diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 809858c..cf3be7e 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -36,8 +36,11 @@ jobs:
 - name: Notify success
 if: success()
 run: |
+ TOPIC=$(cat /run/agenix/ntfy-alerts-topic | tr -d '[:space:]')
+ TOKEN=$(cat /run/agenix/ntfy-alerts-token | tr -d '[:space:]')
 curl -sf -X POST \
- "https://ntfy.sigkill.computer/deployments" \
+ "https://ntfy.sigkill.computer/$TOPIC" \
+ -H "Authorization: Bearer $TOKEN" \
 -H "Title: [muffin] Deploy succeeded" \
 -H "Priority: default" \
 -H "Tags: white_check_mark" \
@@ -46,9 +49,12 @@ jobs:
 - name: Notify failure
 if: failure()
 run: |
+ TOPIC=$(cat /run/agenix/ntfy-alerts-topic 2>/dev/null | tr -d '[:space:]')
+ TOKEN=$(cat /run/agenix/ntfy-alerts-token 2>/dev/null | tr -d '[:space:]')
 curl -sf -X POST \
- "https://ntfy.sigkill.computer/deployments" \
+ "https://ntfy.sigkill.computer/$TOPIC" \
+ -H "Authorization: Bearer $TOKEN" \
 -H "Title: [muffin] Deploy FAILED" \
 -H "Priority: urgent" \
 -H "Tags: rotating_light" \
- -d "server-config deploy failed at commit ${GITHUB_SHA::8}"
+ -d "server-config deploy failed at commit ${GITHUB_SHA::8}" || true
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index f820ea1..18d28cd 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -68,19 +68,19 @@
 group = "root";
 };
- # ntfy-alerts secrets
+ # ntfy-alerts secrets (group-readable for CI runner notifications)
 ntfy-alerts-topic = {
 file = ../secrets/ntfy-alerts-topic.age;
- mode = "0400";
+ mode = "0440";
 owner = "root";
- group = "root";
+ group = "gitea-runner";
 };
 ntfy-alerts-token = {
 file = ../secrets/ntfy-alerts-token.age;
- mode = "0400";
+ mode = "0440";
 owner = "root";
- group = "root";
+ group = "gitea-runner";
 };
 # Firefox Sync server secrets (SYNC_MASTER_SECRET)
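Review bot: An empty or unreadable `/run/agenix/ntfy-alerts-topic` leaves `$TOPIC` empty, and the added URL line then POSTs to `https://ntfy.sigkill.computer/` (the server root, not a topic) with the bearer token attached, which under `-f` fails without saying why; add a guard after the two assignments, `[ -n "$TOPIC" ] && [ -n "$TOKEN" ] || { echo 'ntfy secrets unavailable' >&2; exit 1; }`. The same guard applies to the Notify failure hunk below. Separately, `-H "Authorization: Bearer $TOKEN"` puts the token into curl's argv, where other local processes can read it for the duration of the request and where any shell trace would print it; reading that header from a curl config passed on stdin (`-K -`) keeps it off the command line. The `run:` block of this step continues past the hunk.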
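Review bot: The `|| true` appended to the `-d` line covers only the curl command, so if this runner, like GitHub-style runners, invokes the step shell with `-e -o pipefail` (to be confirmed), a missing secret file makes the `TOPIC=$(cat … 2>/dev/null | tr …)` assignment itself fail and the step aborts before curl runs, defeating the best-effort intent that `2>/dev/null` signals. Either append `|| true` (or `|| TOPIC=""`) to both assignment lines, or wrap the whole step body in a subshell and apply `|| true` once to that. The enclosing `run:` block continues past the hunk.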
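Review bot: The comment on the added line should state the scope of the widened access: with `mode = "0440"` and `group = "gitea-runner"`, the decrypted topic and token are readable by every process in that group, which presumably includes every job from any repository that this runner executes, not only this deploy workflow. I would extend it to `# ntfy-alerts secrets (group-readable so gitea-runner jobs can notify; any job on the runner can read these — keep the token publish-only for this topic)`. If the ntfy token currently carries more than publish rights on this one topic, narrowing it on the ntfy side bounds what a misbehaving workflow on the runner could do with it. The enclosing attribute set starts and ends outside the hunk.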