least once to create it")
-	} else if !util.InStringList([]string{"read-write", "read-only", "write-only", "deny-all"}, authDefaultAccess) {
-		return nil, errors.New("if set, auth-default-access must start set to 'read-write', 'read-only' or 'deny-all'")
 	}
-	authDefaultRead := authDefaultAccess == "read-write" || authDefaultAccess == "read-only"
-	authDefaultWrite := authDefaultAccess == "read-write" || authDefaultAccess == "write-only"
-	return auth.NewSQLiteAuth(authFile, authDefaultRead, authDefaultWrite)
+	authDefault, err := user.ParsePermission(authDefaultAccess)
+	if err != nil {
+		return nil, errors.New("if set, auth-default-access must start set to 'read-write', 'read-only', 'write-only' or 'deny-all'")
+	}
+	return user.NewManager(authFile, authStartupQueries, authDefault)
 }

 func readPasswordAndConfirm(c *cli.Context) (string, error) {
@@ -267,22 +351,3 @@ func readPasswordAndConfirm(c *cli.Context) (string, error) {
 	}
 	return string(password), nil
 }
-
-func userCommandFlags() []cli.Flag {
-	return []cli.Flag{
-		&cli.StringFlag{Name: "config", Aliases: []string{"c"}, EnvVars: []string{"NTFY_CONFIG_FILE"}, Value: "/etc/ntfy/server.yml", DefaultText: "/etc/ntfy/server.yml", Usage: "config file"},
-		altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"H"}, EnvVars: []string{"NTFY_AUTH_FILE"}, Usage: "auth database file used for access control"}),
-		altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-access", Aliases: []string{"p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_ACCESS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}),
-	}
-}
-
-// inheritRootReaderFunc is a workaround for a urfave/cli bug that makes subcommands not inherit the App.Reader.
-// This bug was fixed in master, but not in v2.3.0.
-func inheritRootReaderFunc(ctx *cli.Context) error {
-	for _, c := range ctx.Lineage() {
-		if c.App != nil && c.App.Reader != nil {
-			ctx.App.Reader = c.App.Reader
-		}
-	}
-	return nil
-}
--- a/cmd/user_test.go
+++ b/cmd/user_test.go
@@ -5,6 +5,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"heckel.io/ntfy/server"
 	"heckel.io/ntfy/test"
+	"heckel.io/ntfy/user"
 	"path/filepath"
 	"testing"
 )
@@ -114,8 +115,7 @@ func TestCLI_User_Delete(t *testing.T) {
 func newTestServerWithAuth(t *testing.T) (s *server.Server, conf *server.Config, port int) {
 	conf = server.NewConfig()
 	conf.AuthFile = filepath.Join(t.TempDir(), "user.db")
-	conf.AuthDefaultRead = false
-	conf.AuthDefaultWrite = false
+	conf.AuthDefault = user.PermissionDenyAll
 	s, port = test.StartServerWithConfig(t, conf)
 	return
 }
@@ -125,21 +125,7 @@ func runUserCommand(app *cli.App, conf *server.Config, args ...string) error {
 		"ntfy",
 		"user",
 		"--auth-file=" + conf.AuthFile,
-		"--auth-default-access=" + confToDefaultAccess(conf),
+		"--auth-default-access=" + conf.AuthDefault.String(),
 	}
 	return app.Run(append(userArgs, args...))
 }
-
-func confToDefaultAccess(conf *server.Config) string {
-	var defaultAccess string
-	if conf.AuthDefaultRead && conf.AuthDefaultWrite {
-		defaultAccess = "read-write"
-	} else if conf.AuthDefaultRead && !conf.AuthDefaultWrite {
-		defaultAccess = "read-only"
-	} else if !conf.AuthDefaultRead && conf.AuthDefaultWrite {
-		defaultAccess = "write-only"
-	} else if !conf.AuthDefaultRead && !conf.AuthDefaultWrite {
-		defaultAccess = "deny-all"
-	}
-	return defaultAccess
-}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,17 @@
+version: "2.1"
+services:
+  ntfy:
+    image: binwiederhier/ntfy
+    container_name: ntfy
+    command:
+      - serve
+    environment:
+      - TZ=UTC    # optional: Change to your desired timezone
+    user: UID:GID # optional: Set custom user/group or uid/gid
+    volumes:
+      - /var/cache/ntfy:/var/cache/ntfy
+      - /etc/ntfy:/etc/ntfy
+    ports:
+      - 80:80
+    restart: unless-stopped
+
--- a/docs/config.md
+++ b/docs/config.md
@@ -227,7 +227,7 @@ The easiest way to configure a private instance is to set `auth-default-access`

 === "/etc/ntfy/server.yml"
    ``` yaml
-    auth-file "/var/lib/ntfy/user.db"
+    auth-file: "/var/lib/ntfy/user.db"
    auth-default-access: "deny-all"
    ```

@@ -309,6 +309,25 @@ with the given username/password. Be sure to use HTTPS to avoid eavesdropping an
    ]));
    ```

+### Example: UnifiedPush
+[UnifiedPush](https://unifiedpush.org) requires that the [application server](https://unifiedpush.org/spec/definitions/#application-server) (e.g. Synapse, Fediverse Server, …) 
+has anonymous write access to the [topic](https://unifiedpush.org/spec/definitions/#endpoint) used for push messages. 
+The topic names used by UnifiedPush all start with the `up*` prefix. Please refer to the 
+**[UnifiedPush documentation](https://unifiedpush.org/users/distributors/ntfy/#limit-access-to-some-users)** for more details.
+
+To enable support for UnifiedPush for private servers (i.e. `auth-default-access: "deny-all"`), you should either 
+allow anonymous write access for the entire prefix or explicitly per topic:
+
+=== "Prefix"
+    ```
+    $ ntfy access '*' 'up*' write-only
+    ```
+
+=== "Explicitly"
+    ```
+    $ ntfy access '*' upYzMtZGZiYTY5 write-only
+    ```
+
 ## E-mail notifications
 To allow forwarding messages via e-mail, you can configure an **SMTP server for outgoing messages**. Once configured, 
 you can set the `X-Email` header to [send messages via e-mail](publish.md#e-mail-notifications) (e.g. 
@@ -346,7 +365,7 @@ statuspage.io (though these days most services also support webhooks and HTTP ca
 To configure the SMTP server, you must at least set `smtp-server-listen` and `smtp-server-domain`:

 * `smtp-server-listen` defines the IP address and port the SMTP server will listen on, e.g. `:25` or `1.2.3.4:25`
-* `smtp-server-domain` is the e-mail domain, e.g. `ntfy.sh`
+* `smtp-server-domain` is the e-mail domain, e.g. `ntfy.sh` (must be identical to MX record, see below)
 * `smtp-server-addr-prefix` is an optional prefix for the e-mail addresses to prevent spam. If set to `ntfy-`, for instance,
  only e-mails to `ntfy-$topic@ntfy.sh` will be accepted. If this is not set, all emails to `$topic@ntfy.sh` will be
  accepted (which may obviously be a spam problem).
@@ -369,6 +388,42 @@ configured (in [Amazon Route 53](https://aws.amazon.com/route53/)):
  <figcaption>DNS records for incoming mail</figcaption>
 </figure>

+You can check if everything is working correctly by sending an email as raw SMTP via `nc`. Create a text file, e.g. 
+`email.txt`
+
+```
+EHLO example.com
+MAIL FROM: phil@example.com
+RCPT TO: ntfy-mytopic@ntfy.sh
+DATA
+Subject: Email for you
+Content-Type: text/plain; charset="UTF-8"
+
+Hello from 🇩🇪
+.
+```
+
+And then send the mail via `nc` like this. If you see any lines starting with `451`, those are errors from the 
+ntfy server. Read them carefully.
+
+```
+$ cat email.txt | nc -N ntfy.sh 25
+220 ntfy.sh ESMTP Service Ready
+250-Hello example.com
+...
+250 2.0.0 Roger, accepting mail from <phil@example.com>
+250 2.0.0 I'll make sure <ntfy-mytopic@ntfy.sh> gets this
+```
+
+As for the DNS setup, be sure to verify that `dig MX` and `dig A` are returning results similar to this:
+
+```
+$ dig MX ntfy.sh +short 
+10 mx1.ntfy.sh.
+$ dig A mx1.ntfy.sh +short 
+3.139.215.220
+```
+
 ## Behind a proxy (TLS, etc.)
 !!! warning
    If you are running ntfy behind a proxy, you must set the `behind-proxy` flag. Otherwise, all visitors are
@@ -399,12 +454,22 @@ HTTP challenge. I've found [this guide](https://nandovieira.com/using-lets-encry
 be incredibly helpful.

 ### nginx/Apache2/caddy
-For your convenience, here's a working config that'll help configure things behind a proxy. In this 
-example, ntfy runs on `:2586` and we proxy traffic to it. We also redirect HTTP to HTTPS for GET requests against a topic
+For your convenience, here's a working config that'll help configure things behind a proxy. Be sure to **enable WebSockets**
+by forwarding the `Connection` and `Upgrade` headers accordingly. 
+
+In this example, ntfy runs on `:2586` and we proxy traffic to it. We also redirect HTTP to HTTPS for GET requests against a topic
 or the root domain:

-=== "nginx (/etc/nginx/sites-*/ntfy)"
+=== "nginx (convenient)"
    ```
+    # /etc/nginx/sites-*/ntfy
+    #
+    # This config allows insecure HTTP POST/PUT requests against topics to allow a short curl syntax (without -L
+    # and "https://" prefix). It also disables output buffering, which has worked well for the ntfy.sh server.
+    #
+    # This is pretty much how ntfy.sh is configured. To see the exact configuration,
+    # see https://github.com/binwiederhier/ntfy-ansible/
+
    server {
      listen 80;
      server_name ntfy.sh;
@@ -444,14 +509,17 @@ or the root domain:
    }
    
    server {
-      listen 443 ssl;
+      listen 443 ssl http2;
      server_name ntfy.sh;
    
-      ssl_session_cache builtin:1000 shared:SSL:10m;
-      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-      ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
-      ssl_prefer_server_ciphers on;
-    
+      # See https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6see https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6
+      ssl_session_timeout 1d;
+      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+      ssl_session_tickets off;
+      ssl_protocols TLSv1.2 TLSv1.3;
+      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+      ssl_prefer_server_ciphers off;
+ 
      ssl_certificate /etc/letsencrypt/live/ntfy.sh/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/ntfy.sh/privkey.pem;
    
@@ -477,23 +545,96 @@ or the root domain:
    }
    ```

-=== "Apache2 (/etc/apache2/sites-*/ntfy.conf)"
+=== "nginx (more secure)"
    ```
+    # /etc/nginx/sites-*/ntfy
+    #
+    # This config requires the use of the -L flag in curl to redirect to HTTPS, and it keeps nginx output buffering
+    # enabled. While recommended, I have had issues with that in the past.
+    
+    server {
+      listen 80;
+      server_name ntfy.sh;
+
+      location / {
+        return 302 https://$http_host$request_uri$is_args$query_string;
+
+        proxy_pass http://127.0.0.1:2586;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_connect_timeout 3m;
+        proxy_send_timeout 3m;
+        proxy_read_timeout 3m;
+
+        client_max_body_size 20m; # Must be >= attachment-file-size-limit in /etc/ntfy/server.yml
+      }
+    }
+    
+    server {
+      listen 443 ssl http2;
+      server_name ntfy.sh;
+    
+      # See https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6see https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6
+      ssl_session_timeout 1d;
+      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+      ssl_session_tickets off;
+      ssl_protocols TLSv1.2 TLSv1.3;
+      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+      ssl_prefer_server_ciphers off;
+    
+      ssl_certificate /etc/letsencrypt/live/ntfy.sh/fullchain.pem;
+      ssl_certificate_key /etc/letsencrypt/live/ntfy.sh/privkey.pem;
+    
+      location / {
+        proxy_pass http://127.0.0.1:2586;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_connect_timeout 3m;
+        proxy_send_timeout 3m;
+        proxy_read_timeout 3m;
+
+        client_max_body_size 20m; # Must be >= attachment-file-size-limit in /etc/ntfy/server.yml
+      }
+    }
+    ```
+
+=== "Apache2"
+    ```
+    # /etc/apache2/sites-*/ntfy.conf
+
    <VirtualHost *:80>
        ServerName ntfy.sh
-        
-        SetEnv proxy-nokeepalive 1
-        SetEnv proxy-sendchunked 1
-        
+
+        # Proxy connections to ntfy (requires "a2enmod proxy")
        ProxyPass / http://127.0.0.1:2586/
        ProxyPassReverse / http://127.0.0.1:2586/
-        
+
+        SetEnv proxy-nokeepalive 1
+        SetEnv proxy-sendchunked 1
+
        # Higher than the max message size of 4096 bytes
        LimitRequestBody 102400
+
+        # Enable mod_rewrite (requires "a2enmod rewrite")
+        RewriteEngine on
+
+        # WebSockets support (requires "a2enmod rewrite proxy_wstunnel")
+        RewriteCond %{HTTP:Upgrade} websocket [NC]
+        RewriteCond %{HTTP:Connection} upgrade [NC]
+        RewriteRule ^/?(.*) "ws://127.0.0.1:2586/$1" [P,L]
        
        # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want 
        # it to work with curl without the annoying https:// prefix 
-        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} GET
        RewriteRule ^/([-_A-Za-z0-9]{0,64})$ https://%{SERVER_NAME}/$1 [R,L]
    </VirtualHost>
@@ -505,21 +646,24 @@ or the root domain:
        SSLCertificateFile /etc/letsencrypt/live/ntfy.sh/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ntfy.sh/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
-        
-        SetEnv proxy-nokeepalive 1
-        SetEnv proxy-sendchunked 1
-        
+
+        # Proxy connections to ntfy (requires "a2enmod proxy")
        ProxyPass / http://127.0.0.1:2586/
        ProxyPassReverse / http://127.0.0.1:2586/
-        
+
+        SetEnv proxy-nokeepalive 1
+        SetEnv proxy-sendchunked 1
+
        # Higher than the max message size of 4096 bytes 
        LimitRequestBody 102400
-        
-        # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want 
-        # it to work with curl without the annoying https:// prefix 
+
+        # Enable mod_rewrite (requires "a2enmod rewrite")
        RewriteEngine on
-        RewriteCond %{REQUEST_METHOD} GET
-        RewriteRule ^/([-_A-Za-z0-9]{0,64})$ https://%{SERVER_NAME}/$1 [R,L]
+
+        # WebSockets support (requires "a2enmod rewrite proxy_wstunnel")
+        RewriteCond %{HTTP:Upgrade} websocket [NC]
+        RewriteCond %{HTTP:Connection} upgrade [NC]
+        RewriteRule ^/?(.*) "ws://127.0.0.1:2586/$1" [P,L] 
    </VirtualHost>
    ```

@@ -530,6 +674,15 @@ or the root domain:

    ntfy.sh, http://nfty.sh {
        reverse_proxy 127.0.0.1:2586
+
+        # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
+        # it to work with curl without the annoying https:// prefix
+        @httpget {
+            protocol http
+            method GET
+            path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
+        }
+        redir @httpget https://{host}{uri}
    }
    ```

@@ -560,6 +713,47 @@ Example:
 firebase-key-file: "/etc/ntfy/ntfy-sh-firebase-adminsdk-ahnce-9f4d6f14b5.json"
 ```

+## iOS instant notifications
+Unlike Android, iOS heavily restricts background processing, which sadly makes it impossible to implement instant 
+push notifications without a central server. 
+
+To still support instant notifications on iOS through your self-hosted ntfy server, you have to forward so called `poll_request` 
+messages to the main ntfy.sh server (or any upstream server that's APNS/Firebase connected, if you build your own iOS app),
+which will then forward it to Firebase/APNS.
+
+To configure it, simply set `upstream-base-url` like so:
+
+``` yaml
+upstream-base-url: "https://ntfy.sh"
+```
+
+If set, all incoming messages will publish a poll request to the configured upstream server, containing
+the message ID of the original message, instructing the iOS app to poll this server for the actual message contents.
+
+If `upstream-base-url` is not set, notifications will still eventually get to your device, but delivery can take hours,
+depending on the state of the phone. If you are using your phone, it shouldn't take more than 20-30 minutes though.
+
+In case you're curious, here's an example of the entire flow: 
+
+- In the iOS app, you subscribe to `https://ntfy.example.com/mytopic`
+- The app subscribes to the Firebase topic `6de73be8dfb7d69e...` (the SHA256 of the topic URL)
+- When you publish a message to `https://ntfy.example.com/mytopic`, your ntfy server will publish a 
+  poll request to `https://ntfy.sh/6de73be8dfb7d69e...`. The request from your server to the upstream server 
+  contains only the message ID (in the `X-Poll-ID` header), and the SHA256 checksum of the topic URL (as upstream topic).
+- The ntfy.sh server publishes the poll request message to Firebase, which forwards it to APNS, which forwards it to your iOS device
+- Your iOS device receives the poll request, and fetches the actual message from your server, and then displays it
+
+Here's an example of what the self-hosted server forwards to the upstream server. The request is equivalent to this curl:
+
+```
+curl -X POST -H "X-Poll-ID: s4PdJozxM8na" https://ntfy.sh/6de73be8dfb7d69e32fb2c00c23fe7adbd8b5504406e3068c273aa24cef4055b
+{"id":"4HsClFEuCIcs","time":1654087955,"event":"poll_request","topic":"6de73be8dfb7d69e32fb2c00c23fe7adbd8b5504406e3068c273aa24cef4055b","message":"New message","poll_id":"s4PdJozxM8na"}
+```
+
+Note that the self-hosted server literally sends the message `New message` for every message, even if your message 
+may be `Some other message`. This is so that if iOS cannot talk to the self-hosted server (in time, or at all), 
+it'll show `New message` as a popup.
+
 ## Rate limiting
 !!! info
    Be aware that if you are running ntfy behind a proxy, you must set the `behind-proxy` flag. 
@@ -613,6 +807,23 @@ are enabled):
 * `visitor-email-limit-burst` is the initial bucket of emails each visitor has. This defaults to 16.
 * `visitor-email-limit-replenish` is the rate at which the bucket is refilled (one email per x). Defaults to 1h.

+### Firebase limits
+If [Firebase is configured](#firebase-fcm), all messages are also published to a Firebase topic (unless `Firebase: no` 
+is set). Firebase enforces [its own limits](https://firebase.google.com/docs/cloud-messaging/concept-options#topics_throttling)
+on how many messages can be published. Unfortunately these limits are a little vague and can change depending on the time 
+of day. In practice, I have only ever observed `429 Quota exceeded` responses from Firebase if **too many messages are published to 
+the same topic**. 
+
+In ntfy, if Firebase responds with a 429 after publishing to a topic, the visitor (= IP address) who published the message
+is **banned from publishing to Firebase for 10 minutes** (not configurable). Because publishing to Firebase happens asynchronously,
+there is no indication of the user that this has happened. Non-Firebase subscribers (WebSocket or HTTP stream) are not affected.
+After the 10 minutes are up, messages forwarding to Firebase is resumed for this visitor.
+
+If this ever happens, there will be a log message that looks something like this:
+```
+WARN Firebase quota exceeded (likely for topic), temporarily denying Firebase access to visitor
+```
+
 ## Tuning for scale
 If you're running ntfy for your home server, you probably don't need to worry about scale at all. In its default config,
 if it's not behind a proxy, the ntfy server can keep about **as many connections as the open file limit allows**.
@@ -621,6 +832,29 @@ out [this discussion on Reddit](https://www.reddit.com/r/golang/comments/r9u4ee/

 Depending on *how you run it*, here are a few limits that are relevant:

+### Message cache
+By default, the [message cache](#message-cache) (defined by `cache-file`) uses the SQLite default settings, which means it
+syncs to disk on every write. For personal servers, this is perfectly adequate. For larger installations, such as ntfy.sh,
+the [write-ahead log (WAL)](https://sqlite.org/wal.html) should be enabled, and the sync mode should be adjusted. 
+See [this article](https://phiresky.github.io/blog/2020/sqlite-performance-tuning/) for details.
+
+In addition to that, for very high load servers (such as ntfy.sh), it may be beneficial to write messages to the cache
+in batches, and asynchronously. This can be enabled with the `cache-batch-size` and `cache-batch-timeout`. If you start
+seeing `database locked` messages in the logs, you should probably enable that.
+
+Here's how ntfy.sh has been tuned in the `server.yml` file:
+
+``` yaml
+cache-batch-size: 25
+cache-batch-timeout: "1s"
+cache-startup-queries: |
+    pragma journal_mode = WAL;
+    pragma synchronous = normal;
+    pragma temp_store = memory;
+    pragma busy_timeout = 15000;
+    vacuum;
+```
+
 ### For systemd services
 If you're running ntfy in a systemd service (e.g. for .deb/.rpm packages), the main limiting factor is the
 `LimitNOFILE` setting in the systemd unit. The default open files limit for `ntfy.service` is 10,000. You can override it
@@ -678,8 +912,24 @@ and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-a

 === "/etc/nginx/nginx.conf"
    ```
+    # Rate limit all IP addresses
    http {
-	  limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+	  limit_req_zone $binary_remote_addr zone=one:10m rate=45r/m;
+    }
+
+    # Alternatively, whitelist certain IP addresses
+    http {
+      geo $limited {
+        default 1;
+        116.203.112.46/32 0;
+        132.226.42.65/32 0;
+        ...
+      }
+      map $limited $limitkey {
+        1 $binary_remote_addr;
+        0 "";
+      }
+      limit_req_zone $limitkey zone=one:10m rate=45r/m;
    }
    ```

@@ -708,51 +958,87 @@ and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-a
    action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
    logpath = /var/log/nginx/error.log
    findtime = 600
-    bantime = 7200
+    bantime = 14400
    maxretry = 10
    ```

+## Debugging/tracing
+If something's not working right, you can debug/trace through what the ntfy server is doing by setting the `log-level`
+to `DEBUG` or `TRACE`. The `DEBUG` setting will output information about each published message, but not the message 
+contents. The `TRACE` setting will also print the message contents. 
+
+!!! warning
+    Both options are very verbose and should only be enabled in production for short periods of time. Otherwise, 
+    you're going to run out of disk space pretty quickly.
+
+You can also hot-reload the `log-level` by sending the `SIGHUP` signal to the process after editing the `server.yml` file.
+You can do so by calling `systemctl reload ntfy` (if ntfy is running inside systemd), or by calling `kill -HUP $(pidof ntfy)`. 
+If successful, you'll see something like this:
+
+```
+$ ntfy serve
+2022/06/02 10:29:28 INFO Listening on :2586[http] :1025[smtp], log level is INFO
+2022/06/02 10:29:34 INFO Partially hot reloading configuration ...
+2022/06/02 10:29:34 INFO Log level is TRACE
+```
+
 ## Config options
 Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a
 CLI option (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment
 variable before running the `ntfy` command (e.g. `export NTFY_LISTEN_HTTP=:80`).

-| Config option                              | Env variable                                    | Format                                              | Default | Description                                                                                                                                                                                                                     |
-|--------------------------------------------|-------------------------------------------------|-----------------------------------------------------|---------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `base-url`                                 | `NTFY_BASE_URL`                                 | *URL*                                               | -       | Public facing base URL of the service (e.g. `https://ntfy.sh`)                                                                                                                                                                  |
-| `listen-http`                              | `NTFY_LISTEN_HTTP`                              | `[host]:port`                                       | `:80`   | Listen address for the HTTP web server                                                                                                                                                                                          |
-| `listen-https`                             | `NTFY_LISTEN_HTTPS`                             | `[host]:port`                                       | -       | Listen address for the HTTPS web server. If set, you also need to set `key-file` and `cert-file`.                                                                                                                               |
-| `listen-unix`                              | `NTFY_LISTEN_UNIX`                              | *filename*                                          | -       | Path to a Unix socket to listen on                                                                                                                                                                                              |
-| `key-file`                                 | `NTFY_KEY_FILE`                                 | *filename*                                          | -       | HTTPS/TLS private key file, only used if `listen-https` is set.                                                                                                                                                                 |
-| `cert-file`                                | `NTFY_CERT_FILE`                                | *filename*                                          | -       | HTTPS/TLS certificate file, only used if `listen-https` is set.                                                                                                                                                                 |
-| `firebase-key-file`                        | `NTFY_FIREBASE_KEY_FILE`                        | *filename*                                          | -       | If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app. This is optional and only required to save battery when using the Android app. See [Firebase (FCM](#firebase-fcm).                        |
-| `cache-file`                               | `NTFY_CACHE_FILE`                               | *filename*                                          | -       | If set, messages are cached in a local SQLite database instead of only in-memory. This allows for service restarts without losing messages in support of the since= parameter. See [message cache](#message-cache).             |
-| `cache-duration`                           | `NTFY_CACHE_DURATION`                           | *duration*                                          | 12h     | Duration for which messages will be buffered before they are deleted. This is required to support the `since=...` and `poll=1` parameter. Set this to `0` to disable the cache entirely.                                        |
-| `auth-file`                                | `NTFY_AUTH_FILE`                                | *filename*                                          | -       | Auth database file used for access control. If set, enables authentication and access control. See [access control](#access-control).                                                                                           |
-| `auth-default-access`                      | `NTFY_AUTH_DEFAULT_ACCESS`                      | `read-write`, `read-only`, `write-only`, `deny-all` | -       | Default permissions if no matching entries in the auth database are found. Default is `read-write`.                                                                                                                             |
-| `behind-proxy`                             | `NTFY_BEHIND_PROXY`                             | *bool*                                              | false   | If set, the X-Forwarded-For header is used to determine the visitor IP address instead of the remote address of the connection.                                                                                                 |
-| `attachment-cache-dir`                     | `NTFY_ATTACHMENT_CACHE_DIR`                     | *directory*                                         | -       | Cache directory for attached files. To enable attachments, this has to be set.                                                                                                                                                  |
-| `attachment-total-size-limit`              | `NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT`              | *size*                                              | 5G      | Limit of the on-disk attachment cache directory. If the limits is exceeded, new attachments will be rejected.                                                                                                                   |
-| `attachment-file-size-limit`               | `NTFY_ATTACHMENT_FILE_SIZE_LIMIT`               | *size*                                              | 15M     | Per-file attachment size limit (e.g. 300k, 2M, 100M). Larger attachment will be rejected.                                                                                                                                       |
-| `attachment-expiry-duration`               | `NTFY_ATTACHMENT_EXPIRY_DURATION`               | *duration*                                          | 3h      | Duration after which uploaded attachments will be deleted (e.g. 3h, 20h). Strongly affects `visitor-attachment-total-size-limit`.                                                                                               |
-| `smtp-sender-addr`                         | `NTFY_SMTP_SENDER_ADDR`                         | `host:port`                                         | -       | SMTP server address to allow email sending                                                                                                                                                                                      |
-| `smtp-sender-user`                         | `NTFY_SMTP_SENDER_USER`                         | *string*                                            | -       | SMTP user; only used if e-mail sending is enabled                                                                                                                                                                               |
-| `smtp-sender-pass`                         | `NTFY_SMTP_SENDER_PASS`                         | *string*                                            | -       | SMTP password; only used if e-mail sending is enabled                                                                                                                                                                           |
-| `smtp-sender-from`                         | `NTFY_SMTP_SENDER_FROM`                         | *e-mail address*                                    | -       | SMTP sender e-mail address; only used if e-mail sending is enabled                                                                                                                                                              |
-| `smtp-server-listen`                       | `NTFY_SMTP_SERVER_LISTEN`                       | `[ip]:port`                                         | -       | Defines the IP address and port the SMTP server will listen on, e.g. `:25` or `1.2.3.4:25`                                                                                                                                      |
-| `smtp-server-domain`                       | `NTFY_SMTP_SERVER_DOMAIN`                       | *domain name*                                       | -       | SMTP server e-mail domain, e.g. `ntfy.sh`                                                                                                                                                                                       |
-| `smtp-server-addr-prefix`                  | `NTFY_SMTP_SERVER_ADDR_PREFIX`                  | `[ip]:port`                                         | -       | Optional prefix for the e-mail addresses to prevent spam, e.g. `ntfy-`                                                                                                                                                          |
-| `keepalive-interval`                       | `NTFY_KEEPALIVE_INTERVAL`                       | *duration*                                          | 45s     | Interval in which keepalive messages are sent to the client. This is to prevent intermediaries closing the connection for inactivity. Note that the Android app has a hardcoded timeout at 77s, so it should be less than that. |
-| `manager-interval`                         | `$NTFY_MANAGER_INTERVAL`                        | *duration*                                          | 1m      | Interval in which the manager prunes old messages, deletes topics and prints the stats.                                                                                                                                         |
-| `global-topic-limit`                       | `NTFY_GLOBAL_TOPIC_LIMIT`                       | *number*                                            | 15,000  | Rate limiting: Total number of topics before the server rejects new topics.                                                                                                                                                     |
-| `visitor-subscription-limit`               | `NTFY_VISITOR_SUBSCRIPTION_LIMIT`               | *number*                                            | 30      | Rate limiting: Number of subscriptions per visitor (IP address)                                                                                                                                                                 |
-| `visitor-attachment-total-size-limit`      | `NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT`      | *size*                                              | 100M    | Rate limiting: Total storage limit used for attachments per visitor, for all attachments combined. Storage is freed after attachments expire. See `attachment-expiry-duration`.                                                 |
-| `visitor-attachment-daily-bandwidth-limit` | `NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT` | *size*                                              | 500M    | Rate limiting: Total daily attachment download/upload traffic limit per visitor. This is to protect your bandwidth costs from exploding.                                                                                        |
-| `visitor-request-limit-burst`              | `NTFY_VISITOR_REQUEST_LIMIT_BURST`              | *number*                                            | 60      | Rate limiting: Allowed GET/PUT/POST requests per second, per visitor. This setting is the initial bucket of requests each visitor has                                                                                           |
-| `visitor-request-limit-replenish`          | `NTFY_VISITOR_REQUEST_LIMIT_REPLENISH`          | *duration*                                          | 5s      | Rate limiting: Strongly related to `visitor-request-limit-burst`: The rate at which the bucket is refilled                                                                                                                      |
-| `visitor-request-limit-exempt-hosts`       | `NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS`       | *comma-separated host/IP list*                      | -       | Rate limiting: List of hostnames and IPs to be exempt from request rate limiting                                                                                                                                                |
-| `visitor-email-limit-burst`                | `NTFY_VISITOR_EMAIL_LIMIT_BURST`                | *number*                                            | 16      | Rate limiting:Initial limit of e-mails per visitor                                                                                                                                                                              |
-| `visitor-email-limit-replenish`            | `NTFY_VISITOR_EMAIL_LIMIT_REPLENISH`            | *duration*                                          | 1h      | Rate limiting: Strongly related to `visitor-email-limit-burst`: The rate at which the bucket is refilled                                                                                                                        |
+!!! info
+    All config options can also be defined in the `server.yml` file using underscores instead of dashes, e.g. 
+    `cache_duration` and `cache-duration` are both supported. This is to support stricter YAML parsers that do 
+    not support dashes.
+
+| Config option                              | Env variable                                    | Format                                              | Default           | Description                                                                                                                                                                                                                     |
+|--------------------------------------------|-------------------------------------------------|-----------------------------------------------------|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `base-url`                                 | `NTFY_BASE_URL`                                 | *URL*                                               | -                 | Public facing base URL of the service (e.g. `https://ntfy.sh`)                                                                                                                                                                  |
+| `listen-http`                              | `NTFY_LISTEN_HTTP`                              | `[host]:port`                                       | `:80`             | Listen address for the HTTP web server                                                                                                                                                                                          |
+| `listen-https`                             | `NTFY_LISTEN_HTTPS`                             | `[host]:port`                                       | -                 | Listen address for the HTTPS web server. If set, you also need to set `key-file` and `cert-file`.                                                                                                                               |
+| `listen-unix`                              | `NTFY_LISTEN_UNIX`                              | *filename*                                          | -                 | Path to a Unix socket to listen on                                                                                                                                                                                              |
+| `listen-unix-mode`                         | `NTFY_LISTEN_UNIX_MODE`                         | *file mode*                                         | *system default*  | File mode of the Unix socket, e.g. 0700 or 0777                                                                                                                                                                                 |
+| `key-file`                                 | `NTFY_KEY_FILE`                                 | *filename*                                          | -                 | HTTPS/TLS private key file, only used if `listen-https` is set.                                                                                                                                                                 |
+| `cert-file`                                | `NTFY_CERT_FILE`                                | *filename*                                          | -                 | HTTPS/TLS certificate file, only used if `listen-https` is set.                                                                                                                                                                 |
+| `firebase-key-file`                        | `NTFY_FIREBASE_KEY_FILE`                        | *filename*                                          | -                 | If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app. This is optional and only required to save battery when using the Android app. See [Firebase (FCM](#firebase-fcm).                        |
+| `cache-file`                               | `NTFY_CACHE_FILE`                               | *filename*                                          | -                 | If set, messages are cached in a local SQLite database instead of only in-memory. This allows for service restarts without losing messages in support of the since= parameter. See [message cache](#message-cache).             |
+| `cache-duration`                           | `NTFY_CACHE_DURATION`                           | *duration*                                          | 12h               | Duration for which messages will be buffered before they are deleted. This is required to support the `since=...` and `poll=1` parameter. Set this to `0` to disable the cache entirely.                                        |
+| `cache-startup-queries`                    | `NTFY_CACHE_STARTUP_QUERIES`                    | *string (SQL queries)*                              | -                 | SQL queries to run during database startup; this is useful for tuning and [enabling WAL mode](#wal-for-message-cache)                                                                                                           |
+| `cache-batch-size`                         | `NTFY_CACHE_BATCH_SIZE`                         | *int*                                               | 0                 | Max size of messages to batch together when writing to message cache (if zero, writes are synchronous)                                                                                                                          |
+| `cache-batch-timeout`                      | `NTFY_CACHE_BATCH_TIMEOUT`                      | *duration*                                          | 0s                | Timeout for batched async writes to the message cache (if zero, writes are synchronous)                                                                                                                                         |
+| `auth-file`                                | `NTFY_AUTH_FILE`                                | *filename*                                          | -                 | Auth database file used for access control. If set, enables authentication and access control. See [access control](#access-control).                                                                                           |
+| `auth-default-access`                      | `NTFY_AUTH_DEFAULT_ACCESS`                      | `read-write`, `read-only`, `write-only`, `deny-all` | `read-write`      | Default permissions if no matching entries in the auth database are found. Default is `read-write`.                                                                                                                             |
+| `behind-proxy`                             | `NTFY_BEHIND_PROXY`                             | *bool*                                              | false             | If set, the X-Forwarded-For header is used to determine the visitor IP address instead of the remote address of the connection.                                                                                                 |
+| `attachment-cache-dir`                     | `NTFY_ATTACHMENT_CACHE_DIR`                     | *directory*                                         | -                 | Cache directory for attached files. To enable attachments, this has to be set.                                                                                                                                                  |
+| `attachment-total-size-limit`              | `NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT`              | *size*                                              | 5G                | Limit of the on-disk attachment cache directory. If the limits is exceeded, new attachments will be rejected.                                                                                                                   |
+| `attachment-file-size-limit`               | `NTFY_ATTACHMENT_FILE_SIZE_LIMIT`               | *size*                                              | 15M               | Per-file attachment size limit (e.g. 300k, 2M, 100M). Larger attachment will be rejected.                                                                                                                                       |
+| `attachment-expiry-duration`               | `NTFY_ATTACHMENT_EXPIRY_DURATION`               | *duration*                                          | 3h                | Duration after which uploaded attachments will be deleted (e.g. 3h, 20h). Strongly affects `visitor-attachment-total-size-limit`.                                                                                               |
+| `smtp-sender-addr`                         | `NTFY_SMTP_SENDER_ADDR`                         | `host:port`                                         | -                 | SMTP server address to allow email sending                                                                                                                                                                                      |
+| `smtp-sender-user`                         | `NTFY_SMTP_SENDER_USER`                         | *string*                                            | -                 | SMTP user; only used if e-mail sending is enabled                                                                                                                                                                               |
+| `smtp-sender-pass`                         | `NTFY_SMTP_SENDER_PASS`                         | *string*                                            | -                 | SMTP password; only used if e-mail sending is enabled                                                                                                                                                                           |
+| `smtp-sender-from`                         | `NTFY_SMTP_SENDER_FROM`                         | *e-mail address*                                    | -                 | SMTP sender e-mail address; only used if e-mail sending is enabled                                                                                                                                                              |
+| `smtp-server-listen`                       | `NTFY_SMTP_SERVER_LISTEN`                       | `[ip]:port`                                         | -                 | Defines the IP address and port the SMTP server will listen on, e.g. `:25` or `1.2.3.4:25`                                                                                                                                      |
+| `smtp-server-domain`                       | `NTFY_SMTP_SERVER_DOMAIN`                       | *domain name*                                       | -                 | SMTP server e-mail domain, e.g. `ntfy.sh`                                                                                                                                                                                       |
+| `smtp-server-addr-prefix`                  | `NTFY_SMTP_SERVER_ADDR_PREFIX`                  | *string*                                            | -                 | Optional prefix for the e-mail addresses to prevent spam, e.g. `ntfy-`                                                                                                                                                          |
+| `keepalive-interval`                       | `NTFY_KEEPALIVE_INTERVAL`                       | *duration*                                          | 45s               | Interval in which keepalive messages are sent to the client. This is to prevent intermediaries closing the connection for inactivity. Note that the Android app has a hardcoded timeout at 77s, so it should be less than that. |
+| `manager-interval`                         | `NTFY_MANAGER_INTERVAL`                         | *duration*                                          | 1m                | Interval in which the manager prunes old messages, deletes topics and prints the stats.                                                                                                                                         |
+| `global-topic-limit`                       | `NTFY_GLOBAL_TOPIC_LIMIT`                       | *number*                                            | 15,000            | Rate limiting: Total number of topics before the server rejects new topics.                                                                                                                                                     |
+| `upstream-base-url`                        | `NTFY_UPSTREAM_BASE_URL`                        | *URL*                                               | `https://ntfy.sh` | Forward poll request to an upstream server, this is needed for iOS push notifications for self-hosted servers                                                                                                                   |
+| `visitor-attachment-total-size-limit`      | `NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT`      | *size*                                              | 100M              | Rate limiting: Total storage limit used for attachments per visitor, for all attachments combined. Storage is freed after attachments expire. See `attachment-expiry-duration`.                                                 |
+| `visitor-attachment-daily-bandwidth-limit` | `NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT` | *size*                                              | 500M              | Rate limiting: Total daily attachment download/upload traffic limit per visitor. This is to protect your bandwidth costs from exploding.                                                                                        |
+| `visitor-email-limit-burst`                | `NTFY_VISITOR_EMAIL_LIMIT_BURST`                | *number*                                            | 16                | Rate limiting:Initial limit of e-mails per visitor                                                                                                                                                                              |
+| `visitor-email-limit-replenish`            | `NTFY_VISITOR_EMAIL_LIMIT_REPLENISH`            | *duration*                                          | 1h                | Rate limiting: Strongly related to `visitor-email-limit-burst`: The rate at which the bucket is refilled                                                                                                                        |
+| `visitor-request-limit-burst`              | `NTFY_VISITOR_REQUEST_LIMIT_BURST`              | *number*                                            | 60                | Rate limiting: Allowed GET/PUT/POST requests per second, per visitor. This setting is the initial bucket of requests each visitor has                                                                                           |
+| `visitor-request-limit-replenish`          | `NTFY_VISITOR_REQUEST_LIMIT_REPLENISH`          | *duration*                                          | 5s                | Rate limiting: Strongly related to `visitor-request-limit-burst`: The rate at which the bucket is refilled                                                                                                                      |
+| `visitor-request-limit-exempt-hosts`       | `NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS`       | *comma-separated host/IP list*                      | -                 | Rate limiting: List of hostnames and IPs to be exempt from request rate limiting                                                                                                                                                |
+| `visitor-subscription-limit`               | `NTFY_VISITOR_SUBSCRIPTION_LIMIT`               | *number*                                            | 30                | Rate limiting: Number of subscriptions per visitor (IP address)                                                                                                                                                                 |
+| `web-root`                                 | `NTFY_WEB_ROOT`                                 | `app`, `home` or `disable`                          | `app`             | Sets web root to landing page (home), web app (app) or disables the web app entirely (disable)                                                                                                                                  |
+| `enable-signup`                            | `NTFY_SIGNUP`                                   | *boolean* (`true` or `false`)                       | `false`           | Allows users to sign up via the web app, or API                                                                                                                                                                                 |
+| `enable-login`                             | `NTFY_LOGIN`                                    | *boolean* (`true` or `false`)                       | `false`           | Allows users to log in via the web app, or API                                                                                                                                                                                  |
+| `enable-reservations`                      | `NTFY_RESERVATIONS`                             | *boolean* (`true` or `false`)                       | `false`           | Allows users to reserve topics (if their tier allows it)                                                                                                                                                                        |
+| `stripe-secret-key`                        | `NTFY_STRIPE_SECRET_KEY`                        | *string*                                            | -                 | Payments: Key used for the Stripe API communication, this enables payments                                                                                                                                                      |
+| `stripe-webhook-key`                       | `NTFY_STRIPE_WEBHOOK_KEY`                       | *string*                                            | -                 | Payments: Key required to validate the authenticity of incoming webhooks from Stripe                                                                                                                                            |

 The format for a *duration* is: `<number>(smh)`, e.g. 30s, 20m or 1h.   
 The format for a *size* is: `<number>(GMK)`, e.g. 1G, 200M or 4000k.
@@ -780,41 +1066,49 @@ DESCRIPTION:
     ntfy serve --listen-http :8080  # Starts server with alternate port

 OPTIONS:
-   --config value, -c value                          config file (default: /etc/ntfy/server.yml) [$NTFY_CONFIG_FILE]
-   --base-url value, -B value                        externally visible base URL for this host (e.g. https://ntfy.sh) [$NTFY_BASE_URL]
-   --listen-http value, -l value                     ip:port used to as HTTP listen address (default: ":80") [$NTFY_LISTEN_HTTP]
-   --listen-https value, -L value                    ip:port used to as HTTPS listen address [$NTFY_LISTEN_HTTPS]
-   --listen-unix value, -U value                     listen on unix socket path [$NTFY_LISTEN_UNIX]
-   --key-file value, -K value                        private key file, if listen-https is set [$NTFY_KEY_FILE]
-   --cert-file value, -E value                       certificate file, if listen-https is set [$NTFY_CERT_FILE]
-   --firebase-key-file value, -F value               Firebase credentials file; if set additionally publish to FCM topic [$NTFY_FIREBASE_KEY_FILE]
-   --cache-file value, -C value                      cache file used for message caching [$NTFY_CACHE_FILE]
-   --cache-duration since, -b since                  buffer messages for this time to allow since requests (default: 12h0m0s) [$NTFY_CACHE_DURATION]
-   --auth-file value, -H value                       auth database file used for access control [$NTFY_AUTH_FILE]
-   --auth-default-access value, -p value             default permissions if no matching entries in the auth database are found (default: "read-write") [$NTFY_AUTH_DEFAULT_ACCESS]
-   --attachment-cache-dir value                      cache directory for attached files [$NTFY_ATTACHMENT_CACHE_DIR]
-   --attachment-total-size-limit value, -A value     limit of the on-disk attachment cache (default: 5G) [$NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT]
-   --attachment-file-size-limit value, -Y value      per-file attachment size limit (e.g. 300k, 2M, 100M) (default: 15M) [$NTFY_ATTACHMENT_FILE_SIZE_LIMIT]
-   --attachment-expiry-duration value, -X value      duration after which uploaded attachments will be deleted (e.g. 3h, 20h) (default: 3h) [$NTFY_ATTACHMENT_EXPIRY_DURATION]
-   --keepalive-interval value, -k value              interval of keepalive messages (default: 45s) [$NTFY_KEEPALIVE_INTERVAL]
-   --manager-interval value, -m value                interval of for message pruning and stats printing (default: 1m0s) [$NTFY_MANAGER_INTERVAL]
-   --smtp-sender-addr value                          SMTP server address (host:port) for outgoing emails [$NTFY_SMTP_SENDER_ADDR]
-   --smtp-sender-user value                          SMTP user (if e-mail sending is enabled) [$NTFY_SMTP_SENDER_USER]
-   --smtp-sender-pass value                          SMTP password (if e-mail sending is enabled) [$NTFY_SMTP_SENDER_PASS]
-   --smtp-sender-from value                          SMTP sender address (if e-mail sending is enabled) [$NTFY_SMTP_SENDER_FROM]
-   --smtp-server-listen value                        SMTP server address (ip:port) for incoming emails, e.g. :25 [$NTFY_SMTP_SERVER_LISTEN]
-   --smtp-server-domain value                        SMTP domain for incoming e-mail, e.g. ntfy.sh [$NTFY_SMTP_SERVER_DOMAIN]
-   --smtp-server-addr-prefix value                   SMTP email address prefix for topics to prevent spam (e.g. 'ntfy-') [$NTFY_SMTP_SERVER_ADDR_PREFIX]
-   --global-topic-limit value, -T value              total number of topics allowed (default: 15000) [$NTFY_GLOBAL_TOPIC_LIMIT]
-   --visitor-subscription-limit value                number of subscriptions per visitor (default: 30) [$NTFY_VISITOR_SUBSCRIPTION_LIMIT]
-   --visitor-attachment-total-size-limit value       total storage limit used for attachments per visitor (default: "100M") [$NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT]
-   --visitor-attachment-daily-bandwidth-limit value  total daily attachment download/upload bandwidth limit per visitor (default: "500M") [$NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT]
-   --visitor-request-limit-burst value               initial limit of requests per visitor (default: 60) [$NTFY_VISITOR_REQUEST_LIMIT_BURST]
-   --visitor-request-limit-replenish value           interval at which burst limit is replenished (one per x) (default: 5s) [$NTFY_VISITOR_REQUEST_LIMIT_REPLENISH]
-   --visitor-request-limit-exempt-hosts value        hostnames and/or IP addresses of hosts that will be exempt from the visitor request limit [$NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS]
-   --visitor-email-limit-burst value                 initial limit of e-mails per visitor (default: 16) [$NTFY_VISITOR_EMAIL_LIMIT_BURST]
-   --visitor-email-limit-replenish value             interval at which burst limit is replenished (one per x) (default: 1h0m0s) [$NTFY_VISITOR_EMAIL_LIMIT_REPLENISH]
-   --behind-proxy, -P                                if set, use X-Forwarded-For header to determine visitor IP address (for rate limiting) (default: false) [$NTFY_BEHIND_PROXY]
-   --help, -h                                        show help (default: false)
+   --attachment-cache-dir value, --attachment_cache_dir value                                          cache directory for attached files [$NTFY_ATTACHMENT_CACHE_DIR]
+   --attachment-expiry-duration value, --attachment_expiry_duration value, -X value                    duration after which uploaded attachments will be deleted (e.g. 3h, 20h) (default: 3h) [$NTFY_ATTACHMENT_EXPIRY_DURATION]
+   --attachment-file-size-limit value, --attachment_file_size_limit value, -Y value                    per-file attachment size limit (e.g. 300k, 2M, 100M) (default: 15M) [$NTFY_ATTACHMENT_FILE_SIZE_LIMIT]
+   --attachment-total-size-limit value, --attachment_total_size_limit value, -A value                  limit of the on-disk attachment cache (default: 5G) [$NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT]
+   --auth-default-access value, --auth_default_access value, -p value                                  default permissions if no matching entries in the auth database are found (default: "read-write") [$NTFY_AUTH_DEFAULT_ACCESS]
+   --auth-file value, --auth_file value, -H value                                                      auth database file used for access control [$NTFY_AUTH_FILE]
+   --base-url value, --base_url value, -B value                                                        externally visible base URL for this host (e.g. https://ntfy.sh) [$NTFY_BASE_URL]
+   --behind-proxy, --behind_proxy, -P                                                                  if set, use X-Forwarded-For header to determine visitor IP address (for rate limiting) (default: false) [$NTFY_BEHIND_PROXY]
+   --cache-duration since, --cache_duration since, -b since                                            buffer messages for this time to allow since requests (default: 12h0m0s) [$NTFY_CACHE_DURATION]
+   --cache-file value, --cache_file value, -C value                                                    cache file used for message caching [$NTFY_CACHE_FILE]
+   --cache-batch-size value, --cache_batch_size value                                                  max size of messages to batch together when writing to message cache (if zero, writes are synchronous) (default: 0) [$NTFY_BATCH_SIZE]
+   --cache-batch-timeout value, --cache_batch_timeout value                                            timeout for batched async writes to the message cache (if zero, writes are synchronous) (default: 0s) [$NTFY_CACHE_BATCH_TIMEOUT]   
+   --cache-startup-queries value, --cache_startup_queries value                                        queries run when the cache database is initialized [$NTFY_CACHE_STARTUP_QUERIES]
+   --cert-file value, --cert_file value, -E value                                                      certificate file, if listen-https is set [$NTFY_CERT_FILE]
+   --config value, -c value                                                                            config file (default: /etc/ntfy/server.yml) [$NTFY_CONFIG_FILE]
+   --debug, -d                                                                                         enable debug logging (default: false) [$NTFY_DEBUG]
+   --firebase-key-file value, --firebase_key_file value, -F value                                      Firebase credentials file; if set additionally publish to FCM topic [$NTFY_FIREBASE_KEY_FILE]
+   --global-topic-limit value, --global_topic_limit value, -T value                                    total number of topics allowed (default: 15000) [$NTFY_GLOBAL_TOPIC_LIMIT]
+   --keepalive-interval value, --keepalive_interval value, -k value                                    interval of keepalive messages (default: 45s) [$NTFY_KEEPALIVE_INTERVAL]
+   --key-file value, --key_file value, -K value                                                        private key file, if listen-https is set [$NTFY_KEY_FILE]
+   --listen-http value, --listen_http value, -l value                                                  ip:port used to as HTTP listen address (default: ":80") [$NTFY_LISTEN_HTTP]
+   --listen-https value, --listen_https value, -L value                                                ip:port used to as HTTPS listen address [$NTFY_LISTEN_HTTPS]
+   --listen-unix value, --listen_unix value, -U value                                                  listen on unix socket path [$NTFY_LISTEN_UNIX]
+   --log-level value, --log_level value                                                                set log level (default: "INFO") [$NTFY_LOG_LEVEL]
+   --manager-interval value, --manager_interval value, -m value                                        interval of for message pruning and stats printing (default: 1m0s) [$NTFY_MANAGER_INTERVAL]
+   --no-log-dates, --no_log_dates                                                                      disable the date/time prefix (default: false) [$NTFY_NO_LOG_DATES]
+   --smtp-sender-addr value, --smtp_sender_addr value                                                  SMTP server address (host:port) for outgoing emails [$NTFY_SMTP_SENDER_ADDR]
+   --smtp-sender-from value, --smtp_sender_from value                                                  SMTP sender address (if e-mail sending is enabled) [$NTFY_SMTP_SENDER_FROM]
+   --smtp-sender-pass value, --smtp_sender_pass value                                                  SMTP password (if e-mail sending is enabled) [$NTFY_SMTP_SENDER_PASS]
+   --smtp-sender-user value, --smtp_sender_user value                                                  SMTP user (if e-mail sending is enabled) [$NTFY_SMTP_SENDER_USER]
+   --smtp-server-addr-prefix value, --smtp_server_addr_prefix value                                    SMTP email address prefix for topics to prevent spam (e.g. 'ntfy-') [$NTFY_SMTP_SERVER_ADDR_PREFIX]
+   --smtp-server-domain value, --smtp_server_domain value                                              SMTP domain for incoming e-mail, e.g. ntfy.sh [$NTFY_SMTP_SERVER_DOMAIN]
+   --smtp-server-listen value, --smtp_server_listen value                                              SMTP server address (ip:port) for incoming emails, e.g. :25 [$NTFY_SMTP_SERVER_LISTEN]
+   --trace                                                                                             enable tracing (very verbose, be careful) (default: false) [$NTFY_TRACE]
+   --upstream-base-url value, --upstream_base_url value                                                forward poll request to an upstream server, this is needed for iOS push notifications for self-hosted servers [$NTFY_UPSTREAM_BASE_URL]
+   --visitor-attachment-daily-bandwidth-limit value, --visitor_attachment_daily_bandwidth_limit value  total daily attachment download/upload bandwidth limit per visitor (default: "500M") [$NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT]
+   --visitor-attachment-total-size-limit value, --visitor_attachment_total_size_limit value            total storage limit used for attachments per visitor (default: "100M") [$NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT]
+   --visitor-email-limit-burst value, --visitor_email_limit_burst value                                initial limit of e-mails per visitor (default: 16) [$NTFY_VISITOR_EMAIL_LIMIT_BURST]
+   --visitor-email-limit-replenish value, --visitor_email_limit_replenish value                        interval at which burst limit is replenished (one per x) (default: 1h0m0s) [$NTFY_VISITOR_EMAIL_LIMIT_REPLENISH]
+   --visitor-request-limit-burst value, --visitor_request_limit_burst value                            initial limit of requests per visitor (default: 60) [$NTFY_VISITOR_REQUEST_LIMIT_BURST]
+   --visitor-request-limit-exempt-hosts value, --visitor_request_limit_exempt_hosts value              hostnames and/or IP addresses of hosts that will be exempt from the visitor request limit [$NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS]
+   --visitor-request-limit-replenish value, --visitor_request_limit_replenish value                    interval at which burst limit is replenished (one per x) (default: 5s) [$NTFY_VISITOR_REQUEST_LIMIT_REPLENISH]
+   --visitor-subscription-limit value, --visitor_subscription_limit value                              number of subscriptions per visitor (default: 30) [$NTFY_VISITOR_SUBSCRIPTION_LIMIT]
+   --web-root value, --web_root value                                                                  sets web root to landing page (home), web app (app) or disabled (disable) (default: "app") [$NTFY_WEB_ROOT]
 ```

--- a/docs/deprecations.md
+++ b/docs/deprecations.md
@@ -1,11 +1,46 @@
 # Deprecation notices
 This page is used to list deprecation notices for ntfy. Deprecated commands and options will be 
-**removed after ~3 months** from the time they were deprecated.
+**removed after 1-3 months** from the time they were deprecated. How long the feature is deprecated
+before the behavior is changed depends on the severity of the change, and how prominent the feature is.

 ## Active deprecations
+_No active deprecations_
+
+## Previous deprecations
+
+### ntfy CLI: `ntfy publish --env-topic` will be removed
+> Active since 2022-06-20, behavior changed with v1.30.1
+
+The `ntfy publish --env-topic` option will be removed. It'll still be possible to specify a topic via the
+`NTFY_TOPIC` environment variable, but it won't be necessary anymore to specify the `--env-topic` flag.
+
+=== "Before"
+    ```
+    $ NTFY_TOPIC=mytopic ntfy publish --env-topic "this is the message"
+    ```
+
+=== "After"
+    ```
+    $ NTFY_TOPIC=mytopic ntfy publish "this is the message"
+    ```
+
+### <del>Android app: WebSockets will become the default connection protocol</del>
+> Active since 2022-03-13, behavior will not change (deprecation removed 2022-06-20)
+
+Instant delivery connections and connections to self-hosted servers in the Android app were going to switch
+to use the WebSockets protocol by default. It was decided to keep JSON stream as the most compatible default
+and add a notice banner in the Android app instead.
+
+### Android app: Using `since=<timestamp>` instead of `since=<id>`
+> Active since 2022-02-27, behavior changed with v1.14.0
+
+The Android app started using `since=<id>` instead of `since=<timestamp>`, which means as of Android app v1.14.0, 
+it will not work with servers older than v1.16.0 anymore. This is to simplify handling of deduplication in the Android app.
+
+The `since=<timestamp>` endpoint will continue to work. This is merely a notice that the Android app behavior will change.

 ### Running server via `ntfy` (instead of `ntfy serve`)
-> since 2021-12-17
+> Deprecated 2021-12-17, behavior changed with v1.10.0

 As more commands are added to the `ntfy` CLI tool, using just `ntfy` to run the server is not practical
 anymore. Please use `ntfy serve` instead. This also applies to Docker images, as they can also execute more than
--- a/docs/develop.md
+++ b/docs/develop.md
@@ -1,54 +1,306 @@
-# Building
+# Development
+Hurray 🥳 🎉, you are interested in writing code for ntfy! **That's awesome.** 😎
+
+I tried my very best to write up detailed instructions, but if at any point in time you run into issues, don't 
+hesitate to **contact me on [Discord](https://discord.gg/cT7ECsZj9w) or [Matrix](https://matrix.to/#/#ntfy:matrix.org)**.

 ## ntfy server
-The ntfy server source code is available [on GitHub](https://github.com/binwiederhier/ntfy). 
-To quickly build on amd64, you can use `make build-simple`:
+The ntfy server source code is available [on GitHub](https://github.com/binwiederhier/ntfy). The codebase for the
+server consists of three components:

-```
-git clone git@github.com:binwiederhier/ntfy.git
-cd ntfy
-make build-simple
+* **The main server/client** is written in [Go](https://go.dev/) (so you'll need Go). Its main entrypoint is at 
+  [main.go](https://github.com/binwiederhier/ntfy/blob/main/main.go), and the meat you're likely interested in is 
+  in [server.go](https://github.com/binwiederhier/ntfy/blob/main/server/server.go). Notably, the server uses a 
+  [SQLite](https://sqlite.org) library called [go-sqlite3](https://github.com/mattn/go-sqlite3), which requires 
+  [Cgo](https://go.dev/blog/cgo) and `CGO_ENABLED=1` to be set. Otherwise things will not work (see below).
+* **The documentation** is generated by [MkDocs](https://www.mkdocs.org/) and [Material for MkDocs](https://squidfunk.github.io/mkdocs-material/),
+  which is written in [Python](https://www.python.org/). You'll need Python and MkDocs (via `pip`) only if you want to
+  build the docs.
+* **The web app** is written in [React](https://reactjs.org/), using [MUI](https://mui.com/). It uses [Create React App](https://create-react-app.dev/)
+  to build the production build. If you want to modify the web app, you need [nodejs](https://nodejs.org/en/) (for `npm`) 
+  and install all the 100,000 dependencies (*sigh*).
+
+All of these components are built and then **baked into one binary**. 
+
+### Navigating the code
+Code:
+
+* [main.go](https://github.com/binwiederhier/ntfy/blob/main/main.go) - Main entrypoint into the CLI, for both server and client
+* [cmd/](https://github.com/binwiederhier/ntfy/tree/main/cmd) - CLI commands, such as `serve` or `publish`
+* [server/](https://github.com/binwiederhier/ntfy/tree/main/server) - The meat of the server logic
+* [docs/](https://github.com/binwiederhier/ntfy/tree/main/docs) - The [MkDocs](https://www.mkdocs.org/) documentation, also see `mkdocs.yml`
+* [web/](https://github.com/binwiederhier/ntfy/tree/main/web) - The [React](https://reactjs.org/) application, also see `web/package.json`
+
+Build related:
+
+* [Makefile](https://github.com/binwiederhier/ntfy/blob/main/Makefile) - Main entrypoint for all things related to building
+* [.goreleaser.yml](https://github.com/binwiederhier/ntfy/blob/main/.goreleaser.yml) - Describes all build outputs (for [GoReleaser](https://goreleaser.com/))
+* [go.mod](https://github.com/binwiederhier/ntfy/blob/main/go.mod) - Go modules dependency file
+* [mkdocs.yml](https://github.com/binwiederhier/ntfy/blob/main/mkdocs.yml) - Config file for the docs (for [MkDocs](https://www.mkdocs.org/))
+* [web/package.json](https://github.com/binwiederhier/ntfy/blob/main/web/package.json) - Build and dependency file for web app (for npm)
+
+
+The `web/` and `docs/` folder are the sources for web app and documentation. During the build process,
+the generated output is copied to `server/site` (web app and landing page) and `server/docs` (documentation).
+
+### Build/test on Gitpod
+To get a quick working development environment you can use [Gitpod](https://gitpod.io), an in-browser IDE 
+that makes it easy to develop ntfy without having to set up a desktop IDE. For any real development,
+I do suggest a proper IDE like [IntelliJ IDEA](https://www.jetbrains.com/idea/).
+
+[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/binwiederhier/ntfy)
+
+### Build requirements
+
+* [Go](https://go.dev/) (required for main server)
+* [gcc](https://gcc.gnu.org/) (required main server, for SQLite cgo-based bindings)
+* [Make](https://www.gnu.org/software/make/) (required for convenience)
+* [libsqlite3/libsqlite3-dev](https://www.sqlite.org/) (required for main server, for SQLite cgo-based bindings)
+* [GoReleaser](https://goreleaser.com/) (required for a proper main server build)
+* [Python](https://www.python.org/) (for `pip`, only to build the docs) 
+* [nodejs](https://nodejs.org/en/) (for `npm`, only to build the web app)
+
+### Install dependencies
+These steps **assume Ubuntu**. Steps may vary on different Linux distributions.
+
+First, install [Go](https://go.dev/) (see [official instructions](https://go.dev/doc/install)):
+``` shell
+wget https://go.dev/dl/go1.19.1.linux-amd64.tar.gz
+sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.19.1.linux-amd64.tar.gz
+export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin
+go version   # verifies that it worked
 ```

-That'll generate a statically linked binary in `dist/ntfy_linux_amd64/ntfy`.
-
-For all other platforms (including Docker), and for production or other snapshot builds, you should use the amazingly 
-awesome [GoReleaser](https://goreleaser.com/) make targets:
-
-```
-Build:
-  make build                       - Build
-  make build-snapshot              - Build snapshot
-  make build-simple                - Build (using go build, without goreleaser)
-  make clean                       - Clean build folder
-
-Releasing (requires goreleaser):
-  make release                     - Create a release
-  make release-snapshot            - Create a test release
+Install [GoReleaser](https://goreleaser.com/) (see [official instructions](https://goreleaser.com/install/)):
+``` shell
+go install github.com/goreleaser/goreleaser@latest
+goreleaser -v   # verifies that it worked
 ```

-There are currently no platform-specific make targets, so they will build for all platforms (which may take a while).
+Install [nodejs](https://nodejs.org/en/) (see [official instructions](https://nodejs.org/en/download/package-manager/)):
+``` shell
+curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
+sudo apt-get install -y nodejs
+npm -v   # verifies that it worked
+```
+
+Then install a few other things required:
+``` shell
+sudo apt install \
+    build-essential \
+    libsqlite3-dev \
+    gcc-arm-linux-gnueabi \
+    gcc-aarch64-linux-gnu \
+    python3-pip \
+    upx \
+    git
+```
+
+### Check out code
+Now check out via git from the [GitHub repository](https://github.com/binwiederhier/ntfy):
+
+=== "via HTTPS"
+    ``` shell
+    git clone https://github.com/binwiederhier/ntfy.git
+    cd ntfy
+    ```
+
+=== "via SSH"
+    ``` shell
+    git clone git@github.com:binwiederhier/ntfy.git 
+    cd ntfy
+    ```
+
+### Build all the things
+Now you can finally build everything. There are tons of `make` targets, so maybe just review what's there first 
+by typing `make`:
+
+``` shell
+$ make 
+Typical commands (more see below):
+  make build                   - Build web app, documentation and server/client (sloowwww)
+  make cli-linux-amd64         - Build server/client binary (amd64, no web app or docs)
+  make install-linux-amd64     - Install ntfy binary to /usr/bin/ntfy (amd64)
+  make web                     - Build the web app
+  make docs                    - Build the documentation
+  make check                   - Run all tests, vetting/formatting checks and linters
+...
+```
+
+If you want to build the **ntfy binary including web app and docs for all supported architectures** (amd64, armv7, and arm64), 
+you can simply run `make build`:
+
+``` shell
+$ make build
+...
+# This builds web app, docs, and the ntfy binary (for amd64, armv7 and arm64). 
+# This will be SLOW (5+ minutes on my laptop on the first run). Maybe look at the other make targets?
+```
+
+You'll see all the outputs in the `dist/` folder afterwards:
+
+``` bash
+$ find dist 
+dist
+dist/metadata.json
+dist/ntfy_arm64_linux_arm64
+dist/ntfy_arm64_linux_arm64/ntfy
+dist/ntfy_armv7_linux_arm_7
+dist/ntfy_armv7_linux_arm_7/ntfy
+dist/ntfy_amd64_linux_amd64
+dist/ntfy_amd64_linux_amd64/ntfy
+dist/config.yaml
+dist/artifacts.json
+```
+
+If you also want to build the **Debian/RPM packages and the Docker images for all supported architectures**, you can 
+use the `make release-snapshot` target:
+
+``` shell
+$ make release-snapshot
+...
+# This will be REALLY SLOW (sometimes 5+ minutes on my laptop)
+```
+
+During development, you may want to be more picky and build only certain things. Here are a few examples.
+
+### Build the ntfy binary
+To build only the `ntfy` binary **without the web app or documentation**, use the `make cli-...` targets:
+
+``` shell
+$ make
+Build server & client (using GoReleaser, not release version):
+  make cli                        - Build server & client (all architectures)
+  make cli-linux-amd64            - Build server & client (Linux, amd64 only)
+  make cli-linux-armv6            - Build server & client (Linux, armv6 only)
+  make cli-linux-armv7            - Build server & client (Linux, armv7 only)
+  make cli-linux-arm64            - Build server & client (Linux, arm64 only)
+  make cli-windows-amd64          - Build client (Windows, amd64 only)
+  make cli-darwin-all             - Build client (macOS, arm64+amd64 universal binary)
+```
+
+So if you're on an amd64/x86_64-based machine, you may just want to run `make cli-linux-amd64` during testing. On a modern
+system, this shouldn't take longer than 5-10 seconds. I often combine it with `install-linux-amd64` so I can run the binary
+right away:
+
+``` shell
+$ make cli-linux-amd64 install-linux-amd64
+$ ntfy serve
+```
+
+**During development of the main app, you can also just use `go run main.go`**, as long as you run 
+`make cli-deps-static-sites`at least once and `CGO_ENABLED=1`:
+
+``` shell
+$ export CGO_ENABLED=1
+$ make cli-deps-static-sites
+$ go run main.go serve
+2022/03/18 08:43:55 Listening on :2586[http]
+...
+```
+
+If you don't run `cli-deps-static-sites`, you may see an error *`pattern ...: no matching files found`*:
+```
+$ go run main.go serve
+server/server.go:85:13: pattern docs: no matching files found
+```
+
+This is because we use `go:embed` to embed the documentation and web app, so the Go code expects files to be
+present at `server/docs` and `server/site`. If they are not, you'll see the above error. The `cli-deps-static-sites`
+target creates dummy files that ensure that you'll be able to build.
+
+While not officially supported (or released), you can build and run the server **on macOS** as well. Simply run 
+`make cli-darwin-server` to build a binary, or `go run main.go serve` (see above) to run it.
+
+### Build the web app
+The sources for the web app live in `web/`. As long as you have `npm` installed (see above), building the web app 
+is really simple. Just type `make web` and you're in business:
+
+``` shell
+$ make web
+...
+```
+
+This will build the web app using Create React App and then **copy the production build to the `server/site` folder**, so 
+that when you `make cli` (or `make cli-linux-amd64`, ...), you will have the web app included in the `ntfy` binary.
+
+If you're developing on the web app, it's best to just `cd web` and run `npm start` manually. This will open your browser
+at `http://127.0.0.1:3000` with the web app, and as you edit the source files, they will be recompiled and the browser 
+will automatically refresh:
+
+``` shell
+$ cd web
+$ npm start
+```
+
+### Build the docs
+The sources for the docs live in `docs/`. Similarly to the web app, you can simply run `make docs` to build the 
+documentation. As long as you have `mkdocs` installed (see above), this should work fine:
+
+``` shell
+$ make docs
+...
+```
+
+If you are changing the documentation, you should be running `mkdocs serve` directly. This will build the documentation, 
+serve the files at `http://127.0.0.1:8000/`, and rebuild every time you save the source files: 
+
+```
+$ mkdocs serve
+INFO     -  Building documentation...
+INFO     -  Cleaning site directory
+INFO     -  Documentation built in 5.53 seconds
+INFO     -  [16:28:14] Serving on http://127.0.0.1:8000/
+```
+
+Then you can navigate to http://127.0.0.1:8000/ and whenever you change a markdown file in your text editor it'll automatically update.

 ## Android app
 The ntfy Android app source code is available [on GitHub](https://github.com/binwiederhier/ntfy-android).
 The Android app has two flavors:

-* **Google Play:** The `play` flavor includes Firebase (FCM) and requires a Firebase account
+* **Google Play:** The `play` flavor includes [Firebase (FCM)](https://firebase.google.com/) and requires a Firebase account
 * **F-Droid:** The `fdroid` flavor does not include Firebase or Google dependencies

+### Navigating the code
+* [main/](https://github.com/binwiederhier/ntfy-android/tree/main/app/src/main) - Main Android app source code
+* [play/](https://github.com/binwiederhier/ntfy-android/tree/main/app/src/play) - Google Play / Firebase specific code
+* [fdroid/](https://github.com/binwiederhier/ntfy-android/tree/main/app/src/fdroid) - F-Droid Firebase stubs
+* [build.gradle](https://github.com/binwiederhier/ntfy-android/blob/main/app/build.gradle) - Main build file
+
+### IDE/Environment
+You should download [Android Studio](https://developer.android.com/studio) (or [IntelliJ IDEA](https://www.jetbrains.com/idea/) 
+with the relevant Android plugins). Everything else will just be a pain for you. Do yourself a favor. 😀 
+
+### Check out the code
 First check out the repository:

-```
-git clone git@github.com:binwiederhier/ntfy-android.git
-cd ntfy-android
-```
+=== "via HTTPS"
+    ``` shell
+    git clone https://github.com/binwiederhier/ntfy-android.git
+    cd ntfy-android
+    ```
+
+=== "via SSH"
+    ``` shell
+    git clone git@github.com:binwiederhier/ntfy-android.git
+    cd ntfy-android
+    ```

 Then either follow the steps for building with or without Firebase.

-### Building without Firebase (F-Droid flavor)
-Without Firebase, you may want to still change the default `app_base_url` in [strings.xml](https://github.com/binwiederhier/ntfy-android/blob/main/app/src/main/res/values/strings.xml)
+### Build F-Droid flavor (no FCM)
+!!! info
+    I do build the ntfy Android app using IntelliJ IDEA (Android Studio), so I don't know if these Gradle commands will
+    work without issues. Please give me feedback if it does/doesn't work for you.
+
+Without Firebase, you may want to still change the default `app_base_url` in [values.xml](https://github.com/binwiederhier/ntfy-android/blob/main/app/src/main/res/values/values.xml)
 if you're self-hosting the server. Then run:
 ```
+# Remove Google dependencies (FCM)
+sed -i -e '/google-services/d' build.gradle
+sed -i -e '/google-services/d' app/build.gradle
+
 # To build an unsigned .apk (app/build/outputs/apk/fdroid/*.apk)
 ./gradlew assembleFdroidRelease

@@ -56,11 +308,16 @@ if you're self-hosting the server. Then run:
 ./gradlew bundleFdroidRelease
 ```

-### Building with Firebase (FCM, Google Play flavor)
+### Build Play flavor (FCM)
+!!! info
+    I do build the ntfy Android app using IntelliJ IDEA (Android Studio), so I don't know if these Gradle commands will
+    work without issues. Please give me feedback if it does/doesn't work for you.
+
 To build your own version with Firebase, you must:
+
 * Create a Firebase/FCM account
 * Place your account file at `app/google-services.json`
-* And change `app_base_url` in [strings.xml](https://github.com/binwiederhier/ntfy-android/blob/main/app/src/main/res/values/strings.xml)
+* And change `app_base_url` in [values.xml](https://github.com/binwiederhier/ntfy-android/blob/main/app/src/main/res/values/values.xml)
 * Then run:
 ```
 # To build an unsigned .apk (app/build/outputs/apk/play/*.apk)
@@ -69,3 +326,9 @@ To build your own version with Firebase, you must:
 # To build a bundle .aab (app/play/release/*.aab)
 ./gradlew bundlePlayRelease
 ```
+
+## iOS app
+The ntfy iOS app source code is available [on GitHub](https://github.com/binwiederhier/ntfy-ios).
+
+!!! info
+    I haven't had time to move the build instructions here. Please check out the repository instead.
--- a/docs/examples.md
+++ b/docs/examples.md
@@ -4,7 +4,14 @@ There are a million ways to use ntfy, but here are some inspirations. I try to c
 <a href="https://github.com/binwiederhier/ntfy/tree/main/examples">examples on GitHub</a>, so be sure to check
 those out, too.

-## A long process is done: backups, copying data, pipelines, ...
+!!! info
+    Many of these examples were contributed by ntfy users. If you have other examples of how you use ntfy, please
+    [create a pull request](https://github.com/binwiederhier/ntfy/pulls), and I'll happily include it. Also note, that
+    I cannot guarantee that all of these examples are functional. Many of them I have not tried myself.
+
+## Cronjobs
+ntfy is perfect for any kind of cronjobs or just when long processes are done (backups, pipelines, rsync copy commands, ...).
+
 I started adding notifications pretty much all of my scripts. Typically, I just chain the <tt>curl</tt> call
 directly to the command I'm running. The following example will either send <i>Laptop backup succeeded</i>
 or ⚠️ <i>Laptop backup failed</i> directly to my phone:
@@ -16,11 +23,37 @@ rsync -a root@laptop /backups/laptop \
  || curl -H tags:warning -H prio:high -d "Laptop backup failed" ntfy.sh/backups
 ```

-## Server-sent messages in your web app
-Just as you can [subscribe to topics in the Web UI](subscribe/web.md), you can use ntfy in your own
-web application. Check out the <a href="/example.html">live example</a> or just look the source of this page.
+Here's one for the history books. I desperately want the `github.com/ntfy` organization, but all my tickets with
+GitHub have been hopeless. In case it ever becomes available, I want to know immediately.

-## Notify on SSH login
+``` cron
+# Check github/ntfy user
+*/6 * * * * if curl -s https://api.github.com/users/ntfy | grep "Not Found"; then curl -d "github.com/ntfy is available" -H "Tags: tada" -H "Prio: high" ntfy.sh/my-alerts; fi
+```
+
+
+## Low disk space alerts
+Here's a simple cronjob that I use to alert me when the disk space on the root disk is running low. It's simple, but 
+effective. 
+
+``` bash 
+#!/bin/bash
+
+mingigs=10
+avail=$(df | awk '$6 == "/" && $4 < '$mingigs' * 1024*1024 { print $4/1024/1024 }')
+topicurl=https://ntfy.sh/mytopic
+
+if [ -n "$avail" ]; then
+  curl \
+    -d "Only $avail GB available on the root disk. Better clean that up." \
+    -H "Title: Low disk space alert on $(hostname)" \
+    -H "Priority: high" \
+    -H "Tags: warning,cd" \
+    $topicurl
+fi
+```
+
+## SSH login alerts
 Years ago my home server was broken into. That shook me hard, so every time someone logs into any machine that I
 own, I now message myself. Here's an example of how to use <a href="https://en.wikipedia.org/wiki/Linux_PAM">PAM</a>
 to notify yourself on SSH login.
@@ -68,10 +101,474 @@ It looked something like this:
 You can easily integrate ntfy into Ansible, Salt, or Puppet to notify you when runs are done or are highstated.
 One of my co-workers uses the following Ansible task to let him know when things are done:

-```yml
+``` yaml
 - name: Send ntfy.sh update
  uri:
    url: "https://ntfy.sh/{{ ntfy_channel }}"
    method: POST
    body: "{{ inventory_hostname }} reseeding complete"
 ```
+
+There's also a dedicated Ansible action plugin (one which runs on the Ansible controller) called
+[ansible-ntfy](https://github.com/jpmens/ansible-ntfy). The following task posts a message
+to ntfy at its default URL (`attrs` and other attributes are optional):
+
+``` yaml
+- name: "Notify ntfy that we're done"
+  ntfy:
+       msg: "deployment on {{ inventory_hostname }} is complete. 🐄"
+       attrs:
+          tags: [ heavy_check_mark ]
+          priority: 1
+```
+
+## GitHub Actions
+You can send a message during a workflow run with curl. Here is an example sending info about the repo, commit and job status.
+``` yaml
+- name: Actions Ntfy
+  run: |
+    curl \
+      -u ${{ secrets.NTFY_CRED }} \
+      -H "Title: Title here" \
+      -H "Content-Type: text/plain" \
+      -d $'Repo: ${{ github.repository }}\nCommit: ${{ github.sha }}\nRef: ${{ github.ref }}\nStatus: ${{ job.status}}' \
+      ${{ secrets.NTFY_URL }}
+```
+
+## Watchtower (shoutrrr)
+You can use [shoutrrr](https://github.com/containrrr/shoutrrr) generic webhook support to send 
+[Watchtower](https://github.com/containrrr/watchtower/) notifications to your ntfy topic.
+
+Example docker-compose.yml:
+``` yaml
+services:
+  watchtower:
+    image: containrrr/watchtower
+    environment:
+      - WATCHTOWER_NOTIFICATIONS=shoutrrr
+      - WATCHTOWER_NOTIFICATION_URL=generic+https://ntfy.sh/my_watchtower_topic?title=WatchtowerUpdates
+```
+
+Or, if you only want to send notifications using shoutrrr:
+```
+shoutrrr send -u "generic+https://ntfy.sh/my_watchtower_topic?title=WatchtowerUpdates" -m "testMessage"
+```
+
+## Sonarr, Radarr, Lidarr, Readarr, Prowlarr, SABnzbd
+It's possible to use custom scripts for all the *arr services, plus SABnzbd. Notifications for downloads, warnings, grabs etc.
+Some simple bash scripts to achieve this are kindly provided in [nickexyz's repository](https://github.com/nickexyz/ntfy-shellscripts). 
+
+## Node-RED
+You can use the HTTP request node to send messages with [Node-RED](https://nodered.org), some examples:
+
+<details>
+<summary>Example: Send a message (click to expand)</summary>
+
+``` json
+[
+    {
+        "id": "c956e688cc74ad8e",
+        "type": "http request",
+        "z": "fabdd7a3.4045a",
+        "name": "ntfy.sh",
+        "method": "POST",
+        "ret": "txt",
+        "paytoqs": "ignore",
+        "url": "https://ntfy.sh/mytopic",
+        "tls": "",
+        "persist": false,
+        "proxy": "",
+        "authType": "",
+        "senderr": false,
+        "credentials":
+        {
+            "user": "",
+            "password": ""
+        },
+        "x": 590,
+        "y": 3160,
+        "wires":
+        [
+            []
+        ]
+    },
+    {
+        "id": "32ee1eade51fae50",
+        "type": "function",
+        "z": "fabdd7a3.4045a",
+        "name": "data",
+        "func": "msg.payload = \"Something happened\";\nmsg.headers = {};\nmsg.headers['tags'] = 'house';\nmsg.headers['X-Title'] = 'Home Assistant';\n\nreturn msg;",
+        "outputs": 1,
+        "noerr": 0,
+        "initialize": "",
+        "finalize": "",
+        "libs": [],
+        "x": 470,
+        "y": 3160,
+        "wires":
+        [
+            [
+                "c956e688cc74ad8e"
+            ]
+        ]
+    },
+    {
+        "id": "b287e59cd2311815",
+        "type": "inject",
+        "z": "fabdd7a3.4045a",
+        "name": "Manual start",
+        "props":
+        [
+            {
+                "p": "payload"
+            },
+            {
+                "p": "topic",
+                "vt": "str"
+            }
+        ],
+        "repeat": "",
+        "crontab": "",
+        "once": false,
+        "onceDelay": "20",
+        "topic": "",
+        "payload": "",
+        "payloadType": "date",
+        "x": 330,
+        "y": 3160,
+        "wires":
+        [
+            [
+                "32ee1eade51fae50"
+            ]
+        ]
+    }
+]
+```
+
+</details>
+
+![Node red message flow](static/img/nodered-message.png)
+
+<details>
+<summary>Example: Send a picture (click to expand)</summary>
+
+``` json
+[
+    {
+        "id": "d135a13eadeb9d6d",
+        "type": "http request",
+        "z": "fabdd7a3.4045a",
+        "name": "Download image",
+        "method": "GET",
+        "ret": "bin",
+        "paytoqs": "ignore",
+        "url": "https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png",
+        "tls": "",
+        "persist": false,
+        "proxy": "",
+        "authType": "",
+        "senderr": false,
+        "credentials":
+        {
+            "user": "",
+            "password": ""
+        },
+        "x": 490,
+        "y": 3320,
+        "wires":
+        [
+            [
+                "6e75bc41d2ec4a03"
+            ]
+        ]
+    },
+    {
+        "id": "6e75bc41d2ec4a03",
+        "type": "function",
+        "z": "fabdd7a3.4045a",
+        "name": "data",
+        "func": "msg.payload = msg.payload;\nmsg.headers = {};\nmsg.headers['tags'] = 'house';\nmsg.headers['X-Title'] = 'Home Assistant - Picture';\n\nreturn msg;",
+        "outputs": 1,
+        "noerr": 0,
+        "initialize": "",
+        "finalize": "",
+        "libs": [],
+        "x": 650,
+        "y": 3320,
+        "wires":
+        [
+            [
+                "eb160615b6ceda98"
+            ]
+        ]
+    },
+    {
+        "id": "eb160615b6ceda98",
+        "type": "http request",
+        "z": "fabdd7a3.4045a",
+        "name": "ntfy.sh",
+        "method": "PUT",
+        "ret": "bin",
+        "paytoqs": "ignore",
+        "url": "https://ntfy.sh/mytopic",
+        "tls": "",
+        "persist": false,
+        "proxy": "",
+        "authType": "",
+        "senderr": false,
+        "credentials":
+        {
+            "user": "",
+            "password": ""
+        },
+        "x": 770,
+        "y": 3320,
+        "wires":
+        [
+            []
+        ]
+    },
+    {
+        "id": "5b8dbf15c8a7a3a5",
+        "type": "inject",
+        "z": "fabdd7a3.4045a",
+        "name": "Manual start",
+        "props":
+        [
+            {
+                "p": "payload"
+            },
+            {
+                "p": "topic",
+                "vt": "str"
+            }
+        ],
+        "repeat": "",
+        "crontab": "",
+        "once": false,
+        "onceDelay": "20",
+        "topic": "",
+        "payload": "",
+        "payloadType": "date",
+        "x": 310,
+        "y": 3320,
+        "wires":
+        [
+            [
+                "d135a13eadeb9d6d"
+            ]
+        ]
+    }
+]
+```
+
+</details>
+
+![Node red picture flow](static/img/nodered-picture.png)
+
+## Gatus
+To use ntfy with [Gatus](https://github.com/TwiN/gatus), you can use the `ntfy` alerting provider like so:
+
+```yaml
+alerting:
+  ntfy:
+    url: "https://ntfy.sh"
+    topic: "YOUR_NTFY_TOPIC"
+    priority: 3
+```
+
+For more information on using ntfy with Gatus, refer to [Configuring ntfy alerts](https://github.com/TwiN/gatus#configuring-ntfy-alerts).
+
+<details>
+  <summary>Alternative: Using the custom alerting provider</summary>
+
+```yaml
+alerting:
+  custom:
+    url: "https://ntfy.sh"
+    method: "POST"
+    body: |
+      {
+        "topic": "mytopic",
+        "message": "[ENDPOINT_NAME] - [ALERT_DESCRIPTION]",
+        "title": "Gatus",
+        "tags": ["[ALERT_TRIGGERED_OR_RESOLVED]"],
+        "priority": 3
+      }
+    default-alert:
+      enabled: true
+      description: "health check failed"
+      send-on-resolved: true
+      failure-threshold: 3
+      success-threshold: 3
+    placeholders:
+      ALERT_TRIGGERED_OR_RESOLVED:
+        TRIGGERED: "warning"
+        RESOLVED: "white_check_mark"
+```
+
+</details>
+
+
+## Jellyseerr/Overseerr webhook
+Here is an example for [jellyseerr](https://github.com/Fallenbagel/jellyseerr)/[overseerr](https://overseerr.dev/) webhook
+JSON payload. Remember to change the `https://requests.example.com` to your jellyseerr/overseerr URL.
+
+``` json
+{
+    "topic": "requests",
+    "title": "{{event}}",
+    "message": "{{subject}}\n{{message}}\n\nRequested by: {{requestedBy_username}}\n\nStatus: {{media_status}}\nRequest Id: {{request_id}}",
+    "priority": 4,
+    "attach": "{{image}}",
+    "click": "https://requests.example.com/{{media_type}}/{{media_tmdbid}}"
+}
+```
+
+## Home Assistant
+Here is an example for the configuration.yml file to setup a REST notify component.
+Since Home Assistant is going to POST JSON, you need to specify the root of your ntfy resource.
+
+```yaml
+notify:
+  - name: ntfy
+    platform: rest
+    method: POST_JSON
+    data:
+      topic: YOUR_NTFY_TOPIC
+    title_param_name: title
+    message_param_name: message
+    resource: https://ntfy.sh
+```
+
+If you need to authenticate to your ntfy resource, define the authentication, username and password as below:
+
+```yaml
+notify:
+  - name: ntfy
+    platform: rest
+    method: POST_JSON
+    authentication: basic
+    username: YOUR_USERNAME
+    password: YOUR_PASSWORD
+    data:
+      topic: YOUR_NTFY_TOPIC
+    title_param_name: title
+    message_param_name: message
+    resource: https://ntfy.sh
+```
+
+If you need to add any other [ntfy specific parameters](https://ntfy.sh/docs/publish/#publish-as-json) such as priority, tags, etc., add them to the `data` array in the example yml. For example:
+
+```yaml
+notify:
+  - name: ntfy
+    platform: rest
+    method: POST_JSON
+    data:
+      topic: YOUR_NTFY_TOPIC
+      priority: 4
+    title_param_name: title
+    message_param_name: message
+    resource: https://ntfy.sh
+```
+
+## Uptime Kuma
+Go to your [Uptime Kuma](https://github.com/louislam/uptime-kuma) Settings > Notifications, click on **Setup Notification**.
+Then set your desired **title** (e.g. "Uptime Kuma"), **ntfy topic**, **Server URL** and **priority (1-5)**:
+
+<div id="uptimekuma-screenshots" class="screenshots">
+    <a href="../static/img/uptimekuma-settings.png"><img src="../static/img/uptimekuma-settings.png"/></a>
+    <a href="../static/img/uptimekuma-setup.png"><img src="../static/img/uptimekuma-setup.png"/></a>
+</div>
+
+You can now test the notifications and apply them to monitors:
+
+<div id="uptimekuma-monitor-screenshots" class="screenshots">
+    <a href="../static/img/uptimekuma-ios-test.jpg"><img src="../static/img/uptimekuma-ios-test.jpg"/></a>
+    <a href="../static/img/uptimekuma-ios-down.jpg"><img src="../static/img/uptimekuma-ios-down.jpg"/></a>
+    <a href="../static/img/uptimekuma-ios-up.jpg"><img src="../static/img/uptimekuma-ios-up.jpg"/></a>
+</div>
+
+## UptimeRobot
+Go to your [UptimeRobot](https://github.com/uptimerobot) My Settings > Alert Contacts > Add Alert Contact
+Select **Alert Contact Type** = Webhook. Then set your desired **Friendly Name** (e.g. "ntfy-sh-UP"), **URL to Notify**, **POST value** and select checkbox **Send as JSON (application/json)**. Make sure to send the JSON POST request to ntfy.domain.com without the topic name in the url and include the "topic" name in the JSON body.
+
+<div id="uptimerobot-monitor-setup" class="screenshots">
+    <a href="../static/img/uptimerobot-setup.jpg"><img src="../static/img/uptimerobot-setup.jpg"/></a>
+</div>
+
+``` json
+{
+    "topic":"myTopic",
+    "title": "*monitorFriendlyName* *alertTypeFriendlyName*",
+    "message": "*alertDetails*", 
+    "tags": ["green_circle"],
+    "priority": 3,
+    "click": https://uptimerobot.com/dashboard#*monitorID*
+}
+```
+You can create two Alert Contacts each with a different icon and priority, for example:
+
+``` json
+{
+    "topic":"myTopic",
+    "title": "*monitorFriendlyName* *alertTypeFriendlyName*",
+    "message": "*alertDetails*", 
+    "tags": ["red_circle"],
+    "priority": 3,
+    "click": https://uptimerobot.com/dashboard#*monitorID*
+}
+```
+You can now add the created Alerts Contact(s) to the monitor(s) and test the notifications:
+
+<div id="uptimerobot-monitor-screenshots" class="screenshots">
+    <a href="../static/img/uptimerobot-test.jpg"><img src="../static/img/uptimerobot-test.jpg"/></a>
+</div>
+
+
+## Apprise
+ntfy is integrated natively into [Apprise](https://github.com/caronc/apprise) (also check out the 
+[Apprise/ntfy wiki page](https://github.com/caronc/apprise/wiki/Notify_ntfy)).
+
+You can use it like this:
+
+```
+apprise -vv -t "Test Message Title" -b "Test Message Body" \
+   ntfy://mytopic
+```
+
+Or with your own server like this:
+
+```
+apprise -vv -t "Test Message Title" -b "Test Message Body" \
+   ntfy://ntfy.example.com/mytopic
+```
+
+
+## Rundeck
+Rundeck by default sends only HTML email which is not processed by ntfy SMTP server. Append following configurations to 
+[rundeck-config.properties](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html) :
+
+```
+# Template
+rundeck.mail.template.file=/path/to/template.html
+rundeck.mail.template.log.formatted=false
+```
+
+Example `template.html`:
+```html
+<div>Execution ${execution.id} was <b>${execution.status}</b></div>
+<ul>
+    <li><a href="${execution.href}">Execution result</a></li>
+    <li><a href="${job.href}">Job</a></li>
+    <li><a href="${execution.projectHref}">Project: ${execution.project}</a></li>
+    <li><a href="${rundeck.href}">Rundeck</a></li>
+</ul>
+```
+
+Add notification on Rundeck (attachment type must be: `Attached as file to email`):
+![Rundeck](static/img/rundeck.png)
+
+
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -4,27 +4,35 @@
 Who knows. I didn't do a lot of research before making this. It was fun making it.

 ## Can I use this in my app? Will it stay free?
-Yes. As long as you don't abuse it, it'll be available and free of charge. I do not plan on monetizing
-the service.
+Yes. As long as you don't abuse it, it'll be available and free of charge. While I will always allow usage of the ntfy.sh
+server without signup and free of charge, I may also offer paid plans in the future.

 ## What are the uptime guarantees?
-Best effort.
+Best effort. 
+
+ntfy currently runs on a single DigitalOcean droplet, without any scale out strategy or redundancies. When the time comes,
+I'll add scale out features, but for now it is what it is.
+
+In the first year of its life, and to this day (Dec'22), ntfy had **no outages** that I can remember. Other than short 
+blips and some HTTP 500 spikes, it has been rock solid.   
+
+There is a [status page](https://ntfy.statuspage.io/) which is updated based on some automated checks via the amazingly 
+awesome [healthchecks.io](https://healthchecks.io/) (_no affiliation, just a fan_).

 ## What happens if there are multiple subscribers to the same topic?
-As per usual with pub-sub, all subscribers receive notifications if they are
-subscribed to a topic.
+As per usual with pub-sub, all subscribers receive notifications if they are subscribed to a topic.

 ## Will you know what topics exist, can you spy on me?
-If you don't trust me or your messages are sensitive, run your own server. It's <a href="https://github.com/binwiederhier/ntfy">open source</a>.
-That said, the logs do not contain any topic names or other details about you.
-Messages are cached for the duration configured in `server.yml` (12h by default) to facilitate service restarts, message polling and to overcome
-client network disruptions.
+If you don't trust me or your messages are sensitive, run your own server. It's open source.
+That said, the logs do contain topic names and IP addresses, but I don't use them for anything other than
+troubleshooting and rate limiting. Messages are cached for the duration configured in `server.yml` (12h by default) 
+to facilitate service restarts, message polling and to overcome client network disruptions.

 ## Can I self-host it?
-Yes. The server (including this Web UI) can be self-hosted, and the Android app supports adding topics from
+Yes. The server (including this Web UI) can be self-hosted, and the Android/iOS app supports adding topics from
 your own server as well. Check out the [install instructions](install.md).

-## Why is Firebase used?
+## Is Firebase used?
 In addition to caching messages locally and delivering them to long-polling subscribers, all messages are also
 published to Firebase Cloud Messaging (FCM) (if `FirebaseKeyFile` is set, which it is on ntfy.sh). This
 is to facilitate notifications on Android. 
@@ -33,16 +41,37 @@ If you do not care for Firebase, I suggest you install the [F-Droid version](htt
 of the app and [self-host your own ntfy server](install.md).

 ## How much battery does the Android app use?
-If you use the ntfy.sh server and you don't use the [instant delivery](subscribe/phone.md#instant-delivery) feature, 
-the Android app uses no additional battery, since Firebase Cloud Messaging (FCM) is used. If you use your own server, 
-or you use *instant delivery*, the app has to maintain a constant connection to the server, which consumes about 4% of
-battery in 17h of use (on my phone). I use it, and it makes no difference to me.
+If you use the ntfy.sh server, and you don't use the [instant delivery](subscribe/phone.md#instant-delivery) feature, 
+the Android/iOS app uses no additional battery, since Firebase Cloud Messaging (FCM) is used. If you use your own server, 
+or you use *instant delivery* (Android only), the app has to maintain a constant connection to the server, which consumes 
+about 0-1% of battery in 17h of use (on my phone). There has been a ton of testing and improvement around this. I think it's pretty 
+decent now.

 ## What is instant delivery?
 [Instant delivery](subscribe/phone.md#instant-delivery) is a feature in the Android app. If turned on, the app maintains a constant connection to the
-server and listens for incoming notifications. This consumes <a href="#battery-usage">additional battery</a>,
+server and listens for incoming notifications. This consumes additional battery (see above),
 but delivers notifications instantly.

-## Why is there no iOS app (yet)?
-I don't have an iPhone or a Mac, so I didn't make an iOS app yet. It'd be awesome if
-<a href="https://github.com/binwiederhier/ntfy/issues/4">someone else could help out</a>.
+## Can you implement feature X?
+Yes, maybe. Check out [existing GitHub issues](https://github.com/binwiederhier/ntfy/issues) to see if somebody else had
+the same idea before you, or file a new issue. I'll likely get back to you within a few days.
+
+## I'm having issues with iOS, can you help? The iOS app is behind compared to the Android app, can you fix that?
+The iOS is very bare bones and quite frankly a little buggy. I wanted to get something out the door to make the iOS users
+happy, but halfway through I got frustrated with iOS development and paused development. I will eventually get back to
+it, or hopefully, somebody else will come along and help out. Please review the [known issues](known-issues.md) for details.
+
+## Can I disable the web app? Can I protect it with a login screen?
+The web app is a static website without a backend (other than the ntfy API). All data is stored locally in the browser
+cache and local storage. That means it does not need to be protected with a login screen, and it poses no additional 
+security risk. So technically, it does not need to be disabled.
+
+However, if you still want to disable it, you can do so with the `web-root: disable` option in the `server.yml` file. 
+
+Think of the ntfy web app like an Android/iOS app. It is freely available and accessible to anyone, yet useless without
+a proper backend. So as long as you secure your backend with ACLs, exposing the ntfy web app to the Internet is harmless.
+
+## Where can I donate?
+I have just very recently started accepting donations via [GitHub Sponsors](https://github.com/sponsors/binwiederhier).
+I would be humbled if you helped me carry the server and developer account costs. Even small donations are very much
+appreciated.
--- a/docs/index.md
+++ b/docs/index.md
@@ -5,7 +5,7 @@ or POST requests. I use it to notify myself when scripts fail, or long-running c
 ## Step 1: Get the app
 <a href="https://play.google.com/store/apps/details?id=io.heckel.ntfy"><img src="../../static/img/badge-googleplay.png"></a>
 <a href="https://f-droid.org/en/packages/io.heckel.ntfy/"><img src="../../static/img/badge-fdroid.png"></a>
-<a href="https://github.com/binwiederhier/ntfy/issues/4"><img src="../../static/img/badge-appstore.png"></a>
+<a href="https://apps.apple.com/us/app/ntfy/id1625396347"><img src="../../static/img/badge-appstore.png"></a>

 To [receive notifications on your phone](subscribe/phone.md), install the app, either via Google Play or F-Droid.
 Once installed, open it and subscribe to a topic of your choosing. Topics don't have to explicitly be created, so just
@@ -83,7 +83,7 @@ This will create a notification that looks like this:
 </figure>

 That's it. You're all set. Go play and read the rest of the docs. I highly recommend reading at least the page on
-[publishing messages](publish.md), as well as the detailed page on the [Android app](subscribe/phone.md).
+[publishing messages](publish.md), as well as the detailed page on the [Android/iOS app](subscribe/phone.md).

 Here's another video showing the entire process:

--- a/docs/install.md
+++ b/docs/install.md
@@ -13,36 +13,51 @@ The ntfy server comes as a statically linked binary and is shipped as tarball, d
 We support amd64, armv7 and arm64.

 1. Install ntfy using one of the methods described below
-2. Then (optionally) edit `/etc/ntfy/server.yml` for the server (see [configuration](config.md) or [sample server.yml](https://github.com/binwiederhier/ntfy/blob/main/server/server.yml))
-3. Or (optionally) create/edit `~/.config/ntfy/client.yml` (or `/etc/ntfy/client.yml`, see [sample client.yml](https://github.com/binwiederhier/ntfy/blob/main/client/client.yml))
+2. Then (optionally) edit `/etc/ntfy/server.yml` for the server (Linux only, see [configuration](config.md) or [sample server.yml](https://github.com/binwiederhier/ntfy/blob/main/server/server.yml))
+3. Or (optionally) create/edit `~/.config/ntfy/client.yml` (for the non-root user) or `/etc/ntfy/client.yml` (for the root user), see [sample client.yml](https://github.com/binwiederhier/ntfy/blob/main/client/client.yml))

 To run the ntfy server, then just run `ntfy serve` (or `systemctl start ntfy` when using the deb/rpm).
-To send messages, use `ntfy publish`. To subscribe to topics, use `ntfy subscribe` (see [subscribing via CLI][subscribe/cli.md]
+To send messages, use `ntfy publish`. To subscribe to topics, use `ntfy subscribe` (see [subscribing via CLI](subscribe/cli.md)
 for details). 

-## Binaries and packages
+## Linux binaries
 Please check out the [releases page](https://github.com/binwiederhier/ntfy/releases) for binaries and
 deb/rpm packages.

 === "x86_64/amd64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_x86_64.tar.gz
-    sudo tar -C /usr/bin -zxf ntfy_*.tar.gz ntfy
-    sudo ./ntfy serve
+    wget https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_x86_64.tar.gz
+    tar zxvf ntfy_1.30.1_linux_x86_64.tar.gz
+    sudo cp -a ntfy_1.30.1_linux_x86_64/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_1.30.1_linux_x86_64/{client,server}/*.yml /etc/ntfy
+    sudo ntfy serve
+    ```
+
+=== "armv6"
+    ```bash
+    wget https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_armv6.tar.gz
+    tar zxvf ntfy_1.30.1_linux_armv6.tar.gz
+    sudo cp -a ntfy_1.30.1_linux_armv6/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_1.30.1_linux_armv6/{client,server}/*.yml /etc/ntfy
+    sudo ntfy serve
    ```

 === "armv7/armhf"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_armv7.tar.gz
-    sudo tar -C /usr/bin -zxf ntfy_*.tar.gz ntfy
-    sudo ./ntfy serve
+    wget https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_armv7.tar.gz
+    tar zxvf ntfy_1.30.1_linux_armv7.tar.gz
+    sudo cp -a ntfy_1.30.1_linux_armv7/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_1.30.1_linux_armv7/{client,server}/*.yml /etc/ntfy
+    sudo ntfy serve
    ```

 === "arm64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_arm64.tar.gz
-    sudo tar -C /usr/bin -zxf ntfy_*.tar.gz ntfy
-    sudo ./ntfy serve
+    wget https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_arm64.tar.gz
+    tar zxvf ntfy_1.30.1_linux_arm64.tar.gz
+    sudo cp -a ntfy_1.30.1_linux_arm64/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_1.30.1_linux_arm64/{client,server}/*.yml /etc/ntfy
+    sudo ntfy serve
    ```

 ## Debian/Ubuntu repository
@@ -50,9 +65,10 @@ Installation via Debian repository:

 === "x86_64/amd64"
    ```bash
-    curl -sSL https://archive.heckel.io/apt/pubkey.txt | sudo apt-key add -
+    sudo mkdir -p /etc/apt/keyrings
+    curl -fsSL https://archive.heckel.io/apt/pubkey.txt | sudo gpg --dearmor -o /etc/apt/keyrings/archive.heckel.io.gpg
    sudo apt install apt-transport-https
-    sudo sh -c "echo 'deb [arch=amd64] https://archive.heckel.io/apt debian main' \
+    sudo sh -c "echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/archive.heckel.io.gpg] https://archive.heckel.io/apt debian main' \
        > /etc/apt/sources.list.d/archive.heckel.io.list"  
    sudo apt update
    sudo apt install ntfy
@@ -62,10 +78,11 @@ Installation via Debian repository:

 === "armv7/armhf"
    ```bash
-    curl -sSL https://archive.heckel.io/apt/pubkey.txt | sudo apt-key add -
+    sudo mkdir -p /etc/apt/keyrings
+    curl -fsSL https://archive.heckel.io/apt/pubkey.txt | sudo gpg --dearmor -o /etc/apt/keyrings/archive.heckel.io.gpg
    sudo apt install apt-transport-https
-    sudo sh -c "echo 'deb [arch=armhf] https://archive.heckel.io/apt debian main' \
-        > /etc/apt/sources.list.d/archive.heckel.io.list"  
+    sudo sh -c "echo 'deb [arch=armhf signed-by=/etc/apt/keyrings/archive.heckel.io.gpg] https://archive.heckel.io/apt debian main' \
+        > /etc/apt/sources.list.d/archive.heckel.io.list"
    sudo apt update
    sudo apt install ntfy
    sudo systemctl enable ntfy
@@ -74,10 +91,11 @@ Installation via Debian repository:

 === "arm64"
    ```bash
-    curl -sSL https://archive.heckel.io/apt/pubkey.txt | sudo apt-key add -
+    sudo mkdir -p /etc/apt/keyrings
+    curl -fsSL https://archive.heckel.io/apt/pubkey.txt | sudo gpg --dearmor -o /etc/apt/keyrings/archive.heckel.io.gpg
    sudo apt install apt-transport-https
-    sudo sh -c "echo 'deb [arch=arm64] https://archive.heckel.io/apt debian main' \
-        > /etc/apt/sources.list.d/archive.heckel.io.list"  
+    sudo sh -c "echo 'deb [arch=arm64 signed-by=/etc/apt/keyrings/archive.heckel.io.gpg] https://archive.heckel.io/apt debian main' \
+        > /etc/apt/sources.list.d/archive.heckel.io.list"
    sudo apt update
    sudo apt install ntfy
    sudo systemctl enable ntfy
@@ -88,7 +106,15 @@ Manually installing the .deb file:

 === "x86_64/amd64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_amd64.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_amd64.deb
+    sudo dpkg -i ntfy_*.deb
+    sudo systemctl enable ntfy
+    sudo systemctl start ntfy
+    ```
+
+=== "armv6"
+    ```bash
+    wget https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_armv6.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -96,7 +122,7 @@ Manually installing the .deb file:

 === "armv7/armhf"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_armv7.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_armv7.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -104,7 +130,7 @@ Manually installing the .deb file:

 === "arm64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_arm64.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_arm64.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -114,21 +140,28 @@ Manually installing the .deb file:

 === "x86_64/amd64"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_amd64.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_amd64.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```

+=== "armv6"
+    ```bash
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_armv6.rpm
+    sudo systemctl enable ntfy
+    sudo systemctl start ntfy
+    ```
+
 === "armv7/armhf"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_armv7.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_armv7.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```

 === "arm64"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v1.15.0/ntfy_1.15.0_linux_arm64.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_linux_arm64.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```
@@ -146,15 +179,65 @@ cd ntfysh-bin
 makepkg -si
 ```

+## NixOS / Nix
+ntfy is packaged in nixpkgs as `ntfy-sh`. It can be installed by adding the package name to the configuration file and calling `nixos-rebuild`. Alternatively, the following command can be used to install ntfy in the current user environment:
+```
+nix-env -iA ntfy-sh
+```
+
+NixOS also supports [declarative setup of the ntfy server](https://search.nixos.org/options?channel=unstable&show=services.ntfy-sh.enable&from=0&size=50&sort=relevance&type=packages&query=ntfy). 
+
+## macOS
+The [ntfy CLI](subscribe/cli.md) (`ntfy publish` and `ntfy subscribe` only) is supported on macOS as well. 
+To install, please [download the tarball](https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_macOS_all.tar.gz), 
+extract it and place it somewhere in your `PATH` (e.g. `/usr/local/bin/ntfy`). 
+
+If run as `root`, ntfy will look for its config at `/etc/ntfy/client.yml`. For all other users, it'll look for it at 
+`~/Library/Application Support/ntfy/client.yml` (sample included in the tarball).
+
+```bash
+curl -L https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_macOS_all.tar.gz > ntfy_1.30.1_macOS_all.tar.gz
+tar zxvf ntfy_1.30.1_macOS_all.tar.gz
+sudo cp -a ntfy_1.30.1_macOS_all/ntfy /usr/local/bin/ntfy
+mkdir ~/Library/Application\ Support/ntfy 
+cp ntfy_1.30.1_macOS_all/client/client.yml ~/Library/Application\ Support/ntfy/client.yml
+ntfy --help
+```
+
+!!! info
+    There is a [GitHub issue](https://github.com/binwiederhier/ntfy/issues/286) about making ntfy installable via
+    [Homebrew](https://brew.sh/). I'll eventually get to that, but I'd also love if somebody else stepped up to do it. 
+    Also, you can build and run the ntfy server on macOS as well, though I don't officially support that. 
+    Check out the [build instructions](develop.md) for details.
+
+## Windows
+The [ntfy CLI](subscribe/cli.md) (`ntfy publish` and `ntfy subscribe` only) is supported on Windows as well.
+To install, please [download the latest ZIP](https://github.com/binwiederhier/ntfy/releases/download/v1.30.1/ntfy_1.30.1_windows_x86_64.zip),
+extract it and place the `ntfy.exe` binary somewhere in your `%Path%`. 
+
+The default path for the client config file is at `%AppData%\ntfy\client.yml` (not created automatically, sample in the ZIP file).
+
+Also available in [Scoop's](https://scoop.sh) Main repository:
+
+`scoop install ntfy`
+
+!!! info
+    There is currently no installer for Windows, and the binary is not signed. If this is desired, please create a
+    [GitHub issue](https://github.com/binwiederhier/ntfy/issues) to let me know.

 ## Docker
-The [ntfy image](https://hub.docker.com/r/binwiederhier/ntfy) is available for amd64, armv7 and arm64. It should be pretty
-straight forward to use.
+The [ntfy image](https://hub.docker.com/r/binwiederhier/ntfy) is available for amd64, armv6, armv7 and arm64. It should 
+be pretty straight forward to use.

 The server exposes its web UI and the API on port 80, so you need to expose that in Docker. To use the persistent 
 [message cache](config.md#message-cache), you also need to map a volume to `/var/cache/ntfy`. To change other settings, 
 you should map `/etc/ntfy`, so you can edit `/etc/ntfy/server.yml`.

+!!! info
+    Note that the Docker image **does not contain a `/etc/ntfy/server.yml` file**. If you'd like to use a config file, 
+    please manually create one outside the image and map it as a volume, e.g. via `-v /etc/ntfy:/etc/ntfy`. You may
+    use the [`server.yml` file on GitHub](https://github.com/binwiederhier/ntfy/blob/main/server/server.yml) as a template.
+
 Basic usage (no cache or additional config):
 ```
 docker run -p 80:80 -it binwiederhier/ntfy serve
@@ -167,20 +250,45 @@ docker run \
  -p 80:80 \
  -it \
  binwiederhier/ntfy \
-    --cache-file /var/cache/ntfy/cache.db \
-    serve
+    serve \
+    --cache-file /var/cache/ntfy/cache.db
 ```

-With other config options (configured via `/etc/ntfy/server.yml`, see [configuration](config.md) for details):
+With other config options, timezone, and non-root user (configured via `/etc/ntfy/server.yml`, see [configuration](config.md) for details):
 ```bash
 docker run \
  -v /etc/ntfy:/etc/ntfy \
+  -e TZ=UTC \
  -p 80:80 \
+  -u UID:GID \
  -it \
  binwiederhier/ntfy \
  serve
 ```

+Using docker-compose with non-root user:
+```yaml
+version: "2.1"
+
+services:
+  ntfy:
+    image: binwiederhier/ntfy
+    container_name: ntfy
+    command:
+      - serve
+    environment:
+      - TZ=UTC    # optional: set desired timezone
+    user: UID:GID # optional: replace with your own user/group or uid/gid
+    volumes:
+      - /var/cache/ntfy:/var/cache/ntfy
+      - /etc/ntfy:/etc/ntfy
+    ports:
+      - 80:80
+    restart: unless-stopped
+```
+
+If using a non-root user when running the docker version, be sure to chown the server.yml, user.db, and cache.db files to the same uid/gid.
+
 Alternatively, you may wish to build a customized Docker image that can be run with fewer command-line arguments and without delivering the configuration file separately.
 ```
 FROM binwiederhier/ntfy
@@ -189,12 +297,299 @@ ENTRYPOINT ["ntfy", "serve"]
 ```
 This image can be pushed to a container registry and shipped independently. All that's needed when running it is mapping ntfy's port to a host port.

-## Go
-To install via Go, simply run:
+## Kubernetes
+
+The setup for Kubernetes is very similar to that for Docker, and requires a fairly minimal deployment or pod definition to function. There
+are a few options to mix and match, including a deployment without a cache file, a stateful set with a persistent cache, and a standalone
+unmanned pod.
+
+
+=== "deployment"
+    ```yaml
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: ntfy
+    spec:
+      selector:
+        matchLabels:
+          app: ntfy
+      template:
+        metadata:
+          labels:
+            app: ntfy
+        spec:
+          containers:
+          - name: ntfy
+            image: binwiederhier/ntfy
+            args: ["serve"]
+            resources:
+              limits:
+                memory: "128Mi"
+                cpu: "500m"
+            ports:
+            - containerPort: 80
+              name: http
+            volumeMounts:
+            - name: config
+              mountPath: "/etc/ntfy"
+              readOnly: true
+          volumes:
+            - name: config
+              configMap:
+                name: ntfy
+    ---
+    # Basic service for port 80
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: ntfy
+    spec:
+      selector:
+        app: ntfy
+      ports:
+      - port: 80
+        targetPort: 80
+    ```
+
+=== "stateful set"
+    ```yaml
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: ntfy
+    spec:
+      selector:
+        matchLabels:
+          app: ntfy
+      serviceName: ntfy
+      template:
+        metadata:
+          labels:
+            app: ntfy
+        spec:
+          containers:
+          - name: ntfy
+            image: binwiederhier/ntfy
+            args: ["serve", "--cache-file", "/var/cache/ntfy/cache.db"]
+            ports:
+            - containerPort: 80
+              name: http
+            volumeMounts:
+            - name: config
+              mountPath: "/etc/ntfy"
+              readOnly: true
+            - name: cache
+              mountPath: "/var/cache/ntfy"
+          volumes:
+            - name: config
+              configMap:
+                name: ntfy
+      volumeClaimTemplates:
+      - metadata:
+          name: cache
+        spec:
+          accessModes: [ "ReadWriteOnce" ]
+          resources:
+            requests:
+              storage: 1Gi
+    ```
+
+=== "pod"
+    ```yaml
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      labels:
+        app: ntfy
+    spec:
+      containers:
+      - name: ntfy
+        image: binwiederhier/ntfy
+        args: ["serve"]
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 80
+          name: http
+        volumeMounts:
+        - name: config
+          mountPath: "/etc/ntfy"
+          readOnly: true
+      volumes:
+        - name: config
+          configMap:
+            name: ntfy
+    ```
+
+Configuration is relatively straightforward. As an example, a minimal configuration is provided.
+
+=== "resource definition"
+    ```yaml
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: ntfy
+    data:
+      server.yml: |
+        # Template: https://github.com/binwiederhier/ntfy/blob/main/server/server.yml
+        base-url: https://ntfy.sh
+    ```
+
+=== "from-file"
+    ```bash
+    kubectl create configmap ntfy --from-file=server.yml 
+    ```
+
+## Kustomize
+
+ntfy can be deployed in a Kubernetes cluster with [Kustomize](https://github.com/kubernetes-sigs/kustomize), a tool used
+to customize Kubernetes objects using a `kustomization.yaml` file.
+
+1. Create new folder - `ntfy`
+2. Add all files listed below 
+    1. `kustomization.yaml` - stores all configmaps and resources used in a deployment
+    2. `ntfy-deployment.yaml` - define deployment type and its parameters
+    3. `ntfy-pvc.yaml` - describes how [persistent volumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) will be created 
+    4. `ntfy-svc.yaml` - expose application to the internal kubernetes network
+    5. `ntfy-ingress.yaml` - expose service to outside the network using [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/)
+    6. `server.yaml` - simple server configuration
+3. Replace **TESTNAMESPACE** within `kustomization.yaml` with designated namespace 
+4. Replace **ntfy.test** within `ntfy-ingress.yaml` with desired DNS name
+5. Apply configuration to cluster set in current context: 
+
 ```bash
-go install heckel.io/ntfy@latest
+kubectl apply -k /ntfy
 ```

-!!! info
-    Please [let me know](https://github.com/binwiederhier/ntfy/issues) if there are any issues with this installation
-    method. The SQLite bindings require CGO and it works for me, but I have the feeling it may not work for everyone.
+=== "kustomization.yaml"
+    ```yaml
+    apiVersion: kustomize.config.k8s.io/v1beta1
+    kind: Kustomization
+    resources:
+      - ntfy-deployment.yaml # deployment definition
+      - ntfy-svc.yaml # service connecting pods to cluster network
+      - ntfy-pvc.yaml # pvc used to store cache and attachment
+      - ntfy-ingress.yaml # ingress definition
+    configMapGenerator: # will parse config from raw config to configmap,it allows for dynamic reload of application if additional app is deployed ie https://github.com/stakater/Reloader
+        - name: server-config
+          files: 
+            - server.yml
+    namespace: TESTNAMESPACE # select namespace for whole application 
+    ```
+=== "ntfy-deployment.yaml"
+    ```yaml
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: ntfy-deployment
+      labels:
+        app: ntfy-deployment
+    spec:
+      revisionHistoryLimit: 1
+      replicas: 1
+      selector:
+        matchLabels:
+          app: ntfy-pod
+      template:
+        metadata:
+          labels:
+            app: ntfy-pod
+        spec:
+          containers:
+            - name: ntfy 
+              image: binwiederhier/ntfy:v1.28.0 # set deployed version
+              args: ["serve"]
+              env:  #example of adjustments made in environmental variables
+                - name: TZ # set timezone
+                  value: XXXXXXX
+                - name: NTFY_DEBUG # enable/disable debug
+                  value: "false"
+                - name: NTFY_LOG_LEVEL # adjust log level
+                  value: INFO
+                - name: NTFY_BASE_URL # add base url
+                  value: XXXXXXXXXX 
+              ports: 
+                - containerPort: 80
+                  name: http-ntfy
+              resources:
+                limits:
+                  memory: 300Mi
+                  cpu:  200m
+                requests:
+                      cpu: 150m
+                      memory: 150Mi
+              volumeMounts:
+                  - mountPath: /etc/ntfy/server.yml
+                    subPath: server.yml
+                    name: config-volume # generated vie configMapGenerator from kustomization file
+                  - mountPath: /var/cache/ntfy
+                    name: cache-volume #cache volume mounted to persistent volume
+            volumes:
+              - name: config-volume
+                configMap:  # uses configmap generator to parse server.yml to configmap
+                  name: server-config
+              - name: cache-volume
+                persistentVolumeClaim: # stores /cache/ntfy in defined pv
+                  claimName: ntfy-pvc
+    ```
+  
+=== "ntfy-pvc.yaml"
+    ```yaml
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: ntfy-pvc
+    spec:
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: local-path # adjust storage if needed
+      resources:
+        requests:
+          storage: 1Gi
+    ```
+
+=== "ntfy-svc.yaml"
+    ```yaml
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: ntfy-svc  
+    spec:
+      type: ClusterIP
+      selector:
+        app: ntfy-pod
+      ports:
+        - name: http-ntfy-out
+          protocol: TCP
+          port: 80
+          targetPort:  http-ntfy
+    ```
+
+=== "ntfy-ingress.yaml"
+    ```yaml
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      name: ntfy-ingress
+    spec:
+      rules:
+        - host: ntfy.test #select own
+          http:
+            paths:
+              - path: /
+                pathType: Prefix
+                backend:
+                  service:
+                    name:  ntfy-svc
+                    port:
+                      number: 80
+    ```
+
+=== "server.yml"
+    ```yaml
+    cache-file: "/var/cache/ntfy/cache.db"
+    attachment-cache-dir: "/var/cache/ntfy/attachments"
+    ```
--- a/docs/integrations.md
+++ b/docs/integrations.md
@@ -0,0 +1,156 @@
+# Integrations + community projects
+
+There are quite a few projects that work with ntfy, integrate ntfy, or have been built around ntfy. It's super exciting to see what you guys have come up with. Feel free to [create a pull request on GitHub](https://github.com/binwiederhier/ntfy/issues) to add your own project here.
+
+I've added a ⭐ to projects or posts that have a significant following, or had a lot of interaction by the community.
+
+## Public ntfy servers
+
+Here's a list of public ntfy servers. As of right now, there is only one official server. The others are provided by the 
+ntfy community. Thanks to everyone running a public server. **You guys rock!**
+
+| URL                                               | Country            |
+|---------------------------------------------------|--------------------|
+| [ntfy.sh](https://ntfy.sh/) (*Official*)          | 🇺🇸 United States |
+| [ntfy.tedomum.net](https://ntfy.tedomum.net/)     | 🇫🇷 France        |
+| [ntfy.jae.fi](https://ntfy.jae.fi/)               | 🇫🇮 Finland       |
+| [ntfy.adminforge.de](https://ntfy.adminforge.de/) | 🇩🇪 Germany       |
+| [ntfy.envs.net](https://ntfy.envs.net)            | 🇩🇪 Germany       |
+
+Please be aware that **server operators can log your messages**. The project also cannot guarantee the reliability
+and uptime of third party servers, so use of each server is **at your own discretion**.
+
+## Official integrations
+
+- [Healthchecks.io](https://healthchecks.io/) ⭐ - Online service for monitoring regularly running tasks such as cron jobs
+- [Apprise](https://github.com/caronc/apprise/wiki/Notify_ntfy) ⭐ - Push notifications that work with just about every platform
+- [Uptime Kuma](https://uptime.kuma.pet/) ⭐ - A self-hosted monitoring tool
+- [Robusta](https://docs.robusta.dev/master/catalog/sinks/webhook.html) ⭐ - open source platform for Kubernetes troubleshooting
+- [borgmatic](https://torsion.org/borgmatic/docs/how-to/monitor-your-backups/#third-party-monitoring-services) ⭐ - configuration-driven backup software for servers and workstations
+- [Radarr](https://radarr.video/) ⭐ - Movie collection manager for Usenet and BitTorrent users
+- [Sonarr](https://sonarr.tv/) ⭐ - PVR for Usenet and BitTorrent users
+- [Gatus](https://gatus.io/) ⭐ - Automated service health dashboard
+- [Automatisch](https://automatisch.io/) ⭐ - Open source Zapier alternative / workflow automation tool
+- [FlexGet](https://flexget.com/Plugins/Notifiers/ntfysh) ⭐ - Multipurpose automation tool for all of your media
+- [Scrt.link](https://scrt.link/) - Share a secret
+- [Platypush](https://docs.platypush.tech/platypush/plugins/ntfy.html) - Automation platform aimed to run on any device that can run Python
+
+## [UnifiedPush](https://unifiedpush.org/users/apps/) integrations
+
+- [Element](https://f-droid.org/packages/im.vector.app/) ⭐ - Matrix client
+- [SchildiChat](https://schildi.chat/android/) ⭐ - Matrix client
+- [Tusky](https://tusky.app/) ⭐ - Fediverse client
+- [Fedilab](https://fedilab.app/) - Fediverse client
+- [FindMyDevice](https://gitlab.com/Nulide/findmydevice/) - Find your Device with an SMS or online with the help of FMDServer
+- [Tox Push Message App](https://github.com/zoff99/tox_push_msg_app) - Tox Push Message App
+
+## Libraries 
+
+- [ntfy-php-library](https://github.com/VerifiedJoseph/ntfy-php-library) - PHP library for sending messages using a ntfy server (PHP)
+- [ntfy-notifier](https://github.com/DAcodedBEAT/ntfy-notifier) - Symfony Notifier integration for ntfy (PHP)
+- [ntfpy](https://github.com/Nevalicjus/ntfpy) - API Wrapper for ntfy.sh (Python)
+- [pyntfy](https://github.com/DP44/pyntfy) - A module for interacting with ntfy notifications (Python)
+- [vntfy](https://github.com/lmangani/vntfy) - Barebone V client for ntfy (V)
+- [ntfy-middleman](https://github.com/nachotp/ntfy-middleman) - Wraps APIs and send notifications using ntfy.sh on schedule (Python)
+- [ntfy-dotnet](https://github.com/nwithan8/ntfy-dotnet) - .NET client library to interact with a ntfy server (C# / .NET)
+- [node-ntfy-publish](https://github.com/cityssm/node-ntfy-publish) - A Node package to publish notifications to an ntfy server (Node)
+- [ntfy](https://github.com/jonocarroll/ntfy) - Wraps the ntfy API with pipe-friendly tooling (R)
+- [ntfy-for-delphi](https://github.com/hazzelnuts/ntfy-for-delphi) - A friendly library to push instant notifications ntfy (Delphi)
+- [ntfy](https://github.com/ffflorian/ntfy) - Send notifications over ntfy (JS)
+
+## CLIs + GUIs
+
+- [ntfy.sh.sh](https://github.com/mininmobile/ntfy.sh.sh) - Run scripts on ntfy.sh events
+- [ntfy Desktop client](https://codeberg.org/zvava/ntfy-desktop) - Cross-platform desktop application for ntfy
+- [ntfy svelte front-end](https://github.com/novatorem/Ntfy) - Front-end built with svelte
+- [wio-ntfy-ticker](https://github.com/nachotp/wio-ntfy-ticker) - Ticker display for a ntfy.sh topic
+- [ntfysh-windows](https://github.com/lucas-bortoli/ntfysh-windows) - A ntfy client for Windows Desktop
+- [ntfyr](https://github.com/haxwithaxe/ntfyr) - A simple commandline tool to send notifications to ntfy
+- [ntfy.py](https://github.com/ioqy/ntfy-client-python) - ntfy.py is a simple nfty.sh client for sending notifications
+
+## Projects + scripts 
+
+- [Grafana-to-ntfy](https://github.com/kittyandrew/grafana-to-ntfy) - Grafana-to-ntfy alerts channel (Rust)
+- [ntfy-long-zsh-command](https://github.com/robfox92/ntfy-long-zsh-command) - Notifies you once a long-running command completes (zsh)
+- [ntfy-shellscripts](https://github.com/nickexyz/ntfy-shellscripts) - A few scripts for the ntfy project (Shell)
+- [QuickStatus](https://github.com/corneliusroot/QuickStatus) - A shell script to alert to any immediate problems upon login (Shell)
+- [ntfy.el](https://github.com/shombando/ntfy) - Send notifications from Emacs (Emacs)
+- [backup-projects](https://gist.github.com/anthonyaxenov/826ba65abbabd5b00196bc3e6af76002) - Stupidly simple backup script for own projects (Shell)
+- [grav-plugin-whistleblower](https://github.com/Himmlisch-Studios/grav-plugin-whistleblower) - Grav CMS plugin to get notifications via ntfy (PHP)
+- [ntfy-server-status](https://github.com/filip2cz/ntfy-server-status) -  Checking if server is online and reporting through ntfy (C)
+- [borg-based backup](https://github.com/davidhi7/backup) - Simple borg-based backup script with notifications based on ntfy.sh or Discord webhooks (Python/Shell)
+- [ntfy.sh *arr script](https://github.com/agent-squirrel/nfty-arr-script) - Quick and hacky script to get sonarr/radarr to notify the ntfy.sh service (Shell)
+- [siteeagle](https://github.com/tpanum/siteeagle) - A small Python script to monitor websites and notify changes (Python)
+- [send_to_phone](https://github.com/whipped-cream/send_to_phone) - Scripts to upload a file to Transfer.sh and ping ntfy with the download link (Python)
+- [ntfy Discord bot](https://github.com/R0dn3yS/ntfy-bot) - WIP ntfy discord bot (TypeScript)
+- [ntfy Discord bot](https://github.com/binwiederhier/ntfy-bot) - ntfy Discord bot (Go)
+- [ntfy Discord bot](https://github.com/jr1221/ntfy_discord_bot) - An advanced modal-based bot for interacting with the ntfy.sh API (Dart)
+- [Bettarr Notifications](https://github.com/NiNiyas/Bettarr-Notifications) - Better Notifications for Sonarr and Radarr (Python)
+- [Notify me the intruders](https://github.com/nothingbutlucas/notify_me_the_intruders) - Notify you if they are intruders or new connections on your network (Shell)
+- [Send GitHub Action to ntfy](https://github.com/NiNiyas/ntfy-action) - Send GitHub Action workflow notifications to ntfy (JS)
+- [aTable/ntfy alertmanager bridge](https://github.com/aTable/ntfy_alertmanager_bridge) - Basic alertmanager bridge to ntfy (JS)
+- [~xenrox/ntfy-alertmanager](https://hub.xenrox.net/~xenrox/ntfy-alertmanager) - A bridge between ntfy and Alertmanager (Go)
+- [pinpox/alertmanager-ntfy](https://github.com/pinpox/alertmanager-ntfy) - Relay prometheus alertmanager alerts to ntfy (Go)
+- [alexbakker/alertmanager-ntfy](https://github.com/alexbakker/alertmanager-ntfy) - Service that forwards Prometheus Alertmanager notifications to ntfy (Go)
+- [restreamchat2ntfy](https://github.com/kurohuku7/restreamchat2ntfy) - Send restream.io chat to ntfy to check on the Meta Quest (JS)
+- [k8s-ntfy-deployment-service](https://github.com/Christian42/k8s-ntfy-deployment-service) - Automatic Kubernetes (k8s) ntfy deployment
+- [huginn-global-entry-notif](https://github.com/kylezoa/huginn-global-entry-notif) - Checks CBP API for available appointments with Huginn (JSON)
+- [ntfyer](https://github.com/KikyTokamuro/ntfyer) - Sending various information to your ntfy topic by time (TypeScript)
+- [git-simple-notifier](https://github.com/plamenjm/git-simple-notifier) - Script running git-log, checking for new repositories (Shell)
+- [ntfy-to-slack](https://github.com/ozskywalker/ntfy-to-slack) - Tool to subscribe to a ntfy topic and send the messages to a Slack webhook (Go)
+- [ansible-ntfy](https://github.com/jpmens/ansible-ntfy) - Ansible action plugin to post JSON messages to ntfy (Python)
+- [ntfy-notification-channel](https://github.com/wijourdil/ntfy-notification-channel) - Laravel Notification channel for ntfy (PHP)
+- [ntfy_on_a_chip](https://github.com/gergepalfi/ntfy_on_a_chip) - ESP8266 and ESP32 client code to communicate with ntfy
+- [ntfy-sdk](https://github.com/yukibtc/ntfy-sdk) - ntfy client library to send notifications (Rust)
+- [ntfy_ynh](https://github.com/YunoHost-Apps/ntfy_ynh) - ntfy app for YunoHost 
+- [drone-ntfy](https://github.com/Clortox/drone-ntfy) - Drone.io plugin for sending ntfy notifications from a pipeline (Shell)
+- [ignition-ntfy-module](https://github.com/Kyvis-Labs/ignition-ntfy-module) - Adds support for sending notifications via a ntfy server to Ignition (Java)
+- [maubot-ntfy](https://gitlab.com/999eagle/maubot-ntfy) - Matrix bot to subscribe to ntfy topics and send messages to Matrix (Python)
+- [ntfy-wrapper](https://github.com/vict0rsch/ntfy-wrapper) - Wrapper around ntfy (Python)
+
+## Blog + forum posts
+
+- [Comment envoyer des notifications push sur votre téléphone facilement et gratuitement?](https://korben.info/notifications-push-telephone.html) - 1/2023
+- [UnifiedPush: a decentralized, open-source push notification protocol](https://f-droid.org/en/2022/12/18/unifiedpush.html) ⭐ - 12/2022
+- [ntfy setup instructions](https://docs.benjamin-altpeter.de/network/vms/1001029-ntfy/) - benjamin-altpeter.de - 12/2022
+- [Ntfy Self-Hosted Push Notifications](https://lachlanlife.net/posts/2022-12-ntfy/) - lachlanlife.net - 12/2022 
+- [ntfy.sh](https://paramdeo.com/til/ntfy-sh) - paramdeo.com - 11/2022
+- [Using ntfy to warn me when my computer is discharging](https://ulysseszh.github.io/programming/2022/11/28/ntfy-warn-discharge.html) - ulysseszh.github.io - 11/2022
+- [ntfy - Push Notification Service](https://dizzytech.de/posts/ntfy/) - dizzytech.de - 11/2022 
+- [Console #132](https://console.substack.com/p/console-132) ⭐ - console.substack.com - 11/2022
+- [MeshCentral - Ntfy Push Notifications ](https://www.youtube.com/watch?v=wyE4rtUd4Bg) - youtube.com - 11/2022
+- [Changelog | Tracking layoffs, tech worker demand still high, ntfy, ...](https://changelog.com/news/tracking-layoffs-tech-worker-demand-still-high-ntfy-devenv-markdoc-mike-bifulco-Y1jW) ⭐ - changelog.com - 11/2022
+- [Pointer | Issue #367](https://www.pointer.io/archives/a9495a2a6f/) - pointer.io - 11/2022
+- [Envie Push Notifications por POST (de graça e sem cadastro)](https://www.tabnews.com.br/filipedeschamps/envie-push-notifications-por-post-de-graca-e-sem-cadastro) - tabnews.com.br - 11/2022
+- [Push Notifications for KDE](https://volkerkrause.eu/2022/11/12/kde-unifiedpush-push-notifications.html) - volkerkrause.eu - 11/2022
+- [TLDR Newsletter Daily Update 2022-11-09](https://tldr.tech/tech/newsletter/2022-11-09) ⭐ - tldr.tech - 11/2022
+- [Ntfy.sh – Send push notifications to your phone via PUT/POST](https://news.ycombinator.com/item?id=33517944) ⭐ - news.ycombinator.com - 11/2022
+- [Ntfy et Jeedom : un plugin](https://lunarok-domotique.com/2022/11/ntfy-et-jeedom/) - lunarok-domotique.com - 11/2022
+- [Crea tu propio servidor de notificaciones con Ntfy](https://blog.parravidales.es/crea-tu-propio-servidor-de-notificaciones-con-ntfy/) - blog.parravidales.es - 11/2022
+- [Zero-cost push notifications to your phone or desktop via PUT/POST ](https://lobste.rs/s/41dq13/zero_cost_push_notifications_your_phone) - lobste.rs - 10/2022
+- [A nifty push notification system: ntfy](https://jpmens.net/2022/10/30/a-nifty-push-notification-system-ntfy/) - jpmens.net - 10/2022 
+- [Alarmanlage der dritten Art (YouTube video)](https://www.youtube.com/watch?v=altb5QLHbaU&feature=youtu.be) - youtube.com - 10/2022
+- [Neue Services: Ntfy, TikTok und RustDesk](https://adminforge.de/tools/neue-services-ntfy-tiktok-und-rustdesk/) - adminforge.de - 9/2022
+- [Ntfy, le service de notifications qu’il vous faut](https://www.cachem.fr/ntfy-le-service-de-notifications-quil-vous-faut/) - cachem.fr - 9/2022
+- [NAS Synology et notifications avec ntfy](https://www.cachem.fr/synology-notifications-ntfy/) - cachem.fr - 9/2022 
+- [Self hosted Mobile Push Notifications using NTFY | Thejesh GN](https://thejeshgn.com/2022/08/23/self-hosted-mobile-push-notifications-using-ntfy/) - thejeshgn.com - 8/2022
+- [Fedora Magazine | 4 cool new projects to try in Copr](https://fedoramagazine.org/4-cool-new-projects-to-try-in-copr-for-august-2022/) - fedoramagazine.org - 8/2022
+- [Docker로 오픈소스 푸시알람 프로젝트 ntfy.sh 설치 및 사용하기.(Feat. Uptimekuma)](https://svrforum.com/svr/398979) - svrforum.com - 8/2022
+- [Easy notifications from R](https://sometimesir.com/posts/easy-notifications-from-r/) - sometimesir.com - 6/2022
+- [ntfy is finally coming to iOS, and Matrix/UnifiedPush gateway support](https://www.reddit.com/r/selfhosted/comments/vdzvxi/ntfy_is_finally_coming_to_ios_with_full/) ⭐ - reddit.com - 6/2022
+- [Install guide (with Docker)](https://chowdera.com/2022/150/202205301257379077.html) - chowdera.com - 5/2022
+- [无需注册的通知服务ntfy](https://blog.csdn.net/wbsu2004/article/details/125040247) - blog.csdn.net - 5/2022
+- [Updated review post (Jan-Lukas Else)](https://jlelse.blog/thoughts/2022/04/ntfy) - jlelse.blog - 4/2022
+- [Using ntfy and Tasker together](https://lachlanlife.net/posts/2022-04-tasker-ntfy/) - lachlanlife.net - 4/2022 
+- [Reddit feature update post](https://www.reddit.com/r/selfhosted/comments/uetlso/ntfy_is_a_tool_to_send_push_notifications_to_your/) ⭐ - reddit.com - 4/2022
+- [無料で簡単に通知の送受信ができつつオープンソースでセルフホストも可能な「ntfy」を使ってみた](https://gigazine.net/news/20220404-ntfy-push-notification/) - gigazine.net - 4/2022
+- [Pocketmags ntfy review](https://pocketmags.com/us/linux-format-magazine/march-2022/articles/1104187/ntfy) - pocketmags.com - 3/2022
+- [Reddit web app release post](https://www.reddit.com/r/selfhosted/comments/tc0p0u/say_hello_to_the_brand_new_ntfysh_web_app_push/) ⭐ - reddit.com- 3/2022
+- [Lemmy post (Jakob)](https://lemmy.eus/post/15541) - lemmy.eus - 1/2022
+- [Reddit UnifiedPush release post](https://www.reddit.com/r/selfhosted/comments/s5jylf/my_open_source_notification_android_app_and/) ⭐ - reddit.com - 1/2022
+- [ntfy: send notifications from your computer to your phone](https://rs1.es/tutorials/2022/01/19/ntfy-send-notifications-phone.html) - rs1.es - 1/2022
+- [Short ntfy review (Jan-Lukas Else)](https://jlelse.blog/links/2021/12/ntfy-sh) - jlelse.blog - 12/2021
+- [Free MacroDroid webhook alternative (FrameXX)](https://www.macrodroidforum.com/index.php?threads/ntfy-sh-free-macrodroid-webhook-alternative.1505/) - macrodroidforum.com - 12/2021
+- [ntfy otro sistema de notificaciones pub-sub simple basado en HTTP](https://ugeek.github.io/blog/post/2021-11-05-ntfy-sh-otro-sistema-de-notificaciones-pub-sub-simple-basado-en-http.html) - ugeek.github.io - 11/2021
+- [Show HN: A tool to send push notifications to your phone, written in Go](https://news.ycombinator.com/item?id=29715464) ⭐ - news.ycombinator.com - 12/2021
+- [Reddit selfhostable post](https://www.reddit.com/r/selfhosted/comments/qxlsm9/my_open_source_notification_android_app_and/) ⭐ - reddit.com - 11/2021
--- a/docs/known-issues.md
+++ b/docs/known-issues.md
@@ -0,0 +1,28 @@
+# Known issues
+This is an incomplete list of known issues with the ntfy server, Android app, and iOS app. You can find a complete
+list [on GitHub](https://github.com/binwiederhier/ntfy/labels/%F0%9F%AA%B2%20bug), but I thought it may be helpful
+to have the prominent ones here to link to.
+
+## iOS app not refreshing (see [#267](https://github.com/binwiederhier/ntfy/issues/267))
+For some (many?) users, the iOS app is not refreshing the view when new notifications come in. Until you manually
+swipe down, you do not see the newly arrived messages, even though the popup appeared before.
+
+This is caused by some weirdness between the Notification Service Extension (NSE), SwiftUI and Core Data. I am entirely
+clueless on how to fix it, sadly, as it is ephemeral and now clear to me what is causing it.
+
+Please send experienced iOS developers my way to help me figure this out.
+
+## iOS app not receiving notifications (anymore)
+If notifications do not show up at all anymore, there are a few causes for it (that I know of):
+
+**Firebase+APNS are being weird and buggy**:    
+If this is the case, usually it helps to **remove the topic/subscription and re-add it**. That will force Firebase to 
+re-subscribe to the Firebase topic.
+
+**Self-hosted only: No `upstream-base-url` set, or `base-url` mismatch**:   
+To make self-hosted servers work with the iOS
+app, I had to do some horrible things (see [iOS instant notifications](config.md#ios-instant-notifications) for details).
+Be sure that in your selfhosted server:
+
+* Set `upstream-base-url: "https://ntfy.sh"` (**not your own hostname!**)
+* Ensure that the URL you set in `base-url` **matches exactly** what you set the Default Server in iOS to 
--- a/docs/privacy.md
+++ b/docs/privacy.md
@@ -8,5 +8,5 @@ any outside service. All data is exclusively used to make the service function p
 I use is Firebase Cloud Messaging (FCM) service, which is required to provide instant Android notifications (see
 [FAQ](faq.md) for details). To avoid FCM altogether, download the F-Droid version.

-The web server does not log or otherwise store request paths, remote IP addresses or even topics or messages,
-aside from a short on-disk cache to support service restarts.
+For debugging purposes, the ntfy server may temporarily log request paths, remote IP addresses or even topics 
+or messages, though typically this is turned off.
--- a/docs/publish.md
+++ b/docs/publish.md
--- a/docs/releases.md
+++ b/docs/releases.md
@@ -0,0 +1,913 @@
+# Release notes
+Binaries for all releases can be found on the GitHub releases pages for the [ntfy server](https://github.com/binwiederhier/ntfy/releases)
+and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/releases).
+
+## ntfy server v1.31.0 (UNRELEASED)
+
+**Features:**
+
+* Preliminary `/v1/health` API endpoint for service monitoring (no ticket)
+* Add basic health check to `Dockerfile` ([#555](https://github.com/binwiederhier/ntfy/pull/555), thanks to [@bt90](https://github.com/bt90))
+
+**Bug fixes + maintenance:**
+
+* Fix `chown` issues with RHEL-like based systems ([#566](https://github.com/binwiederhier/ntfy/issues/566)/[#565](https://github.com/binwiederhier/ntfy/pull/565), thanks to [@danieldemus](https://github.com/danieldemus))
+* Removed `upx` (binary packing) for all builds due to false virus warnings ([#576](https://github.com/binwiederhier/ntfy/issues/576), thanks to [@shawnhwei](https://github.com/shawnhwei) for reporting)
+
+**Documentation:**
+
+* Add HTTP/2 and TLSv1.3 support to nginx docs ([#553](https://github.com/binwiederhier/ntfy/issues/553), thanks to [@bt90](https://github.com/bt90))
+* Small wording change for `client.yml` ([#562](https://github.com/binwiederhier/ntfy/pull/562), thanks to [@fleopaulD](https://github.com/fleopaulD))
+* Fix K8s install docs ([#582](https://github.com/binwiederhier/ntfy/pull/582), thanks to [@Remedan](https://github.com/Remedan))
+
+## ntfy server v1.30.1
+Released December 23, 2022 🎅
+
+This is a special holiday edition version of ntfy, with all sorts of holiday fun and games, and hidden quests.
+Nahh, just kidding. This release is an intermediate release mainly to eliminate warnings in the logs, so I can
+roll out the TLSv1.3, HTTP/2 and Unix mode changes on ntfy.sh (see [#552](https://github.com/binwiederhier/ntfy/issues/552)).
+
+**Features:**
+
+* Web: Generate random topic name button ([#453](https://github.com/binwiederhier/ntfy/issues/453), thanks to [@yardenshoham](https://github.com/yardenshoham))
+* Add [Gitpod config](https://github.com/binwiederhier/ntfy/blob/main/.gitpod.yml) ([#540](https://github.com/binwiederhier/ntfy/pull/540), thanks to [@yardenshoham](https://github.com/yardenshoham)) 
+
+**Bug fixes + maintenance:**
+
+* Remove `--env-topic` option from `ntfy publish` as per [deprecation](deprecations.md) (no ticket)
+* Prepared statements for message cache writes ([#542](https://github.com/binwiederhier/ntfy/pull/542), thanks to [@nicois](https://github.com/nicois))
+* Do not warn about invalid IP address when behind proxy in unix socket mode (relates to [#552](https://github.com/binwiederhier/ntfy/issues/552))
+* Upgrade nginx/ntfy config on ntfy.sh to work with TLSv1.3, HTTP/2 ([#552](https://github.com/binwiederhier/ntfy/issues/552), thanks to [@bt90](https://github.com/bt90))
+
+## ntfy Android app v1.16.0
+Released December 11, 2022
+
+This is a feature and platform/dependency upgrade release. You can now have per-subscription notification settings
+(including sounds, DND, etc.), and you can make notifications continue ringing until they are dismissed. There's also
+support for thematic/adaptive launcher icon for Android 13.
+
+There are a few more Android 13 specific things, as well as many bug fixes: No more crashes from large images, no more
+opening the wrong subscription, and we also fixed the icon color issue.
+
+**Features:**
+
+* Custom per-subscription notification settings incl. sounds, DND, etc. ([#6](https://github.com/binwiederhier/ntfy/issues/6), thanks to [@doits](https://github.com/doits))
+* Insistent notifications that ring until dismissed ([#417](https://github.com/binwiederhier/ntfy/issues/417), thanks to [@danmed](https://github.com/danmed) for reporting)
+* Add thematic/adaptive launcher icon ([#513](https://github.com/binwiederhier/ntfy/issues/513), thanks to [@daedric7](https://github.com/daedric7) for reporting)
+
+**Bug fixes + maintenance:**
+
+* Upgrade Android dependencies and build toolchain to SDK 33 (no ticket)
+* Simplify F-Droid build: Disable tasks for Google Services ([#516](https://github.com/binwiederhier/ntfy/issues/516), thanks to [@markosopcic](https://github.com/markosopcic))
+* Android 13: Ask for permission to post notifications ([#508](https://github.com/binwiederhier/ntfy/issues/508))
+* Android 13: Do not allow swiping away the foreground notification ([#521](https://github.com/binwiederhier/ntfy/issues/521), thanks to [@alexhorner](https://github.com/alexhorner) for reporting)
+* Android 5 (SDK 21): Fix crash on unsubscribing ([#528](https://github.com/binwiederhier/ntfy/issues/528), thanks to Roger M.)
+* Remove timestamp when copying message text ([#471](https://github.com/binwiederhier/ntfy/issues/471), thanks to [@wunter8](https://github.com/wunter8))
+* Fix auto-delete if some icons do not exist anymore ([#506](https://github.com/binwiederhier/ntfy/issues/506))
+* Fix notification icon color ([#480](https://github.com/binwiederhier/ntfy/issues/480), thanks to [@s-h-a-r-d](https://github.com/s-h-a-r-d) for reporting)
+* Fix topics do not re-subscribe to Firebase after restoring from backup ([#511](https://github.com/binwiederhier/ntfy/issues/511))
+* Fix crashes from large images ([#474](https://github.com/binwiederhier/ntfy/issues/474), thanks to [@daedric7](https://github.com/daedric7) for reporting)
+* Fix notification click opens wrong subscription ([#261](https://github.com/binwiederhier/ntfy/issues/261), thanks to [@SMAW](https://github.com/SMAW) for reporting)
+* Fix Firebase-only "link expired" issue ([#529](https://github.com/binwiederhier/ntfy/issues/529))
+* Remove "Install .apk" feature in Google Play variant due to policy change ([#531](https://github.com/binwiederhier/ntfy/issues/531))
+* Add donate button (no ticket)
+
+**Additional translations:**
+
+* Korean (thanks to [@YJSofta0f97461d82447ac](https://hosted.weblate.org/user/YJSofta0f97461d82447ac/))
+* Portuguese (thanks to [@victormagalhaess](https://hosted.weblate.org/user/victormagalhaess/))
+
+## ntfy server v1.29.1
+Released November 17, 2022
+
+This is mostly a bugfix release to address the high load on ntfy.sh. There are now two new options that allow
+synchronous batch-writing of messages to the cache. This avoids database locking, and subsequent pileups of waiting
+requests.
+
+**Bug fixes:**
+
+* High-load servers: Allow asynchronous batch-writing of messages to cache via `cache-batch-*` options ([#498](https://github.com/binwiederhier/ntfy/issues/498)/[#502](https://github.com/binwiederhier/ntfy/pull/502))
+* Sender column in cache.db shows invalid IP ([#503](https://github.com/binwiederhier/ntfy/issues/503))
+
+**Documentation:**
+
+* GitHub Actions example ([#492](https://github.com/binwiederhier/ntfy/pull/492), thanks to [@ksurl](https://github.com/ksurl))
+* UnifiedPush ACL clarification ([#497](https://github.com/binwiederhier/ntfy/issues/497), thanks to [@bt90](https://github.com/bt90)) 
+* Install instructions for Kustomize ([#463](https://github.com/binwiederhier/ntfy/pull/463), thanks to [@l-maciej](https://github.com/l-maciej))
+
+**Other things:**
+
+* Put ntfy.sh docs on GitHub pages to reduce AWS outbound traffic cost ([#491](https://github.com/binwiederhier/ntfy/issues/491))
+* The ntfy.sh server hardware was upgraded to a bigger box. If you'd like to help out carrying the server cost, **[sponsorships and donations](https://github.com/sponsors/binwiederhier)** 💸 would be very much appreciated
+
+## ntfy server v1.29.0
+Released November 12, 2022
+
+This release adds the ability to add rate limit exemptions for IP ranges instead of just specific IP addresses. It also fixes 
+a few bugs in the web app and the CLI and adds lots of new examples and install instructions.
+
+Thanks to [some love on HN](https://news.ycombinator.com/item?id=33517944), we got so many new ntfy users trying out ntfy
+and joining the [chat rooms](https://github.com/binwiederhier/ntfy#chat--forum). **Welcome to the ntfy community to all of you!** 
+We also got a ton of new **[sponsors and donations](https://github.com/sponsors/binwiederhier)** 💸, which is amazing. I'd like to thank
+all of you for believing in the project, and for helping me pay the server cost. The HN spike increased the AWS cost quite a bit.
+
+**Features:**
+
+* Allow IP CIDRs in `visitor-request-limit-exempt-hosts` ([#423](https://github.com/binwiederhier/ntfy/issues/423), thanks to [@karmanyaahm](https://github.com/karmanyaahm))
+
+**Bug fixes + maintenance:**
+
+* Subscriptions can now have a display name ([#370](https://github.com/binwiederhier/ntfy/issues/370), thanks to [@tfheen](https://github.com/tfheen) for reporting)
+* Bump Go version to Go 18.x ([#422](https://github.com/binwiederhier/ntfy/issues/422))
+* Web: Strip trailing slash when subscribing ([#428](https://github.com/binwiederhier/ntfy/issues/428), thanks to [@raining1123](https://github.com/raining1123) for reporting, and [@wunter8](https://github.com/wunter8) for fixing)
+* Web: Strip trailing slash after server URL in publish dialog ([#441](https://github.com/binwiederhier/ntfy/issues/441), thanks to [@wunter8](https://github.com/wunter8))
+* Allow empty passwords in `client.yml` ([#374](https://github.com/binwiederhier/ntfy/issues/374), thanks to [@cyqsimon](https://github.com/cyqsimon) for reporting, and [@wunter8](https://github.com/wunter8) for fixing)
+* `ntfy pub` will now use default username and password from `client.yml` ([#431](https://github.com/binwiederhier/ntfy/issues/431), thanks to [@wunter8](https://github.com/wunter8) for fixing)
+* Make `ntfy sub` work with `NTFY_USER` env variable ([#447](https://github.com/binwiederhier/ntfy/pull/447), thanks to [SuperSandro2000](https://github.com/SuperSandro2000))
+* Web: Disallow GET/HEAD requests with body in actions ([#468](https://github.com/binwiederhier/ntfy/issues/468), thanks to [@ollien](https://github.com/ollien))
+
+**Documentation:**
+
+* Updated developer docs, bump nodejs and go version ([#414](https://github.com/binwiederhier/ntfy/issues/414), thanks to [@YJSoft](https://github.com/YJSoft) for reporting)
+* Officially document `?auth=..` query parameter ([#433](https://github.com/binwiederhier/ntfy/pull/433), thanks to [@wunter8](https://github.com/wunter8))
+* Added Rundeck example ([#427](https://github.com/binwiederhier/ntfy/pull/427), thanks to [@demogorgonz](https://github.com/demogorgonz))
+* Fix Debian installation instructions ([#237](https://github.com/binwiederhier/ntfy/issues/237), thanks to [@Joeharrison94](https://github.com/Joeharrison94) for reporting)
+* Updated [example](https://ntfy.sh/docs/examples/#gatus) with official [Gatus](https://github.com/TwiN/gatus) integration (thanks to [@TwiN](https://github.com/TwiN))
+* Added [Kubernetes install instructions](https://ntfy.sh/docs/install/#kubernetes) ([#452](https://github.com/binwiederhier/ntfy/pull/452), thanks to [@gmemstr](https://github.com/gmemstr))
+* Added [additional NixOS links for self-hosting](https://ntfy.sh/docs/install/#nixos-nix) ([#462](https://github.com/binwiederhier/ntfy/pull/462), thanks to [@wamserma](https://github.com/wamserma))
+* Added additional [more secure nginx config example](https://ntfy.sh/docs/config/#nginxapache2caddy) ([#451](https://github.com/binwiederhier/ntfy/pull/451), thanks to [SuperSandro2000](https://github.com/SuperSandro2000))
+* Minor fixes in the config table ([#470](https://github.com/binwiederhier/ntfy/pull/470), thanks to [snh](https://github.com/snh))
+* Fix broken link ([#476](https://github.com/binwiederhier/ntfy/pull/476), thanks to [@shuuji3](https://github.com/shuuji3))
+
+**Additional translations:**
+
+* Korean (thanks to [@YJSofta0f97461d82447ac](https://hosted.weblate.org/user/YJSofta0f97461d82447ac/))
+
+**Sponsorships:**:
+
+Thank you to the amazing folks who decided to [sponsor ntfy](https://github.com/sponsors/binwiederhier). Thank you for 
+helping carry the cost of the public server and developer licenses, and more importantly: Thank you for believing in ntfy! 
+You guys rock! 
+
+A list of all the sponsors can be found in the [README](https://github.com/binwiederhier/ntfy/blob/main/README.md).
+
+## ntfy Android app v1.14.0 
+Released September 27, 2022
+
+This release adds the ability to set a custom icon to each notification, as well as a display name to subscriptions. We
+also moved the action buttons in the detail view to a more logical place, fixed a bunch of bugs, and added four more
+languages. Hurray!
+
+**Features:**
+
+* Subscriptions can now have a display name ([#313](https://github.com/binwiederhier/ntfy/issues/313), thanks to [@wunter8](https://github.com/wunter8))
+* Display name for UnifiedPush subscriptions ([#355](https://github.com/binwiederhier/ntfy/issues/355), thanks to [@wunter8](https://github.com/wunter8))
+* Polling is now done with `since=<id>` API, which makes deduping easier ([#165](https://github.com/binwiederhier/ntfy/issues/165))
+* Turned JSON stream deprecation banner into "Use WebSockets" banner (no ticket)
+* Move action buttons in notification cards ([#236](https://github.com/binwiederhier/ntfy/issues/236), thanks to [@wunter8](https://github.com/wunter8))
+* Icons can be set for each individual notification ([#126](https://github.com/binwiederhier/ntfy/issues/126), thanks to [@wunter8](https://github.com/wunter8))
+
+**Bug fixes:**
+
+* Long-click selecting of notifications doesn't scroll to the top anymore ([#235](https://github.com/binwiederhier/ntfy/issues/235), thanks to [@wunter8](https://github.com/wunter8))
+* Add attachment and click URL extras to MESSAGE_RECEIVED broadcast ([#329](https://github.com/binwiederhier/ntfy/issues/329), thanks to [@wunter8](https://github.com/wunter8))
+* Accessibility: Clear/choose service URL button in base URL dropdown now has a label ([#292](https://github.com/binwiederhier/ntfy/issues/292), thanks to [@mhameed](https://github.com/mhameed) for reporting)
+
+**Additional translations:**
+
+* Italian (thanks to [@Genio2003](https://hosted.weblate.org/user/Genio2003/))
+* Dutch (thanks to [@SchoNie](https://hosted.weblate.org/user/SchoNie/))
+* Ukranian (thanks to [@v.kopitsa](https://hosted.weblate.org/user/v.kopitsa/))
+* Polish (thanks to [@Namax0r](https://hosted.weblate.org/user/Namax0r/))
+
+Thank you to [@wunter8](https://github.com/wunter8) for proactively picking up some Android tickets, and fixing them! You rock!
+
+## ntfy server v1.28.0
+Released September 27, 2022
+
+This release primarily adds icon support for the Android app, and adds a display name to subscriptions in the web app.
+Aside from that, we fixed a few random bugs, most importantly the `Priority` header bug that allows the use behind
+Cloudflare. We also added a ton of documentation. Most prominently, an [integrations + projects page](https://ntfy.sh/docs/integrations/).
+
+As of now, I also have started accepting **[donations and sponsorships](https://github.com/sponsors/binwiederhier)** 💸. 
+I would be very humbled if you consider donating.
+
+**Features:**
+
+* Subscription display name for the web app ([#348](https://github.com/binwiederhier/ntfy/pull/348))
+* Allow setting socket permissions via `--listen-unix-mode` ([#356](https://github.com/binwiederhier/ntfy/pull/356), thanks to [@koro666](https://github.com/koro666))
+* Icons can be set for each individual notification ([#126](https://github.com/binwiederhier/ntfy/issues/126), thanks to [@wunter8](https://github.com/wunter8))
+* CLI: Allow default username/password in `client.yml` ([#372](https://github.com/binwiederhier/ntfy/pull/372), thanks to [@wunter8](https://github.com/wunter8))
+* Build support for other Unix systems ([#393](https://github.com/binwiederhier/ntfy/pull/393), thanks to [@la-ninpre](https://github.com/la-ninpre))
+
+**Bug fixes:**
+
+* `ntfy user` commands don't work with `auth_file` but works with `auth-file` ([#344](https://github.com/binwiederhier/ntfy/issues/344), thanks to [@Histalek](https://github.com/Histalek) for reporting)
+* Ignore new draft HTTP `Priority` header  ([#351](https://github.com/binwiederhier/ntfy/issues/351), thanks to [@ksurl](https://github.com/ksurl) for reporting)
+* Delete expired attachments based on mod time instead of DB entry to avoid races (no ticket)
+* Better logging for Matrix push key errors ([#384](https://github.com/binwiederhier/ntfy/pull/384), thanks to [@christophehenry](https://github.com/christophehenry))
+* Web: Switched "Pop" and "Pop Swoosh" sounds ([#352](https://github.com/binwiederhier/ntfy/issues/352), thanks to [@coma-toast](https://github.com/coma-toast) for reporting)
+
+**Documentation:**
+
+* Added [integrations + projects page](https://ntfy.sh/docs/integrations/) (**so many integrations, whoa!**)
+* Added example for [UptimeRobot](https://ntfy.sh/docs/examples/#uptimerobot)
+* Fix some PowerShell publish docs ([#345](https://github.com/binwiederhier/ntfy/pull/345), thanks to [@noahpeltier](https://github.com/noahpeltier))
+* Clarified Docker install instructions ([#361](https://github.com/binwiederhier/ntfy/issues/361), thanks to [@barart](https://github.com/barart) for reporting)
+* Mismatched quotation marks ([#392](https://github.com/binwiederhier/ntfy/pull/392)], thanks to [@connorlanigan](https://github.com/connorlanigan))
+
+**Additional translations:**
+
+* Ukranian (thanks to [@v.kopitsa](https://hosted.weblate.org/user/v.kopitsa/))
+* Polish (thanks to [@Namax0r](https://hosted.weblate.org/user/Namax0r/))
+
+## ntfy server v1.27.2
+Released June 23, 2022
+
+This release brings two new CLI options to wait for a command to finish, or for a PID to exit. It also adds more detail
+to trace debug output. Aside from other bugs, it fixes a performance issue that occurred in large installations every 
+minute or so, due to competing stats gathering (personal installations will likely be unaffected by this). 
+
+**Features:**
+
+* Add `cache-startup-queries` option to allow custom [SQLite performance tuning](config.md#wal-for-message-cache) (no ticket)
+* ntfy CLI can now [wait for a command or PID](subscribe/cli.md#wait-for-pidcommand) before publishing ([#263](https://github.com/binwiederhier/ntfy/issues/263), thanks to the [original ntfy](https://github.com/dschep/ntfy) for the idea)
+* Trace: Log entire HTTP request to simplify debugging (no ticket)
+* Allow setting user password via `NTFY_PASSWORD` env variable ([#327](https://github.com/binwiederhier/ntfy/pull/327), thanks to [@Kenix3](https://github.com/Kenix3))
+
+**Bug fixes:**
+
+* Fix slow requests due to excessive locking ([#338](https://github.com/binwiederhier/ntfy/issues/338))
+* Return HTTP 500 for `GET /_matrix/push/v1/notify` when `base-url` is not configured (no ticket)
+* Disallow setting `upstream-base-url` to the same value as `base-url` ([#334](https://github.com/binwiederhier/ntfy/issues/334), thanks to [@oester](https://github.com/oester) for reporting)
+* Fix `since=<id>` implementation for multiple topics ([#336](https://github.com/binwiederhier/ntfy/issues/336), thanks to [@karmanyaahm](https://github.com/karmanyaahm) for reporting)
+* Simple parsing in `Actions` header now supports settings Android `intent=` key ([#341](https://github.com/binwiederhier/ntfy/pull/341), thanks to [@wunter8](https://github.com/wunter8))
+
+**Deprecations:**
+
+* The `ntfy publish --env-topic` option is deprecated as of now (see [deprecations](deprecations.md) for details)
+
+## ntfy server v1.26.0
+Released June 16, 2022
+
+This release adds a Matrix Push Gateway directly into ntfy, to make self-hosting a Matrix server easier. The Windows
+CLI is now available via Scoop, and ntfy is now natively supported in Uptime Kuma. 
+
+**Features:**
+
+* ntfy now is a [Matrix Push Gateway](https://spec.matrix.org/v1.2/push-gateway-api/) (in combination with [UnifiedPush](https://unifiedpush.org) as the [Provider Push Protocol](https://unifiedpush.org/developers/gateway/), [#319](https://github.com/binwiederhier/ntfy/issues/319)/[#326](https://github.com/binwiederhier/ntfy/pull/326), thanks to [@MayeulC](https://github.com/MayeulC) for reporting)
+* Windows CLI is now available via [Scoop](https://scoop.sh) ([ScoopInstaller#3594](https://github.com/ScoopInstaller/Main/pull/3594), [#311](https://github.com/binwiederhier/ntfy/pull/311), [#269](https://github.com/binwiederhier/ntfy/issues/269), thanks to [@kzshantonu](https://github.com/kzshantonu))
+* [Uptime Kuma](https://github.com/louislam/uptime-kuma) now allows publishing to ntfy ([uptime-kuma#1674](https://github.com/louislam/uptime-kuma/pull/1674), thanks to [@philippdormann](https://github.com/philippdormann))
+* Display ntfy version in `ntfy serve` command  ([#314](https://github.com/binwiederhier/ntfy/issues/314), thanks to [@poblabs](https://github.com/poblabs))
+
+**Bug fixes:**
+
+* Web app: Show "notifications not supported" alert on HTTP ([#323](https://github.com/binwiederhier/ntfy/issues/323), thanks to [@milksteakjellybeans](https://github.com/milksteakjellybeans) for reporting)
+* Use last address in `X-Forwarded-For` header as visitor address ([#328](https://github.com/binwiederhier/ntfy/issues/328))
+
+**Documentation**
+
+* Added [example](examples.md) for [Uptime Kuma](https://github.com/louislam/uptime-kuma) integration ([#315](https://github.com/binwiederhier/ntfy/pull/315), thanks to [@philippdormann](https://github.com/philippdormann))
+* Fix Docker install instructions  ([#320](https://github.com/binwiederhier/ntfy/issues/320), thanks to [@milksteakjellybeans](https://github.com/milksteakjellybeans) for reporting)
+* Add clarifying comments to base-url ([#322](https://github.com/binwiederhier/ntfy/issues/322), thanks to [@milksteakjellybeans](https://github.com/milksteakjellybeans) for reporting)
+* Update FAQ for iOS app ([#321](https://github.com/binwiederhier/ntfy/issues/321), thanks to [@milksteakjellybeans](https://github.com/milksteakjellybeans) for reporting)
+
+## ntfy iOS app v1.2
+Released June 16, 2022
+
+This release adds support for authentication/authorization for self-hosted servers. It also allows you to
+set your server as the default server for new topics.
+
+**Features:**
+
+* Support for auth and user management ([#277](https://github.com/binwiederhier/ntfy/issues/277))
+* Ability to add default server ([#295](https://github.com/binwiederhier/ntfy/issues/295))
+
+**Bug fixes:**
+
+* Add validation for selfhosted server URL ([#290](https://github.com/binwiederhier/ntfy/issues/290))
+
+## ntfy server v1.25.2
+Released June 2, 2022
+
+This release adds the ability to set a log level to facilitate easier debugging of live systems. It also solves a 
+production problem with a few over-users that resulted in Firebase quota problems (only applying to the over-users). 
+We now block visitors from using Firebase if they trigger a quota exceeded response.
+
+On top of that, we updated the Firebase SDK and are now building the release in GitHub Actions. We've also got two
+more translations: Chinese/Simplified and Dutch.
+
+**Features:**
+
+* Advanced logging, with different log levels and hot reloading of the log level ([#284](https://github.com/binwiederhier/ntfy/pull/284))
+
+**Bugs**:
+
+* Respect Firebase "quota exceeded" response for topics, block Firebase publishing for user for 10min ([#289](https://github.com/binwiederhier/ntfy/issues/289))
+* Fix documentation header blue header due to mkdocs-material theme update (no ticket) 
+
+**Maintenance:**
+
+* Upgrade Firebase Admin SDK to 4.x ([#274](https://github.com/binwiederhier/ntfy/issues/274))
+* CI: Build from pipeline instead of locally ([#36](https://github.com/binwiederhier/ntfy/issues/36))
+
+**Documentation**:
+
+* ⚠️ [Privacy policy](privacy.md) updated to reflect additional debug/tracing feature (no ticket)
+* [Examples](examples.md) for [Home Assistant](https://www.home-assistant.io/) ([#282](https://github.com/binwiederhier/ntfy/pull/282), thanks to [@poblabs](https://github.com/poblabs))
+* Install instructions for [NixOS/Nix](https://ntfy.sh/docs/install/#nixos-nix) ([#282](https://github.com/binwiederhier/ntfy/pull/282), thanks to [@arjan-s](https://github.com/arjan-s))
+* Clarify `poll_request` wording for [iOS push notifications](https://ntfy.sh/docs/config/#ios-instant-notifications) ([#300](https://github.com/binwiederhier/ntfy/issues/300), thanks to [@prabirshrestha](https://github.com/prabirshrestha) for reporting)
+* Example for using ntfy with docker-compose.yml without root privileges ([#304](https://github.com/binwiederhier/ntfy/pull/304), thanks to [@ksurl](https://github.com/ksurl))
+
+**Additional translations:**
+
+* Chinese/Simplified (thanks to [@yufei.im](https://hosted.weblate.org/user/yufei.im/))
+* Dutch (thanks to [@SchoNie](https://hosted.weblate.org/user/SchoNie/))
+
+## ntfy iOS app v1.1
+Released May 31, 2022
+
+In this release of the iOS app, we add message priorities (mapped to iOS interruption levels), tags and emojis,
+action buttons to open websites or perform HTTP requests (in the notification and the detail view), a custom click
+action when the notification is tapped, and various other fixes.
+
+It also adds support for self-hosted servers (albeit not supporting auth yet). The self-hosted server needs to be
+configured to forward poll requests to upstream ntfy.sh for push notifications to work (see [iOS push notifications](https://ntfy.sh/docs/config/#ios-instant-notifications)
+for details).
+
+**Features:**
+
+* [Message priority](https://ntfy.sh/docs/publish/#message-priority) support (no ticket)
+* [Tags/emojis](https://ntfy.sh/docs/publish/#tags-emojis) support (no ticket)
+* [Action buttons](https://ntfy.sh/docs/publish/#action-buttons) support (no ticket)
+* [Click action](https://ntfy.sh/docs/publish/#click-action) support (no ticket)
+* Open topic when notification clicked (no ticket)
+* Notification now makes a sound and vibrates (no ticket)
+* Cancel notifications when navigating to topic (no ticket)
+* iOS 14.0 support (no ticket, [PR#1](https://github.com/binwiederhier/ntfy-ios/pull/1), thanks to [@callum-99](https://github.com/callum-99))
+
+**Bug fixes:**
+
+* iOS UI not always updating properly ([#267](https://github.com/binwiederhier/ntfy/issues/267))
+
+## ntfy server v1.24.0
+Released May 28, 2022
+
+This release of the ntfy server brings supporting features for the ntfy iOS app. Most importantly, it
+enables support for self-hosted servers in combination with the iOS app. This is to overcome the restrictive
+Apple development environment.
+
+**Features:**
+
+* Regularly send Firebase keepalive messages to ~poll topic to support self-hosted servers (no ticket)
+* Add subscribe filter to query exact messages by ID (no ticket)
+* Support for `poll_request` messages to support [iOS push notifications](https://ntfy.sh/docs/config/#ios-instant-notifications) for self-hosted servers (no ticket)
+
+**Bug fixes:**
+
+* Support emails without `Content-Type` ([#265](https://github.com/binwiederhier/ntfy/issues/265), thanks to [@dmbonsall](https://github.com/dmbonsall))
+
+**Additional translations:**
+
+* Italian (thanks to [@Genio2003](https://hosted.weblate.org/user/Genio2003/))
+
+## ntfy iOS app v1.0
+Released May 25, 2022
+
+This is the first version of the ntfy iOS app. It supports only ntfy.sh (no selfhosted servers) and only messages + title
+(no priority, tags, attachments, ...). I'll rapidly add (hopefully) most of the other ntfy features, and then I'll focus
+on self-hosted servers.
+
+The app is now available in the [App Store](https://apps.apple.com/us/app/ntfy/id1625396347).
+
+**Tickets:**
+
+* iOS app ([#4](https://github.com/binwiederhier/ntfy/issues/4), see also: [TestFlight summary](https://github.com/binwiederhier/ntfy/issues/4#issuecomment-1133767150))
+
+**Thanks:**
+
+* Thank you to all the testers who tried out the app. You guys gave me the confidence that it's ready to release (albeit with
+  some known issues which will be addressed in follow-up releases).
+
+## ntfy server v1.23.0
+Released May 21, 2022
+
+This release ships a CLI for Windows and macOS, as well as the ability to disable the web app entirely. On top of that, 
+it adds support for APNs, the iOS messaging service. This is needed for the (soon to be released) iOS app.
+
+**Features:**
+
+* [Windows](https://ntfy.sh/docs/install/#windows) and [macOS](https://ntfy.sh/docs/install/#macos) builds for the [ntfy CLI](https://ntfy.sh/docs/subscribe/cli/) ([#112](https://github.com/binwiederhier/ntfy/issues/112))
+* Ability to disable the web app entirely ([#238](https://github.com/binwiederhier/ntfy/issues/238)/[#249](https://github.com/binwiederhier/ntfy/pull/249), thanks to [@Curid](https://github.com/Curid))
+* Add APNs config to Firebase messages to support [iOS app](https://github.com/binwiederhier/ntfy/issues/4) ([#247](https://github.com/binwiederhier/ntfy/pull/247), thanks to [@Copephobia](https://github.com/Copephobia))
+
+**Bug fixes:**
+
+* Support underscores in server.yml config options ([#255](https://github.com/binwiederhier/ntfy/issues/255), thanks to [@ajdelgado](https://github.com/ajdelgado))
+* Force MAKEFLAGS to --jobs=1 in `Makefile` ([#257](https://github.com/binwiederhier/ntfy/pull/257), thanks to [@oddlama](https://github.com/oddlama))
+
+**Documentation:**
+
+* Typo in install instructions ([#252](https://github.com/binwiederhier/ntfy/pull/252)/[#251](https://github.com/binwiederhier/ntfy/issues/251), thanks to [@oddlama](https://github.com/oddlama))
+* Fix typo in private server example ([#262](https://github.com/binwiederhier/ntfy/pull/262), thanks to [@MayeulC](https://github.com/MayeulC))
+* [Examples](examples.md) for [jellyseerr](https://github.com/Fallenbagel/jellyseerr)/[overseerr](https://overseerr.dev/) ([#264](https://github.com/binwiederhier/ntfy/pull/264), thanks to [@Fallenbagel](https://github.com/Fallenbagel))
+
+**Additional translations:**
+
+* Portuguese/Brazil (thanks to [@tiagotriques](https://hosted.weblate.org/user/tiagotriques/) and [@pireshenrique22](https://hosted.weblate.org/user/pireshenrique22/))
+
+Thank you to the many translators, who helped translate the new strings so quickly. I am humbled and amazed by your help.  
+
+## ntfy Android app v1.13.0
+Released May 11, 2022
+
+This release brings a slightly altered design for the detail view, featuring a card layout to make notifications more easily
+distinguishable from one another. It also ships per-topic settings that allow overriding minimum priority, auto delete threshold
+and custom icons. Aside from that, we've got tons of bug fixes as usual.
+
+**Features:**
+
+* Per-subscription settings, custom subscription icons ([#155](https://github.com/binwiederhier/ntfy/issues/155), thanks to [@mztiq](https://github.com/mztiq) for reporting)
+* Cards in notification detail view ([#175](https://github.com/binwiederhier/ntfy/issues/175), thanks to [@cmeis](https://github.com/cmeis) for reporting)
+
+**Bug fixes:**
+
+* Accurate naming of "mute notifications" from "pause notifications" ([#224](https://github.com/binwiederhier/ntfy/issues/224), thanks to [@shadow00](https://github.com/shadow00) for reporting)
+* Make messages with links selectable ([#226](https://github.com/binwiederhier/ntfy/issues/226), thanks to [@StoyanDimitrov](https://github.com/StoyanDimitrov) for reporting)
+* Restoring topics or settings from backup doesn't work ([#223](https://github.com/binwiederhier/ntfy/issues/223), thanks to [@shadow00](https://github.com/shadow00) for reporting)
+* Fix app icon on old Android versions ([#128](https://github.com/binwiederhier/ntfy/issues/128), thanks to [@shadow00](https://github.com/shadow00) for reporting)
+* Fix races in UnifiedPush registration ([#230](https://github.com/binwiederhier/ntfy/issues/230), thanks to @Jakob for reporting)
+* Prevent view action from crashing the app ([#233](https://github.com/binwiederhier/ntfy/issues/233))
+* Prevent long topic names and icons from overlapping ([#240](https://github.com/binwiederhier/ntfy/issues/240), thanks to [@cmeis](https://github.com/cmeis) for reporting)
+
+**Additional translations:**
+
+* Dutch (*incomplete*, thanks to [@diony](https://hosted.weblate.org/user/diony/))
+
+**Thank you:**
+
+Thanks to [@cmeis](https://github.com/cmeis), [@StoyanDimitrov](https://github.com/StoyanDimitrov), [@Fallenbagel](https://github.com/Fallenbagel) for testing, and
+to [@Joeharrison94](https://github.com/Joeharrison94) for the input. And thank you very much to all the translators for catching up so quickly.
+
+## ntfy server v1.22.0
+Released May 7, 2022
+
+This release makes the web app more accessible to people with disabilities, and introduces a "mark as read" icon in the web app.
+It also fixes a curious bug with WebSockets and Apache and makes the notification sounds in the web app a little quieter.
+
+We've also improved the documentation a little and added translations for three more languages.
+
+**Features:**
+
+* Make web app more accessible ([#217](https://github.com/binwiederhier/ntfy/issues/217))
+* Better parsing of the user actions, allowing quotes (no ticket)
+* Add "mark as read" icon button to notification ([#243](https://github.com/binwiederhier/ntfy/pull/243), thanks to [@wunter8](https://github.com/wunter8))
+
+**Bug fixes:**
+
+* `Upgrade` header check is now case in-sensitive ([#228](https://github.com/binwiederhier/ntfy/issues/228), thanks to [@wunter8](https://github.com/wunter8) for finding it)
+* Made web app sounds quieter ([#222](https://github.com/binwiederhier/ntfy/issues/222))
+* Add "private browsing"-specific error message for Firefox/Safari ([#208](https://github.com/binwiederhier/ntfy/issues/208), thanks to [@julianfoad](https://github.com/julianfoad) for reporting)
+
+**Documentation:**
+
+* Improved caddy configuration (no ticket, thanks to @Stnby)
+* Additional multi-line examples on the [publish page](https://ntfy.sh/docs/publish/) ([#234](https://github.com/binwiederhier/ntfy/pull/234), thanks to [@aTable](https://github.com/aTable))
+* Fixed PowerShell auth example to use UTF-8 ([#242](https://github.com/binwiederhier/ntfy/pull/242), thanks to [@SMAW](https://github.com/SMAW))
+
+**Additional translations:**
+
+* Czech (thanks to [@waclaw66](https://hosted.weblate.org/user/waclaw66/))
+* French (thanks to [@nathanaelhoun](https://hosted.weblate.org/user/nathanaelhoun/))
+* Hungarian (thanks to [@agocsdaniel](https://hosted.weblate.org/user/agocsdaniel/))
+
+**Thanks for testing:**
+
+Thanks to [@wunter8](https://github.com/wunter8) for testing.
+
+## ntfy Android app v1.12.0
+Released Apr 25, 2022
+
+The main feature in this Android release is [Action Buttons](https://ntfy.sh/docs/publish/#action-buttons), a feature
+that allows users to add actions to the notifications. Actions can be to view a website or app, send a broadcast, or
+send a HTTP request. 
+
+We also added support for [ntfy:// deep links](https://ntfy.sh/docs/subscribe/phone/#ntfy-links), added three more 
+languages and fixed a ton of bugs. 
+
+**Features:**
+
+* Custom notification [action buttons](https://ntfy.sh/docs/publish/#action-buttons) ([#134](https://github.com/binwiederhier/ntfy/issues/134),
+  thanks to [@mrherman](https://github.com/mrherman) for reporting)
+* Support for [ntfy:// deep links](https://ntfy.sh/docs/subscribe/phone/#ntfy-links) ([#20](https://github.com/binwiederhier/ntfy/issues/20), thanks
+  to [@Copephobia](https://github.com/Copephobia) for reporting)
+* [Fastlane metadata](https://hosted.weblate.org/projects/ntfy/android-fastlane/) can now be translated too ([#198](https://github.com/binwiederhier/ntfy/issues/198),
+  thanks to [@StoyanDimitrov](https://github.com/StoyanDimitrov) for reporting)
+* Channel settings option to configure DND override, sounds, etc. ([#91](https://github.com/binwiederhier/ntfy/issues/91))
+
+**Bug fixes:**
+
+* Validate URLs when changing default server and server in user management ([#193](https://github.com/binwiederhier/ntfy/issues/193),
+  thanks to [@StoyanDimitrov](https://github.com/StoyanDimitrov) for reporting)
+* Error in sending test notification in different languages ([#209](https://github.com/binwiederhier/ntfy/issues/209),
+  thanks to [@StoyanDimitrov](https://github.com/StoyanDimitrov) for reporting)
+* "[x] Instant delivery in doze mode" checkbox does not work properly ([#211](https://github.com/binwiederhier/ntfy/issues/211))
+* Disallow "http" GET/HEAD actions with body ([#221](https://github.com/binwiederhier/ntfy/issues/221), thanks to
+  [@cmeis](https://github.com/cmeis) for reporting)
+* Action "view" with "clear=true" does not work on some phones ([#220](https://github.com/binwiederhier/ntfy/issues/220), thanks to
+  [@cmeis](https://github.com/cmeis) for reporting)
+* Do not group foreground service notification with others ([#219](https://github.com/binwiederhier/ntfy/issues/219), thanks to
+  [@s-h-a-r-d](https://github.com/s-h-a-r-d) for reporting)
+
+**Additional translations:**
+
+* Czech (thanks to [@waclaw66](https://hosted.weblate.org/user/waclaw66/))
+* French (thanks to [@nathanaelhoun](https://hosted.weblate.org/user/nathanaelhoun/))
+* Japanese (thanks to [@shak](https://hosted.weblate.org/user/shak/))
+* Russian (thanks to [@flamey](https://hosted.weblate.org/user/flamey/) and [@ilya.mikheev.coder](https://hosted.weblate.org/user/ilya.mikheev.coder/))
+
+**Thanks for testing:**
+
+Thanks to [@s-h-a-r-d](https://github.com/s-h-a-r-d) (aka @Shard), [@cmeis](https://github.com/cmeis),
+@poblabs, and everyone I forgot for testing.
+
+## ntfy server v1.21.2
+Released Apr 24, 2022
+
+In this release, the web app got translation support and was translated into 9 languages already 🇧🇬 🇩🇪 🇺🇸 🌎. 
+It also re-adds support for ARMv6, and adds server-side support for Action Buttons. [Action Buttons](https://ntfy.sh/docs/publish/#action-buttons)
+is a feature that will be released in the Android app soon. It allows users to add actions to the notifications. 
+Limited support is available in the web app.
+
+**Features:**
+
+* Custom notification [action buttons](https://ntfy.sh/docs/publish/#action-buttons) ([#134](https://github.com/binwiederhier/ntfy/issues/134),
+  thanks to [@mrherman](https://github.com/mrherman) for reporting)
+* Added ARMv6 build ([#200](https://github.com/binwiederhier/ntfy/issues/200), thanks to [@jcrubioa](https://github.com/jcrubioa) for reporting)
+* Web app internationalization support 🇧🇬 🇩🇪 🇺🇸 🌎 ([#189](https://github.com/binwiederhier/ntfy/issues/189))
+
+**Bug fixes:**
+
+* Web app: English language strings fixes, additional descriptions for settings ([#203](https://github.com/binwiederhier/ntfy/issues/203), thanks to [@StoyanDimitrov](https://github.com/StoyanDimitrov))
+* Web app: Show error message snackbar when sending test notification fails ([#205](https://github.com/binwiederhier/ntfy/issues/205), thanks to [@cmeis](https://github.com/cmeis))
+* Web app: basic URL validation in user management ([#204](https://github.com/binwiederhier/ntfy/issues/204), thanks to [@cmeis](https://github.com/cmeis))
+* Disallow "http" GET/HEAD actions with body ([#221](https://github.com/binwiederhier/ntfy/issues/221), thanks to
+  [@cmeis](https://github.com/cmeis) for reporting)
+
+**Translations (web app):**
+
+* Bulgarian (thanks to [@StoyanDimitrov](https://github.com/StoyanDimitrov))
+* German (thanks to [@cmeis](https://github.com/cmeis))
+* Indonesian (thanks to [@linerly](https://hosted.weblate.org/user/linerly/))
+* Japanese (thanks to [@shak](https://hosted.weblate.org/user/shak/))
+* Norwegian Bokmål (thanks to [@comradekingu](https://github.com/comradekingu))
+* Russian (thanks to [@flamey](https://hosted.weblate.org/user/flamey/) and [@ilya.mikheev.coder](https://hosted.weblate.org/user/ilya.mikheev.coder/))
+* Spanish (thanks to [@rogeliodh](https://github.com/rogeliodh))
+* Turkish (thanks to [@ersen](https://ersen.moe/))
+
+**Integrations:**
+
+[Apprise](https://github.com/caronc/apprise) support was fully released in [v0.9.8.2](https://github.com/caronc/apprise/releases/tag/v0.9.8.2)
+of Apprise. Thanks to [@particledecay](https://github.com/particledecay) and [@caronc](https://github.com/caronc) for their fantastic work. 
+You can try it yourself like this (detailed usage in the [Apprise wiki](https://github.com/caronc/apprise/wiki/Notify_ntfy)):
+
+```
+pip3 install apprise
+apprise -b "Hi there" ntfys://mytopic
+```
+
+## ntfy Android app v1.11.0
+Released Apr 7, 2022
+
+**Features:**
+
+* Download attachments to cache folder ([#181](https://github.com/binwiederhier/ntfy/issues/181))
+* Regularly delete attachments for deleted notifications ([#142](https://github.com/binwiederhier/ntfy/issues/142))
+* Translations to different languages ([#188](https://github.com/binwiederhier/ntfy/issues/188), thanks to
+  [@StoyanDimitrov](https://github.com/StoyanDimitrov) for initiating things)
+
+**Bug fixes:**
+
+* IllegalStateException: Failed to build unique file ([#177](https://github.com/binwiederhier/ntfy/issues/177), thanks to [@Fallenbagel](https://github.com/Fallenbagel) for reporting)
+* SQLiteConstraintException: Crash during UP registration ([#185](https://github.com/binwiederhier/ntfy/issues/185))
+* Refresh preferences screen after settings import (#183, thanks to [@cmeis](https://github.com/cmeis) for reporting)
+* Add priority strings to strings.xml to make it translatable (#192, thanks to [@StoyanDimitrov](https://github.com/StoyanDimitrov))
+
+**Translations:**
+
+* English language improvements (thanks to [@comradekingu](https://github.com/comradekingu))
+* Bulgarian (thanks to [@StoyanDimitrov](https://github.com/StoyanDimitrov))
+* Chinese/Simplified (thanks to [@poi](https://hosted.weblate.org/user/poi) and [@PeterCxy](https://hosted.weblate.org/user/PeterCxy))
+* Dutch (*incomplete*, thanks to [@diony](https://hosted.weblate.org/user/diony))
+* French (thanks to [@Kusoneko](https://kusoneko.moe/) and [@mlcsthor](https://hosted.weblate.org/user/mlcsthor/))
+* German (thanks to [@cmeis](https://github.com/cmeis))
+* Italian (thanks to [@theTranslator](https://hosted.weblate.org/user/theTranslator/))
+* Indonesian (thanks to [@linerly](https://hosted.weblate.org/user/linerly/))
+* Norwegian Bokmål (*incomplete*, thanks to [@comradekingu](https://github.com/comradekingu))
+* Portuguese/Brazil (thanks to [@LW](https://hosted.weblate.org/user/LW/))
+* Spanish (thanks to [@rogeliodh](https://github.com/rogeliodh))
+* Turkish (thanks to [@ersen](https://ersen.moe/))
+
+**Thanks:**
+
+* Many thanks to [@cmeis](https://github.com/cmeis), [@Fallenbagel](https://github.com/Fallenbagel), [@Joeharrison94](https://github.com/Joeharrison94),
+  and [@rogeliodh](https://github.com/rogeliodh) for input on the new attachment logic, and for testing the release
+
+## ntfy server v1.20.0
+Released Apr 6, 2022
+
+**Features:**:
+
+* Added message bar and publish dialog ([#196](https://github.com/binwiederhier/ntfy/issues/196)) 
+
+**Bug fixes:**
+
+* Added `EXPOSE 80/tcp` to Dockerfile to support auto-discovery in [Traefik](https://traefik.io/) ([#195](https://github.com/binwiederhier/ntfy/issues/195), thanks to [@s-h-a-r-d](https://github.com/s-h-a-r-d))
+
+**Documentation:**
+
+* Added docker-compose example to [install instructions](install.md#docker) ([#194](https://github.com/binwiederhier/ntfy/pull/194), thanks to [@s-h-a-r-d](https://github.com/s-h-a-r-d))
+
+**Integrations:**
+
+* [Apprise](https://github.com/caronc/apprise) has added integration into ntfy ([#99](https://github.com/binwiederhier/ntfy/issues/99), [apprise#524](https://github.com/caronc/apprise/pull/524),
+  thanks to [@particledecay](https://github.com/particledecay) and [@caronc](https://github.com/caronc) for their fantastic work)
+
+## ntfy server v1.19.0
+Released Mar 30, 2022
+
+**Bug fixes:**
+
+* Do not pack binary with `upx` for armv7/arm64 due to `illegal instruction` errors ([#191](https://github.com/binwiederhier/ntfy/issues/191), thanks to [@iexos](https://github.com/iexos))
+* Do not allow comma in topic name in publish via GET endpoint (no ticket)
+* Add "Access-Control-Allow-Origin: *" for attachments (no ticket, thanks to @FrameXX)
+* Make pruning run again in web app ([#186](https://github.com/binwiederhier/ntfy/issues/186))
+* Added missing params `delay` and `email` to publish as JSON body (no ticket)
+
+**Documentation:**
+
+* Improved [e-mail publishing](config.md#e-mail-publishing) documentation
+
+## ntfy server v1.18.1
+Released Mar 21, 2022   
+_This release ships no features or bug fixes. It's merely a documentation update._
+
+**Documentation:**
+
+* Overhaul of [developer documentation](https://ntfy.sh/docs/develop/)
+* PowerShell examples for [publish documentation](https://ntfy.sh/docs/publish/) ([#138](https://github.com/binwiederhier/ntfy/issues/138), thanks to [@Joeharrison94](https://github.com/Joeharrison94))
+* Additional examples for [NodeRED, Gatus, Sonarr, Radarr, ...](https://ntfy.sh/docs/examples/) (thanks to [@nickexyz](https://github.com/nickexyz))
+* Fixes in developer instructions (thanks to [@Fallenbagel](https://github.com/Fallenbagel) for reporting)
+
+## ntfy Android app v1.10.0
+Released Mar 21, 2022
+
+**Features:**
+
+* Support for UnifiedPush 2.0 specification (bytes messages, [#130](https://github.com/binwiederhier/ntfy/issues/130))
+* Export/import settings and subscriptions ([#115](https://github.com/binwiederhier/ntfy/issues/115), thanks [@cmeis](https://github.com/cmeis) for reporting)
+* Open "Click" link when tapping notification ([#110](https://github.com/binwiederhier/ntfy/issues/110), thanks [@cmeis](https://github.com/cmeis) for reporting)
+* JSON stream deprecation banner ([#164](https://github.com/binwiederhier/ntfy/issues/164))
+
+**Bug fixes:**
+
+* Display locale-specific times, with AM/PM or 24h format ([#140](https://github.com/binwiederhier/ntfy/issues/140), thanks [@hl2guide](https://github.com/hl2guide) for reporting)
+
+## ntfy server v1.18.0
+Released Mar 16, 2022
+
+**Features:**
+
+* [Publish messages as JSON](https://ntfy.sh/docs/publish/#publish-as-json) ([#133](https://github.com/binwiederhier/ntfy/issues/133), 
+  thanks [@cmeis](https://github.com/cmeis) for reporting, thanks to [@Joeharrison94](https://github.com/Joeharrison94) and 
+  [@Fallenbagel](https://github.com/Fallenbagel) for testing)
+
+**Bug fixes:**
+
+* rpm: do not overwrite server.yaml on package upgrade ([#166](https://github.com/binwiederhier/ntfy/issues/166), thanks [@waclaw66](https://github.com/waclaw66) for reporting)
+* Typo in [ntfy.sh/announcements](https://ntfy.sh/announcements) topic ([#170](https://github.com/binwiederhier/ntfy/pull/170), thanks to [@sandebert](https://github.com/sandebert))
+* Readme image URL fixes ([#156](https://github.com/binwiederhier/ntfy/pull/156), thanks to [@ChaseCares](https://github.com/ChaseCares))
+
+**Deprecations:**
+
+* Removed the ability to run server as `ntfy` (as opposed to `ntfy serve`) as per [deprecation](deprecations.md)
+
+## ntfy server v1.17.1
+Released Mar 12, 2022
+
+**Bug fixes:**
+
+* Replace `crypto.subtle` with `hashCode` to errors with Brave/FF-Windows (#157, thanks for reporting @arminus)
+
+## ntfy server v1.17.0
+Released Mar 11, 2022
+
+**Features & bug fixes:**
+
+* Replace [web app](https://ntfy.sh/app) with a React/MUI-based web app from the 21st century (#111)
+* Web UI broken with auth (#132, thanks for reporting @arminus)
+* Send static web resources as `Content-Encoding: gzip`, i.e. docs and web app (no ticket)
+* Add support for auth via `?auth=...` query param, used by WebSocket in web app (no ticket) 
+
+## ntfy server v1.16.0
+Released Feb 27, 2022
+
+**Features & Bug fixes:**
+
+* Add [auth support](https://ntfy.sh/docs/subscribe/cli/#authentication) for subscribing with CLI (#147/#148, thanks @lrabane)
+* Add support for [?since=<id>](https://ntfy.sh/docs/subscribe/api/#fetch-cached-messages) (#151, thanks for reporting @nachotp)
+
+**Documentation:**
+
+* Add [watchtower/shoutrr examples](https://ntfy.sh/docs/examples/#watchtower-notifications-shoutrrr) (#150, thanks @rogeliodh)
+* Add [release notes](https://ntfy.sh/docs/releases/)
+
+**Technical notes:**
+
+* As of this release, message IDs will be 12 characters long (as opposed to 10 characters). This is to be able to 
+  distinguish them from Unix timestamps for #151.
+
+## ntfy Android app v1.9.1
+Released Feb 16, 2022
+
+**Features:**
+
+* Share to topic feature (#131, thanks u/emptymatrix for reporting)
+* Ability to pick a default server (#127, thanks to @poblabs for reporting and testing)
+* Automatically delete notifications (#71, thanks @arjan-s for reporting)
+* Dark theme: Improvements around style and contrast (#119, thanks @kzshantonu for reporting)
+
+**Bug fixes:**
+
+* Do not attempt to download attachments if they are already expired (#135)
+* Fixed crash in AddFragment as seen per stack trace in Play Console (no ticket)
+
+**Other thanks:**
+
+* Thanks to @rogeliodh, @cmeis and @poblabs for testing
+
+## ntfy server v1.15.0
+Released Feb 14, 2022
+
+**Features & bug fixes:**
+
+* Compress binaries with `upx` (#137)
+* Add `visitor-request-limit-exempt-hosts` to exempt friendly hosts from rate limits (#144)
+* Double default requests per second limit from 1 per 10s to 1 per 5s (no ticket)
+* Convert `\n` to new line for `X-Message` header as prep for sharing feature (see #136)
+* Reduce bcrypt cost to 10 to make auth timing more reasonable on slow servers (no ticket)
+* Docs update to include [public test topics](https://ntfy.sh/docs/publish/#public-topics) (no ticket)
+
+## ntfy server v1.14.1
+Released Feb 9, 2022
+
+**Bug fixes:**
+
+* Fix ARMv8 Docker build (#113, thanks to @djmaze)
+* No other significant changes
+
+## ntfy Android app v1.8.1
+Released Feb 6, 2022
+
+**Features:**
+
+* Support [auth / access control](https://ntfy.sh/docs/config/#access-control) (#19, thanks to @cmeis, @drsprite/@poblabs, 
+  @gedw99, @karmanyaahm, @Mek101, @gc-ss, @julianfoad, @nmoseman, Jakob, PeterCxy, Techlosopher)
+* Export/upload log now allows censored/uncensored logs (no ticket)
+* Removed wake lock (except for notification dispatching, no ticket)
+* Swipe to remove notifications (#117)
+
+**Bug fixes:**
+
+* Fix download issues on SDK 29 "Movement not allowed" (#116, thanks Jakob)
+* Fix for Android 12 crashes (#124, thanks @eskilop)
+* Fix WebSocket retry logic bug with multiple servers (no ticket)
+* Fix race in refresh logic leading to duplicate connections (no ticket)
+* Fix scrolling issue in subscribe to topic dialog (#131, thanks @arminus)
+* Fix base URL text field color in dark mode, and size with large fonts (no ticket)
+* Fix action bar color in dark mode (make black, no ticket)
+
+**Notes:**
+
+* Foundational work for per-subscription settings
+
+## ntfy server v1.14.0
+Released Feb 3, 2022
+
+**Features**:
+
+* Server-side for [authentication & authorization](https://ntfy.sh/docs/config/#access-control) (#19, thanks for testing @cmeis, and for input from @gedw99, @karmanyaahm, @Mek101, @gc-ss, @julianfoad, @nmoseman, Jakob, PeterCxy, Techlosopher)
+* Support `NTFY_TOPIC` env variable in `ntfy publish` (#103)
+
+**Bug fixes**:
+
+* Binary UnifiedPush messages should not be converted to attachments (part 1, #101)
+
+**Docs**:
+
+* Clarification regarding attachments (#118, thanks @xnumad)
+
+## ntfy Android app v1.7.1
+Released Jan 21, 2022
+
+**New features:**
+
+* Battery improvements: wakelock disabled by default (#76)
+* Dark mode: Allow changing app appearance (#102)
+* Report logs: Copy/export logs to help troubleshooting (#94)
+* WebSockets (experimental): Use WebSockets to subscribe to topics (#96, #100, #97)
+* Show battery optimization banner (#105)
+
+**Bug fixes:**
+
+* (Partial) support for binary UnifiedPush messages (#101)
+
+**Notes:**
+
+* The foreground wakelock is now disabled by default
+* The service restarter is now scheduled every 3h instead of every 6h
+
+## ntfy server v1.13.0
+Released Jan 16, 2022
+
+**Features:**
+
+* [Websockets](https://ntfy.sh/docs/subscribe/api/#websockets) endpoint
+* Listen on Unix socket, see [config option](https://ntfy.sh/docs/config/#config-options) `listen-unix`
+
+## ntfy Android app v1.6.0
+Released Jan 14, 2022
+
+**New features:**
+
+* Attachments: Send files to the phone (#25, #15)
+* Click action: Add a click action URL to notifications (#85)
+* Battery optimization: Allow disabling persistent wake-lock (#76, thanks @MatMaul)
+* Recognize imported user CA certificate for self-hosted servers (#87, thanks @keith24)
+* Remove mentions of "instant delivery" from F-Droid to make it less confusing (no ticket)
+
+**Bug fixes:**
+
+* Subscription "muted until" was not always respected (#90)
+* Fix two stack traces reported by Play console vitals (no ticket)
+* Truncate FCM messages >4,000 bytes, prefer instant messages (#84)
+
+## ntfy server v1.12.1
+Released Jan 14, 2022
+
+**Bug fixes:**
+
+* Fix security issue with attachment peaking (#93)
+
+## ntfy server v1.12.0
+Released Jan 13, 2022
+
+**Features:**
+
+* [Attachments](https://ntfy.sh/docs/publish/#attachments) (#25, #15)
+* [Click action](https://ntfy.sh/docs/publish/#click-action) (#85)
+* Increase FCM priority for high/max priority messages (#70)
+
+**Bug fixes:**
+
+* Make postinst script work properly for rpm-based systems (#83, thanks @cmeis)
+* Truncate FCM messages longer than 4000 bytes (#84)
+* Fix `listen-https` port (no ticket)
+
+## ntfy Android app v1.5.2
+Released Jan 3, 2022
+
+**New features:**
+
+* Allow using ntfy as UnifiedPush distributor (#9)
+* Support for longer message up to 4096 bytes (#77)
+* Minimum priority: show notifications only if priority X or higher (#79)
+* Allowing disabling broadcasts in global settings (#80)
+
+**Bug fixes:**
+
+* Allow int/long extras for SEND_MESSAGE intent (#57)
+* Various battery improvement fixes (#76)
+
+## ntfy server v1.11.2
+Released Jan 1, 2022
+
+**Features & bug fixes:**
+
+* Increase message limit to 4096 bytes (4k) #77
+* Docs for [UnifiedPush](https://unifiedpush.org) #9
+* Increase keepalive interval to 55s #76
+* Increase Firebase keepalive to 3 hours #76
+
+## ntfy server v1.10.0
+Released Dec 28, 2021
+
+**Features & bug fixes:**
+
+* [Publish messages via e-mail](ntfy.sh/docs/publish/#e-mail-publishing) #66
+* Server-side work to support [unifiedpush.org](https://unifiedpush.org) #64
+* Fixing the Santa bug #65
+
+## Older releases
+For older releases, check out the GitHub releases pages for the [ntfy server](https://github.com/binwiederhier/ntfy/releases)
+and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/releases).
--- a/docs/static/css/extra.css
+++ b/docs/static/css/extra.css
@@ -1,13 +1,21 @@
-:root {
-    --md-primary-fg-color:        #3a9784;
-    --md-primary-fg-color--light: #3a9784;
-    --md-primary-fg-color--dark:  #3a9784;
+:root > * {
+    --md-primary-fg-color:        #338574;
+    --md-primary-fg-color--light: #338574;
+    --md-primary-fg-color--dark:  #338574;
 }

 .md-header__button.md-logo :is(img, svg) {
    width: unset !important;
 }

+header {
+    background: linear-gradient(150deg, rgba(51,133,116,1) 0%, rgba(86,189,168,1) 100%);     filter: drop-shadow(0 5px 10px #ccc);
+}
+
+.md-header__topic:first-child {
+    font-weight: 400;
+}
+
 .md-typeset h4 {
    font-weight: 500 !important;
    margin: 0 !important;
@@ -56,7 +64,8 @@ figure video {
 }

 .screenshots img {
-    height: 230px;
+    max-height: 230px;
+    max-width: 300px;
    margin: 3px;
    border-radius: 5px;
    filter: drop-shadow(2px 2px 2px #ddd);
--- a/docs/static/img/android-screenshot-icon.png
+++ b/docs/static/img/android-screenshot-icon.png
--- a/docs/static/img/android-screenshot-notification-actions.png
+++ b/docs/static/img/android-screenshot-notification-actions.png
--- a/docs/static/img/android-screenshot-notification-details.jpg
+++ b/docs/static/img/android-screenshot-notification-details.jpg
--- a/docs/static/img/android-screenshot-notification-multiline.jpg
+++ b/docs/static/img/android-screenshot-notification-multiline.jpg
--- a/docs/static/img/android-screenshot-notification-settings.png
+++ b/docs/static/img/android-screenshot-notification-settings.png
--- a/docs/static/img/android-screenshot-share-1.jpg
+++ b/docs/static/img/android-screenshot-share-1.jpg
--- a/docs/static/img/android-screenshot-share-2.jpg
+++ b/docs/static/img/android-screenshot-share-2.jpg
--- a/docs/static/img/nodered-message.png
+++ b/docs/static/img/nodered-message.png
--- a/docs/static/img/nodered-picture.png
+++ b/docs/static/img/nodered-picture.png
--- a/docs/static/img/rundeck.png
+++ b/docs/static/img/rundeck.png
--- a/docs/static/img/uptimekuma-ios-down.jpg
+++ b/docs/static/img/uptimekuma-ios-down.jpg
--- a/docs/static/img/uptimekuma-ios-test.jpg
+++ b/docs/static/img/uptimekuma-ios-test.jpg
--- a/docs/static/img/uptimekuma-ios-up.jpg
+++ b/docs/static/img/uptimekuma-ios-up.jpg
--- a/docs/static/img/uptimekuma-settings.png
+++ b/docs/static/img/uptimekuma-settings.png
--- a/docs/static/img/uptimekuma-setup.png
+++ b/docs/static/img/uptimekuma-setup.png
--- a/docs/static/img/uptimerobot-setup.jpg
+++ b/docs/static/img/uptimerobot-setup.jpg
--- a/docs/static/img/uptimerobot-test.jpg
+++ b/docs/static/img/uptimerobot-test.jpg
--- a/docs/static/img/web-detail.png
+++ b/docs/static/img/web-detail.png
--- a/docs/static/img/web-subscribe.png
+++ b/docs/static/img/web-subscribe.png
--- a/docs/static/js/extra.js
+++ b/docs/static/js/extra.js
@@ -1,8 +1,8 @@
 // Link tabs, as per https://facelessuser.github.io/pymdown-extensions/extensions/tabbed/#linked-tabs

-const savedTab = localStorage.getItem('savedTab')
-const tabs = document.querySelectorAll(".tabbed-set > input")
-for (const tab of tabs) {
+const savedCodeTab = localStorage.getItem('savedTab')
+const codeTabs = document.querySelectorAll(".tabbed-set > input")
+for (const tab of codeTabs) {
    tab.addEventListener("click", () => {
        const current = document.querySelector(`label[for=${tab.id}]`)
        const pos = current.getBoundingClientRect().top
@@ -25,7 +25,7 @@ for (const tab of tabs) {
    // Select saved tab
    const current = document.querySelector(`label[for=${tab.id}]`)
    const labelContent = current.innerHTML
-    if (savedTab === labelContent) {
+    if (savedCodeTab === labelContent) {
        tab.checked = true
    }
 }
--- a/docs/subscribe/api.md
+++ b/docs/subscribe/api.md
@@ -87,7 +87,7 @@ recommended way to subscribe to a topic**. The notable exception is JavaScript,
 ### Subscribe as SSE stream
 Using [EventSource](https://developer.mozilla.org/en-US/docs/Web/API/EventSource) in JavaScript, you can consume
 notifications via a [Server-Sent Events (SSE)](https://en.wikipedia.org/wiki/Server-sent_events) stream. It's incredibly 
-easy to use. Here's what it looks like. You may also want to check out the [live example](/example.html).
+easy to use. Here's what it looks like. You may also want to check out the [full example on GitHub](https://github.com/binwiederhier/ntfy/tree/main/examples/web-example-eventsource).

 === "Command line (curl)"
    ```
@@ -247,11 +247,13 @@ curl -s "ntfy.sh/mytopic/json?poll=1"
 ### Fetch cached messages
 Messages may be cached for a couple of hours (see [message caching](../config.md#message-cache)) to account for network
 interruptions of subscribers. If the server has configured message caching, you can read back what you missed by using 
-the `since=` query parameter. It takes either a duration (e.g. `10m` or `30s`), a Unix timestamp (e.g. `1635528757`) 
-or `all` (all cached messages).
+the `since=` query parameter. It takes a duration (e.g. `10m` or `30s`), a Unix timestamp (e.g. `1635528757`),
+a message ID (e.g. `nFS3knfcQ1xe`), or `all` (all cached messages).

 ```
 curl -s "ntfy.sh/mytopic/json?since=10m"
+curl -s "ntfy.sh/mytopic/json?since=1645970742"
+curl -s "ntfy.sh/mytopic/json?since=nFS3knfcQ1xe"
 ```

 ### Fetch scheduled messages
@@ -265,7 +267,7 @@ curl -s "ntfy.sh/mytopic/json?poll=1&sched=1"
 ```

 ### Filter messages
-You can filter which messages are returned based on the well-known message fields `message`, `title`, `priority` and
+You can filter which messages are returned based on the well-known message fields `id`, `message`, `title`, `priority` and
 `tags`. Here's an example that only returns messages of high or urgent priority that contains the both tags 
 "zfs-error" and "error". Note that the `priority` filter is a logical OR and the `tags` filter is a logical AND. 

@@ -278,12 +280,13 @@ $ curl "ntfy.sh/alerts/json?priority=high&tags=zfs-error"

 Available filters (all case-insensitive):

-| Filter variable | Alias                     | Example                            | Description                                                             |
-|-----------------|---------------------------|------------------------------------|-------------------------------------------------------------------------|
-| `message`       | `X-Message`, `m`          | `ntfy.sh/mytopic?message=lalala`   | Only return messages that match this exact message string               |
-| `title`         | `X-Title`, `t`            | `ntfy.sh/mytopic?title=some+title` | Only return messages that match this exact title string                 |
-| `priority`      | `X-Priority`, `prio`, `p` | `ntfy.sh/mytopic?p=high,urgent`    | Only return messages that match *any priority listed* (comma-separated) |
-| `tags`          | `X-Tags`, `tag`, `ta`     | `ntfy.sh/mytopic?tags=error,alert` | Only return messages that match *all listed tags* (comma-separated)     |
+| Filter variable | Alias                     | Example                                       | Description                                                             |
+|-----------------|---------------------------|-----------------------------------------------|-------------------------------------------------------------------------|
+| `id`            | `X-ID`                    | `ntfy.sh/mytopic/json?poll=1&id=pbkiz8SD7ZxG` | Only return messages that match this exact message ID                   |
+| `message`       | `X-Message`, `m`          | `ntfy.sh/mytopic/json?message=lalala`         | Only return messages that match this exact message string               |
+| `title`         | `X-Title`, `t`            | `ntfy.sh/mytopic/json?title=some+title`       | Only return messages that match this exact title string                 |
+| `priority`      | `X-Priority`, `prio`, `p` | `ntfy.sh/mytopic/json?p=high,urgent`          | Only return messages that match *any priority listed* (comma-separated) |
+| `tags`          | `X-Tags`, `tag`, `ta`     | `ntfy.sh/mytopic?/jsontags=error,alert`       | Only return messages that match *all listed tags* (comma-separated)     |

 ### Subscribe to multiple topics
 It's possible to subscribe to multiple topics in one HTTP call by providing a comma-separated list of topics 
@@ -299,13 +302,12 @@ $ curl -s ntfy.sh/mytopic1,mytopic2/json
 ### Authentication
 Depending on whether the server is configured to support [access control](../config.md#access-control), some topics
 may be read/write protected so that only users with the correct credentials can subscribe or publish to them.
-To publish/subscribe to protected topics, you can use [Basic Auth](https://en.wikipedia.org/wiki/Basic_access_authentication)
-with a valid username/password. For your self-hosted server, **be sure to use HTTPS to avoid eavesdropping** and exposing
-your password.
+To publish/subscribe to protected topics, you can:

-```
-curl -u phil:mypass -s "https://ntfy.example.com/mytopic/json"
-```
+* Use [basic auth](../publish.md#basic-auth), e.g. `Authorization: Basic dGVzdHVzZXI6ZmFrZXBhc3N3b3Jk`
+* or use the [`auth` query parameter](../publish.md#query-param), e.g. `?auth=QmFzaWMgZEdWemRIVnpaWEk2Wm1GclpYQmhjM04zYjNKaw`
+
+Please refer to the [publishing documentation](../publish.md#authentication) for additional details.

 ## JSON message format
 Both the [`/json` endpoint](#subscribe-as-json-stream) and the [`/sse` endpoint](#subscribe-as-sse-stream) return a JSON
@@ -313,18 +315,20 @@ format of the message. It's very straight forward:

 **Message**:

-| Field        | Required | Type                                              | Example               | Description                                                                                                                          |
-|--------------|----------|---------------------------------------------------|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------|
-| `id`         | ✔️       | *string*                                          | `hwQ2YpKdmg`          | Randomly chosen message identifier                                                                                                   |
-| `time`       | ✔️       | *number*                                          | `1635528741`          | Message date time, as Unix time stamp                                                                                                |  
-| `event`      | ✔️       | `open`, `keepalive`, `message`, or `poll_request` | `message`             | Message type, typically you'd be only interested in `message`                                                                        |
-| `topic`      | ✔️       | *string*                                          | `topic1,topic2`       | Comma-separated list of topics the message is associated with; only one for all `message` events, but may be a list in `open` events |
-| `message`    | -        | *string*                                          | `Some message`        | Message body; always present in `message` events                                                                                     |
-| `title`      | -        | *string*                                          | `Some title`          | Message [title](../publish.md#message-title); if not set defaults to `ntfy.sh/<topic>`                                               |
-| `tags`       | -        | *string array*                                    | `["tag1","tag2"]`     | List of [tags](../publish.md#tags-emojis) that may or not map to emojis                                                              |
-| `priority`   | -        | *1, 2, 3, 4, or 5*                                | `4`                   | Message [priority](../publish.md#message-priority) with 1=min, 3=default and 5=max                                                   |
-| `click`      | -        | *URL*                                             | `https://example.com` | Website opened when notification is [clicked](../publish.md#click-action)                                                            |
-| `attachment` | -        | *JSON object*                                     | *see below*           | Details about an attachment (name, URL, size, ...)                                                                                   |
+| Field        | Required | Type                                              | Example                                               | Description                                                                                                                          |
+|--------------|----------|---------------------------------------------------|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|
+| `id`         | ✔️       | *string*                                          | `hwQ2YpKdmg`                                          | Randomly chosen message identifier                                                                                                   |
+| `time`       | ✔️       | *number*                                          | `1635528741`                                          | Message date time, as Unix time stamp                                                                                                |  
+| `expires`    | ✔️       | *number*                                          | `1673542291`                                          | Unix time stamp indicating when the message will be deleted                                                                          |  
+| `event`      | ✔️       | `open`, `keepalive`, `message`, or `poll_request` | `message`                                             | Message type, typically you'd be only interested in `message`                                                                        |
+| `topic`      | ✔️       | *string*                                          | `topic1,topic2`                                       | Comma-separated list of topics the message is associated with; only one for all `message` events, but may be a list in `open` events |
+| `message`    | -        | *string*                                          | `Some message`                                        | Message body; always present in `message` events                                                                                     |
+| `title`      | -        | *string*                                          | `Some title`                                          | Message [title](../publish.md#message-title); if not set defaults to `ntfy.sh/<topic>`                                               |
+| `tags`       | -        | *string array*                                    | `["tag1","tag2"]`                                     | List of [tags](../publish.md#tags-emojis) that may or not map to emojis                                                              |
+| `priority`   | -        | *1, 2, 3, 4, or 5*                                | `4`                                                   | Message [priority](../publish.md#message-priority) with 1=min, 3=default and 5=max                                                   |
+| `click`      | -        | *URL*                                             | `https://example.com`                                 | Website opened when notification is [clicked](../publish.md#click-action)                                                            |
+| `actions`    | -        | *JSON array*                                      | *see [actions buttons](../publish.md#action-buttons)* | [Action buttons](../publish.md#action-buttons) that can be displayed in the notification                                             |
+| `attachment` | -        | *JSON object*                                     | *see below*                                           | Details about an attachment (name, URL, size, ...)                                                                                   |

 **Attachment** (part of the message, see [attachments](../publish.md#attachments) for details):

@@ -343,6 +347,7 @@ Here's an example for each message type:
    {
        "id": "sPs71M8A2T",
        "time": 1643935928,
+        "expires": 1643936928,
        "event": "message",
        "topic": "mytopic",
        "priority": 5,
@@ -369,6 +374,7 @@ Here's an example for each message type:
    {
        "id": "wze9zgqK41",
        "time": 1638542110,
+        "expires": 1638543112,
        "event": "message",
        "topic": "phil_alerts",
        "message": "Remote access to phils-laptop detected. Act right away."
@@ -395,7 +401,6 @@ Here's an example for each message type:
    }
    ```    

-
 === "Poll request message"
    ``` json
    {
@@ -413,7 +418,9 @@ and can be passed as **HTTP headers** or **query parameters in the URL**. They a
 | Parameter   | Aliases (case-insensitive) | Description                                                                     |
 |-------------|----------------------------|---------------------------------------------------------------------------------|
 | `poll`      | `X-Poll`, `po`             | Return cached messages and close connection                                     |
+| `since`     | `X-Since`, `si`            | Return cached messages since timestamp, duration or message ID                  |
 | `scheduled` | `X-Scheduled`, `sched`     | Include scheduled/delayed messages in message list                              |
+| `id`        | `X-ID`                     | Filter: Only return messages that match this exact message ID                   |
 | `message`   | `X-Message`, `m`           | Filter: Only return messages that match this exact message string               |
 | `title`     | `X-Title`, `t`             | Filter: Only return messages that match this exact title string                 |
 | `priority`  | `X-Priority`, `prio`, `p`  | Filter: Only return messages that match *any priority listed* (comma-separated) |
--- a/docs/subscribe/cli.md
+++ b/docs/subscribe/cli.md
@@ -56,6 +56,71 @@ quick ones:
    ntfy pub mywebhook
    ```

+### Attaching a local file
+You can easily upload and attach a local file to a notification:
+
+```
+$ ntfy pub --file README.md mytopic | jq .
+{
+  "id": "meIlClVLABJQ",
+  "time": 1655825460,
+  "event": "message",
+  "topic": "mytopic",
+  "message": "You received a file: README.md",
+  "attachment": {
+    "name": "README.md",
+    "type": "text/plain; charset=utf-8",
+    "size": 2892,
+    "expires": 1655836260,
+    "url": "https://ntfy.sh/file/meIlClVLABJQ.txt"
+  }
+}
+```
+
+### Wait for PID/command
+If you have a long-running command and want to **publish a notification when the command completes**, 
+you may wrap it with `ntfy publish --wait-cmd` (aliases: `--cmd`, `--done`). Or, if you forgot to wrap it, and the
+command is already running, you can wait for the process to complete with `ntfy publish --wait-pid` (alias: `--pid`).
+
+Run a command and wait for it to complete (here: `rsync ...`):
+
+```
+$ ntfy pub --wait-cmd mytopic rsync -av ./ root@example.com:/backups/ | jq .
+{
+  "id": "Re0rWXZQM8WB",
+  "time": 1655825624,
+  "event": "message",
+  "topic": "mytopic",
+  "message": "Command succeeded after 56.553s: rsync -av ./ root@example.com:/backups/"
+}
+```
+
+Or, if you already started the long-running process and want to wait for it using its process ID (PID), you can do this:
+
+=== "Using a PID directly"
+    ```
+    $ ntfy pub --wait-pid 8458 mytopic | jq .
+    {
+      "id": "orM6hJKNYkWb",
+      "time": 1655825827,
+      "event": "message",
+      "topic": "mytopic",
+      "message": "Process with PID 8458 exited after 2.003s"
+    }
+    ```
+
+=== "Using a `pidof`"
+    ```
+    $ ntfy pub --wait-pid $(pidof rsync) mytopic | jq .
+    {
+      "id": "orM6hJKNYkWb",
+      "time": 1655825827,
+      "event": "message",
+      "topic": "mytopic",
+      "message": "Process with PID 8458 exited after 2.003s"
+    }
+    ```
+
 ## Subscribe to topics
 You can subscribe to topics using `ntfy subscribe`. Depending on how it is called, this command
 will either print or execute a command for every arriving message. There are a few different ways 
@@ -123,7 +188,7 @@ which will read the `subscribe` config from the config file. Please also check o

 Here's an example config file that subscribes to three different topics, executing a different command for each of them:

-=== "~/.config/ntfy/client.yml"
+=== "~/.config/ntfy/client.yml (Linux)"
    ```yaml
    subscribe:
    - topic: echo-this
@@ -145,12 +210,42 @@ Here's an example config file that subscribes to three different topics, executi
            fi
    ```

+
+=== "~/Library/Application Support/ntfy/client.yml (macOS)"
+    ```yaml
+    subscribe:
+      - topic: echo-this
+        command: 'echo "Message received: $message"'
+      - topic: alerts
+        command: osascript -e "display notification \"$message\""
+        if:
+          priority: high,urgent
+      - topic: calc
+        command: open -a Calculator
+    ```
+
+=== "%AppData%\ntfy\client.yml (Windows)"
+    ```yaml
+    subscribe:
+    - topic: echo-this
+      command: 'echo Message received: %message%'
+    - topic: alerts
+      command: |
+        notifu /m "%NTFY_MESSAGE%"
+        exit 0
+      if:
+        priority: high,urgent
+    - topic: calc
+      command: calc
+    ```
+
 In this example, when `ntfy subscribe --from-config` is executed:

 * Messages to `echo-this` simply echos to standard out
-* Messages to `alerts` display as desktop notification for high priority messages using [notify-send](https://manpages.ubuntu.com/manpages/focal/man1/notify-send.1.html)
-* Messages to `calc` open the gnome calculator 😀 (*because, why not*)
-* Messages to `print-temp` execute an inline script and print the CPU temperature
+* Messages to `alerts` display as desktop notification for high priority messages using [notify-send](https://manpages.ubuntu.com/manpages/focal/man1/notify-send.1.html) (Linux), 
+  [notifu](https://www.paralint.com/projects/notifu/) (Windows) or `osascript` (macOS) 
+* Messages to `calc` open the calculator 😀 (*because, why not*)
+* Messages to `print-temp` execute an inline script and print the CPU temperature (Linux version only)

 I hope this shows how powerful this command is. Here's a short video that demonstrates the above example:

@@ -159,6 +254,14 @@ I hope this shows how powerful this command is. Here's a short video that demons
  <figcaption>Execute all the things</figcaption>
 </figure>

+If most (or all) of your subscription usernames, passwords, and commands are the same, you can specify a `default-user`, `default-password`, and `default-command` at the top of the
+`client.yml`. If a subscription does not specify a username/password to use or does not have a command, the defaults will be used, otherwise, the subscription settings will
+override the defaults.
+
+!!! warning
+    Because the `default-user` and `default-password` will be sent for each topic that does not have its own username/password (even if the topic does not require authentication),
+    be sure that the servers/topics you subscribe to use HTTPS to prevent leaking the username and password.
+
 ### Using the systemd service
 You can use the `ntfy-client` systemd service (see [ntfy-client.service](https://github.com/binwiederhier/ntfy/blob/main/client/ntfy-client.service))
 to subscribe to multiple topics just like in the example above. The service is automatically installed (but not started)
@@ -196,3 +299,27 @@ EOF
 sudo systemctl daemon-reload
 sudo systemctl restart ntfy-client
 ```
+
+
+### Authentication
+Depending on whether the server is configured to support [access control](../config.md#access-control), some topics
+may be read/write protected so that only users with the correct credentials can subscribe or publish to them.
+To publish/subscribe to protected topics, you can use [Basic Auth](https://en.wikipedia.org/wiki/Basic_access_authentication)
+with a valid username/password. For your self-hosted server, **be sure to use HTTPS to avoid eavesdropping** and exposing
+your password. 
+
+You can either add your username and password to the configuration file:
+=== "~/.config/ntfy/client.yml"
+	```yaml
+	 - topic: secret
+	   command: 'notify-send "$m"'
+	   user: phill
+	   password: mypass
+	```
+
+Or with the `ntfy subscibe` command:
+```
+ntfy subscribe \
+  -u phil:mypass \
+  ntfy.example.com/mysecrets
+```
--- a/docs/subscribe/phone.md
+++ b/docs/subscribe/phone.md
@@ -1,14 +1,16 @@
 # Subscribe from your phone
-You can use the [ntfy Android App](https://play.google.com/store/apps/details?id=io.heckel.ntfy) to receive 
-notifications directly on your phone. Just like the server, this app is also [open source](https://github.com/binwiederhier/ntfy-android).
-Since I don't have an iPhone or a Mac, I didn't make an iOS app yet. I'd be awesome if [someone else could help out](https://github.com/binwiederhier/ntfy/issues/4).
+You can use the ntfy [Android App](https://play.google.com/store/apps/details?id=io.heckel.ntfy) or [iOS app](https://apps.apple.com/us/app/ntfy/id1625396347)
+to receive notifications directly on your phone. Just like the server, this app is also open source, and the code is available
+on GitHub ([Android](https://github.com/binwiederhier/ntfy-android), [iOS](https://github.com/binwiederhier/ntfy-ios)). Feel free to 
+contribute, or [build your own](../develop.md).

 <a href="https://play.google.com/store/apps/details?id=io.heckel.ntfy"><img src="../../static/img/badge-googleplay.png"></a>
 <a href="https://f-droid.org/en/packages/io.heckel.ntfy/"><img src="../../static/img/badge-fdroid.png"></a>
+<a href="https://apps.apple.com/us/app/ntfy/id1625396347"><img src="../../static/img/badge-appstore.png"></a>

 You can get the Android app from both [Google Play](https://play.google.com/store/apps/details?id=io.heckel.ntfy) and 
 from [F-Droid](https://f-droid.org/en/packages/io.heckel.ntfy/). Both are largely identical, with the one exception that
-the F-Droid flavor does not use Firebase.
+the F-Droid flavor does not use Firebase. The iOS app can be downloaded from the [App Store](https://apps.apple.com/us/app/ntfy/id1625396347).

 ## Overview
 A picture is worth a thousand words. Here are a few screenshots showing what the app looks like. It's all pretty
@@ -31,7 +33,9 @@ If those screenshots are still not enough, here's a video:
 </figure>

 ## Message priority
-When you [publish messages](../publish.md#message-priority) to a topic, you can define a priority. This priority defines
+_Supported on:_ :material-android: :material-apple:
+
+When you [publish messages](../publish.md#message-priority) to a topic, you can **define a priority**. This priority defines
 how urgently Android will notify you about the notification, and whether they make a sound and/or vibrate.

 By default, messages with default priority or higher (>= 3) will vibrate and make a sound. Messages with high or urgent
@@ -42,15 +46,25 @@ priority (>= 4) will also show as pop-over, like so:
  <figcaption>High and urgent notifications show as pop-over</figcaption>
 </figure>

-You can change these settings in Android by long-pressing on the app, and tapping "Notifications". You can then configure
-the settings (and custom sounds or vibration) for each of the priorities:
+You can change these settings in Android by long-pressing on the app, and tapping "Notifications", or from the "Settings"
+menu under "Channel settings". There is one notification channel for each priority:

 <figure markdown>
-  ![notification settings](../static/img/android-notification-settings.png){ width=500 }
+  ![notification settings](../static/img/android-screenshot-notification-settings.png){ width=500 }
+  <figcaption>Per-priority channels</figcaption>
+</figure>
+
+Per notification channel, you can configure a **channel-specific sound**, whether to **override the Do Not Disturb (DND)**
+setting, and other settings such as popover or notification dot:
+
+<figure markdown>
+  ![channel details](../static/img/android-screenshot-notification-details.jpg){ width=500 }
  <figcaption>Per-priority sound/vibration settings</figcaption>
 </figure>

 ## Instant delivery
+_Supported on:_ :material-android:
+
 Instant delivery allows you to receive messages on your phone instantly, **even when your phone is in doze mode**, i.e. 
 when the screen turns off, and you leave it on the desk for a while. This is achieved with a foreground service, which 
 you'll see as a permanent notification that looks like this:
@@ -80,9 +94,43 @@ notifications. Firebase is overall pretty bad at delivering messages in time, bu
 The ntfy Android app uses Firebase only for the main host `ntfy.sh`, and only in the Google Play flavor of the app.
 It won't use Firebase for any self-hosted servers, and not at all in the the F-Droid flavor.

+## Share to topic
+_Supported on:_ :material-android:
+
+You can share files to a topic using Android's "Share" feature. This works in almost any app that supports sharing files
+or text, and it's useful for sending yourself links, files or other things. The feature remembers a few of the last topics
+you shared content to and lists them at the bottom.
+
+The feature is pretty self-explanatory, and one picture says more than a thousand words. So here are two pictures:
+
+<div id="share-to-topic-screenshots" class="screenshots">
+    <a href="../../static/img/android-screenshot-share-1.jpg"><img src="../../static/img/android-screenshot-share-1.jpg"/></a>
+    <a href="../../static/img/android-screenshot-share-2.jpg"><img src="../../static/img/android-screenshot-share-2.jpg"/></a>
+</div>
+
+## ntfy:// links
+_Supported on:_ :material-android:
+
+The ntfy Android app supports deep linking directly to topics. This is useful when integrating with [automation apps](#automation-apps)
+such as [MacroDroid](https://play.google.com/store/apps/details?id=com.arlosoft.macrodroid) or [Tasker](https://play.google.com/store/apps/details?id=net.dinglisch.android.taskerm),
+or to simply directly link to a topic from a mobile website. 
+
+!!! info
+    Android deep linking of http/https links is very brittle and limited, which is why something like `https://<host>/<topic>/subscribe` is 
+    **not possible**, and instead `ntfy://` links have to be used. More details in [issue #20](https://github.com/binwiederhier/ntfy/issues/20).
+
+**Supported link formats:**
+
+| Link format                                                                   | Example                                   | Description                                                                                                                                                                                         |
+|-------------------------------------------------------------------------------|-------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <span style="white-space: nowrap">`ntfy://<host>/<topic>`</span>              | `ntfy://ntfy.sh/mytopic`                  | Directly opens the Android app detail view for the given topic and server. Subscribes to the topic if not already subscribed. This is equivalent to the web view `https://ntfy.sh/mytopic` (HTTPS!) |
+| <span style="white-space: nowrap">`ntfy://<host>/<topic>?secure=false`</span> | `ntfy://example.com/mytopic?secure=false` | Same as above, except that this will use HTTP instead of HTTPS as topic URL. This is equivalent to the web view `http://example.com/mytopic` (HTTP!)                                                |
+
 ## Integrations

 ### UnifiedPush
+_Supported on:_ :material-android:
+
 [UnifiedPush](https://unifiedpush.org) is a standard for receiving push notifications without using the Google-owned
 [Firebase Cloud Messaging (FCM)](https://firebase.google.com/docs/cloud-messaging) service. It puts push notifications 
 in the control of the user. ntfy can act as a **UnifiedPush distributor**, forwarding messages to apps that support it. 
@@ -98,6 +146,8 @@ to handle messages. Here's an example with [FluffyChat](https://fluffychat.im/):
 </div>

 ### Automation apps
+_Supported on:_ :material-android:
+
 The ntfy Android app integrates nicely with automation apps such as [MacroDroid](https://play.google.com/store/apps/details?id=com.arlosoft.macrodroid)
 or [Tasker](https://play.google.com/store/apps/details?id=net.dinglisch.android.taskerm). Using Android intents, you can
 **react to incoming messages**, as well as **send messages**.
@@ -130,19 +180,27 @@ notification popups:

 Here's a list of extras you can access. Most likely, you'll want to filter for `topic` and react on `message`:

-| Extra name | Type | Example | Description |
-|---|---|---|---|
-| `id` | *string* | `bP8dMjO8ig` | Randomly chosen message identifier (likely not very useful for task automation) |
-| `base_url` | *string* | `https://ntfy.sh` | Root URL of the ntfy server this message came from |
-| `topic` ❤️ | *string* | `mytopic` | Topic name; **you'll likely want to filter for a specific topic** |
-| `muted` | *bool* | `true` | Indicates whether the subscription was muted in the app |
-| `muted_str` | *string (`true` or `false`)* | `true` | Same as `muted`, but as string `true` or `false` |
-| `time` | *int* | `1635528741` | Message date time, as Unix time stamp |
-| `title` | *string* | `Some title` | Message [title](../publish.md#message-title); may be empty if not set |
-| `message` ❤️ | *string* | `Some message` | Message body; **this is likely what you're interested in** |
-| `tags` | *string* | `tag1,tag2,..` | Comma-separated list of [tags](../publish.md#tags-emojis) |
-| `tags_map` | *string* | `0=tag1,1=tag2,..` | Map of tags to make it easier to map first, second, ... tag |
-| `priority` | *int (between 1-5)* | `4` | Message [priority](../publish.md#message-priority) with 1=min, 3=default and 5=max |
+| Extra name           | Type                         | Example                                  | Description                                                                        |
+|----------------------|------------------------------|------------------------------------------|------------------------------------------------------------------------------------|
+| `id`                 | *String*                     | `bP8dMjO8ig`                             | Randomly chosen message identifier (likely not very useful for task automation)    |
+| `base_url`           | *String*                     | `https://ntfy.sh`                        | Root URL of the ntfy server this message came from                                 |
+| `topic` ❤️           | *String*                     | `mytopic`                                | Topic name; **you'll likely want to filter for a specific topic**                  |
+| `muted`              | *Boolean*                    | `true`                                   | Indicates whether the subscription was muted in the app                            |
+| `muted_str`          | *String (`true` or `false`)* | `true`                                   | Same as `muted`, but as string `true` or `false`                                   |
+| `time`               | *Int*                        | `1635528741`                             | Message date time, as Unix time stamp                                              |
+| `title`              | *String*                     | `Some title`                             | Message [title](../publish.md#message-title); may be empty if not set              |
+| `message` ❤️         | *String*                     | `Some message`                           | Message body; **this is likely what you're interested in**                         |
+| `message_bytes`      | *ByteArray*                  | `(binary data)`                          | Message body as binary data                                                        |
+| `encoding`️          | *String*                     | -                                        | Message encoding (empty or "base64")                                               |
+| `tags`               | *String*                     | `tag1,tag2,..`                           | Comma-separated list of [tags](../publish.md#tags-emojis)                          |
+| `tags_map`           | *String*                     | `0=tag1,1=tag2,..`                       | Map of tags to make it easier to map first, second, ... tag                        |
+| `priority`           | *Int (between 1-5)*          | `4`                                      | Message [priority](../publish.md#message-priority) with 1=min, 3=default and 5=max |
+| `click`              | *String*                     | `https://google.com`                     | [Click action](../publish.md#click-action) URL, or empty if not set                |
+| `attachment_name`    | *String*                     | `attachment.jpg`                         | Filename of the attachment; may be empty if not set                                |
+| `attachment_type`    | *String*                     | `image/jpeg`                             | Mime type of the attachment; may be empty if not set                               |
+| `attachment_size`    | *Long*                       | `9923111`                                | Size in bytes of the attachment; may be zero if not set                            |
+| `attachment_expires` | *Long*                       | `1655514244`                             | Expiry date as Unix timestamp of the attachment URL; may be zero if not set        |
+| `attachment_url`     | *String*                     | `https://ntfy.sh/file/afUbjadfl7ErP.jpg` | URL of the attachment; may be empty if not set                                     |

 #### Send messages using intents
 To send messages from other apps (such as [MacroDroid](https://play.google.com/store/apps/details?id=com.arlosoft.macrodroid)
@@ -164,17 +222,11 @@ Here's what that looks like:

 The following intent extras are supported when for the intent with the `io.heckel.ntfy.SEND_MESSAGE` action:

-| Extra name | Required | Type | Example | Description |
-|---|---|---|---|---|
-| `base_url` | - | *string* | `https://ntfy.sh` | Root URL of the ntfy server this message came from, defaults to `https://ntfy.sh` |
-| `topic` ❤️ | ✔ | *string* | `mytopic` | Topic name; **you must set this** |
-| `title` | - | *string* | `Some title` | Message [title](../publish.md#message-title); may be empty if not set |
-| `message` ❤️ | ✔ | *string* | `Some message` | Message body; **you must set this** |
-| `tags` | - | *string* | `tag1,tag2,..` | Comma-separated list of [tags](../publish.md#tags-emojis) |
-| `priority` | - | *string or int (between 1-5)* | `4` | Message [priority](../publish.md#message-priority) with 1=min, 3=default and 5=max |
-
-## iPhone/iOS
-I almost feel devious for putting the *Download on the App Store* button on this page. Currently, there is no iOS app
-for ntfy, but it's in the works. You can track the status on GitHub.
-
-<a href="https://github.com/binwiederhier/ntfy/issues/4"><img src="../../static/img/badge-appstore.png"></a>
+| Extra name   | Required | Type                          | Example           | Description                                                                        |
+|--------------|----------|-------------------------------|-------------------|------------------------------------------------------------------------------------|
+| `base_url`   | -        | *String*                      | `https://ntfy.sh` | Root URL of the ntfy server this message came from, defaults to `https://ntfy.sh`  |
+| `topic` ❤️   | ✔        | *String*                      | `mytopic`         | Topic name; **you must set this**                                                  |
+| `title`      | -        | *String*                      | `Some title`      | Message [title](../publish.md#message-title); may be empty if not set              |
+| `message` ❤️ | ✔        | *String*                      | `Some message`    | Message body; **you must set this**                                                |
+| `tags`       | -        | *String*                      | `tag1,tag2,..`    | Comma-separated list of [tags](../publish.md#tags-emojis)                          |
+| `priority`   | -        | *String or Int (between 1-5)* | `4`               | Message [priority](../publish.md#message-priority) with 1=min, 3=default and 5=max |
--- a/docs/subscribe/web.md
+++ b/docs/subscribe/web.md
@@ -6,9 +6,9 @@ keep a connection open and listen for incoming notifications.
 To learn how to send messages, check out the [publishing page](../publish.md).

 <div id="web-screenshots" class="screenshots">
-    <a href="../../static/img/web-subscribe.png"><img src="../../static/img/web-subscribe.png"/></a>
-    <a href="../../static/img/web-notification.png"><img src="../../static/img/web-notification.png"/></a>
    <a href="../../static/img/web-detail.png"><img src="../../static/img/web-detail.png"/></a> 
+    <a href="../../static/img/web-notification.png"><img src="../../static/img/web-notification.png"/></a>
+    <a href="../../static/img/web-subscribe.png"><img src="../../static/img/web-subscribe.png"/></a>
 </div>

 To keep receiving desktop notifications from ntfy, you need to keep the website open. What I do, and what I highly recommend,
--- a/go.mod
+++ b/go.mod
@@ -1,51 +1,65 @@
 module heckel.io/ntfy

-go 1.17
+go 1.18

 require (
-	cloud.google.com/go/firestore v1.6.1 // indirect
-	cloud.google.com/go/storage v1.19.0 // indirect
-	firebase.google.com/go v3.13.0+incompatible
-	github.com/BurntSushi/toml v1.0.0 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	cloud.google.com/go/firestore v1.9.0 // indirect
+	cloud.google.com/go/storage v1.28.1 // indirect
+	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/emersion/go-smtp v0.15.0
-	github.com/gabriel-vasile/mimetype v1.4.0
-	github.com/gorilla/websocket v1.4.2
-	github.com/mattn/go-sqlite3 v1.14.11
-	github.com/olebedev/when v0.0.0-20211212231525-59bd4edcf9d6
-	github.com/stretchr/testify v1.7.0
-	github.com/urfave/cli/v2 v2.3.0
-	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
-	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
-	google.golang.org/api v0.67.0
+	github.com/gabriel-vasile/mimetype v1.4.1
+	github.com/gorilla/websocket v1.5.0
+	github.com/mattn/go-sqlite3 v1.14.16
+	github.com/olebedev/when v0.0.0-20221205223600-4d190b02b8d8
+	github.com/stretchr/testify v1.8.1
+	github.com/urfave/cli/v2 v2.23.7
+	golang.org/x/crypto v0.4.0
+	golang.org/x/oauth2 v0.3.0 // indirect
+	golang.org/x/sync v0.1.0
+	golang.org/x/term v0.3.0
+	golang.org/x/time v0.3.0
+	google.golang.org/api v0.105.0
 	gopkg.in/yaml.v2 v2.4.0
 )

+require github.com/pkg/errors v0.9.1 // indirect
+
 require (
-	cloud.google.com/go v0.100.2 // indirect
-	cloud.google.com/go/compute v1.2.0 // indirect
-	cloud.google.com/go/iam v0.1.1 // indirect
-	github.com/AlekSi/pointer v1.0.0 // indirect
+	firebase.google.com/go/v4 v4.10.0
+	github.com/stripe/stripe-go/v74 v74.5.0
+)
+
+require (
+	cloud.google.com/go v0.107.0 // indirect
+	cloud.google.com/go/compute v1.14.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/iam v0.9.0 // indirect
+	cloud.google.com/go/longrunning v0.3.0 // indirect
+	github.com/AlekSi/pointer v1.2.0 // indirect
+	github.com/MicahParks/keyfunc v1.9.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emersion/go-sasl v0.0.0-20211008083017-0b9dcfb154ac // indirect
+	github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.3 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.7 // indirect
-	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect
+	github.com/googleapis/gax-go/v2 v2.7.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	go.opencensus.io v0.23.0 // indirect
-	golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d // indirect
-	golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	golang.org/x/net v0.4.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220203182621-f4ae394cde3f // indirect
-	google.golang.org/grpc v1.44.0 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+	google.golang.org/appengine/v2 v2.0.2 // indirect
+	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
+	google.golang.org/grpc v1.51.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,625 +1,190 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
-cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
-cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
-cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
-cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
-cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
-cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
-cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
-cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
-cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
-cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
-cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
-cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
-cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U=
-cloud.google.com/go v0.100.2 h1:t9Iw5QH5v4XtlEQaCtUY7x6sCABps8sW0acw7e2WQ6Y=
-cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
-cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
-cloud.google.com/go/compute v1.2.0 h1:EKki8sSdvDU0OO9mAXGwPXOTOgPz2l08R0/IutDH11I=
-cloud.google.com/go/compute v1.2.0/go.mod h1:xlogom/6gr8RJGBe7nT2eGsQYAFUbbv8dbC29qE3Xmw=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/firestore v1.6.1 h1:8rBq3zRjnHx8UtBvaOWqBB1xq9jH6/wltfQLlTMh2Fw=
-cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY=
-cloud.google.com/go/iam v0.1.1 h1:4CapQyNFjiksks1/x7jsvsygFPhihslYk5GptIrlX68=
-cloud.google.com/go/iam v0.1.1/go.mod h1:CKqrcnI/suGpybEHxZ7BMehL0oA4LpdyJdUlTl9jVMw=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
-cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-cloud.google.com/go/storage v1.19.0 h1:XOQSnPJD8hRtZJ3VdCyK0mBZsGGImrzPAMbSWcHSe6Q=
-cloud.google.com/go/storage v1.19.0/go.mod h1:6rgiTRjOqI/Zd9YKimub5TIB4d+p3LH33V3ZE1DMuUM=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-firebase.google.com/go v3.13.0+incompatible h1:3TdYC3DDi6aHn20qoRkxwGqNgdjtblwVAyRLQwGn/+4=
-firebase.google.com/go v3.13.0+incompatible/go.mod h1:xlah6XbEyW6tbfSklcfe5FHJIwjt8toICdV5Wh9ptHs=
-github.com/AlekSi/pointer v1.0.0 h1:KWCWzsvFxNLcmM5XmiqHsGTTsuwZMsLFwWF9Y+//bNE=
-github.com/AlekSi/pointer v1.0.0/go.mod h1:1kjywbfcPFCmncIxtk6fIEub6LKrfMz3gc5QKVOSOA8=
+cloud.google.com/go v0.107.0 h1:qkj22L7bgkl6vIeZDlOY2po43Mx/TIa2Wsa7VR+PEww=
+cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I=
+cloud.google.com/go/compute v1.14.0 h1:hfm2+FfxVmnRlh6LpB7cg1ZNU+5edAHmW679JePztk0=
+cloud.google.com/go/compute v1.14.0/go.mod h1:YfLtxrj9sU4Yxv+sXzZkyPjEyPBZfXHUvjxega5vAdo=
+cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/firestore v1.9.0 h1:IBlRyxgGySXu5VuW0RgGFlTtLukSnNkpDiEOMkQkmpA=
+cloud.google.com/go/firestore v1.9.0/go.mod h1:HMkjKHNTtRyZNiMzu7YAsLr9K3X2udY2AMwDaMEQiiE=
+cloud.google.com/go/iam v0.9.0 h1:bK6Or6mxhuL8lnj1i9j0yMo2wE/IeTO2cWlfUrf/TZs=
+cloud.google.com/go/iam v0.9.0/go.mod h1:nXAECrMt2qHpF6RZUZseteD6QyanL68reN4OXPw0UWM=
+cloud.google.com/go/longrunning v0.3.0 h1:NjljC+FYPV3uh5/OwWT6pVU+doBqMg2x/rZlE+CamDs=
+cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc=
+cloud.google.com/go/storage v1.28.1 h1:F5QDG5ChchaAVQhINh24U99OWHURqrW8OmQcGKXcbgI=
+cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
+firebase.google.com/go/v4 v4.10.0 h1:dgK/8uwfJbzc5LZK/GyRRfIkZEDObN9q0kgEXsjlXN4=
+firebase.google.com/go/v4 v4.10.0/go.mod h1:m0gLwPY9fxKggizzglgCNWOGnFnVPifLpqZzo5u3e/A=
+github.com/AlekSi/pointer v1.2.0 h1:glcy/gc4h8HnG2Z3ZECSzZ1IX1x2JxRVuDzaJwQE0+w=
+github.com/AlekSi/pointer v1.2.0/go.mod h1:gZGfd3dpW4vEc/UlyfKKi1roIqcCgwOIvb0tSNSBle0=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU=
-github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
+github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID3+o=
+github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.1 h1:r/myEWzV9lfsM1tFLgDyu0atFtJ1fXn261LKYj/3DxU=
-github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
-github.com/emersion/go-sasl v0.0.0-20211008083017-0b9dcfb154ac h1:tn/OQ2PmwQ0XFVgAHfjlLyqMewry25Rz7jWnVoh4Ggs=
-github.com/emersion/go-sasl v0.0.0-20211008083017-0b9dcfb154ac/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead h1:fI1Jck0vUrXT8bnphprS1EoVRe2Q5CKCX8iDlpqjQ/Y=
+github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
 github.com/emersion/go-smtp v0.15.0 h1:3+hMGMGrqP/lqd7qoxZc1hTU8LY8gHV9RFGWlqSDmP8=
 github.com/emersion/go-smtp v0.15.0/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/gabriel-vasile/mimetype v1.4.0 h1:Cn9dkdYsMIu56tGho+fqzh7XmvY2YyGU0FnbhiOsEro=
-github.com/gabriel-vasile/mimetype v1.4.0/go.mod h1:fA8fi6KUiG7MgQQ+mEWotXoEOvmxRtOJlERCzSmRvr8=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/gabriel-vasile/mimetype v1.4.1 h1:TRWk7se+TOjCYgRth7+1/OYLNiRNIotknkFtf/dnN7Q=
+github.com/gabriel-vasile/mimetype v1.4.1/go.mod h1:05Vi0w3Y9c/lNvJOdmIwvrrAhX3rYhfQQCaf9VJcv7M=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
+github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ=
-github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
-github.com/googleapis/gax-go/v2 v2.1.1 h1:dp3bWCh+PPO1zjRRiCSczJav13sBvG4UhNyVTa1KqdU=
-github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/mattn/go-sqlite3 v1.14.11 h1:gt+cp9c0XGqe9S/wAHTL3n/7MqY+siPWgWJgqdsFrzQ=
-github.com/mattn/go-sqlite3 v1.14.11/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/olebedev/when v0.0.0-20211212231525-59bd4edcf9d6 h1:oDSPaYiL2dbjcArLrFS8ANtwgJMyOLzvQCZon+XmFsk=
-github.com/olebedev/when v0.0.0-20211212231525-59bd4edcf9d6/go.mod h1:DPucAeQGDPUzYUt+NaWw6qsF5SFapWWToxEiVDh2aV0=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.2.1 h1:RY7tHKZcRlk788d5WSo/e83gOyyy742E8GSs771ySpg=
+github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
+github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ=
+github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
+github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/olebedev/when v0.0.0-20221205223600-4d190b02b8d8 h1:0uFGkScHef2Xd8g74BMHU1jFcnKEm0PzrPn4CluQ9FI=
+github.com/olebedev/when v0.0.0-20221205223600-4d190b02b8d8/go.mod h1:T0THb4kP9D3NNqlvCwIG4GyUioTAzEhB4RNVzig/43E=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
-github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stripe/stripe-go/v74 v74.5.0 h1:YyqTvVQdS34KYGCfVB87EMn9eDV3FCFkSwfdOQhiVL4=
+github.com/stripe/stripe-go/v74 v74.5.0/go.mod h1:5PoXNp30AJ3tGq57ZcFuaMylzNi8KpwlrYAFmO1fHZw=
+github.com/urfave/cli/v2 v2.23.7 h1:YHDQ46s3VghFHFf1DdF+Sh7H4RqhcM+t0TmZRJx4oJY=
+github.com/urfave/cli/v2 v2.23.7/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
+github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
+github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8=
+golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210505024714-0287a6fb4125/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d h1:LO7XpTYMwTqxjLcGWPijK3vRXg1aWdlNOVOHRq45d7c=
-golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220708220712-1185a9018129/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.3.0 h1:6l90koy8/LaBLmLu8jpHeHexzMwEita0zFfYlggy2F8=
+golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 h1:XDXtA5hveEEV8JB2l7nhMTp3t3cHp9ZpwcdjqyEWLlo=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 h1:GZokNIeuVkl3aZHJchRrr13WCsols02MLUcz1U9is6M=
-golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
-golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
-google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
-google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
-google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
-google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
-google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
-google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
-google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU=
-google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
-google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
-google.golang.org/api v0.64.0/go.mod h1:931CdxA8Rm4t6zqTFGSsgwbAEZ2+GMYurbndwSimebM=
-google.golang.org/api v0.65.0/go.mod h1:ArYhxgGadlWmqO1IqVujw6Cs8IdD33bTmzKo2Sh+cbg=
-google.golang.org/api v0.66.0/go.mod h1:I1dmXYpX7HGwz/ejRxwQp2qj5bFAz93HiCU1C1oYd9M=
-google.golang.org/api v0.67.0 h1:lYaaLa+x3VVUhtosaK9xihwQ9H9KRa557REHwwZ2orM=
-google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
+golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
+golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+google.golang.org/api v0.105.0 h1:t6P9Jj+6XTn4U9I2wycQai6Q/Kz7iOT+QzjJ3G2V4x8=
+google.golang.org/api v0.105.0/go.mod h1:qh7eD5FJks5+BcE+cjBIm6Gz8vioK7EHvnlniqXBnqI=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine/v2 v2.0.2 h1:MSqyWy2shDLwG7chbwBJ5uMyw6SNqJzhJHNDwYB0Akk=
+google.golang.org/appengine/v2 v2.0.2/go.mod h1:PkgRUWz4o1XOvbqtWTkBtCitEJ5Tp4HoVEdMMYQR/8E=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
-google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
-google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211223182754-3ac035c7e7cb/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220111164026-67b88f271998/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220114231437-d2e6a121cae0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220118154757-00ab72f36ad5/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220201184016-50beb8ab5c44/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220203182621-f4ae394cde3f h1:w9Sx4FBkwsN0jMZz8E42tMdmhZ5b2Z/vFx2LKAxxI9o=
-google.golang.org/genproto v0.0.0-20220203182621-f4ae394cde3f/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef h1:uQ2vjV/sHTsWSqdKeLqmwitzgvjMl7o4IdtHwUDXSJY=
+google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
-google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.44.0 h1:weqSxi/TMs1SqFRMHCtBgXRs8k3X39QIDEZ0pRcttUg=
-google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
+google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
+google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -628,29 +193,17 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
--- a/log/log.go
+++ b/log/log.go
@@ -0,0 +1,129 @@
+package log
+
+import (
+	"log"
+	"strings"
+	"sync"
+)
+
+// Level is a well-known log level, as defined below
+type Level int
+
+// Well known log levels
+const (
+	TraceLevel Level = iota
+	DebugLevel
+	InfoLevel
+	WarnLevel
+	ErrorLevel
+)
+
+func (l Level) String() string {
+	switch l {
+	case TraceLevel:
+		return "TRACE"
+	case DebugLevel:
+		return "DEBUG"
+	case InfoLevel:
+		return "INFO"
+	case WarnLevel:
+		return "WARN"
+	case ErrorLevel:
+		return "ERROR"
+	}
+	return "unknown"
+}
+
+var (
+	level = InfoLevel
+	mu    = &sync.Mutex{}
+)
+
+// Trace prints the given message, if the current log level is TRACE
+func Trace(message string, v ...any) {
+	logIf(TraceLevel, message, v...)
+}
+
+// Debug prints the given message, if the current log level is DEBUG or lower
+func Debug(message string, v ...any) {
+	logIf(DebugLevel, message, v...)
+}
+
+// Info prints the given message, if the current log level is INFO or lower
+func Info(message string, v ...any) {
+	logIf(InfoLevel, message, v...)
+}
+
+// Warn prints the given message, if the current log level is WARN or lower
+func Warn(message string, v ...any) {
+	logIf(WarnLevel, message, v...)
+}
+
+// Error prints the given message, if the current log level is ERROR or lower
+func Error(message string, v ...any) {
+	logIf(ErrorLevel, message, v...)
+}
+
+// Fatal prints the given message, and exits the program
+func Fatal(v ...any) {
+	log.Fatalln(v...)
+}
+
+// CurrentLevel returns the current log level
+func CurrentLevel() Level {
+	mu.Lock()
+	defer mu.Unlock()
+	return level
+}
+
+// SetLevel sets a new log level
+func SetLevel(newLevel Level) {
+	mu.Lock()
+	defer mu.Unlock()
+	level = newLevel
+}
+
+// DisableDates disables the date/time prefix
+func DisableDates() {
+	log.SetFlags(0)
+}
+
+// ToLevel converts a string to a Level. It returns InfoLevel if the string
+// does not match any known log levels.
+func ToLevel(s string) Level {
+	switch strings.ToUpper(s) {
+	case "TRACE":
+		return TraceLevel
+	case "DEBUG":
+		return DebugLevel
+	case "INFO":
+		return InfoLevel
+	case "WARN", "WARNING":
+		return WarnLevel
+	case "ERROR":
+		return ErrorLevel
+	default:
+		return InfoLevel
+	}
+}
+
+// Loggable returns true if the given log level is lower or equal to the current log level
+func Loggable(l Level) bool {
+	return CurrentLevel() <= l
+}
+
+// IsTrace returns true if the current log level is TraceLevel
+func IsTrace() bool {
+	return Loggable(TraceLevel)
+}
+
+// IsDebug returns true if the current log level is DebugLevel or below
+func IsDebug() bool {
+	return Loggable(DebugLevel)
+}
+
+func logIf(l Level, message string, v ...any) {
+	if CurrentLevel() <= l {
+		log.Printf(l.String()+" "+message, v...)
+	}
+}
--- a/main.go
+++ b/main.go
@@ -19,10 +19,11 @@ func main() {
 Try 'ntfy COMMAND --help' or https://ntfy.sh/docs/ for more information.

 To report a bug, open an issue on GitHub: https://github.com/binwiederhier/ntfy/issues.
-If you want to chat, simply join the Discord server: https://discord.gg/cT7ECsZj9w.
+If you want to chat, simply join the Discord server (https://discord.gg/cT7ECsZj9w), or
+the Matrix room (https://matrix.to/#/#ntfy:matrix.org).

 ntfy %s (%s), runtime %s, built at %s
-Copyright (C) 2021 Philipp C. Heckel, licensed under Apache License 2.0 & GPLv2
+Copyright (C) 2022 Philipp C. Heckel, licensed under Apache License 2.0 & GPLv2
 `, version, commit[:7], runtime.Version(), date)

 	app := cmd.New()
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -61,6 +61,9 @@ markdown_extensions:
      custom_checkbox: true
  - attr_list
  - md_in_html
+  - pymdownx.emoji:
+      emoji_index: !!python/name:materialx.emoji.twemoji
+      emoji_generator: !!python/name:materialx.emoji.to_svg

 plugins:
  - search
@@ -82,7 +85,10 @@ nav:
 - "Other things":
  - "FAQs": faq.md
  - "Examples": examples.md
+  - "Integrations + projects": integrations.md
+  - "Release notes": releases.md
  - "Emojis 🥳 🎉": emojis.md
+  - "Known issues": known-issues.md
  - "Deprecation notices": deprecations.md
  - "Development": develop.md
  - "Privacy policy": privacy.md
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,9 +1,3 @@
 # The documentation uses 'mkdocs', which is written in Python
-
-# See https://github.com/squidfunk/mkdocs-material/issues/2030
-jinja2>=2.11.1
-
-# mkdocs
-mkdocs
 mkdocs-material
 mkdocs-minify-plugin
--- a/scripts/emoji-convert.sh
+++ b/scripts/emoji-convert.sh
@@ -10,7 +10,7 @@ if [ -z "$1" ]; then
    echo "Syntax: $0 FILE.(js|json|md)"
    echo "Example:"
    echo "  $0 emoji-converted.json"
-    echo "  $0 $ROOTDIR/server/static/js/emoji.js"
+    echo "  $0 $ROOTDIR/web/src/app/emojis.js"
    echo "  $0 $ROOTDIR/docs/emojis.md"
    exit 1
 fi
@@ -18,8 +18,8 @@ fi
 if [[ "$1" == *.js ]]; then
  echo -n "// This file is generated by scripts/emoji-convert.sh to reduce the size
 // Original data source: https://github.com/github/gemoji/blob/master/db/emoji.json
-const rawEmojis = " > "$1"
-    cat "$SCRIPTDIR/emoji.json" | jq -rc 'map({emoji: .emoji,aliases: .aliases})' >> "$1"
+export const rawEmojis = " > "$1"
+    cat "$SCRIPTDIR/emoji.json" | jq -rc 'map({emoji: .emoji, aliases: .aliases, tags: .tags, category: .category, description: .description, unicode_version: .unicode_version})' >> "$1"
 elif [[ "$1" == *.md ]]; then
  echo "# Emoji reference

--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@@ -7,8 +7,9 @@ set -e
 if [ "$1" = "configure" ] || [ "$1" -ge 1 ]; then
  if [ -d /run/systemd/system ]; then
    # Create ntfy user/group
-    id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
-    chown ntfy.ntfy /var/cache/ntfy /var/cache/ntfy/attachments /var/lib/ntfy
+    groupadd -f ntfy
+    id ntfy >/dev/null 2>&1 || useradd --system --no-create-home -g ntfy ntfy
+    chown ntfy:ntfy /var/cache/ntfy /var/cache/ntfy/attachments /var/lib/ntfy
    chmod 700 /var/cache/ntfy /var/cache/ntfy/attachments /var/lib/ntfy

    # Hack to change permissions on cache file
@@ -16,7 +17,7 @@ if [ "$1" = "configure" ] || [ "$1" -ge 1 ]; then
    if [ -f "$configfile" ]; then
      cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: ["'"'"']?([^"'"'"']+)["'"'"']?/ && print $1')" # Oh my, see #47
      if [ -n "$cachefile" ]; then
-        chown ntfy.ntfy "$cachefile" || true
+        chown ntfy:ntfy "$cachefile" || true
        chmod 600 "$cachefile" || true
      fi
    fi
--- a/server/actions.go
+++ b/server/actions.go
@@ -0,0 +1,311 @@
+package server
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"heckel.io/ntfy/util"
+	"regexp"
+	"strings"
+	"unicode/utf8"
+)
+
+const (
+	actionIDLength = 10
+	actionEOF      = rune(0)
+	actionsMax     = 3
+)
+
+const (
+	actionView      = "view"
+	actionBroadcast = "broadcast"
+	actionHTTP      = "http"
+)
+
+var (
+	actionsAll      = []string{actionView, actionBroadcast, actionHTTP}
+	actionsWithURL  = []string{actionView, actionHTTP}
+	actionsKeyRegex = regexp.MustCompile(`^([-.\w]+)\s*=\s*`)
+)
+
+type actionParser struct {
+	input string
+	pos   int
+}
+
+// parseActions parses the actions string as described in https://ntfy.sh/docs/publish/#action-buttons.
+// It supports both a JSON representation (if the string begins with "[", see parseActionsFromJSON),
+// and the "simple" format, which is more human-readable, but harder to parse (see parseActionsFromSimple).
+func parseActions(s string) (actions []*action, err error) {
+	// Parse JSON or simple format
+	s = strings.TrimSpace(s)
+	if strings.HasPrefix(s, "[") {
+		actions, err = parseActionsFromJSON(s)
+	} else {
+		actions, err = parseActionsFromSimple(s)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Add ID field, ensure correct uppercase/lowercase
+	for i := range actions {
+		actions[i].ID = util.RandomString(actionIDLength)
+		actions[i].Action = strings.ToLower(actions[i].Action)
+		actions[i].Method = strings.ToUpper(actions[i].Method)
+	}
+
+	// Validate
+	if len(actions) > actionsMax {
+		return nil, fmt.Errorf("only %d actions allowed", actionsMax)
+	}
+	for _, action := range actions {
+		if !util.Contains(actionsAll, action.Action) {
+			return nil, fmt.Errorf("parameter 'action' cannot be '%s', valid values are 'view', 'broadcast' and 'http'", action.Action)
+		} else if action.Label == "" {
+			return nil, fmt.Errorf("parameter 'label' is required")
+		} else if util.Contains(actionsWithURL, action.Action) && action.URL == "" {
+			return nil, fmt.Errorf("parameter 'url' is required for action '%s'", action.Action)
+		} else if action.Action == actionHTTP && util.Contains([]string{"GET", "HEAD"}, action.Method) && action.Body != "" {
+			return nil, fmt.Errorf("parameter 'body' cannot be set if method is %s", action.Method)
+		}
+	}
+
+	return actions, nil
+}
+
+// parseActionsFromJSON converts a JSON array into an array of actions
+func parseActionsFromJSON(s string) ([]*action, error) {
+	actions := make([]*action, 0)
+	if err := json.Unmarshal([]byte(s), &actions); err != nil {
+		return nil, fmt.Errorf("JSON error: %w", err)
+	}
+	return actions, nil
+}
+
+// parseActionsFromSimple parses the "simple" actions string (as described in
+// https://ntfy.sh/docs/publish/#action-buttons), into an array of actions.
+//
+// It can parse an actions string like this:
+//
+//	view, "Look ma, commas and \"quotes\" too", url=https://..; action=broadcast, ...
+//
+// It works by advancing the position ("pos") through the input string ("input").
+//
+// The parser is heavily inspired by https://go.dev/src/text/template/parse/lex.go (which
+// is described by Rob Pike in this video: https://www.youtube.com/watch?v=HxaD_trXwRE),
+// though it does not use state functions at all.
+//
+// Other resources:
+//
+//	https://adampresley.github.io/2015/04/12/writing-a-lexer-and-parser-in-go-part-1.html
+//	https://github.com/adampresley/sample-ini-parser/blob/master/services/lexer/lexer/Lexer.go
+//	https://github.com/benbjohnson/sql-parser/blob/master/scanner.go
+//	https://blog.gopheracademy.com/advent-2014/parsers-lexers/
+func parseActionsFromSimple(s string) ([]*action, error) {
+	if !utf8.ValidString(s) {
+		return nil, errors.New("invalid utf-8 string")
+	}
+	parser := &actionParser{
+		pos:   0,
+		input: s,
+	}
+	return parser.Parse()
+}
+
+// Parse loops trough parseAction() until the end of the string is reached
+func (p *actionParser) Parse() ([]*action, error) {
+	actions := make([]*action, 0)
+	for !p.eof() {
+		a, err := p.parseAction()
+		if err != nil {
+			return nil, err
+		}
+		actions = append(actions, a)
+	}
+	return actions, nil
+}
+
+// parseAction parses the individual sections of an action using parseSection into key/value pairs,
+// and then uses populateAction to interpret the keys/values. The function terminates
+// when EOF or ";" is reached.
+func (p *actionParser) parseAction() (*action, error) {
+	a := newAction()
+	section := 0
+	for {
+		key, value, last, err := p.parseSection()
+		if err != nil {
+			return nil, err
+		}
+		if err := populateAction(a, section, key, value); err != nil {
+			return nil, err
+		}
+		p.slurpSpaces()
+		if last {
+			return a, nil
+		}
+		section++
+	}
+}
+
+// populateAction is the "business logic" of the parser. It applies the key/value
+// pair to the action instance.
+func populateAction(newAction *action, section int, key, value string) error {
+	// Auto-expand keys based on their index
+	if key == "" && section == 0 {
+		key = "action"
+	} else if key == "" && section == 1 {
+		key = "label"
+	} else if key == "" && section == 2 && util.Contains(actionsWithURL, newAction.Action) {
+		key = "url"
+	}
+
+	// Validate
+	if key == "" {
+		return fmt.Errorf("term '%s' unknown", value)
+	}
+
+	// Populate
+	if strings.HasPrefix(key, "headers.") {
+		newAction.Headers[strings.TrimPrefix(key, "headers.")] = value
+	} else if strings.HasPrefix(key, "extras.") {
+		newAction.Extras[strings.TrimPrefix(key, "extras.")] = value
+	} else {
+		switch strings.ToLower(key) {
+		case "action":
+			newAction.Action = value
+		case "label":
+			newAction.Label = value
+		case "clear":
+			lvalue := strings.ToLower(value)
+			if !util.Contains([]string{"true", "yes", "1", "false", "no", "0"}, lvalue) {
+				return fmt.Errorf("parameter 'clear' cannot be '%s', only boolean values are allowed (true/yes/1/false/no/0)", value)
+			}
+			newAction.Clear = lvalue == "true" || lvalue == "yes" || lvalue == "1"
+		case "url":
+			newAction.URL = value
+		case "method":
+			newAction.Method = value
+		case "body":
+			newAction.Body = value
+		case "intent":
+			newAction.Intent = value
+		default:
+			return fmt.Errorf("key '%s' unknown", key)
+		}
+	}
+	return nil
+}
+
+// parseSection parses a section ("key=value") and returns a key/value pair. It terminates
+// when EOF or "," is reached.
+func (p *actionParser) parseSection() (key string, value string, last bool, err error) {
+	p.slurpSpaces()
+	key = p.parseKey()
+	r, w := p.peek()
+	if isSectionEnd(r) {
+		p.pos += w
+		last = isLastSection(r)
+		return
+	} else if r == '"' || r == '\'' {
+		value, last, err = p.parseQuotedValue(r)
+		return
+	}
+	value, last = p.parseValue()
+	return
+}
+
+// parseKey uses a regex to determine whether the current position is a key definition ("key =")
+// and returns the key if it is, or an empty string otherwise.
+func (p *actionParser) parseKey() string {
+	matches := actionsKeyRegex.FindStringSubmatch(p.input[p.pos:])
+	if len(matches) == 2 {
+		p.pos += len(matches[0])
+		return matches[1]
+	}
+	return ""
+}
+
+// parseValue reads the input until EOF, "," or ";" and returns the value string. Unlike parseQuotedValue,
+// this function does not support "," or ";" in the value itself, and spaces in the beginning and end of the
+// string are trimmed.
+func (p *actionParser) parseValue() (value string, last bool) {
+	start := p.pos
+	for {
+		r, w := p.peek()
+		if isSectionEnd(r) {
+			last = isLastSection(r)
+			value = strings.TrimSpace(p.input[start:p.pos])
+			p.pos += w
+			return
+		}
+		p.pos += w
+	}
+}
+
+// parseQuotedValue reads the input until it finds an unescaped end quote character ("), and then
+// advances the position beyond the section end. It supports quoting strings using backslash (\).
+func (p *actionParser) parseQuotedValue(quote rune) (value string, last bool, err error) {
+	p.pos++
+	start := p.pos
+	var prev rune
+	for {
+		r, w := p.peek()
+		if r == actionEOF {
+			err = fmt.Errorf("unexpected end of input, quote started at position %d", start)
+			return
+		} else if r == quote && prev != '\\' {
+			value = strings.ReplaceAll(p.input[start:p.pos], "\\"+string(quote), string(quote)) // \" -> "
+			p.pos += w
+
+			// Advance until section end (after "," or ";")
+			p.slurpSpaces()
+			r, w := p.peek()
+			last = isLastSection(r)
+			if !isSectionEnd(r) {
+				err = fmt.Errorf("unexpected character '%c' at position %d", r, p.pos)
+				return
+			}
+			p.pos += w
+			return
+		}
+		prev = r
+		p.pos += w
+	}
+}
+
+// slurpSpaces reads all space characters and advances the position
+func (p *actionParser) slurpSpaces() {
+	for {
+		r, w := p.peek()
+		if r == actionEOF || !isSpace(r) {
+			return
+		}
+		p.pos += w
+	}
+}
+
+// peek returns the next run and its width
+func (p *actionParser) peek() (rune, int) {
+	if p.eof() {
+		return actionEOF, 0
+	}
+	return utf8.DecodeRuneInString(p.input[p.pos:])
+}
+
+// eof returns true if the end of the input has been reached
+func (p *actionParser) eof() bool {
+	return p.pos >= len(p.input)
+}
+
+func isSpace(r rune) bool {
+	return r == ' ' || r == '\t' || r == '\r' || r == '\n'
+}
+
+func isSectionEnd(r rune) bool {
+	return r == actionEOF || r == ';' || r == ','
+}
+
+func isLastSection(r rune) bool {
+	return r == actionEOF || r == ';'
+}
--- a/server/actions_test.go
+++ b/server/actions_test.go
@@ -0,0 +1,184 @@
+package server
+
+import (
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestParseActions(t *testing.T) {
+	actions, err := parseActions("[]")
+	require.Nil(t, err)
+	require.Empty(t, actions)
+
+	// Basic test
+	actions, err = parseActions("action=http, label=Open door, url=https://door.lan/open; view, Show portal, https://door.lan")
+	require.Nil(t, err)
+	require.Equal(t, 2, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, "Open door", actions[0].Label)
+	require.Equal(t, "https://door.lan/open", actions[0].URL)
+	require.Equal(t, "view", actions[1].Action)
+	require.Equal(t, "Show portal", actions[1].Label)
+	require.Equal(t, "https://door.lan", actions[1].URL)
+
+	// JSON
+	actions, err = parseActions(`[{"action":"http","label":"Open door","url":"https://door.lan/open"}, {"action":"view","label":"Show portal","url":"https://door.lan"}]`)
+	require.Nil(t, err)
+	require.Equal(t, 2, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, "Open door", actions[0].Label)
+	require.Equal(t, "https://door.lan/open", actions[0].URL)
+	require.Equal(t, "view", actions[1].Action)
+	require.Equal(t, "Show portal", actions[1].Label)
+	require.Equal(t, "https://door.lan", actions[1].URL)
+
+	// Other params
+	actions, err = parseActions("action=http, label=Open door, url=https://door.lan/open, body=this is a body, method=PUT")
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, "Open door", actions[0].Label)
+	require.Equal(t, "https://door.lan/open", actions[0].URL)
+	require.Equal(t, "PUT", actions[0].Method)
+	require.Equal(t, "this is a body", actions[0].Body)
+
+	// Extras with underscores
+	actions, err = parseActions("action=broadcast, label=Do a thing, extras.command=some command, extras.some_param=a parameter")
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "broadcast", actions[0].Action)
+	require.Equal(t, "Do a thing", actions[0].Label)
+	require.Equal(t, 2, len(actions[0].Extras))
+	require.Equal(t, "some command", actions[0].Extras["command"])
+	require.Equal(t, "a parameter", actions[0].Extras["some_param"])
+
+	// Broadcast action with intent
+	actions, err = parseActions("action=broadcast, label=Do a thing, intent=io.heckel.ntfy.TEST_INTENT")
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "broadcast", actions[0].Action)
+	require.Equal(t, "Do a thing", actions[0].Label)
+	require.Equal(t, "io.heckel.ntfy.TEST_INTENT", actions[0].Intent)
+
+	// Headers with dashes
+	actions, err = parseActions("action=http, label=Send request, url=http://example.com, method=GET, headers.Content-Type=application/json, headers.Authorization=Basic sdasffsf")
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, "Send request", actions[0].Label)
+	require.Equal(t, 2, len(actions[0].Headers))
+	require.Equal(t, "application/json", actions[0].Headers["Content-Type"])
+	require.Equal(t, "Basic sdasffsf", actions[0].Headers["Authorization"])
+
+	// Quotes
+	actions, err = parseActions(`action=http, "Look ma, \"quotes\"; and semicolons", url=http://example.com`)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, `Look ma, "quotes"; and semicolons`, actions[0].Label)
+	require.Equal(t, `http://example.com`, actions[0].URL)
+
+	// Single quotes
+	actions, err = parseActions(`action=http, '"quotes" and \'single quotes\'', url=http://example.com`)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, `"quotes" and 'single quotes'`, actions[0].Label)
+	require.Equal(t, `http://example.com`, actions[0].URL)
+
+	// Single quotes (JSON)
+	actions, err = parseActions(`action=http, Post it, url=http://example.com, body='{"temperature": 65}'`)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, "Post it", actions[0].Label)
+	require.Equal(t, `http://example.com`, actions[0].URL)
+	require.Equal(t, `{"temperature": 65}`, actions[0].Body)
+
+	// Out of order
+	actions, err = parseActions(`label="Out of order!" , action="http", url=http://example.com`)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, `Out of order!`, actions[0].Label)
+	require.Equal(t, `http://example.com`, actions[0].URL)
+
+	// Spaces
+	actions, err = parseActions(`action = http, label = 'this is a label', url = "http://google.com"`)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, `this is a label`, actions[0].Label)
+	require.Equal(t, `http://google.com`, actions[0].URL)
+
+	// Non-ASCII
+	actions, err = parseActions(`action = http, 'Кохайтеся а не воюйте, 💙🫤', url = "http://google.com"`)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, `Кохайтеся а не воюйте, 💙🫤`, actions[0].Label)
+	require.Equal(t, `http://google.com`, actions[0].URL)
+
+	// Multiple actions, awkward spacing
+	actions, err = parseActions(`http , 'Make love, not war 💙🫤' , https://ntfy.sh ; view, " yo ", https://x.org, clear=true`)
+	require.Nil(t, err)
+	require.Equal(t, 2, len(actions))
+	require.Equal(t, "http", actions[0].Action)
+	require.Equal(t, `Make love, not war 💙🫤`, actions[0].Label)
+	require.Equal(t, `https://ntfy.sh`, actions[0].URL)
+	require.Equal(t, false, actions[0].Clear)
+	require.Equal(t, "view", actions[1].Action)
+	require.Equal(t, " yo ", actions[1].Label)
+	require.Equal(t, `https://x.org`, actions[1].URL)
+	require.Equal(t, true, actions[1].Clear)
+
+	// Invalid syntax
+	_, err = parseActions(`label="Out of order!" x, action="http", url=http://example.com`)
+	require.EqualError(t, err, "unexpected character 'x' at position 22")
+
+	_, err = parseActions(`label="", action="http", url=http://example.com`)
+	require.EqualError(t, err, "parameter 'label' is required")
+
+	_, err = parseActions(`label=, action="http", url=http://example.com`)
+	require.EqualError(t, err, "parameter 'label' is required")
+
+	_, err = parseActions(`label="xx", action="http", url=http://example.com, what is this anyway`)
+	require.EqualError(t, err, "term 'what is this anyway' unknown")
+
+	_, err = parseActions(`fdsfdsf`)
+	require.EqualError(t, err, "parameter 'action' cannot be 'fdsfdsf', valid values are 'view', 'broadcast' and 'http'")
+
+	_, err = parseActions(`aaa=a, "bbb, 'ccc, ddd, eee "`)
+	require.EqualError(t, err, "key 'aaa' unknown")
+
+	_, err = parseActions(`action=http, label="omg the end quote is missing`)
+	require.EqualError(t, err, "unexpected end of input, quote started at position 20")
+
+	_, err = parseActions(`;;;;`)
+	require.EqualError(t, err, "only 3 actions allowed")
+
+	_, err = parseActions(`,,,,,,;;`)
+	require.EqualError(t, err, "term '' unknown")
+
+	_, err = parseActions(`''";,;"`)
+	require.EqualError(t, err, "unexpected character '\"' at position 2")
+
+	_, err = parseActions(`action=http, label=a label, body=somebody`)
+	require.EqualError(t, err, "parameter 'url' is required for action 'http'")
+
+	_, err = parseActions(`action=http, label=a label, url=http://ntfy.sh, method=HEAD, body=somebody`)
+	require.EqualError(t, err, "parameter 'body' cannot be set if method is HEAD")
+
+	_, err = parseActions(`[ invalid json ]`)
+	require.EqualError(t, err, "JSON error: invalid character 'i' looking for beginning of value")
+
+	_, err = parseActions(`[ { "some": "object" } ]`)
+	require.EqualError(t, err, "parameter 'action' cannot be '', valid values are 'view', 'broadcast' and 'http'")
+
+	_, err = parseActions("\x00\x01\xFFx\xFE")
+	require.EqualError(t, err, "invalid utf-8 string")
+
+	_, err = parseActions(`http, label, http://x.org, clear=x`)
+	require.EqualError(t, err, "parameter 'clear' cannot be 'x', only boolean values are allowed (true/yes/1/false/no/0)")
+
+}
--- a/server/cache.go
+++ b/server/cache.go
@@ -1,25 +0,0 @@
-package server
-
-import (
-	"errors"
-	_ "github.com/mattn/go-sqlite3" // SQLite driver
-	"time"
-)
-
-var (
-	errUnexpectedMessageType = errors.New("unexpected message type")
-)
-
-// cache implements a cache for messages of type "message" events,
-// i.e. message structs with the Event messageEvent.
-type cache interface {
-	AddMessage(m *message) error
-	Messages(topic string, since sinceTime, scheduled bool) ([]*message, error)
-	MessagesDue() ([]*message, error)
-	MessageCount(topic string) (int, error)
-	Topics() (map[string]*topic, error)
-	Prune(olderThan time.Time) error
-	MarkPublished(m *message) error
-	AttachmentsSize(owner string) (int64, error)
-	AttachmentsExpired() ([]string, error)
-}
--- a/server/cache_mem.go
+++ b/server/cache_mem.go
@@ -1,165 +0,0 @@
-package server
-
-import (
-	"sort"
-	"sync"
-	"time"
-)
-
-type memCache struct {
-	messages  map[string][]*message
-	scheduled map[string]*message // Message ID -> message
-	nop       bool
-	mu        sync.Mutex
-}
-
-var _ cache = (*memCache)(nil)
-
-// newMemCache creates an in-memory cache
-func newMemCache() *memCache {
-	return &memCache{
-		messages:  make(map[string][]*message),
-		scheduled: make(map[string]*message),
-		nop:       false,
-	}
-}
-
-// newNopCache creates an in-memory cache that discards all messages;
-// it is always empty and can be used if caching is entirely disabled
-func newNopCache() *memCache {
-	return &memCache{
-		messages:  make(map[string][]*message),
-		scheduled: make(map[string]*message),
-		nop:       true,
-	}
-}
-
-func (c *memCache) AddMessage(m *message) error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.nop {
-		return nil
-	}
-	if m.Event != messageEvent {
-		return errUnexpectedMessageType
-	}
-	if _, ok := c.messages[m.Topic]; !ok {
-		c.messages[m.Topic] = make([]*message, 0)
-	}
-	delayed := m.Time > time.Now().Unix()
-	if delayed {
-		c.scheduled[m.ID] = m
-	}
-	c.messages[m.Topic] = append(c.messages[m.Topic], m)
-	return nil
-}
-
-func (c *memCache) Messages(topic string, since sinceTime, scheduled bool) ([]*message, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if _, ok := c.messages[topic]; !ok || since.IsNone() {
-		return make([]*message, 0), nil
-	}
-	messages := make([]*message, 0)
-	for _, m := range c.messages[topic] {
-		_, messageScheduled := c.scheduled[m.ID]
-		include := m.Time >= since.Time().Unix() && (!messageScheduled || scheduled)
-		if include {
-			messages = append(messages, m)
-		}
-	}
-	sort.Slice(messages, func(i, j int) bool {
-		return messages[i].Time < messages[j].Time
-	})
-	return messages, nil
-}
-
-func (c *memCache) MessagesDue() ([]*message, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	messages := make([]*message, 0)
-	for _, m := range c.scheduled {
-		due := time.Now().Unix() >= m.Time
-		if due {
-			messages = append(messages, m)
-		}
-	}
-	sort.Slice(messages, func(i, j int) bool {
-		return messages[i].Time < messages[j].Time
-	})
-	return messages, nil
-}
-
-func (c *memCache) MarkPublished(m *message) error {
-	c.mu.Lock()
-	delete(c.scheduled, m.ID)
-	c.mu.Unlock()
-	return nil
-}
-
-func (c *memCache) MessageCount(topic string) (int, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if _, ok := c.messages[topic]; !ok {
-		return 0, nil
-	}
-	return len(c.messages[topic]), nil
-}
-
-func (c *memCache) Topics() (map[string]*topic, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	topics := make(map[string]*topic)
-	for topic := range c.messages {
-		topics[topic] = newTopic(topic)
-	}
-	return topics, nil
-}
-
-func (c *memCache) Prune(olderThan time.Time) error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	for topic := range c.messages {
-		c.pruneTopic(topic, olderThan)
-	}
-	return nil
-}
-
-func (c *memCache) AttachmentsSize(owner string) (int64, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	var size int64
-	for topic := range c.messages {
-		for _, m := range c.messages[topic] {
-			counted := m.Attachment != nil && m.Attachment.Owner == owner && m.Attachment.Expires > time.Now().Unix()
-			if counted {
-				size += m.Attachment.Size
-			}
-		}
-	}
-	return size, nil
-}
-
-func (c *memCache) AttachmentsExpired() ([]string, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	ids := make([]string, 0)
-	for topic := range c.messages {
-		for _, m := range c.messages[topic] {
-			if m.Attachment != nil && m.Attachment.Expires > 0 && m.Attachment.Expires < time.Now().Unix() {
-				ids = append(ids, m.ID)
-			}
-		}
-	}
-	return ids, nil
-}
-
-func (c *memCache) pruneTopic(topic string, olderThan time.Time) {
-	messages := make([]*message, 0)
-	for _, m := range c.messages[topic] {
-		if m.Time >= olderThan.Unix() {
-			messages = append(messages, m)
-		}
-	}
-	c.messages[topic] = messages
-}
--- a/server/cache_mem_test.go
+++ b/server/cache_mem_test.go
@@ -1,43 +0,0 @@
-package server
-
-import (
-	"github.com/stretchr/testify/assert"
-	"testing"
-)
-
-func TestMemCache_Messages(t *testing.T) {
-	testCacheMessages(t, newMemCache())
-}
-
-func TestMemCache_MessagesScheduled(t *testing.T) {
-	testCacheMessagesScheduled(t, newMemCache())
-}
-
-func TestMemCache_Topics(t *testing.T) {
-	testCacheTopics(t, newMemCache())
-}
-
-func TestMemCache_MessagesTagsPrioAndTitle(t *testing.T) {
-	testCacheMessagesTagsPrioAndTitle(t, newMemCache())
-}
-
-func TestMemCache_Prune(t *testing.T) {
-	testCachePrune(t, newMemCache())
-}
-
-func TestMemCache_Attachments(t *testing.T) {
-	testCacheAttachments(t, newMemCache())
-}
-
-func TestMemCache_NopCache(t *testing.T) {
-	c := newNopCache()
-	assert.Nil(t, c.AddMessage(newDefaultMessage("mytopic", "my message")))
-
-	messages, err := c.Messages("mytopic", sinceAllMessages, false)
-	assert.Nil(t, err)
-	assert.Empty(t, messages)
-
-	topics, err := c.Topics()
-	assert.Nil(t, err)
-	assert.Empty(t, topics)
-}
--- a/server/cache_sqlite.go
+++ b/server/cache_sqlite.go
@@ -1,438 +0,0 @@
-package server
-
-import (
-	"database/sql"
-	"errors"
-	"fmt"
-	_ "github.com/mattn/go-sqlite3" // SQLite driver
-	"log"
-	"strings"
-	"time"
-)
-
-// Messages cache
-const (
-	createMessagesTableQuery = `
-		BEGIN;
-		CREATE TABLE IF NOT EXISTS messages (
-			id TEXT PRIMARY KEY,
-			time INT NOT NULL,
-			topic TEXT NOT NULL,
-			message TEXT NOT NULL,
-			title TEXT NOT NULL,
-			priority INT NOT NULL,
-			tags TEXT NOT NULL,
-			click TEXT NOT NULL,
-			attachment_name TEXT NOT NULL,
-			attachment_type TEXT NOT NULL,
-			attachment_size INT NOT NULL,
-			attachment_expires INT NOT NULL,
-			attachment_url TEXT NOT NULL,
-			attachment_owner TEXT NOT NULL,
-			encoding TEXT NOT NULL,
-			published INT NOT NULL
-		);
-		CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
-		COMMIT;
-	`
-	insertMessageQuery = `
-		INSERT INTO messages (id, time, topic, message, title, priority, tags, click, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, attachment_owner, encoding, published) 
-		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-	`
-	pruneMessagesQuery           = `DELETE FROM messages WHERE time < ? AND published = 1`
-	selectMessagesSinceTimeQuery = `
-		SELECT id, time, topic, message, title, priority, tags, click, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, attachment_owner, encoding
-		FROM messages 
-		WHERE topic = ? AND time >= ? AND published = 1
-		ORDER BY time ASC
-	`
-	selectMessagesSinceTimeIncludeScheduledQuery = `
-		SELECT id, time, topic, message, title, priority, tags, click, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, attachment_owner, encoding
-		FROM messages 
-		WHERE topic = ? AND time >= ?
-		ORDER BY time ASC
-	`
-	selectMessagesDueQuery = `
-		SELECT id, time, topic, message, title, priority, tags, click, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, attachment_owner, encoding
-		FROM messages 
-		WHERE time <= ? AND published = 0
-	`
-	updateMessagePublishedQuery     = `UPDATE messages SET published = 1 WHERE id = ?`
-	selectMessagesCountQuery        = `SELECT COUNT(*) FROM messages`
-	selectMessageCountForTopicQuery = `SELECT COUNT(*) FROM messages WHERE topic = ?`
-	selectTopicsQuery               = `SELECT topic FROM messages GROUP BY topic`
-	selectAttachmentsSizeQuery      = `SELECT IFNULL(SUM(attachment_size), 0) FROM messages WHERE attachment_owner = ? AND attachment_expires >= ?`
-	selectAttachmentsExpiredQuery   = `SELECT id FROM messages WHERE attachment_expires > 0 AND attachment_expires < ?`
-)
-
-// Schema management queries
-const (
-	currentSchemaVersion          = 4
-	createSchemaVersionTableQuery = `
-		CREATE TABLE IF NOT EXISTS schemaVersion (
-			id INT PRIMARY KEY,
-			version INT NOT NULL
-		);
-	`
-	insertSchemaVersion      = `INSERT INTO schemaVersion VALUES (1, ?)`
-	updateSchemaVersion      = `UPDATE schemaVersion SET version = ? WHERE id = 1`
-	selectSchemaVersionQuery = `SELECT version FROM schemaVersion WHERE id = 1`
-
-	// 0 -> 1
-	migrate0To1AlterMessagesTableQuery = `
-		BEGIN;
-		ALTER TABLE messages ADD COLUMN title TEXT NOT NULL DEFAULT('');
-		ALTER TABLE messages ADD COLUMN priority INT NOT NULL DEFAULT(0);
-		ALTER TABLE messages ADD COLUMN tags TEXT NOT NULL DEFAULT('');
-		COMMIT;
-	`
-
-	// 1 -> 2
-	migrate1To2AlterMessagesTableQuery = `
-		ALTER TABLE messages ADD COLUMN published INT NOT NULL DEFAULT(1);
-	`
-
-	// 2 -> 3
-	migrate2To3AlterMessagesTableQuery = `
-		BEGIN;
-		ALTER TABLE messages ADD COLUMN click TEXT NOT NULL DEFAULT('');
-		ALTER TABLE messages ADD COLUMN attachment_name TEXT NOT NULL DEFAULT('');
-		ALTER TABLE messages ADD COLUMN attachment_type TEXT NOT NULL DEFAULT('');
-		ALTER TABLE messages ADD COLUMN attachment_size INT NOT NULL DEFAULT('0');
-		ALTER TABLE messages ADD COLUMN attachment_expires INT NOT NULL DEFAULT('0');
-		ALTER TABLE messages ADD COLUMN attachment_owner TEXT NOT NULL DEFAULT('');
-		ALTER TABLE messages ADD COLUMN attachment_url TEXT NOT NULL DEFAULT('');
-		COMMIT;
-	`
-	// 3 -> 4
-	migrate3To4AlterMessagesTableQuery = `
-		ALTER TABLE messages ADD COLUMN encoding TEXT NOT NULL DEFAULT('');
-	`
-)
-
-type sqliteCache struct {
-	db *sql.DB
-}
-
-var _ cache = (*sqliteCache)(nil)
-
-func newSqliteCache(filename string) (*sqliteCache, error) {
-	db, err := sql.Open("sqlite3", filename)
-	if err != nil {
-		return nil, err
-	}
-	if err := setupCacheDB(db); err != nil {
-		return nil, err
-	}
-	return &sqliteCache{
-		db: db,
-	}, nil
-}
-
-func (c *sqliteCache) AddMessage(m *message) error {
-	if m.Event != messageEvent {
-		return errUnexpectedMessageType
-	}
-	published := m.Time <= time.Now().Unix()
-	tags := strings.Join(m.Tags, ",")
-	var attachmentName, attachmentType, attachmentURL, attachmentOwner string
-	var attachmentSize, attachmentExpires int64
-	if m.Attachment != nil {
-		attachmentName = m.Attachment.Name
-		attachmentType = m.Attachment.Type
-		attachmentSize = m.Attachment.Size
-		attachmentExpires = m.Attachment.Expires
-		attachmentURL = m.Attachment.URL
-		attachmentOwner = m.Attachment.Owner
-	}
-	_, err := c.db.Exec(
-		insertMessageQuery,
-		m.ID,
-		m.Time,
-		m.Topic,
-		m.Message,
-		m.Title,
-		m.Priority,
-		tags,
-		m.Click,
-		attachmentName,
-		attachmentType,
-		attachmentSize,
-		attachmentExpires,
-		attachmentURL,
-		attachmentOwner,
-		m.Encoding,
-		published,
-	)
-	return err
-}
-
-func (c *sqliteCache) Messages(topic string, since sinceTime, scheduled bool) ([]*message, error) {
-	if since.IsNone() {
-		return make([]*message, 0), nil
-	}
-	var rows *sql.Rows
-	var err error
-	if scheduled {
-		rows, err = c.db.Query(selectMessagesSinceTimeIncludeScheduledQuery, topic, since.Time().Unix())
-	} else {
-		rows, err = c.db.Query(selectMessagesSinceTimeQuery, topic, since.Time().Unix())
-	}
-	if err != nil {
-		return nil, err
-	}
-	return readMessages(rows)
-}
-
-func (c *sqliteCache) MessagesDue() ([]*message, error) {
-	rows, err := c.db.Query(selectMessagesDueQuery, time.Now().Unix())
-	if err != nil {
-		return nil, err
-	}
-	return readMessages(rows)
-}
-
-func (c *sqliteCache) MarkPublished(m *message) error {
-	_, err := c.db.Exec(updateMessagePublishedQuery, m.ID)
-	return err
-}
-
-func (c *sqliteCache) MessageCount(topic string) (int, error) {
-	rows, err := c.db.Query(selectMessageCountForTopicQuery, topic)
-	if err != nil {
-		return 0, err
-	}
-	defer rows.Close()
-	var count int
-	if !rows.Next() {
-		return 0, errors.New("no rows found")
-	}
-	if err := rows.Scan(&count); err != nil {
-		return 0, err
-	} else if err := rows.Err(); err != nil {
-		return 0, err
-	}
-	return count, nil
-}
-
-func (c *sqliteCache) Topics() (map[string]*topic, error) {
-	rows, err := c.db.Query(selectTopicsQuery)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	topics := make(map[string]*topic)
-	for rows.Next() {
-		var id string
-		if err := rows.Scan(&id); err != nil {
-			return nil, err
-		}
-		topics[id] = newTopic(id)
-	}
-	if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	return topics, nil
-}
-
-func (c *sqliteCache) Prune(olderThan time.Time) error {
-	_, err := c.db.Exec(pruneMessagesQuery, olderThan.Unix())
-	return err
-}
-
-func (c *sqliteCache) AttachmentsSize(owner string) (int64, error) {
-	rows, err := c.db.Query(selectAttachmentsSizeQuery, owner, time.Now().Unix())
-	if err != nil {
-		return 0, err
-	}
-	defer rows.Close()
-	var size int64
-	if !rows.Next() {
-		return 0, errors.New("no rows found")
-	}
-	if err := rows.Scan(&size); err != nil {
-		return 0, err
-	} else if err := rows.Err(); err != nil {
-		return 0, err
-	}
-	return size, nil
-}
-
-func (c *sqliteCache) AttachmentsExpired() ([]string, error) {
-	rows, err := c.db.Query(selectAttachmentsExpiredQuery, time.Now().Unix())
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	ids := make([]string, 0)
-	for rows.Next() {
-		var id string
-		if err := rows.Scan(&id); err != nil {
-			return nil, err
-		}
-		ids = append(ids, id)
-	}
-	if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	return ids, nil
-}
-
-func readMessages(rows *sql.Rows) ([]*message, error) {
-	defer rows.Close()
-	messages := make([]*message, 0)
-	for rows.Next() {
-		var timestamp, attachmentSize, attachmentExpires int64
-		var priority int
-		var id, topic, msg, title, tagsStr, click, attachmentName, attachmentType, attachmentURL, attachmentOwner, encoding string
-		err := rows.Scan(
-			&id,
-			&timestamp,
-			&topic,
-			&msg,
-			&title,
-			&priority,
-			&tagsStr,
-			&click,
-			&attachmentName,
-			&attachmentType,
-			&attachmentSize,
-			&attachmentExpires,
-			&attachmentURL,
-			&attachmentOwner,
-			&encoding,
-		)
-		if err != nil {
-			return nil, err
-		}
-		var tags []string
-		if tagsStr != "" {
-			tags = strings.Split(tagsStr, ",")
-		}
-		var att *attachment
-		if attachmentName != "" && attachmentURL != "" {
-			att = &attachment{
-				Name:    attachmentName,
-				Type:    attachmentType,
-				Size:    attachmentSize,
-				Expires: attachmentExpires,
-				URL:     attachmentURL,
-				Owner:   attachmentOwner,
-			}
-		}
-		messages = append(messages, &message{
-			ID:         id,
-			Time:       timestamp,
-			Event:      messageEvent,
-			Topic:      topic,
-			Message:    msg,
-			Title:      title,
-			Priority:   priority,
-			Tags:       tags,
-			Click:      click,
-			Attachment: att,
-			Encoding:   encoding,
-		})
-	}
-	if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	return messages, nil
-}
-
-func setupCacheDB(db *sql.DB) error {
-	// If 'messages' table does not exist, this must be a new database
-	rowsMC, err := db.Query(selectMessagesCountQuery)
-	if err != nil {
-		return setupNewCacheDB(db)
-	}
-	rowsMC.Close()
-
-	// If 'messages' table exists, check 'schemaVersion' table
-	schemaVersion := 0
-	rowsSV, err := db.Query(selectSchemaVersionQuery)
-	if err == nil {
-		defer rowsSV.Close()
-		if !rowsSV.Next() {
-			return errors.New("cannot determine schema version: cache file may be corrupt")
-		}
-		if err := rowsSV.Scan(&schemaVersion); err != nil {
-			return err
-		}
-		rowsSV.Close()
-	}
-
-	// Do migrations
-	if schemaVersion == currentSchemaVersion {
-		return nil
-	} else if schemaVersion == 0 {
-		return migrateFrom0(db)
-	} else if schemaVersion == 1 {
-		return migrateFrom1(db)
-	} else if schemaVersion == 2 {
-		return migrateFrom2(db)
-	} else if schemaVersion == 3 {
-		return migrateFrom3(db)
-	}
-	return fmt.Errorf("unexpected schema version found: %d", schemaVersion)
-}
-
-func setupNewCacheDB(db *sql.DB) error {
-	if _, err := db.Exec(createMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(createSchemaVersionTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(insertSchemaVersion, currentSchemaVersion); err != nil {
-		return err
-	}
-	return nil
-}
-
-func migrateFrom0(db *sql.DB) error {
-	log.Print("Migrating cache database schema: from 0 to 1")
-	if _, err := db.Exec(migrate0To1AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(createSchemaVersionTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(insertSchemaVersion, 1); err != nil {
-		return err
-	}
-	return migrateFrom1(db)
-}
-
-func migrateFrom1(db *sql.DB) error {
-	log.Print("Migrating cache database schema: from 1 to 2")
-	if _, err := db.Exec(migrate1To2AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(updateSchemaVersion, 2); err != nil {
-		return err
-	}
-	return migrateFrom2(db)
-}
-
-func migrateFrom2(db *sql.DB) error {
-	log.Print("Migrating cache database schema: from 2 to 3")
-	if _, err := db.Exec(migrate2To3AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(updateSchemaVersion, 3); err != nil {
-		return err
-	}
-	return migrateFrom3(db)
-}
-
-func migrateFrom3(db *sql.DB) error {
-	log.Print("Migrating cache database schema: from 3 to 4")
-	if _, err := db.Exec(migrate3To4AlterMessagesTableQuery); err != nil {
-		return err
-	}
-	if _, err := db.Exec(updateSchemaVersion, 4); err != nil {
-		return err
-	}
-	return nil // Update this when a new version is added
-}
--- a/server/cache_sqlite_test.go
+++ b/server/cache_sqlite_test.go
@@ -1,158 +0,0 @@
-package server
-
-import (
-	"database/sql"
-	"fmt"
-	"github.com/stretchr/testify/require"
-	"path/filepath"
-	"testing"
-	"time"
-)
-
-func TestSqliteCache_Messages(t *testing.T) {
-	testCacheMessages(t, newSqliteTestCache(t))
-}
-
-func TestSqliteCache_MessagesScheduled(t *testing.T) {
-	testCacheMessagesScheduled(t, newSqliteTestCache(t))
-}
-
-func TestSqliteCache_Topics(t *testing.T) {
-	testCacheTopics(t, newSqliteTestCache(t))
-}
-
-func TestSqliteCache_MessagesTagsPrioAndTitle(t *testing.T) {
-	testCacheMessagesTagsPrioAndTitle(t, newSqliteTestCache(t))
-}
-
-func TestSqliteCache_Prune(t *testing.T) {
-	testCachePrune(t, newSqliteTestCache(t))
-}
-
-func TestSqliteCache_Attachments(t *testing.T) {
-	testCacheAttachments(t, newSqliteTestCache(t))
-}
-
-func TestSqliteCache_Migration_From0(t *testing.T) {
-	filename := newSqliteTestCacheFile(t)
-	db, err := sql.Open("sqlite3", filename)
-	require.Nil(t, err)
-
-	// Create "version 0" schema
-	_, err = db.Exec(`
-		BEGIN;
-		CREATE TABLE IF NOT EXISTS messages (
-			id VARCHAR(20) PRIMARY KEY,
-			time INT NOT NULL,
-			topic VARCHAR(64) NOT NULL,
-			message VARCHAR(1024) NOT NULL
-		);
-		CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
-		COMMIT;
-	`)
-	require.Nil(t, err)
-
-	// Insert a bunch of messages
-	for i := 0; i < 10; i++ {
-		_, err = db.Exec(`INSERT INTO messages (id, time, topic, message) VALUES (?, ?, ?, ?)`,
-			fmt.Sprintf("abcd%d", i), time.Now().Unix(), "mytopic", fmt.Sprintf("some message %d", i))
-		require.Nil(t, err)
-	}
-	require.Nil(t, db.Close())
-
-	// Create cache to trigger migration
-	c := newSqliteTestCacheFromFile(t, filename)
-	checkSchemaVersion(t, c.db)
-
-	messages, err := c.Messages("mytopic", sinceAllMessages, false)
-	require.Nil(t, err)
-	require.Equal(t, 10, len(messages))
-	require.Equal(t, "some message 5", messages[5].Message)
-	require.Equal(t, "", messages[5].Title)
-	require.Nil(t, messages[5].Tags)
-	require.Equal(t, 0, messages[5].Priority)
-}
-
-func TestSqliteCache_Migration_From1(t *testing.T) {
-	filename := newSqliteTestCacheFile(t)
-	db, err := sql.Open("sqlite3", filename)
-	require.Nil(t, err)
-
-	// Create "version 1" schema
-	_, err = db.Exec(`
-		CREATE TABLE IF NOT EXISTS messages (
-			id VARCHAR(20) PRIMARY KEY,
-			time INT NOT NULL,
-			topic VARCHAR(64) NOT NULL,
-			message VARCHAR(512) NOT NULL,
-			title VARCHAR(256) NOT NULL,
-			priority INT NOT NULL,
-			tags VARCHAR(256) NOT NULL
-		);
-		CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
-		CREATE TABLE IF NOT EXISTS schemaVersion (
-			id INT PRIMARY KEY,
-			version INT NOT NULL
-		);		
-		INSERT INTO schemaVersion (id, version) VALUES (1, 1);
-	`)
-	require.Nil(t, err)
-
-	// Insert a bunch of messages
-	for i := 0; i < 10; i++ {
-		_, err = db.Exec(`INSERT INTO messages (id, time, topic, message, title, priority, tags) VALUES (?, ?, ?, ?, ?, ?, ?)`,
-			fmt.Sprintf("abcd%d", i), time.Now().Unix(), "mytopic", fmt.Sprintf("some message %d", i), "", 0, "")
-		require.Nil(t, err)
-	}
-	require.Nil(t, db.Close())
-
-	// Create cache to trigger migration
-	c := newSqliteTestCacheFromFile(t, filename)
-	checkSchemaVersion(t, c.db)
-
-	// Add delayed message
-	delayedMessage := newDefaultMessage("mytopic", "some delayed message")
-	delayedMessage.Time = time.Now().Add(time.Minute).Unix()
-	require.Nil(t, c.AddMessage(delayedMessage))
-
-	// 10, not 11!
-	messages, err := c.Messages("mytopic", sinceAllMessages, false)
-	require.Nil(t, err)
-	require.Equal(t, 10, len(messages))
-
-	// 11!
-	messages, err = c.Messages("mytopic", sinceAllMessages, true)
-	require.Nil(t, err)
-	require.Equal(t, 11, len(messages))
-}
-
-func checkSchemaVersion(t *testing.T, db *sql.DB) {
-	rows, err := db.Query(`SELECT version FROM schemaVersion`)
-	require.Nil(t, err)
-	require.True(t, rows.Next())
-
-	var schemaVersion int
-	require.Nil(t, rows.Scan(&schemaVersion))
-	require.Equal(t, currentSchemaVersion, schemaVersion)
-	require.Nil(t, rows.Close())
-}
-
-func newSqliteTestCache(t *testing.T) *sqliteCache {
-	c, err := newSqliteCache(newSqliteTestCacheFile(t))
-	if err != nil {
-		t.Fatal(err)
-	}
-	return c
-}
-
-func newSqliteTestCacheFile(t *testing.T) string {
-	return filepath.Join(t.TempDir(), "cache.db")
-}
-
-func newSqliteTestCacheFromFile(t *testing.T, filename string) *sqliteCache {
-	c, err := newSqliteCache(filename)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return c
-}
--- a/server/cache_test.go
+++ b/server/cache_test.go
@@ -1,222 +0,0 @@
-package server
-
-import (
-	"github.com/stretchr/testify/require"
-	"testing"
-	"time"
-)
-
-func testCacheMessages(t *testing.T, c cache) {
-	m1 := newDefaultMessage("mytopic", "my message")
-	m1.Time = 1
-
-	m2 := newDefaultMessage("mytopic", "my other message")
-	m2.Time = 2
-
-	require.Nil(t, c.AddMessage(m1))
-	require.Nil(t, c.AddMessage(newDefaultMessage("example", "my example message")))
-	require.Nil(t, c.AddMessage(m2))
-
-	// Adding invalid
-	require.Equal(t, errUnexpectedMessageType, c.AddMessage(newKeepaliveMessage("mytopic"))) // These should not be added!
-	require.Equal(t, errUnexpectedMessageType, c.AddMessage(newOpenMessage("example")))      // These should not be added!
-
-	// mytopic: count
-	count, err := c.MessageCount("mytopic")
-	require.Nil(t, err)
-	require.Equal(t, 2, count)
-
-	// mytopic: since all
-	messages, _ := c.Messages("mytopic", sinceAllMessages, false)
-	require.Equal(t, 2, len(messages))
-	require.Equal(t, "my message", messages[0].Message)
-	require.Equal(t, "mytopic", messages[0].Topic)
-	require.Equal(t, messageEvent, messages[0].Event)
-	require.Equal(t, "", messages[0].Title)
-	require.Equal(t, 0, messages[0].Priority)
-	require.Nil(t, messages[0].Tags)
-	require.Equal(t, "my other message", messages[1].Message)
-
-	// mytopic: since none
-	messages, _ = c.Messages("mytopic", sinceNoMessages, false)
-	require.Empty(t, messages)
-
-	// mytopic: since 2
-	messages, _ = c.Messages("mytopic", sinceTime(time.Unix(2, 0)), false)
-	require.Equal(t, 1, len(messages))
-	require.Equal(t, "my other message", messages[0].Message)
-
-	// example: count
-	count, err = c.MessageCount("example")
-	require.Nil(t, err)
-	require.Equal(t, 1, count)
-
-	// example: since all
-	messages, _ = c.Messages("example", sinceAllMessages, false)
-	require.Equal(t, "my example message", messages[0].Message)
-
-	// non-existing: count
-	count, err = c.MessageCount("doesnotexist")
-	require.Nil(t, err)
-	require.Equal(t, 0, count)
-
-	// non-existing: since all
-	messages, _ = c.Messages("doesnotexist", sinceAllMessages, false)
-	require.Empty(t, messages)
-}
-
-func testCacheTopics(t *testing.T, c cache) {
-	require.Nil(t, c.AddMessage(newDefaultMessage("topic1", "my example message")))
-	require.Nil(t, c.AddMessage(newDefaultMessage("topic2", "message 1")))
-	require.Nil(t, c.AddMessage(newDefaultMessage("topic2", "message 2")))
-	require.Nil(t, c.AddMessage(newDefaultMessage("topic2", "message 3")))
-
-	topics, err := c.Topics()
-	if err != nil {
-		t.Fatal(err)
-	}
-	require.Equal(t, 2, len(topics))
-	require.Equal(t, "topic1", topics["topic1"].ID)
-	require.Equal(t, "topic2", topics["topic2"].ID)
-}
-
-func testCachePrune(t *testing.T, c cache) {
-	m1 := newDefaultMessage("mytopic", "my message")
-	m1.Time = 1
-
-	m2 := newDefaultMessage("mytopic", "my other message")
-	m2.Time = 2
-
-	m3 := newDefaultMessage("another_topic", "and another one")
-	m3.Time = 1
-
-	require.Nil(t, c.AddMessage(m1))
-	require.Nil(t, c.AddMessage(m2))
-	require.Nil(t, c.AddMessage(m3))
-	require.Nil(t, c.Prune(time.Unix(2, 0)))
-
-	count, err := c.MessageCount("mytopic")
-	require.Nil(t, err)
-	require.Equal(t, 1, count)
-
-	count, err = c.MessageCount("another_topic")
-	require.Nil(t, err)
-	require.Equal(t, 0, count)
-
-	messages, err := c.Messages("mytopic", sinceAllMessages, false)
-	require.Nil(t, err)
-	require.Equal(t, 1, len(messages))
-	require.Equal(t, "my other message", messages[0].Message)
-}
-
-func testCacheMessagesTagsPrioAndTitle(t *testing.T, c cache) {
-	m := newDefaultMessage("mytopic", "some message")
-	m.Tags = []string{"tag1", "tag2"}
-	m.Priority = 5
-	m.Title = "some title"
-	require.Nil(t, c.AddMessage(m))
-
-	messages, _ := c.Messages("mytopic", sinceAllMessages, false)
-	require.Equal(t, []string{"tag1", "tag2"}, messages[0].Tags)
-	require.Equal(t, 5, messages[0].Priority)
-	require.Equal(t, "some title", messages[0].Title)
-}
-
-func testCacheMessagesScheduled(t *testing.T, c cache) {
-	m1 := newDefaultMessage("mytopic", "message 1")
-	m2 := newDefaultMessage("mytopic", "message 2")
-	m2.Time = time.Now().Add(time.Hour).Unix()
-	m3 := newDefaultMessage("mytopic", "message 3")
-	m3.Time = time.Now().Add(time.Minute).Unix() // earlier than m2!
-	m4 := newDefaultMessage("mytopic2", "message 4")
-	m4.Time = time.Now().Add(time.Minute).Unix()
-	require.Nil(t, c.AddMessage(m1))
-	require.Nil(t, c.AddMessage(m2))
-	require.Nil(t, c.AddMessage(m3))
-
-	messages, _ := c.Messages("mytopic", sinceAllMessages, false) // exclude scheduled
-	require.Equal(t, 1, len(messages))
-	require.Equal(t, "message 1", messages[0].Message)
-
-	messages, _ = c.Messages("mytopic", sinceAllMessages, true) // include scheduled
-	require.Equal(t, 3, len(messages))
-	require.Equal(t, "message 1", messages[0].Message)
-	require.Equal(t, "message 3", messages[1].Message) // Order!
-	require.Equal(t, "message 2", messages[2].Message)
-
-	messages, _ = c.MessagesDue()
-	require.Empty(t, messages)
-}
-
-func testCacheAttachments(t *testing.T, c cache) {
-	expires1 := time.Now().Add(-4 * time.Hour).Unix()
-	m := newDefaultMessage("mytopic", "flower for you")
-	m.ID = "m1"
-	m.Attachment = &attachment{
-		Name:    "flower.jpg",
-		Type:    "image/jpeg",
-		Size:    5000,
-		Expires: expires1,
-		URL:     "https://ntfy.sh/file/AbDeFgJhal.jpg",
-		Owner:   "1.2.3.4",
-	}
-	require.Nil(t, c.AddMessage(m))
-
-	expires2 := time.Now().Add(2 * time.Hour).Unix() // Future
-	m = newDefaultMessage("mytopic", "sending you a car")
-	m.ID = "m2"
-	m.Attachment = &attachment{
-		Name:    "car.jpg",
-		Type:    "image/jpeg",
-		Size:    10000,
-		Expires: expires2,
-		URL:     "https://ntfy.sh/file/aCaRURL.jpg",
-		Owner:   "1.2.3.4",
-	}
-	require.Nil(t, c.AddMessage(m))
-
-	expires3 := time.Now().Add(1 * time.Hour).Unix() // Future
-	m = newDefaultMessage("another-topic", "sending you another car")
-	m.ID = "m3"
-	m.Attachment = &attachment{
-		Name:    "another-car.jpg",
-		Type:    "image/jpeg",
-		Size:    20000,
-		Expires: expires3,
-		URL:     "https://ntfy.sh/file/zakaDHFW.jpg",
-		Owner:   "1.2.3.4",
-	}
-	require.Nil(t, c.AddMessage(m))
-
-	messages, err := c.Messages("mytopic", sinceAllMessages, false)
-	require.Nil(t, err)
-	require.Equal(t, 2, len(messages))
-
-	require.Equal(t, "flower for you", messages[0].Message)
-	require.Equal(t, "flower.jpg", messages[0].Attachment.Name)
-	require.Equal(t, "image/jpeg", messages[0].Attachment.Type)
-	require.Equal(t, int64(5000), messages[0].Attachment.Size)
-	require.Equal(t, expires1, messages[0].Attachment.Expires)
-	require.Equal(t, "https://ntfy.sh/file/AbDeFgJhal.jpg", messages[0].Attachment.URL)
-	require.Equal(t, "1.2.3.4", messages[0].Attachment.Owner)
-
-	require.Equal(t, "sending you a car", messages[1].Message)
-	require.Equal(t, "car.jpg", messages[1].Attachment.Name)
-	require.Equal(t, "image/jpeg", messages[1].Attachment.Type)
-	require.Equal(t, int64(10000), messages[1].Attachment.Size)
-	require.Equal(t, expires2, messages[1].Attachment.Expires)
-	require.Equal(t, "https://ntfy.sh/file/aCaRURL.jpg", messages[1].Attachment.URL)
-	require.Equal(t, "1.2.3.4", messages[1].Attachment.Owner)
-
-	size, err := c.AttachmentsSize("1.2.3.4")
-	require.Nil(t, err)
-	require.Equal(t, int64(30000), size)
-
-	size, err = c.AttachmentsSize("5.6.7.8")
-	require.Nil(t, err)
-	require.Equal(t, int64(0), size)
-
-	ids, err := c.AttachmentsExpired()
-	require.Nil(t, err)
-	require.Equal(t, []string{"m1"}, ids)
-}
--- a/server/config.go
+++ b/server/config.go
@@ -1,19 +1,25 @@
 package server

 import (
+	"heckel.io/ntfy/user"
+	"io/fs"
+	"net/netip"
 	"time"
 )

 // Defines default config settings (excluding limits, see below)
 const (
-	DefaultListenHTTP                = ":80"
-	DefaultCacheDuration             = 12 * time.Hour
-	DefaultKeepaliveInterval         = 45 * time.Second // Not too frequently to save battery (Android read timeout used to be 77s!)
-	DefaultManagerInterval           = time.Minute
-	DefaultAtSenderInterval          = 10 * time.Second
-	DefaultMinDelay                  = 10 * time.Second
-	DefaultMaxDelay                  = 3 * 24 * time.Hour
-	DefaultFirebaseKeepaliveInterval = 3 * time.Hour // Not too frequently to save battery
+	DefaultListenHTTP                           = ":80"
+	DefaultCacheDuration                        = 12 * time.Hour
+	DefaultKeepaliveInterval                    = 45 * time.Second // Not too frequently to save battery (Android read timeout used to be 77s!)
+	DefaultManagerInterval                      = time.Minute
+	DefaultDelayedSenderInterval                = 10 * time.Second
+	DefaultMinDelay                             = 10 * time.Second
+	DefaultMaxDelay                             = 3 * 24 * time.Hour
+	DefaultFirebaseKeepaliveInterval            = 3 * time.Hour    // ~control topic (Android), not too frequently to save battery
+	DefaultFirebasePollInterval                 = 20 * time.Minute // ~poll topic (iOS), max. 2-3 times per hour (see docs)
+	DefaultFirebaseQuotaExceededPenaltyDuration = 10 * time.Minute // Time that over-users are locked out of Firebase if it returns "quota exceeded"
+	DefaultStripePriceCacheDuration             = time.Hour        // Time to keep Stripe prices cached in memory before a refresh is needed
 )

 // Defines all global and per-visitor limits
@@ -40,32 +46,47 @@ const (
 	DefaultVisitorRequestLimitReplenish         = 5 * time.Second
 	DefaultVisitorEmailLimitBurst               = 16
 	DefaultVisitorEmailLimitReplenish           = time.Hour
+	DefaultVisitorAccountCreateLimitBurst       = 3
+	DefaultVisitorAccountCreateLimitReplenish   = 24 * time.Hour
 	DefaultVisitorAttachmentTotalSizeLimit      = 100 * 1024 * 1024 // 100 MB
 	DefaultVisitorAttachmentDailyBandwidthLimit = 500 * 1024 * 1024 // 500 MB
 )

+var (
+	// DefaultVisitorStatsResetTime defines the time at which visitor stats are reset (wall clock only)
+	DefaultVisitorStatsResetTime = time.Date(0, 0, 0, 0, 0, 0, 0, time.UTC)
+)
+
 // Config is the main config struct for the application. Use New to instantiate a default config struct.
 type Config struct {
 	BaseURL                              string
 	ListenHTTP                           string
 	ListenHTTPS                          string
 	ListenUnix                           string
+	ListenUnixMode                       fs.FileMode
 	KeyFile                              string
 	CertFile                             string
 	FirebaseKeyFile                      string
 	CacheFile                            string
 	CacheDuration                        time.Duration
+	CacheStartupQueries                  string
+	CacheBatchSize                       int
+	CacheBatchTimeout                    time.Duration
 	AuthFile                             string
-	AuthDefaultRead                      bool
-	AuthDefaultWrite                     bool
+	AuthStartupQueries                   string
+	AuthDefault                          user.Permission
 	AttachmentCacheDir                   string
 	AttachmentTotalSizeLimit             int64
 	AttachmentFileSizeLimit              int64
 	AttachmentExpiryDuration             time.Duration
 	KeepaliveInterval                    time.Duration
 	ManagerInterval                      time.Duration
-	AtSenderInterval                     time.Duration
+	WebRootIsApp                         bool
+	DelayedSenderInterval                time.Duration
 	FirebaseKeepaliveInterval            time.Duration
+	FirebasePollInterval                 time.Duration
+	FirebaseQuotaExceededPenaltyDuration time.Duration
+	UpstreamBaseURL                      string
 	SMTPSenderAddr                       string
 	SMTPSenderUser                       string
 	SMTPSenderPass                       string
@@ -83,10 +104,22 @@ type Config struct {
 	VisitorAttachmentDailyBandwidthLimit int
 	VisitorRequestLimitBurst             int
 	VisitorRequestLimitReplenish         time.Duration
-	VisitorRequestExemptIPAddrs          []string
+	VisitorRequestExemptIPAddrs          []netip.Prefix
 	VisitorEmailLimitBurst               int
 	VisitorEmailLimitReplenish           time.Duration
+	VisitorAccountCreateLimitBurst       int
+	VisitorAccountCreateLimitReplenish   time.Duration
+	VisitorStatsResetTime                time.Time // Time of the day at which to reset visitor stats
 	BehindProxy                          bool
+	StripeSecretKey                      string
+	StripeWebhookKey                     string
+	StripePriceCacheDuration             time.Duration
+	EnableWeb                            bool
+	EnableSignup                         bool // Enable creation of accounts via API and UI
+	EnableLogin                          bool
+	EnableReservations                   bool   // Allow users with role "user" to own/reserve topics
+	AccessControlAllowOrigin             string // CORS header field to restrict access from web clients
+	Version                              string // injected by App
 }

 // NewConfig instantiates a default new server config
@@ -96,34 +129,62 @@ func NewConfig() *Config {
 		ListenHTTP:                           DefaultListenHTTP,
 		ListenHTTPS:                          "",
 		ListenUnix:                           "",
+		ListenUnixMode:                       0,
 		KeyFile:                              "",
 		CertFile:                             "",
 		FirebaseKeyFile:                      "",
 		CacheFile:                            "",
 		CacheDuration:                        DefaultCacheDuration,
+		CacheStartupQueries:                  "",
+		CacheBatchSize:                       0,
+		CacheBatchTimeout:                    0,
 		AuthFile:                             "",
-		AuthDefaultRead:                      true,
-		AuthDefaultWrite:                     true,
+		AuthStartupQueries:                   "",
+		AuthDefault:                          user.NewPermission(true, true),
 		AttachmentCacheDir:                   "",
 		AttachmentTotalSizeLimit:             DefaultAttachmentTotalSizeLimit,
 		AttachmentFileSizeLimit:              DefaultAttachmentFileSizeLimit,
 		AttachmentExpiryDuration:             DefaultAttachmentExpiryDuration,
 		KeepaliveInterval:                    DefaultKeepaliveInterval,
 		ManagerInterval:                      DefaultManagerInterval,
+		WebRootIsApp:                         false,
+		DelayedSenderInterval:                DefaultDelayedSenderInterval,
+		FirebaseKeepaliveInterval:            DefaultFirebaseKeepaliveInterval,
+		FirebasePollInterval:                 DefaultFirebasePollInterval,
+		FirebaseQuotaExceededPenaltyDuration: DefaultFirebaseQuotaExceededPenaltyDuration,
+		UpstreamBaseURL:                      "",
+		SMTPSenderAddr:                       "",
+		SMTPSenderUser:                       "",
+		SMTPSenderPass:                       "",
+		SMTPSenderFrom:                       "",
+		SMTPServerListen:                     "",
+		SMTPServerDomain:                     "",
+		SMTPServerAddrPrefix:                 "",
 		MessageLimit:                         DefaultMessageLengthLimit,
 		MinDelay:                             DefaultMinDelay,
 		MaxDelay:                             DefaultMaxDelay,
-		AtSenderInterval:                     DefaultAtSenderInterval,
-		FirebaseKeepaliveInterval:            DefaultFirebaseKeepaliveInterval,
 		TotalTopicLimit:                      DefaultTotalTopicLimit,
+		TotalAttachmentSizeLimit:             0,
 		VisitorSubscriptionLimit:             DefaultVisitorSubscriptionLimit,
 		VisitorAttachmentTotalSizeLimit:      DefaultVisitorAttachmentTotalSizeLimit,
 		VisitorAttachmentDailyBandwidthLimit: DefaultVisitorAttachmentDailyBandwidthLimit,
 		VisitorRequestLimitBurst:             DefaultVisitorRequestLimitBurst,
 		VisitorRequestLimitReplenish:         DefaultVisitorRequestLimitReplenish,
-		VisitorRequestExemptIPAddrs:          make([]string, 0),
+		VisitorRequestExemptIPAddrs:          make([]netip.Prefix, 0),
 		VisitorEmailLimitBurst:               DefaultVisitorEmailLimitBurst,
 		VisitorEmailLimitReplenish:           DefaultVisitorEmailLimitReplenish,
+		VisitorAccountCreateLimitBurst:       DefaultVisitorAccountCreateLimitBurst,
+		VisitorAccountCreateLimitReplenish:   DefaultVisitorAccountCreateLimitReplenish,
+		VisitorStatsResetTime:                DefaultVisitorStatsResetTime,
 		BehindProxy:                          false,
+		StripeSecretKey:                      "",
+		StripeWebhookKey:                     "",
+		StripePriceCacheDuration:             DefaultStripePriceCacheDuration,
+		EnableWeb:                            true,
+		EnableSignup:                         false,
+		EnableLogin:                          false,
+		EnableReservations:                   false,
+		AccessControlAllowOrigin:             "*",
+		Version:                              "",
 	}
 }
--- a/server/errors.go
+++ b/server/errors.go
@@ -2,6 +2,7 @@ package server

 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 )

@@ -22,6 +23,15 @@ func (e errHTTP) JSON() string {
 	return string(b)
 }

+func wrapErrHTTP(err *errHTTP, message string, args ...any) *errHTTP {
+	return &errHTTP{
+		Code:     err.Code,
+		HTTPCode: err.HTTPCode,
+		Message:  fmt.Sprintf("%s, %s", err.Message, fmt.Sprintf(message, args...)),
+		Link:     err.Link,
+	}
+}
+
 var (
 	errHTTPBadRequestEmailDisabled                   = &errHTTP{40001, http.StatusBadRequest, "e-mail notifications are not enabled", "https://ntfy.sh/docs/config/#e-mail-notifications"}
 	errHTTPBadRequestDelayNoCache                    = &errHTTP{40002, http.StatusBadRequest, "cannot disable cache for delayed message", ""}
@@ -31,22 +41,43 @@ var (
 	errHTTPBadRequestDelayTooLarge                   = &errHTTP{40006, http.StatusBadRequest, "invalid delay parameter: too large, please refer to the docs", "https://ntfy.sh/docs/publish/#scheduled-delivery"}
 	errHTTPBadRequestPriorityInvalid                 = &errHTTP{40007, http.StatusBadRequest, "invalid priority parameter", "https://ntfy.sh/docs/publish/#message-priority"}
 	errHTTPBadRequestSinceInvalid                    = &errHTTP{40008, http.StatusBadRequest, "invalid since parameter", "https://ntfy.sh/docs/subscribe/api/#fetch-cached-messages"}
-	errHTTPBadRequestTopicInvalid                    = &errHTTP{40009, http.StatusBadRequest, "invalid topic: path invalid", ""}
-	errHTTPBadRequestTopicDisallowed                 = &errHTTP{40010, http.StatusBadRequest, "invalid topic: topic name is disallowed", ""}
+	errHTTPBadRequestTopicInvalid                    = &errHTTP{40009, http.StatusBadRequest, "invalid request: topic invalid", ""}
+	errHTTPBadRequestTopicDisallowed                 = &errHTTP{40010, http.StatusBadRequest, "invalid request: topic name is disallowed", ""}
 	errHTTPBadRequestMessageNotUTF8                  = &errHTTP{40011, http.StatusBadRequest, "invalid message: message must be UTF-8 encoded", ""}
-	errHTTPBadRequestAttachmentTooLarge              = &errHTTP{40012, http.StatusBadRequest, "invalid request: attachment too large, or bandwidth limit reached", ""}
-	errHTTPBadRequestAttachmentURLInvalid            = &errHTTP{40013, http.StatusBadRequest, "invalid request: attachment URL is invalid", ""}
-	errHTTPBadRequestAttachmentsDisallowed           = &errHTTP{40014, http.StatusBadRequest, "invalid request: attachments not allowed", ""}
-	errHTTPBadRequestAttachmentsExpiryBeforeDelivery = &errHTTP{40015, http.StatusBadRequest, "invalid request: attachment expiry before delayed delivery date", ""}
-	errHTTPBadRequestWebSocketsUpgradeHeaderMissing  = &errHTTP{40016, http.StatusBadRequest, "invalid request: client not using the websocket protocol", ""}
+	errHTTPBadRequestAttachmentURLInvalid            = &errHTTP{40013, http.StatusBadRequest, "invalid request: attachment URL is invalid", "https://ntfy.sh/docs/publish/#attachments"}
+	errHTTPBadRequestAttachmentsDisallowed           = &errHTTP{40014, http.StatusBadRequest, "invalid request: attachments not allowed", "https://ntfy.sh/docs/config/#attachments"}
+	errHTTPBadRequestAttachmentsExpiryBeforeDelivery = &errHTTP{40015, http.StatusBadRequest, "invalid request: attachment expiry before delayed delivery date", "https://ntfy.sh/docs/publish/#scheduled-delivery"}
+	errHTTPBadRequestWebSocketsUpgradeHeaderMissing  = &errHTTP{40016, http.StatusBadRequest, "invalid request: client not using the websocket protocol", "https://ntfy.sh/docs/subscribe/api/#websockets"}
+	errHTTPBadRequestMessageJSONInvalid              = &errHTTP{40017, http.StatusBadRequest, "invalid request: request body must be message JSON", "https://ntfy.sh/docs/publish/#publish-as-json"}
+	errHTTPBadRequestActionsInvalid                  = &errHTTP{40018, http.StatusBadRequest, "invalid request: actions invalid", "https://ntfy.sh/docs/publish/#action-buttons"}
+	errHTTPBadRequestMatrixMessageInvalid            = &errHTTP{40019, http.StatusBadRequest, "invalid request: Matrix JSON invalid", "https://ntfy.sh/docs/publish/#matrix-gateway"}
+	errHTTPBadRequestMatrixPushkeyBaseURLMismatch    = &errHTTP{40020, http.StatusBadRequest, "invalid request: push key must be prefixed with base URL", "https://ntfy.sh/docs/publish/#matrix-gateway"}
+	errHTTPBadRequestIconURLInvalid                  = &errHTTP{40021, http.StatusBadRequest, "invalid request: icon URL is invalid", "https://ntfy.sh/docs/publish/#icons"}
+	errHTTPBadRequestSignupNotEnabled                = &errHTTP{40022, http.StatusBadRequest, "invalid request: signup not enabled", "https://ntfy.sh/docs/config"}
+	errHTTPBadRequestNoTokenProvided                 = &errHTTP{40023, http.StatusBadRequest, "invalid request: no token provided", ""}
+	errHTTPBadRequestJSONInvalid                     = &errHTTP{40024, http.StatusBadRequest, "invalid request: request body must be valid JSON", ""}
+	errHTTPBadRequestPermissionInvalid               = &errHTTP{40025, http.StatusBadRequest, "invalid request: incorrect permission string", ""}
+	errHTTPBadRequestMakesNoSenseForAdmin            = &errHTTP{40026, http.StatusBadRequest, "invalid request: this makes no sense for admins", ""}
+	errHTTPBadRequestNotAPaidUser                    = &errHTTP{40027, http.StatusBadRequest, "invalid request: not a paid user", ""}
+	errHTTPBadRequestBillingRequestInvalid           = &errHTTP{40028, http.StatusBadRequest, "invalid request: not a valid billing request", ""}
+	errHTTPBadRequestBillingSubscriptionExists       = &errHTTP{40029, http.StatusBadRequest, "invalid request: billing subscription already exists", ""}
 	errHTTPNotFound                                  = &errHTTP{40401, http.StatusNotFound, "page not found", ""}
 	errHTTPUnauthorized                              = &errHTTP{40101, http.StatusUnauthorized, "unauthorized", "https://ntfy.sh/docs/publish/#authentication"}
 	errHTTPForbidden                                 = &errHTTP{40301, http.StatusForbidden, "forbidden", "https://ntfy.sh/docs/publish/#authentication"}
+	errHTTPConflictUserExists                        = &errHTTP{40901, http.StatusConflict, "conflict: user already exists", ""}
+	errHTTPConflictTopicReserved                     = &errHTTP{40902, http.StatusConflict, "conflict: access control entry for topic or topic pattern already exists", ""}
+	errHTTPEntityTooLargeAttachment                  = &errHTTP{41301, http.StatusRequestEntityTooLarge, "attachment too large, or bandwidth limit reached", "https://ntfy.sh/docs/publish/#limitations"}
+	errHTTPEntityTooLargeMatrixRequest               = &errHTTP{41302, http.StatusRequestEntityTooLarge, "Matrix request is larger than the max allowed length", ""}
+	errHTTPEntityTooLargeJSONBody                    = &errHTTP{41303, http.StatusRequestEntityTooLarge, "JSON body too large", ""}
 	errHTTPTooManyRequestsLimitRequests              = &errHTTP{42901, http.StatusTooManyRequests, "limit reached: too many requests, please be nice", "https://ntfy.sh/docs/publish/#limitations"}
 	errHTTPTooManyRequestsLimitEmails                = &errHTTP{42902, http.StatusTooManyRequests, "limit reached: too many emails, please be nice", "https://ntfy.sh/docs/publish/#limitations"}
 	errHTTPTooManyRequestsLimitSubscriptions         = &errHTTP{42903, http.StatusTooManyRequests, "limit reached: too many active subscriptions, please be nice", "https://ntfy.sh/docs/publish/#limitations"}
 	errHTTPTooManyRequestsLimitTotalTopics           = &errHTTP{42904, http.StatusTooManyRequests, "limit reached: the total number of topics on the server has been reached, please contact the admin", "https://ntfy.sh/docs/publish/#limitations"}
-	errHTTPTooManyRequestsAttachmentBandwidthLimit   = &errHTTP{42905, http.StatusTooManyRequests, "too many requests: daily bandwidth limit reached", "https://ntfy.sh/docs/publish/#limitations"}
+	errHTTPTooManyRequestsLimitAttachmentBandwidth   = &errHTTP{42905, http.StatusTooManyRequests, "limit reached: daily bandwidth", "https://ntfy.sh/docs/publish/#limitations"}
+	errHTTPTooManyRequestsLimitAccountCreation       = &errHTTP{42906, http.StatusTooManyRequests, "limit reached: too many accounts created", "https://ntfy.sh/docs/publish/#limitations"} // FIXME document limit
+	errHTTPTooManyRequestsLimitReservations          = &errHTTP{42907, http.StatusTooManyRequests, "limit reached: too many topic reservations for this user", ""}
+	errHTTPTooManyRequestsLimitMessages              = &errHTTP{42908, http.StatusTooManyRequests, "limit reached: too many messages", "https://ntfy.sh/docs/publish/#limitations"}
 	errHTTPInternalError                             = &errHTTP{50001, http.StatusInternalServerError, "internal server error", ""}
-	errHTTPInternalErrorInvalidFilePath              = &errHTTP{50002, http.StatusInternalServerError, "internal server error: invalid file path", ""}
+	errHTTPInternalErrorInvalidPath                  = &errHTTP{50002, http.StatusInternalServerError, "internal server error: invalid path", ""}
+	errHTTPInternalErrorMissingBaseURL               = &errHTTP{50003, http.StatusInternalServerError, "internal server error: base-url must be be configured for this feature", "https://ntfy.sh/docs/config/"}
 )
--- a/server/example.html
+++ b/server/example.html
@@ -1,56 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <title>ntfy.sh: EventSource Example</title>
-    <meta name="robots" content="noindex, nofollow" />
-    <style>
-        body { font-size: 1.2em; line-height: 130%; }
-        #events { font-family: monospace; }
-    </style>
-</head>
-<body>
-<h1>ntfy.sh: EventSource Example</h1>
-<p>
-    This is an example showing how to use <a href="https://ntfy.sh">ntfy.sh</a> with
-    <a href="https://developer.mozilla.org/en-US/docs/Web/API/EventSource">EventSource</a>.<br/>
-    This example doesn't need a server. You can just save the HTML page and run it from anywhere.
-</p>
-<button id="publishButton">Send test notification</button>
-<p><b>Log:</b></p>
-<div id="events"></div>
-
-<script type="text/javascript">
-    const publishURL = `https://ntfy.sh/example`;
-    const subscribeURL = `https://ntfy.sh/example/sse`;
-    const events = document.getElementById('events');
-    const eventSource = new EventSource(subscribeURL);
-
-    // Publish button
-    document.getElementById("publishButton").onclick = () => {
-        fetch(publishURL, {
-            method: 'POST', // works with PUT as well, though that sends an OPTIONS request too!
-            body: `It is ${new Date().toString()}. This is a test.`
-        })
-    };
-
-    // Incoming events
-    eventSource.onopen = () => {
-        let event = document.createElement('div');
-        event.innerHTML = `EventSource connected to ${subscribeURL}`;
-        events.appendChild(event);
-    };
-    eventSource.onerror = (e) => {
-        let event = document.createElement('div');
-        event.innerHTML = `EventSource error: Failed to connect to ${subscribeURL}`;
-        events.appendChild(event);
-    };
-    eventSource.onmessage = (e) => {
-        let event = document.createElement('div');
-        event.innerHTML = e.data;
-        events.appendChild(event);
-    };
-</script>
-
-</body>
-</html>
--- a/server/file_cache.go
+++ b/server/file_cache.go
@@ -2,6 +2,8 @@ package server

 import (
 	"errors"
+	"fmt"
+	"heckel.io/ntfy/log"
 	"heckel.io/ntfy/util"
 	"io"
 	"os"
@@ -11,7 +13,7 @@ import (
 )

 var (
-	fileIDRegex      = regexp.MustCompile(`^[-_A-Za-z0-9]+$`)
+	fileIDRegex      = regexp.MustCompile(fmt.Sprintf(`^[-_A-Za-z0-9]{%d}$`, messageIDLength))
 	errInvalidFileID = errors.New("invalid file ID")
 	errFileExists    = errors.New("file exists")
 )
@@ -20,11 +22,10 @@ type fileCache struct {
 	dir              string
 	totalSizeCurrent int64
 	totalSizeLimit   int64
-	fileSizeLimit    int64
 	mu               sync.Mutex
 }

-func newFileCache(dir string, totalSizeLimit int64, fileSizeLimit int64) (*fileCache, error) {
+func newFileCache(dir string, totalSizeLimit int64) (*fileCache, error) {
 	if err := os.MkdirAll(dir, 0700); err != nil {
 		return nil, err
 	}
@@ -36,7 +37,6 @@ func newFileCache(dir string, totalSizeLimit int64, fileSizeLimit int64) (*fileC
 		dir:              dir,
 		totalSizeCurrent: size,
 		totalSizeLimit:   totalSizeLimit,
-		fileSizeLimit:    fileSizeLimit,
 	}, nil
 }

@@ -53,7 +53,7 @@ func (c *fileCache) Write(id string, in io.Reader, limiters ...util.Limiter) (in
 		return 0, err
 	}
 	defer f.Close()
-	limiters = append(limiters, util.NewFixedLimiter(c.Remaining()), util.NewFixedLimiter(c.fileSizeLimit))
+	limiters = append(limiters, util.NewFixedLimiter(c.Remaining()))
 	limitWriter := util.NewLimitWriter(f, limiters...)
 	size, err := io.Copy(limitWriter, in)
 	if err != nil {
@@ -75,8 +75,11 @@ func (c *fileCache) Remove(ids ...string) error {
 		if !fileIDRegex.MatchString(id) {
 			return errInvalidFileID
 		}
+		log.Debug("File Cache: Deleting attachment %s", id)
 		file := filepath.Join(c.dir, id)
-		_ = os.Remove(file) // Best effort delete
+		if err := os.Remove(file); err != nil {
+			log.Debug("File Cache: Error deleting attachment %s: %s", id, err.Error())
+		}
 	}
 	size, err := dirSize(c.dir)
 	if err != nil {
--- a/server/file_cache_test.go
+++ b/server/file_cache_test.go
@@ -16,10 +16,10 @@ var (

 func TestFileCache_Write_Success(t *testing.T) {
 	dir, c := newTestFileCache(t)
-	size, err := c.Write("abc", strings.NewReader("normal file"), util.NewFixedLimiter(999))
+	size, err := c.Write("abcdefghijkl", strings.NewReader("normal file"), util.NewFixedLimiter(999))
 	require.Nil(t, err)
 	require.Equal(t, int64(11), size)
-	require.Equal(t, "normal file", readFile(t, dir+"/abc"))
+	require.Equal(t, "normal file", readFile(t, dir+"/abcdefghijkl"))
 	require.Equal(t, int64(11), c.Size())
 	require.Equal(t, int64(10229), c.Remaining())
 }
@@ -27,18 +27,18 @@ func TestFileCache_Write_Success(t *testing.T) {
 func TestFileCache_Write_Remove_Success(t *testing.T) {
 	dir, c := newTestFileCache(t) // max = 10k (10240), each = 1k (1024)
 	for i := 0; i < 10; i++ {     // 10x999 = 9990
-		size, err := c.Write(fmt.Sprintf("abc%d", i), bytes.NewReader(make([]byte, 999)))
+		size, err := c.Write(fmt.Sprintf("abcdefghijk%d", i), bytes.NewReader(make([]byte, 999)))
 		require.Nil(t, err)
 		require.Equal(t, int64(999), size)
 	}
 	require.Equal(t, int64(9990), c.Size())
 	require.Equal(t, int64(250), c.Remaining())
-	require.FileExists(t, dir+"/abc1")
-	require.FileExists(t, dir+"/abc5")
+	require.FileExists(t, dir+"/abcdefghijk1")
+	require.FileExists(t, dir+"/abcdefghijk5")

-	require.Nil(t, c.Remove("abc1", "abc5"))
-	require.NoFileExists(t, dir+"/abc1")
-	require.NoFileExists(t, dir+"/abc5")
+	require.Nil(t, c.Remove("abcdefghijk1", "abcdefghijk5"))
+	require.NoFileExists(t, dir+"/abcdefghijk1")
+	require.NoFileExists(t, dir+"/abcdefghijk5")
 	require.Equal(t, int64(7992), c.Size())
 	require.Equal(t, int64(2248), c.Remaining())
 }
@@ -46,32 +46,25 @@ func TestFileCache_Write_Remove_Success(t *testing.T) {
 func TestFileCache_Write_FailedTotalSizeLimit(t *testing.T) {
 	dir, c := newTestFileCache(t)
 	for i := 0; i < 10; i++ {
-		size, err := c.Write(fmt.Sprintf("abc%d", i), bytes.NewReader(oneKilobyteArray))
+		size, err := c.Write(fmt.Sprintf("abcdefghijk%d", i), bytes.NewReader(oneKilobyteArray))
 		require.Nil(t, err)
 		require.Equal(t, int64(1024), size)
 	}
-	_, err := c.Write("abc11", bytes.NewReader(oneKilobyteArray))
+	_, err := c.Write("abcdefghijkX", bytes.NewReader(oneKilobyteArray))
 	require.Equal(t, util.ErrLimitReached, err)
-	require.NoFileExists(t, dir+"/abc11")
-}
-
-func TestFileCache_Write_FailedFileSizeLimit(t *testing.T) {
-	dir, c := newTestFileCache(t)
-	_, err := c.Write("abc", bytes.NewReader(make([]byte, 1025)))
-	require.Equal(t, util.ErrLimitReached, err)
-	require.NoFileExists(t, dir+"/abc")
+	require.NoFileExists(t, dir+"/abcdefghijkX")
 }

 func TestFileCache_Write_FailedAdditionalLimiter(t *testing.T) {
 	dir, c := newTestFileCache(t)
-	_, err := c.Write("abc", bytes.NewReader(make([]byte, 1001)), util.NewFixedLimiter(1000))
+	_, err := c.Write("abcdefghijkl", bytes.NewReader(make([]byte, 1001)), util.NewFixedLimiter(1000))
 	require.Equal(t, util.ErrLimitReached, err)
-	require.NoFileExists(t, dir+"/abc")
+	require.NoFileExists(t, dir+"/abcdefghijkl")
 }

 func newTestFileCache(t *testing.T) (dir string, cache *fileCache) {
 	dir = t.TempDir()
-	cache, err := newFileCache(dir, 10*1024, 1*1024)
+	cache, err := newFileCache(dir, 10*1024)
 	require.Nil(t, err)
 	return dir, cache
 }
--- a/server/message_cache.go
+++ b/server/message_cache.go
@@ -0,0 +1,860 @@
+package server
+
+import (
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/netip"
+	"strings"
+	"time"
+
+	_ "github.com/mattn/go-sqlite3" // SQLite driver
+	"heckel.io/ntfy/log"
+	"heckel.io/ntfy/util"
+)
+
+var (
+	errUnexpectedMessageType = errors.New("unexpected message type")
+)
+
+// Messages cache
+const (
+	createMessagesTableQuery = `
+		BEGIN;
+		CREATE TABLE IF NOT EXISTS messages (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			mid TEXT NOT NULL,
+			time INT NOT NULL,
+			expires INT NOT NULL,
+			topic TEXT NOT NULL,
+			message TEXT NOT NULL,
+			title TEXT NOT NULL,
+			priority INT NOT NULL,
+			tags TEXT NOT NULL,
+			click TEXT NOT NULL,
+			icon TEXT NOT NULL,			
+			actions TEXT NOT NULL,
+			attachment_name TEXT NOT NULL,
+			attachment_type TEXT NOT NULL,
+			attachment_size INT NOT NULL,
+			attachment_expires INT NOT NULL,
+			attachment_url TEXT NOT NULL,
+			attachment_deleted INT NOT NULL,
+			sender TEXT NOT NULL,
+			user TEXT NOT NULL,
+			encoding TEXT NOT NULL,
+			published INT NOT NULL
+		);
+		CREATE INDEX IF NOT EXISTS idx_mid ON messages (mid);
+		CREATE INDEX IF NOT EXISTS idx_time ON messages (time);
+		CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
+		CREATE INDEX IF NOT EXISTS idx_expires ON messages (expires);
+		CREATE INDEX IF NOT EXISTS idx_attachment_expires ON messages (attachment_expires);
+		COMMIT;
+	`
+	insertMessageQuery = `
+		INSERT INTO messages (mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, attachment_deleted, sender, user, encoding, published)
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+	`
+	deleteMessageQuery                = `DELETE FROM messages WHERE mid = ?`
+	updateMessagesForTopicExpiryQuery = `UPDATE messages SET expires = ? WHERE topic = ?`
+	selectRowIDFromMessageID          = `SELECT id FROM messages WHERE mid = ?` // Do not include topic, see #336 and TestServer_PollSinceID_MultipleTopics
+	selectMessagesSinceTimeQuery      = `
+		SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, encoding
+		FROM messages 
+		WHERE topic = ? AND time >= ? AND published = 1
+		ORDER BY time, id
+	`
+	selectMessagesSinceTimeIncludeScheduledQuery = `
+		SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, encoding
+		FROM messages 
+		WHERE topic = ? AND time >= ?
+		ORDER BY time, id
+	`
+	selectMessagesSinceIDQuery = `
+		SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, encoding
+		FROM messages 
+		WHERE topic = ? AND id > ? AND published = 1 
+		ORDER BY time, id
+	`
+	selectMessagesSinceIDIncludeScheduledQuery = `
+		SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, encoding
+		FROM messages 
+		WHERE topic = ? AND (id > ? OR published = 0)
+		ORDER BY time, id
+	`
+	selectMessagesDueQuery = `
+		SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, encoding
+		FROM messages 
+		WHERE time <= ? AND published = 0
+		ORDER BY time, id
+	`
+	selectMessagesExpiredQuery      = `SELECT mid FROM messages WHERE expires <= ? AND published = 1`
+	updateMessagePublishedQuery     = `UPDATE messages SET published = 1 WHERE mid = ?`
+	selectMessagesCountQuery        = `SELECT COUNT(*) FROM messages`
+	selectMessageCountPerTopicQuery = `SELECT topic, COUNT(*) FROM messages GROUP BY topic`
+	selectTopicsQuery               = `SELECT topic FROM messages GROUP BY topic`
+
+	updateAttachmentDeleted            = `UPDATE messages SET attachment_deleted = 1 WHERE mid = ?`
+	selectAttachmentsExpiredQuery      = `SELECT mid FROM messages WHERE attachment_expires > 0 AND attachment_expires <= ? AND attachment_deleted = 0`
+	selectAttachmentsSizeBySenderQuery = `SELECT IFNULL(SUM(attachment_size), 0) FROM messages WHERE sender = ? AND attachment_expires >= ?`
+	selectAttachmentsSizeByUserQuery   = `SELECT IFNULL(SUM(attachment_size), 0) FROM messages WHERE user = ? AND attachment_expires >= ?`
+)
+
+// Schema management queries
+const (
+	currentSchemaVersion          = 10
+	createSchemaVersionTableQuery = `
+		CREATE TABLE IF NOT EXISTS schemaVersion (
+			id INT PRIMARY KEY,
+			version INT NOT NULL
+		);
+	`
+	insertSchemaVersion      = `INSERT INTO schemaVersion VALUES (1, ?)`
+	updateSchemaVersion      = `UPDATE schemaVersion SET version = ? WHERE id = 1`
+	selectSchemaVersionQuery = `SELECT version FROM schemaVersion WHERE id = 1`
+
+	// 0 -> 1
+	migrate0To1AlterMessagesTableQuery = `
+		BEGIN;
+		ALTER TABLE messages ADD COLUMN title TEXT NOT NULL DEFAULT('');
+		ALTER TABLE messages ADD COLUMN priority INT NOT NULL DEFAULT(0);
+		ALTER TABLE messages ADD COLUMN tags TEXT NOT NULL DEFAULT('');
+		COMMIT;
+	`
+
+	// 1 -> 2
+	migrate1To2AlterMessagesTableQuery = `
+		ALTER TABLE messages ADD COLUMN published INT NOT NULL DEFAULT(1);
+	`
+
+	// 2 -> 3
+	migrate2To3AlterMessagesTableQuery = `
+		BEGIN;
+		ALTER TABLE messages ADD COLUMN click TEXT NOT NULL DEFAULT('');
+		ALTER TABLE messages ADD COLUMN attachment_name TEXT NOT NULL DEFAULT('');
+		ALTER TABLE messages ADD COLUMN attachment_type TEXT NOT NULL DEFAULT('');
+		ALTER TABLE messages ADD COLUMN attachment_size INT NOT NULL DEFAULT('0');
+		ALTER TABLE messages ADD COLUMN attachment_expires INT NOT NULL DEFAULT('0');
+		ALTER TABLE messages ADD COLUMN attachment_owner TEXT NOT NULL DEFAULT('');
+		ALTER TABLE messages ADD COLUMN attachment_url TEXT NOT NULL DEFAULT('');
+		COMMIT;
+	`
+	// 3 -> 4
+	migrate3To4AlterMessagesTableQuery = `
+		ALTER TABLE messages ADD COLUMN encoding TEXT NOT NULL DEFAULT('');
+	`
+
+	// 4 -> 5
+	migrate4To5AlterMessagesTableQuery = `
+		BEGIN;
+		CREATE TABLE IF NOT EXISTS messages_new (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			mid TEXT NOT NULL,
+			time INT NOT NULL,
+			topic TEXT NOT NULL,
+			message TEXT NOT NULL,
+			title TEXT NOT NULL,
+			priority INT NOT NULL,
+			tags TEXT NOT NULL,
+			click TEXT NOT NULL,
+			attachment_name TEXT NOT NULL,
+			attachment_type TEXT NOT NULL,
+			attachment_size INT NOT NULL,
+			attachment_expires INT NOT NULL,
+			attachment_url TEXT NOT NULL,
+			attachment_owner TEXT NOT NULL,
+			encoding TEXT NOT NULL,
+			published INT NOT NULL
+		);
+		CREATE INDEX IF NOT EXISTS idx_mid ON messages_new (mid);
+		CREATE INDEX IF NOT EXISTS idx_topic ON messages_new (topic);
+		INSERT 
+			INTO messages_new (
+				mid, time, topic, message, title, priority, tags, click, attachment_name, attachment_type, 
+				attachment_size, attachment_expires, attachment_url, attachment_owner, encoding, published)
+			SELECT
+				id, time, topic, message, title, priority, tags, click, attachment_name, attachment_type, 
+				attachment_size, attachment_expires, attachment_url, attachment_owner, encoding, published
+			FROM messages;
+		DROP TABLE messages;
+		ALTER TABLE messages_new RENAME TO messages;
+		COMMIT;
+	`
+
+	// 5 -> 6
+	migrate5To6AlterMessagesTableQuery = `
+		ALTER TABLE messages ADD COLUMN actions TEXT NOT NULL DEFAULT('');
+	`
+
+	// 6 -> 7
+	migrate6To7AlterMessagesTableQuery = `
+		ALTER TABLE messages RENAME COLUMN attachment_owner TO sender;
+	`
+
+	// 7 -> 8
+	migrate7To8AlterMessagesTableQuery = `
+		ALTER TABLE messages ADD COLUMN icon TEXT NOT NULL DEFAULT('');
+	`
+
+	// 8 -> 9
+	migrate8To9AlterMessagesTableQuery = `
+		CREATE INDEX IF NOT EXISTS idx_time ON messages (time);	
+	`
+
+	// 9 -> 10
+	migrate9To10AlterMessagesTableQuery = `
+		ALTER TABLE messages ADD COLUMN user TEXT NOT NULL DEFAULT('');
+		ALTER TABLE messages ADD COLUMN attachment_deleted INT NOT NULL DEFAULT('0');
+		ALTER TABLE messages ADD COLUMN expires INT NOT NULL DEFAULT('0');
+		CREATE INDEX IF NOT EXISTS idx_expires ON messages (expires);
+		CREATE INDEX IF NOT EXISTS idx_attachment_expires ON messages (attachment_expires);
+	`
+	migrate9To10UpdateMessageExpiryQuery = `UPDATE messages SET expires = time + ?`
+)
+
+var (
+	migrations = map[int]func(db *sql.DB, cacheDuration time.Duration) error{
+		0: migrateFrom0,
+		1: migrateFrom1,
+		2: migrateFrom2,
+		3: migrateFrom3,
+		4: migrateFrom4,
+		5: migrateFrom5,
+		6: migrateFrom6,
+		7: migrateFrom7,
+		8: migrateFrom8,
+		9: migrateFrom9,
+	}
+)
+
+type messageCache struct {
+	db    *sql.DB
+	queue *util.BatchingQueue[*message]
+	nop   bool
+}
+
+// newSqliteCache creates a SQLite file-backed cache
+func newSqliteCache(filename, startupQueries string, cacheDuration time.Duration, batchSize int, batchTimeout time.Duration, nop bool) (*messageCache, error) {
+	db, err := sql.Open("sqlite3", filename)
+	if err != nil {
+		return nil, err
+	}
+	if err := setupDB(db, startupQueries, cacheDuration); err != nil {
+		return nil, err
+	}
+	var queue *util.BatchingQueue[*message]
+	if batchSize > 0 || batchTimeout > 0 {
+		queue = util.NewBatchingQueue[*message](batchSize, batchTimeout)
+	}
+	cache := &messageCache{
+		db:    db,
+		queue: queue,
+		nop:   nop,
+	}
+	go cache.processMessageBatches()
+	return cache, nil
+}
+
+// newMemCache creates an in-memory cache
+func newMemCache() (*messageCache, error) {
+	return newSqliteCache(createMemoryFilename(), "", 0, 0, 0, false)
+}
+
+// newNopCache creates an in-memory cache that discards all messages;
+// it is always empty and can be used if caching is entirely disabled
+func newNopCache() (*messageCache, error) {
+	return newSqliteCache(createMemoryFilename(), "", 0, 0, 0, true)
+}
+
+// createMemoryFilename creates a unique memory filename to use for the SQLite backend.
+// From mattn/go-sqlite3: "Each connection to ":memory:" opens a brand new in-memory
+// sql database, so if the stdlib's sql engine happens to open another connection and
+// you've only specified ":memory:", that connection will see a brand new database.
+// A workaround is to use "file::memory:?cache=shared" (or "file:foobar?mode=memory&cache=shared").
+// Every connection to this string will point to the same in-memory database."
+func createMemoryFilename() string {
+	return fmt.Sprintf("file:%s?mode=memory&cache=shared", util.RandomString(10))
+}
+
+// AddMessage stores a message to the message cache synchronously, or queues it to be stored at a later date asyncronously.
+// The message is queued only if "batchSize" or "batchTimeout" are passed to the constructor.
+func (c *messageCache) AddMessage(m *message) error {
+	if c.queue != nil {
+		c.queue.Enqueue(m)
+		return nil
+	}
+	return c.addMessages([]*message{m})
+}
+
+// addMessages synchronously stores a match of messages. If the database is locked, the transaction waits until
+// SQLite's busy_timeout is exceeded before erroring out.
+func (c *messageCache) addMessages(ms []*message) error {
+	if c.nop {
+		return nil
+	}
+	if len(ms) == 0 {
+		return nil
+	}
+	start := time.Now()
+	tx, err := c.db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+	stmt, err := tx.Prepare(insertMessageQuery)
+	if err != nil {
+		return err
+	}
+	defer stmt.Close()
+	for _, m := range ms {
+		if m.Event != messageEvent {
+			return errUnexpectedMessageType
+		}
+		published := m.Time <= time.Now().Unix()
+		tags := strings.Join(m.Tags, ",")
+		var attachmentName, attachmentType, attachmentURL string
+		var attachmentSize, attachmentExpires, attachmentDeleted int64
+		if m.Attachment != nil {
+			attachmentName = m.Attachment.Name
+			attachmentType = m.Attachment.Type
+			attachmentSize = m.Attachment.Size
+			attachmentExpires = m.Attachment.Expires
+			attachmentURL = m.Attachment.URL
+		}
+		var actionsStr string
+		if len(m.Actions) > 0 {
+			actionsBytes, err := json.Marshal(m.Actions)
+			if err != nil {
+				return err
+			}
+			actionsStr = string(actionsBytes)
+		}
+		var sender string
+		if m.Sender.IsValid() {
+			sender = m.Sender.String()
+		}
+		_, err := stmt.Exec(
+			m.ID,
+			m.Time,
+			m.Expires,
+			m.Topic,
+			m.Message,
+			m.Title,
+			m.Priority,
+			tags,
+			m.Click,
+			m.Icon,
+			actionsStr,
+			attachmentName,
+			attachmentType,
+			attachmentSize,
+			attachmentExpires,
+			attachmentURL,
+			attachmentDeleted, // Always zero
+			sender,
+			m.User,
+			m.Encoding,
+			published,
+		)
+		if err != nil {
+			return err
+		}
+	}
+	if err := tx.Commit(); err != nil {
+		log.Error("Message Cache: Writing %d message(s) failed (took %v)", len(ms), time.Since(start))
+		return err
+	}
+	log.Debug("Message Cache: Wrote %d message(s) in %v", len(ms), time.Since(start))
+	return nil
+}
+
+func (c *messageCache) Messages(topic string, since sinceMarker, scheduled bool) ([]*message, error) {
+	if since.IsNone() {
+		return make([]*message, 0), nil
+	} else if since.IsID() {
+		return c.messagesSinceID(topic, since, scheduled)
+	}
+	return c.messagesSinceTime(topic, since, scheduled)
+}
+
+func (c *messageCache) messagesSinceTime(topic string, since sinceMarker, scheduled bool) ([]*message, error) {
+	var rows *sql.Rows
+	var err error
+	if scheduled {
+		rows, err = c.db.Query(selectMessagesSinceTimeIncludeScheduledQuery, topic, since.Time().Unix())
+	} else {
+		rows, err = c.db.Query(selectMessagesSinceTimeQuery, topic, since.Time().Unix())
+	}
+	if err != nil {
+		return nil, err
+	}
+	return readMessages(rows)
+}
+
+func (c *messageCache) messagesSinceID(topic string, since sinceMarker, scheduled bool) ([]*message, error) {
+	idrows, err := c.db.Query(selectRowIDFromMessageID, since.ID())
+	if err != nil {
+		return nil, err
+	}
+	defer idrows.Close()
+	if !idrows.Next() {
+		return c.messagesSinceTime(topic, sinceAllMessages, scheduled)
+	}
+	var rowID int64
+	if err := idrows.Scan(&rowID); err != nil {
+		return nil, err
+	}
+	idrows.Close()
+	var rows *sql.Rows
+	if scheduled {
+		rows, err = c.db.Query(selectMessagesSinceIDIncludeScheduledQuery, topic, rowID)
+	} else {
+		rows, err = c.db.Query(selectMessagesSinceIDQuery, topic, rowID)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return readMessages(rows)
+}
+
+func (c *messageCache) MessagesDue() ([]*message, error) {
+	rows, err := c.db.Query(selectMessagesDueQuery, time.Now().Unix())
+	if err != nil {
+		return nil, err
+	}
+	return readMessages(rows)
+}
+
+// MessagesExpired returns a list of IDs for messages that have expires (should be deleted)
+func (c *messageCache) MessagesExpired() ([]string, error) {
+	rows, err := c.db.Query(selectMessagesExpiredQuery, time.Now().Unix())
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	ids := make([]string, 0)
+	for rows.Next() {
+		var id string
+		if err := rows.Scan(&id); err != nil {
+			return nil, err
+		}
+		ids = append(ids, id)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return ids, nil
+}
+
+func (c *messageCache) MarkPublished(m *message) error {
+	_, err := c.db.Exec(updateMessagePublishedQuery, m.ID)
+	return err
+}
+
+func (c *messageCache) MessageCounts() (map[string]int, error) {
+	rows, err := c.db.Query(selectMessageCountPerTopicQuery)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var topic string
+	var count int
+	counts := make(map[string]int)
+	for rows.Next() {
+		if err := rows.Scan(&topic, &count); err != nil {
+			return nil, err
+		} else if err := rows.Err(); err != nil {
+			return nil, err
+		}
+		counts[topic] = count
+	}
+	return counts, nil
+}
+
+func (c *messageCache) Topics() (map[string]*topic, error) {
+	rows, err := c.db.Query(selectTopicsQuery)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	topics := make(map[string]*topic)
+	for rows.Next() {
+		var id string
+		if err := rows.Scan(&id); err != nil {
+			return nil, err
+		}
+		topics[id] = newTopic(id)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return topics, nil
+}
+
+func (c *messageCache) DeleteMessages(ids ...string) error {
+	tx, err := c.db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+	for _, id := range ids {
+		if _, err := tx.Exec(deleteMessageQuery, id); err != nil {
+			return err
+		}
+	}
+	return tx.Commit()
+}
+
+func (c *messageCache) ExpireMessages(topics ...string) error {
+	tx, err := c.db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+	for _, t := range topics {
+		if _, err := tx.Exec(updateMessagesForTopicExpiryQuery, time.Now().Unix(), t); err != nil {
+			return err
+		}
+	}
+	return tx.Commit()
+}
+
+func (c *messageCache) AttachmentsExpired() ([]string, error) {
+	rows, err := c.db.Query(selectAttachmentsExpiredQuery, time.Now().Unix())
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	ids := make([]string, 0)
+	for rows.Next() {
+		var id string
+		if err := rows.Scan(&id); err != nil {
+			return nil, err
+		}
+		ids = append(ids, id)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return ids, nil
+}
+
+func (c *messageCache) MarkAttachmentsDeleted(ids ...string) error {
+	tx, err := c.db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+	for _, id := range ids {
+		if _, err := tx.Exec(updateAttachmentDeleted, id); err != nil {
+			return err
+		}
+	}
+	return tx.Commit()
+}
+
+func (c *messageCache) AttachmentBytesUsedBySender(sender string) (int64, error) {
+	rows, err := c.db.Query(selectAttachmentsSizeBySenderQuery, sender, time.Now().Unix())
+	if err != nil {
+		return 0, err
+	}
+	return c.readAttachmentBytesUsed(rows)
+}
+
+func (c *messageCache) AttachmentBytesUsedByUser(user string) (int64, error) {
+	rows, err := c.db.Query(selectAttachmentsSizeByUserQuery, user, time.Now().Unix())
+	if err != nil {
+		return 0, err
+	}
+	return c.readAttachmentBytesUsed(rows)
+}
+
+func (c *messageCache) readAttachmentBytesUsed(rows *sql.Rows) (int64, error) {
+	defer rows.Close()
+	var size int64
+	if !rows.Next() {
+		return 0, errors.New("no rows found")
+	}
+	if err := rows.Scan(&size); err != nil {
+		return 0, err
+	} else if err := rows.Err(); err != nil {
+		return 0, err
+	}
+	return size, nil
+}
+
+func (c *messageCache) processMessageBatches() {
+	if c.queue == nil {
+		return
+	}
+	for messages := range c.queue.Dequeue() {
+		if err := c.addMessages(messages); err != nil {
+			log.Error("Message Cache: %s", err.Error())
+		}
+	}
+}
+
+func readMessages(rows *sql.Rows) ([]*message, error) {
+	defer rows.Close()
+	messages := make([]*message, 0)
+	for rows.Next() {
+		var timestamp, expires, attachmentSize, attachmentExpires int64
+		var priority int
+		var id, topic, msg, title, tagsStr, click, icon, actionsStr, attachmentName, attachmentType, attachmentURL, sender, user, encoding string
+		err := rows.Scan(
+			&id,
+			&timestamp,
+			&expires,
+			&topic,
+			&msg,
+			&title,
+			&priority,
+			&tagsStr,
+			&click,
+			&icon,
+			&actionsStr,
+			&attachmentName,
+			&attachmentType,
+			&attachmentSize,
+			&attachmentExpires,
+			&attachmentURL,
+			&sender,
+			&user,
+			&encoding,
+		)
+		if err != nil {
+			return nil, err
+		}
+		var tags []string
+		if tagsStr != "" {
+			tags = strings.Split(tagsStr, ",")
+		}
+		var actions []*action
+		if actionsStr != "" {
+			if err := json.Unmarshal([]byte(actionsStr), &actions); err != nil {
+				return nil, err
+			}
+		}
+		senderIP, err := netip.ParseAddr(sender)
+		if err != nil {
+			senderIP = netip.Addr{} // if no IP stored in database, return invalid address
+		}
+		var att *attachment
+		if attachmentName != "" && attachmentURL != "" {
+			att = &attachment{
+				Name:    attachmentName,
+				Type:    attachmentType,
+				Size:    attachmentSize,
+				Expires: attachmentExpires,
+				URL:     attachmentURL,
+			}
+		}
+		messages = append(messages, &message{
+			ID:         id,
+			Time:       timestamp,
+			Expires:    expires,
+			Event:      messageEvent,
+			Topic:      topic,
+			Message:    msg,
+			Title:      title,
+			Priority:   priority,
+			Tags:       tags,
+			Click:      click,
+			Icon:       icon,
+			Actions:    actions,
+			Attachment: att,
+			Sender:     senderIP, // Must parse assuming database must be correct
+			User:       user,
+			Encoding:   encoding,
+		})
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return messages, nil
+}
+
+func setupDB(db *sql.DB, startupQueries string, cacheDuration time.Duration) error {
+	// Run startup queries
+	if startupQueries != "" {
+		if _, err := db.Exec(startupQueries); err != nil {
+			return err
+		}
+	}
+
+	// If 'messages' table does not exist, this must be a new database
+	rowsMC, err := db.Query(selectMessagesCountQuery)
+	if err != nil {
+		return setupNewCacheDB(db)
+	}
+	rowsMC.Close()
+
+	// If 'messages' table exists, check 'schemaVersion' table
+	schemaVersion := 0
+	rowsSV, err := db.Query(selectSchemaVersionQuery)
+	if err == nil {
+		defer rowsSV.Close()
+		if !rowsSV.Next() {
+			return errors.New("cannot determine schema version: cache file may be corrupt")
+		}
+		if err := rowsSV.Scan(&schemaVersion); err != nil {
+			return err
+		}
+		rowsSV.Close()
+	}
+
+	// Do migrations
+	if schemaVersion == currentSchemaVersion {
+		return nil
+	} else if schemaVersion > currentSchemaVersion {
+		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, currentSchemaVersion)
+	}
+	for i := schemaVersion; i < currentSchemaVersion; i++ {
+		fn, ok := migrations[i]
+		if !ok {
+			return fmt.Errorf("cannot find migration step from schema version %d to %d", i, i+1)
+		} else if err := fn(db, cacheDuration); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func setupNewCacheDB(db *sql.DB) error {
+	if _, err := db.Exec(createMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(createSchemaVersionTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(insertSchemaVersion, currentSchemaVersion); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom0(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 0 to 1")
+	if _, err := db.Exec(migrate0To1AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(createSchemaVersionTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(insertSchemaVersion, 1); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom1(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 1 to 2")
+	if _, err := db.Exec(migrate1To2AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(updateSchemaVersion, 2); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom2(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 2 to 3")
+	if _, err := db.Exec(migrate2To3AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(updateSchemaVersion, 3); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom3(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 3 to 4")
+	if _, err := db.Exec(migrate3To4AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(updateSchemaVersion, 4); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom4(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 4 to 5")
+	if _, err := db.Exec(migrate4To5AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(updateSchemaVersion, 5); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom5(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 5 to 6")
+	if _, err := db.Exec(migrate5To6AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(updateSchemaVersion, 6); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom6(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 6 to 7")
+	if _, err := db.Exec(migrate6To7AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(updateSchemaVersion, 7); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom7(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 7 to 8")
+	if _, err := db.Exec(migrate7To8AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(updateSchemaVersion, 8); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom8(db *sql.DB, _ time.Duration) error {
+	log.Info("Migrating cache database schema: from 8 to 9")
+	if _, err := db.Exec(migrate8To9AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := db.Exec(updateSchemaVersion, 9); err != nil {
+		return err
+	}
+	return nil
+}
+
+func migrateFrom9(db *sql.DB, cacheDuration time.Duration) error {
+	log.Info("Migrating cache database schema: from 9 to 10")
+	tx, err := db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+	if _, err := tx.Exec(migrate9To10AlterMessagesTableQuery); err != nil {
+		return err
+	}
+	if _, err := tx.Exec(migrate9To10UpdateMessageExpiryQuery, int64(cacheDuration.Seconds())); err != nil {
+		return err
+	}
+	if _, err := tx.Exec(updateSchemaVersion, 10); err != nil {
+		return err
+	}
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+	return nil // Update this when a new version is added
+}
--- a/server/message_cache_test.go
+++ b/server/message_cache_test.go
@@ -0,0 +1,714 @@
+package server
+
+import (
+	"database/sql"
+	"fmt"
+	"net/netip"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	exampleIP1234 = netip.MustParseAddr("1.2.3.4")
+)
+
+func TestSqliteCache_Messages(t *testing.T) {
+	testCacheMessages(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_Messages(t *testing.T) {
+	testCacheMessages(t, newMemTestCache(t))
+}
+
+func testCacheMessages(t *testing.T, c *messageCache) {
+	m1 := newDefaultMessage("mytopic", "my message")
+	m1.Time = 1
+
+	m2 := newDefaultMessage("mytopic", "my other message")
+	m2.Time = 2
+
+	require.Nil(t, c.AddMessage(m1))
+	require.Nil(t, c.AddMessage(newDefaultMessage("example", "my example message")))
+	require.Nil(t, c.AddMessage(m2))
+
+	// Adding invalid
+	require.Equal(t, errUnexpectedMessageType, c.AddMessage(newKeepaliveMessage("mytopic"))) // These should not be added!
+	require.Equal(t, errUnexpectedMessageType, c.AddMessage(newOpenMessage("example")))      // These should not be added!
+
+	// mytopic: count
+	counts, err := c.MessageCounts()
+	require.Nil(t, err)
+	require.Equal(t, 2, counts["mytopic"])
+
+	// mytopic: since all
+	messages, _ := c.Messages("mytopic", sinceAllMessages, false)
+	require.Equal(t, 2, len(messages))
+	require.Equal(t, "my message", messages[0].Message)
+	require.Equal(t, "mytopic", messages[0].Topic)
+	require.Equal(t, messageEvent, messages[0].Event)
+	require.Equal(t, "", messages[0].Title)
+	require.Equal(t, 0, messages[0].Priority)
+	require.Nil(t, messages[0].Tags)
+	require.Equal(t, "my other message", messages[1].Message)
+
+	// mytopic: since none
+	messages, _ = c.Messages("mytopic", sinceNoMessages, false)
+	require.Empty(t, messages)
+
+	// mytopic: since m1 (by ID)
+	messages, _ = c.Messages("mytopic", newSinceID(m1.ID), false)
+	require.Equal(t, 1, len(messages))
+	require.Equal(t, m2.ID, messages[0].ID)
+	require.Equal(t, "my other message", messages[0].Message)
+	require.Equal(t, "mytopic", messages[0].Topic)
+
+	// mytopic: since 2
+	messages, _ = c.Messages("mytopic", newSinceTime(2), false)
+	require.Equal(t, 1, len(messages))
+	require.Equal(t, "my other message", messages[0].Message)
+
+	// example: count
+	counts, err = c.MessageCounts()
+	require.Nil(t, err)
+	require.Equal(t, 1, counts["example"])
+
+	// example: since all
+	messages, _ = c.Messages("example", sinceAllMessages, false)
+	require.Equal(t, "my example message", messages[0].Message)
+
+	// non-existing: count
+	counts, err = c.MessageCounts()
+	require.Nil(t, err)
+	require.Equal(t, 0, counts["doesnotexist"])
+
+	// non-existing: since all
+	messages, _ = c.Messages("doesnotexist", sinceAllMessages, false)
+	require.Empty(t, messages)
+}
+
+func TestSqliteCache_MessagesScheduled(t *testing.T) {
+	testCacheMessagesScheduled(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_MessagesScheduled(t *testing.T) {
+	testCacheMessagesScheduled(t, newMemTestCache(t))
+}
+
+func testCacheMessagesScheduled(t *testing.T, c *messageCache) {
+	m1 := newDefaultMessage("mytopic", "message 1")
+	m2 := newDefaultMessage("mytopic", "message 2")
+	m2.Time = time.Now().Add(time.Hour).Unix()
+	m3 := newDefaultMessage("mytopic", "message 3")
+	m3.Time = time.Now().Add(time.Minute).Unix() // earlier than m2!
+	m4 := newDefaultMessage("mytopic2", "message 4")
+	m4.Time = time.Now().Add(time.Minute).Unix()
+	require.Nil(t, c.AddMessage(m1))
+	require.Nil(t, c.AddMessage(m2))
+	require.Nil(t, c.AddMessage(m3))
+
+	messages, _ := c.Messages("mytopic", sinceAllMessages, false) // exclude scheduled
+	require.Equal(t, 1, len(messages))
+	require.Equal(t, "message 1", messages[0].Message)
+
+	messages, _ = c.Messages("mytopic", sinceAllMessages, true) // include scheduled
+	require.Equal(t, 3, len(messages))
+	require.Equal(t, "message 1", messages[0].Message)
+	require.Equal(t, "message 3", messages[1].Message) // Order!
+	require.Equal(t, "message 2", messages[2].Message)
+
+	messages, _ = c.MessagesDue()
+	require.Empty(t, messages)
+}
+
+func TestSqliteCache_Topics(t *testing.T) {
+	testCacheTopics(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_Topics(t *testing.T) {
+	testCacheTopics(t, newMemTestCache(t))
+}
+
+func testCacheTopics(t *testing.T, c *messageCache) {
+	require.Nil(t, c.AddMessage(newDefaultMessage("topic1", "my example message")))
+	require.Nil(t, c.AddMessage(newDefaultMessage("topic2", "message 1")))
+	require.Nil(t, c.AddMessage(newDefaultMessage("topic2", "message 2")))
+	require.Nil(t, c.AddMessage(newDefaultMessage("topic2", "message 3")))
+
+	topics, err := c.Topics()
+	if err != nil {
+		t.Fatal(err)
+	}
+	require.Equal(t, 2, len(topics))
+	require.Equal(t, "topic1", topics["topic1"].ID)
+	require.Equal(t, "topic2", topics["topic2"].ID)
+}
+
+func TestSqliteCache_MessagesTagsPrioAndTitle(t *testing.T) {
+	testCacheMessagesTagsPrioAndTitle(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_MessagesTagsPrioAndTitle(t *testing.T) {
+	testCacheMessagesTagsPrioAndTitle(t, newMemTestCache(t))
+}
+
+func testCacheMessagesTagsPrioAndTitle(t *testing.T, c *messageCache) {
+	m := newDefaultMessage("mytopic", "some message")
+	m.Tags = []string{"tag1", "tag2"}
+	m.Priority = 5
+	m.Title = "some title"
+	require.Nil(t, c.AddMessage(m))
+
+	messages, _ := c.Messages("mytopic", sinceAllMessages, false)
+	require.Equal(t, []string{"tag1", "tag2"}, messages[0].Tags)
+	require.Equal(t, 5, messages[0].Priority)
+	require.Equal(t, "some title", messages[0].Title)
+}
+
+func TestSqliteCache_MessagesSinceID(t *testing.T) {
+	testCacheMessagesSinceID(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_MessagesSinceID(t *testing.T) {
+	testCacheMessagesSinceID(t, newMemTestCache(t))
+}
+
+func testCacheMessagesSinceID(t *testing.T, c *messageCache) {
+	m1 := newDefaultMessage("mytopic", "message 1")
+	m1.Time = 100
+	m2 := newDefaultMessage("mytopic", "message 2")
+	m2.Time = 200
+	m3 := newDefaultMessage("mytopic", "message 3")
+	m3.Time = time.Now().Add(time.Hour).Unix() // Scheduled, in the future, later than m7 and m5
+	m4 := newDefaultMessage("mytopic", "message 4")
+	m4.Time = 400
+	m5 := newDefaultMessage("mytopic", "message 5")
+	m5.Time = time.Now().Add(time.Minute).Unix() // Scheduled, in the future, later than m7
+	m6 := newDefaultMessage("mytopic", "message 6")
+	m6.Time = 600
+	m7 := newDefaultMessage("mytopic", "message 7")
+	m7.Time = 700
+
+	require.Nil(t, c.AddMessage(m1))
+	require.Nil(t, c.AddMessage(m2))
+	require.Nil(t, c.AddMessage(m3))
+	require.Nil(t, c.AddMessage(m4))
+	require.Nil(t, c.AddMessage(m5))
+	require.Nil(t, c.AddMessage(m6))
+	require.Nil(t, c.AddMessage(m7))
+
+	// Case 1: Since ID exists, exclude scheduled
+	messages, _ := c.Messages("mytopic", newSinceID(m2.ID), false)
+	require.Equal(t, 3, len(messages))
+	require.Equal(t, "message 4", messages[0].Message)
+	require.Equal(t, "message 6", messages[1].Message) // Not scheduled m3/m5!
+	require.Equal(t, "message 7", messages[2].Message)
+
+	// Case 2: Since ID exists, include scheduled
+	messages, _ = c.Messages("mytopic", newSinceID(m2.ID), true)
+	require.Equal(t, 5, len(messages))
+	require.Equal(t, "message 4", messages[0].Message)
+	require.Equal(t, "message 6", messages[1].Message)
+	require.Equal(t, "message 7", messages[2].Message)
+	require.Equal(t, "message 5", messages[3].Message) // Order!
+	require.Equal(t, "message 3", messages[4].Message) // Order!
+
+	// Case 3: Since ID does not exist (-> Return all messages), include scheduled
+	messages, _ = c.Messages("mytopic", newSinceID("doesntexist"), true)
+	require.Equal(t, 7, len(messages))
+	require.Equal(t, "message 1", messages[0].Message)
+	require.Equal(t, "message 2", messages[1].Message)
+	require.Equal(t, "message 4", messages[2].Message)
+	require.Equal(t, "message 6", messages[3].Message)
+	require.Equal(t, "message 7", messages[4].Message)
+	require.Equal(t, "message 5", messages[5].Message) // Order!
+	require.Equal(t, "message 3", messages[6].Message) // Order!
+
+	// Case 4: Since ID exists and is last message (-> Return no messages), exclude scheduled
+	messages, _ = c.Messages("mytopic", newSinceID(m7.ID), false)
+	require.Equal(t, 0, len(messages))
+
+	// Case 5: Since ID exists and is last message (-> Return no messages), include scheduled
+	messages, _ = c.Messages("mytopic", newSinceID(m7.ID), true)
+	require.Equal(t, 2, len(messages))
+	require.Equal(t, "message 5", messages[0].Message)
+	require.Equal(t, "message 3", messages[1].Message)
+}
+
+func TestSqliteCache_Prune(t *testing.T) {
+	testCachePrune(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_Prune(t *testing.T) {
+	testCachePrune(t, newMemTestCache(t))
+}
+
+func testCachePrune(t *testing.T, c *messageCache) {
+	now := time.Now().Unix()
+
+	m1 := newDefaultMessage("mytopic", "my message")
+	m1.Time = now - 10
+	m1.Expires = now - 5
+
+	m2 := newDefaultMessage("mytopic", "my other message")
+	m2.Time = now - 5
+	m2.Expires = now + 5 // In the future
+
+	m3 := newDefaultMessage("another_topic", "and another one")
+	m3.Time = now - 12
+	m3.Expires = now - 2
+
+	require.Nil(t, c.AddMessage(m1))
+	require.Nil(t, c.AddMessage(m2))
+	require.Nil(t, c.AddMessage(m3))
+
+	counts, err := c.MessageCounts()
+	require.Nil(t, err)
+	require.Equal(t, 2, counts["mytopic"])
+	require.Equal(t, 1, counts["another_topic"])
+
+	expiredMessageIDs, err := c.MessagesExpired()
+	require.Nil(t, err)
+	require.Nil(t, c.DeleteMessages(expiredMessageIDs...))
+
+	counts, err = c.MessageCounts()
+	require.Nil(t, err)
+	require.Equal(t, 1, counts["mytopic"])
+	require.Equal(t, 0, counts["another_topic"])
+
+	messages, err := c.Messages("mytopic", sinceAllMessages, false)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(messages))
+	require.Equal(t, "my other message", messages[0].Message)
+}
+
+func TestSqliteCache_Attachments(t *testing.T) {
+	testCacheAttachments(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_Attachments(t *testing.T) {
+	testCacheAttachments(t, newMemTestCache(t))
+}
+
+func testCacheAttachments(t *testing.T, c *messageCache) {
+	expires1 := time.Now().Add(-4 * time.Hour).Unix()
+	m := newDefaultMessage("mytopic", "flower for you")
+	m.ID = "m1"
+	m.Sender = exampleIP1234
+	m.Attachment = &attachment{
+		Name:    "flower.jpg",
+		Type:    "image/jpeg",
+		Size:    5000,
+		Expires: expires1,
+		URL:     "https://ntfy.sh/file/AbDeFgJhal.jpg",
+	}
+	require.Nil(t, c.AddMessage(m))
+
+	expires2 := time.Now().Add(2 * time.Hour).Unix() // Future
+	m = newDefaultMessage("mytopic", "sending you a car")
+	m.ID = "m2"
+	m.Sender = exampleIP1234
+	m.Attachment = &attachment{
+		Name:    "car.jpg",
+		Type:    "image/jpeg",
+		Size:    10000,
+		Expires: expires2,
+		URL:     "https://ntfy.sh/file/aCaRURL.jpg",
+	}
+	require.Nil(t, c.AddMessage(m))
+
+	expires3 := time.Now().Add(1 * time.Hour).Unix() // Future
+	m = newDefaultMessage("another-topic", "sending you another car")
+	m.ID = "m3"
+	m.Sender = exampleIP1234
+	m.Attachment = &attachment{
+		Name:    "another-car.jpg",
+		Type:    "image/jpeg",
+		Size:    20000,
+		Expires: expires3,
+		URL:     "https://ntfy.sh/file/zakaDHFW.jpg",
+	}
+	require.Nil(t, c.AddMessage(m))
+
+	messages, err := c.Messages("mytopic", sinceAllMessages, false)
+	require.Nil(t, err)
+	require.Equal(t, 2, len(messages))
+
+	require.Equal(t, "flower for you", messages[0].Message)
+	require.Equal(t, "flower.jpg", messages[0].Attachment.Name)
+	require.Equal(t, "image/jpeg", messages[0].Attachment.Type)
+	require.Equal(t, int64(5000), messages[0].Attachment.Size)
+	require.Equal(t, expires1, messages[0].Attachment.Expires)
+	require.Equal(t, "https://ntfy.sh/file/AbDeFgJhal.jpg", messages[0].Attachment.URL)
+	require.Equal(t, "1.2.3.4", messages[0].Sender.String())
+
+	require.Equal(t, "sending you a car", messages[1].Message)
+	require.Equal(t, "car.jpg", messages[1].Attachment.Name)
+	require.Equal(t, "image/jpeg", messages[1].Attachment.Type)
+	require.Equal(t, int64(10000), messages[1].Attachment.Size)
+	require.Equal(t, expires2, messages[1].Attachment.Expires)
+	require.Equal(t, "https://ntfy.sh/file/aCaRURL.jpg", messages[1].Attachment.URL)
+	require.Equal(t, "1.2.3.4", messages[1].Sender.String())
+
+	size, err := c.AttachmentBytesUsedBySender("1.2.3.4")
+	require.Nil(t, err)
+	require.Equal(t, int64(30000), size)
+
+	size, err = c.AttachmentBytesUsedBySender("5.6.7.8")
+	require.Nil(t, err)
+	require.Equal(t, int64(0), size)
+}
+
+func TestSqliteCache_Attachments_Expired(t *testing.T) {
+	testCacheAttachmentsExpired(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_Attachments_Expired(t *testing.T) {
+	testCacheAttachmentsExpired(t, newMemTestCache(t))
+}
+
+func testCacheAttachmentsExpired(t *testing.T, c *messageCache) {
+	m := newDefaultMessage("mytopic", "flower for you")
+	m.ID = "m1"
+	m.Expires = time.Now().Add(time.Hour).Unix()
+	require.Nil(t, c.AddMessage(m))
+
+	m = newDefaultMessage("mytopic", "message with attachment")
+	m.ID = "m2"
+	m.Expires = time.Now().Add(2 * time.Hour).Unix()
+	m.Attachment = &attachment{
+		Name:    "car.jpg",
+		Type:    "image/jpeg",
+		Size:    10000,
+		Expires: time.Now().Add(2 * time.Hour).Unix(),
+		URL:     "https://ntfy.sh/file/aCaRURL.jpg",
+	}
+	require.Nil(t, c.AddMessage(m))
+
+	m = newDefaultMessage("mytopic", "message with external attachment")
+	m.ID = "m3"
+	m.Expires = time.Now().Add(2 * time.Hour).Unix()
+	m.Attachment = &attachment{
+		Name:    "car.jpg",
+		Type:    "image/jpeg",
+		Expires: 0, // Unknown!
+		URL:     "https://somedomain.com/car.jpg",
+	}
+	require.Nil(t, c.AddMessage(m))
+
+	m = newDefaultMessage("mytopic2", "message with expired attachment")
+	m.ID = "m4"
+	m.Expires = time.Now().Add(2 * time.Hour).Unix()
+	m.Attachment = &attachment{
+		Name:    "expired-car.jpg",
+		Type:    "image/jpeg",
+		Size:    20000,
+		Expires: time.Now().Add(-1 * time.Hour).Unix(),
+		URL:     "https://ntfy.sh/file/aCaRURL.jpg",
+	}
+	require.Nil(t, c.AddMessage(m))
+
+	ids, err := c.AttachmentsExpired()
+	require.Nil(t, err)
+	require.Equal(t, 1, len(ids))
+	require.Equal(t, "m4", ids[0])
+}
+
+func TestSqliteCache_Migration_From0(t *testing.T) {
+	filename := newSqliteTestCacheFile(t)
+	db, err := sql.Open("sqlite3", filename)
+	require.Nil(t, err)
+
+	// Create "version 0" schema
+	_, err = db.Exec(`
+		BEGIN;
+		CREATE TABLE IF NOT EXISTS messages (
+			id VARCHAR(20) PRIMARY KEY,
+			time INT NOT NULL,
+			topic VARCHAR(64) NOT NULL,
+			message VARCHAR(1024) NOT NULL
+		);
+		CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
+		COMMIT;
+	`)
+	require.Nil(t, err)
+
+	// Insert a bunch of messages
+	for i := 0; i < 10; i++ {
+		_, err = db.Exec(`INSERT INTO messages (id, time, topic, message) VALUES (?, ?, ?, ?)`,
+			fmt.Sprintf("abcd%d", i), time.Now().Unix(), "mytopic", fmt.Sprintf("some message %d", i))
+		require.Nil(t, err)
+	}
+	require.Nil(t, db.Close())
+
+	// Create cache to trigger migration
+	c := newSqliteTestCacheFromFile(t, filename, "")
+	checkSchemaVersion(t, c.db)
+
+	messages, err := c.Messages("mytopic", sinceAllMessages, false)
+	require.Nil(t, err)
+	require.Equal(t, 10, len(messages))
+	require.Equal(t, "some message 5", messages[5].Message)
+	require.Equal(t, "", messages[5].Title)
+	require.Nil(t, messages[5].Tags)
+	require.Equal(t, 0, messages[5].Priority)
+}
+
+func TestSqliteCache_Migration_From1(t *testing.T) {
+	filename := newSqliteTestCacheFile(t)
+	db, err := sql.Open("sqlite3", filename)
+	require.Nil(t, err)
+
+	// Create "version 1" schema
+	_, err = db.Exec(`
+		CREATE TABLE IF NOT EXISTS messages (
+			id VARCHAR(20) PRIMARY KEY,
+			time INT NOT NULL,
+			topic VARCHAR(64) NOT NULL,
+			message VARCHAR(512) NOT NULL,
+			title VARCHAR(256) NOT NULL,
+			priority INT NOT NULL,
+			tags VARCHAR(256) NOT NULL
+		);
+		CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
+		CREATE TABLE IF NOT EXISTS schemaVersion (
+			id INT PRIMARY KEY,
+			version INT NOT NULL
+		);		
+		INSERT INTO schemaVersion (id, version) VALUES (1, 1);
+	`)
+	require.Nil(t, err)
+
+	// Insert a bunch of messages
+	for i := 0; i < 10; i++ {
+		_, err = db.Exec(`INSERT INTO messages (id, time, topic, message, title, priority, tags) VALUES (?, ?, ?, ?, ?, ?, ?)`,
+			fmt.Sprintf("abcd%d", i), time.Now().Unix(), "mytopic", fmt.Sprintf("some message %d", i), "", 0, "")
+		require.Nil(t, err)
+	}
+	require.Nil(t, db.Close())
+
+	// Create cache to trigger migration
+	c := newSqliteTestCacheFromFile(t, filename, "")
+	checkSchemaVersion(t, c.db)
+
+	// Add delayed message
+	delayedMessage := newDefaultMessage("mytopic", "some delayed message")
+	delayedMessage.Time = time.Now().Add(time.Minute).Unix()
+	require.Nil(t, c.AddMessage(delayedMessage))
+
+	// 10, not 11!
+	messages, err := c.Messages("mytopic", sinceAllMessages, false)
+	require.Nil(t, err)
+	require.Equal(t, 10, len(messages))
+
+	// 11!
+	messages, err = c.Messages("mytopic", sinceAllMessages, true)
+	require.Nil(t, err)
+	require.Equal(t, 11, len(messages))
+}
+
+func TestSqliteCache_Migration_From9(t *testing.T) {
+	// This primarily tests the awkward migration that introduces the "expires" column.
+	// The migration logic has to update the column, using the existing "cache-duration" value.
+
+	filename := newSqliteTestCacheFile(t)
+	db, err := sql.Open("sqlite3", filename)
+	require.Nil(t, err)
+
+	// Create "version 8" schema
+	_, err = db.Exec(`
+		BEGIN;
+		CREATE TABLE IF NOT EXISTS messages (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			mid TEXT NOT NULL,
+			time INT NOT NULL,
+			topic TEXT NOT NULL,
+			message TEXT NOT NULL,
+			title TEXT NOT NULL,
+			priority INT NOT NULL,
+			tags TEXT NOT NULL,
+			click TEXT NOT NULL,
+			icon TEXT NOT NULL,			
+			actions TEXT NOT NULL,
+			attachment_name TEXT NOT NULL,
+			attachment_type TEXT NOT NULL,
+			attachment_size INT NOT NULL,
+			attachment_expires INT NOT NULL,
+			attachment_url TEXT NOT NULL,
+			sender TEXT NOT NULL,
+			encoding TEXT NOT NULL,
+			published INT NOT NULL
+		);
+		CREATE INDEX IF NOT EXISTS idx_mid ON messages (mid);
+		CREATE INDEX IF NOT EXISTS idx_time ON messages (time);
+		CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
+		CREATE TABLE IF NOT EXISTS schemaVersion (
+			id INT PRIMARY KEY,
+			version INT NOT NULL
+		);		
+		INSERT INTO schemaVersion (id, version) VALUES (1, 9);
+		COMMIT;
+	`)
+	require.Nil(t, err)
+
+	// Insert a bunch of messages
+	insertQuery := `
+		INSERT INTO messages (mid, time, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, encoding, published) 
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+	`
+	for i := 0; i < 10; i++ {
+		_, err = db.Exec(
+			insertQuery,
+			fmt.Sprintf("abcd%d", i),
+			time.Now().Unix(),
+			"mytopic",
+			fmt.Sprintf("some message %d", i),
+			"",        // title
+			0,         // priority
+			"",        // tags
+			"",        // click
+			"",        // icon
+			"",        // actions
+			"",        // attachment_name
+			"",        // attachment_type
+			0,         // attachment_size
+			0,         // attachment_type
+			"",        // attachment_url
+			"9.9.9.9", // sender
+			"",        // encoding
+			1,         // published
+		)
+		require.Nil(t, err)
+	}
+
+	// Create cache to trigger migration
+	cacheDuration := 17 * time.Hour
+	c, err := newSqliteCache(filename, "", cacheDuration, 0, 0, false)
+	require.Nil(t, err)
+	checkSchemaVersion(t, c.db)
+
+	// Check version
+	rows, err := db.Query(`SELECT version FROM main.schemaVersion WHERE id = 1`)
+	require.Nil(t, err)
+	require.True(t, rows.Next())
+	var version int
+	require.Nil(t, rows.Scan(&version))
+	require.Equal(t, currentSchemaVersion, version)
+
+	messages, err := c.Messages("mytopic", sinceAllMessages, false)
+	require.Nil(t, err)
+	require.Equal(t, 10, len(messages))
+	for _, m := range messages {
+		require.True(t, m.Expires > time.Now().Add(cacheDuration-5*time.Second).Unix())
+		require.True(t, m.Expires < time.Now().Add(cacheDuration+5*time.Second).Unix())
+	}
+}
+
+func TestSqliteCache_StartupQueries_WAL(t *testing.T) {
+	filename := newSqliteTestCacheFile(t)
+	startupQueries := `pragma journal_mode = WAL; 
+pragma synchronous = normal; 
+pragma temp_store = memory;`
+	db, err := newSqliteCache(filename, startupQueries, time.Hour, 0, 0, false)
+	require.Nil(t, err)
+	require.Nil(t, db.AddMessage(newDefaultMessage("mytopic", "some message")))
+	require.FileExists(t, filename)
+	require.FileExists(t, filename+"-wal")
+	require.FileExists(t, filename+"-shm")
+}
+
+func TestSqliteCache_StartupQueries_None(t *testing.T) {
+	filename := newSqliteTestCacheFile(t)
+	startupQueries := ""
+	db, err := newSqliteCache(filename, startupQueries, time.Hour, 0, 0, false)
+	require.Nil(t, err)
+	require.Nil(t, db.AddMessage(newDefaultMessage("mytopic", "some message")))
+	require.FileExists(t, filename)
+	require.NoFileExists(t, filename+"-wal")
+	require.NoFileExists(t, filename+"-shm")
+}
+
+func TestSqliteCache_StartupQueries_Fail(t *testing.T) {
+	filename := newSqliteTestCacheFile(t)
+	startupQueries := `xx error`
+	_, err := newSqliteCache(filename, startupQueries, time.Hour, 0, 0, false)
+	require.Error(t, err)
+}
+
+func TestSqliteCache_Sender(t *testing.T) {
+	testSender(t, newSqliteTestCache(t))
+}
+
+func TestMemCache_Sender(t *testing.T) {
+	testSender(t, newMemTestCache(t))
+}
+
+func testSender(t *testing.T, c *messageCache) {
+	m1 := newDefaultMessage("mytopic", "mymessage")
+	m1.Sender = netip.MustParseAddr("1.2.3.4")
+	require.Nil(t, c.AddMessage(m1))
+
+	m2 := newDefaultMessage("mytopic", "mymessage without sender")
+	require.Nil(t, c.AddMessage(m2))
+
+	messages, err := c.Messages("mytopic", sinceAllMessages, false)
+	require.Nil(t, err)
+	require.Equal(t, 2, len(messages))
+	require.Equal(t, messages[0].Sender, netip.MustParseAddr("1.2.3.4"))
+	require.Equal(t, messages[1].Sender, netip.Addr{})
+}
+
+func checkSchemaVersion(t *testing.T, db *sql.DB) {
+	rows, err := db.Query(`SELECT version FROM schemaVersion`)
+	require.Nil(t, err)
+	require.True(t, rows.Next())
+
+	var schemaVersion int
+	require.Nil(t, rows.Scan(&schemaVersion))
+	require.Equal(t, currentSchemaVersion, schemaVersion)
+	require.Nil(t, rows.Close())
+}
+
+func TestMemCache_NopCache(t *testing.T) {
+	c, _ := newNopCache()
+	assert.Nil(t, c.AddMessage(newDefaultMessage("mytopic", "my message")))
+
+	messages, err := c.Messages("mytopic", sinceAllMessages, false)
+	assert.Nil(t, err)
+	assert.Empty(t, messages)
+
+	topics, err := c.Topics()
+	assert.Nil(t, err)
+	assert.Empty(t, topics)
+}
+
+func newSqliteTestCache(t *testing.T) *messageCache {
+	c, err := newSqliteCache(newSqliteTestCacheFile(t), "", time.Hour, 0, 0, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return c
+}
+
+func newSqliteTestCacheFile(t *testing.T) string {
+	return filepath.Join(t.TempDir(), "cache.db")
+}
+
+func newSqliteTestCacheFromFile(t *testing.T, filename, startupQueries string) *messageCache {
+	c, err := newSqliteCache(filename, startupQueries, time.Hour, 0, 0, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return c
+}
+
+func newMemTestCache(t *testing.T) *messageCache {
+	c, err := newMemCache()
+	if err != nil {
+		t.Fatal(err)
+	}
+	return c
+}
--- a/server/ntfy.service
+++ b/server/ntfy.service
@@ -5,7 +5,8 @@ After=network.target
 [Service]
 User=ntfy
 Group=ntfy
-ExecStart=/usr/bin/ntfy serve
+ExecStart=/usr/bin/ntfy serve --no-log-dates
+ExecReload=/bin/kill --signal HUP $MAINPID
 Restart=on-failure
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 LimitNOFILE=10000
--- a/server/server.go
+++ b/server/server.go
--- a/Show More
+++ b/Show More