The push gateway enables mobile push notifications for Android and iOS users connected to your node. Without it, mobile users will only receive messages when the app is open.
Prerequisite: you've completed Install — Docker or Install — Source, plus the Configuration page. The push gateway is a separate process from the L2 node and they authenticate to each other via a shared secret set in both configs.
```sh
# Option A (Docker): pull the push gateway image
docker pull ogmara/ogmara:push-gateway-latest

# Run the push gateway.
# This mounts the config file (created in the "Configuration" section below)
# and loads the secrets from the env file (created in the "Secrets via an
# Environment File" section below) — set both up first, then run this.
# Binding -p to 127.0.0.1 keeps port 41722 off the host's public interfaces;
# /var/lib/ogmara (where registry_file lives) is mounted so the device
# registry survives container recreation.
docker run -d \
  --name ogmara-push \
  --restart unless-stopped \
  -p 127.0.0.1:41722:41722/tcp \
  -v /etc/ogmara/push-gateway.toml:/etc/ogmara/push-gateway.toml:ro \
  -v /var/lib/ogmara:/var/lib/ogmara \
  --env-file /etc/ogmara/push-gateway.env \
  ogmara/ogmara:push-gateway-latest
```
```sh
# Option B (source): clone and build
git clone https://github.com/Ogmara/push-gateway.git
cd push-gateway
cargo build --release

# Install the binary (the built binary is named ogmara-push-gateway)
sudo cp target/release/ogmara-push-gateway /usr/local/bin/
sudo chmod +x /usr/local/bin/ogmara-push-gateway
```
VAPID keys are needed only if you enable browser Web Push ([webpush] enabled = true). Skip this step if you only send mobile push (FCM/APNs) or no push at all. There is no built-in generator subcommand; use the standard web-push tool, which emits keys in the base64url format the gateway expects:
```sh
# Generate a VAPID key pair (base64url)
npx web-push generate-vapid-keys
# Put the printed PRIVATE key into [webpush] vapid_private_key.
# The PUBLIC key is derived by the gateway automatically and served at
# GET /vapid-key (clients fetch it from there) — you do not configure it.
```
```toml
# /etc/ogmara/push-gateway.toml
# (generate this file with: ogmara-push-gateway init -o /etc/ogmara/push-gateway.toml)

[gateway]
listen_port = 41722
# Loopback only: clients reach the gateway through the TLS-terminating reverse
# proxy that serves public_url, never through this port directly.
listen_addr = "127.0.0.1"
# Shared secret with the L2 node. Prefer the OGMARA_PUSH_SECRET env var
# (see below) over hard-coding it here. Must equal the node's
# [push_gateway] auth_token.
push_secret = ""
# Canonical PUBLIC URL of THIS gateway. Device-registration requests are
# cryptographically bound to it, so it MUST match the URL clients use.
# REQUIRED: if empty, /register and /unregister reject every request (503).
# Prefer the OGMARA_GATEWAY_URL env var.
public_url = "https://push.yourdomain.com"
# Per-IP rate limit for /register + /unregister.
rate_limit_per_sec = 20
# Device registry file. Push tokens are encrypted at rest when
# OGMARA_REGISTRY_KEY (see below) is set. Keep it inside the gateway's state
# directory: the systemd unit runs with ProtectSystem=strict and only
# /var/lib/ogmara/push-gateway is writable, so a path directly under
# /var/lib/ogmara would fail at the first write.
registry_file = "/var/lib/ogmara/push-gateway/registry.json"

# Web Push is OPTIONAL (Android/iOS use [fcm]/[apns], default off).
[webpush]
enabled = false
vapid_private_key = "YOUR_VAPID_PRIVATE_KEY"
vapid_subject = "mailto:admin@yourdomain.com"
# The VAPID PUBLIC key is DERIVED automatically and served at GET /vapid-key —
# you do not set it here.
```
Secrets are kept out of the config file in a small environment file. Three values go here:

- OGMARA_PUSH_SECRET: the shared secret with the L2 node (must equal the node's auth_token).
- OGMARA_GATEWAY_URL: this gateway's public URL. Required; without it, registration returns 503.
- OGMARA_REGISTRY_KEY: a 32-byte key (64 hex characters) that encrypts stored push tokens. Strongly recommended; without it, tokens are stored in plaintext.

Step 1 — generate the two random secrets. Run this twice and copy each line of output (you'll paste them in the next step):
```sh
openssl rand -hex 32
```
Step 2 — create the environment file at /etc/ogmara/push-gateway.env. Open it in an editor (sudo nano /etc/ogmara/push-gateway.env) and paste the following, replacing the three placeholder values. Note there are no quotes and no spaces around the = — this file is read literally, not by a shell, so do not put commands like $(openssl …) here:
```ini
# /etc/ogmara/push-gateway.env
OGMARA_PUSH_SECRET=paste-the-first-openssl-output-here
OGMARA_GATEWAY_URL=https://push.yourdomain.com
OGMARA_REGISTRY_KEY=paste-the-second-openssl-output-here
```
The OGMARA_PUSH_SECRET value must be identical to the auth_token you set in the L2 node config (next section).
Step 3 — lock down the file so only the gateway user can read it:
```sh
sudo chown ogmara:ogmara /etc/ogmara/push-gateway.env
sudo chmod 600 /etc/ogmara/push-gateway.env
```
The systemd service below loads this file automatically (EnvironmentFile=). Docker users: pass it with --env-file /etc/ogmara/push-gateway.env on docker run (the run command in Option A already includes it).
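The three steps above as one script, plus the check that the secret in the env file really equals the auth_token in the node's ogmara.toml. This is an added example, not the Ogmara project's own tooling: it assumes only POSIX sh, awk and sed (openssl when present, /dev/urandom otherwise), writes the file with mode 0600 from the first byte instead of chmod-ing it afterwards, and takes the file paths as arguments so it can be exercised in a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example (not part of the Ogmara project): create the push-gateway env
# file in one step and verify the shared secret matches the node config.
set -eu

# 32 random bytes as 64 hex characters (same output shape as `openssl rand -hex 32`).
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# write_env_file FILE PUBLIC_URL [PUSH_SECRET] [REGISTRY_KEY]
# Writes KEY=VALUE lines literally (no quotes, no shell expansion), 0600 from
# creation via umask, then renames the temp file into place.
write_env_file() {
    file=$1; url=$2
    secret=${3:-$(gen_secret)}
    regkey=${4:-$(gen_secret)}
    tmp="$file.tmp.$$"
    ( umask 077
      printf '%s\n' \
        "# $file" \
        "OGMARA_PUSH_SECRET=$secret" \
        "OGMARA_GATEWAY_URL=$url" \
        "OGMARA_REGISTRY_KEY=$regkey" > "$tmp" )
    mv "$tmp" "$file"
}

# env_value FILE KEY: the literal text after '=' on the first matching line.
env_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# toml_auth_token FILE: auth_token from the [push_gateway] table only, so a
# same-named key in another table is never mistaken for it.
toml_auth_token() {
    awk -F'=' '
        /^[[:space:]]*\[/ { in_pg = ($0 ~ /^[[:space:]]*\[push_gateway\]/) }
        in_pg && $1 ~ /^[[:space:]]*auth_token[[:space:]]*$/ {
            v = $2
            sub(/[[:space:]]*#.*$/, "", v)                    # trailing comment
            gsub(/^[[:space:]]*"|"[[:space:]]*$/, "", v)      # surrounding quotes
            print v; exit
        }' "$1"
}

# check_shared_secret ENVFILE TOML: 0 when OGMARA_PUSH_SECRET equals the node's
# auth_token and is 64 hex characters, 1 otherwise (including an empty value).
check_shared_secret() {
    s=$(env_value "$1" OGMARA_PUSH_SECRET)
    t=$(toml_auth_token "$2")
    [ -n "$s" ] && [ "$s" = "$t" ] && printf '%s' "$s" | grep -Eq '^[0-9a-f]{64}$'
}
```

On the real host run it as root: `write_env_file /etc/ogmara/push-gateway.env https://push.yourdomain.com`, then `chown ogmara:ogmara /etc/ogmara/push-gateway.env`, and after editing the node config `check_shared_secret /etc/ogmara/push-gateway.env /etc/ogmara/ogmara.toml || echo MISMATCH`.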
Edit the [push_gateway] block in your L2 node configuration (the auto-generated default ships with enabled = false and empty values).
```toml
# In /etc/ogmara/ogmara.toml
[push_gateway]
enabled = true
# Loopback works when the node and the gateway run on the same host (the
# gateway listens on 127.0.0.1, or Docker publishes it there). If the node
# itself runs in a container, 127.0.0.1 is that container's own loopback;
# point this at the gateway container's name on a shared Docker network instead.
url = "http://127.0.0.1:41722"
# Must equal the gateway's OGMARA_PUSH_SECRET. The node reads this from the
# config file (there is no env-var override for it on the node side), so keep
# ogmara.toml readable only by the ogmara user.
auth_token = "YOUR_SHARED_SECRET"
```
```ini
# /etc/systemd/system/ogmara-push-gateway.service
[Unit]
Description=Ogmara Push Notification Gateway
After=network-online.target ogmara-node.service
Wants=network-online.target

[Service]
Type=simple
User=ogmara
Group=ogmara
# Must exist and be owned by ogmara before the first start, or the unit fails.
WorkingDirectory=/var/lib/ogmara/push-gateway
# Secrets via an environment file (chmod 600, owned by ogmara) holding
# OGMARA_PUSH_SECRET / OGMARA_GATEWAY_URL / OGMARA_REGISTRY_KEY (see above).
EnvironmentFile=/etc/ogmara/push-gateway.env
# IMPORTANT: exactly ONE ExecStart line (systemd rejects multiple for
# Type=simple). The global --config goes BEFORE the `run` subcommand.
ExecStart=/usr/local/bin/ogmara-push-gateway --config /etc/ogmara/push-gateway.toml run
Restart=on-failure
RestartSec=5

# Hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
# The only writable path: the state directory that holds registry_file.
ReadWritePaths=/var/lib/ogmara/push-gateway
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
# TCP/UDP for the listener and FCM/APNs, AF_UNIX for the local resolver/journal.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
```
```sh
# Create the state directory the unit uses as WorkingDirectory / ReadWritePaths
sudo install -d -o ogmara -g ogmara -m 0750 /var/lib/ogmara/push-gateway

# Enable and start — run daemon-reload after ANY edit to the unit file above
sudo systemctl daemon-reload
sudo systemctl enable ogmara-push-gateway
sudo systemctl start ogmara-push-gateway
sudo systemctl status ogmara-push-gateway --no-pager

# Restart the L2 node to connect to the push gateway
sudo systemctl restart ogmara-node
```
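Once the gateway is up, the one property worth checking before pointing the reverse proxy at it is that port 41722 is bound to loopback only, so the only route to /register and /unregister from outside is the TLS-terminating proxy that serves public_url. The check below is an added example, not part of the Ogmara project: it parses `ss -ltn` output (Linux, iproute2) and fails when any listener on the port is on a wildcard or routable address, or when nothing listens on it at all. The two sample socket tables are constructed for the test, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the Ogmara project): confirm the push gateway
# listens on loopback only, the way listen_addr = "127.0.0.1" and the Docker
# -p 127.0.0.1:41722:41722 mapping intend.
set -eu

# loopback_only SS_TEXT PORT
# SS_TEXT is `ss -ltn` output, with or without its header line. Returns 0 when
# at least one LISTEN socket is on PORT and every one of them is bound to
# 127.0.0.0/8 or ::1; returns 1 for a wildcard (0.0.0.0, [::], *), a routable
# address, or no listener on PORT.
loopback_only() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, f, ":"); p = f[n]                    # ":PORT" is the last field
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)   # strip ":PORT"
            gsub(/\[|\]/, "", addr)                            # [::1] -> ::1
            if (addr == "::1" || addr ~ /^127\./) ok++; else bad++
        }
        END { if (ok > 0 && bad == 0) exit 0; exit 1 }'
}

# check_live [PORT]: run the same check against the host's real socket table.
check_live() {
    loopback_only "$(ss -ltn)" "${1:-41722}"
}

# Constructed sample: gateway bound correctly on v4 and v6 loopback, plus an
# unrelated sshd on all interfaces (only the 41722 rows matter to the check).
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:41722     0.0.0.0:*
LISTEN 0      128    [::1]:41722         [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Constructed sample of the misconfiguration: listen_addr = "0.0.0.0", or
# `docker run -p 41722:41722` without the 127.0.0.1 prefix.
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:41722 0.0.0.0:*
LISTEN 0 128 [::]:41722 [::]:*'
```

Run `check_live || echo "push gateway port is exposed"` on the host after `systemctl start`; with Docker, run it on the host rather than inside the container, since the mapping is what decides where the port is reachable.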
Important: The shared secret must be identical in both the push gateway config and the L2 node config. Use a strong random value generated with openssl rand -hex 32. Never commit this secret to version control. Note also that the gateway itself listens on loopback only, while public_url is an https address: the TLS-terminating reverse proxy in front of it is what makes /register, /unregister and /vapid-key reachable by clients, so forward those paths to 127.0.0.1:41722 and never publish port 41722 directly, which would let registrations bypass TLS.