ci: fix ntfy notifications with auth and readable secrets

.gitea/workflows/deploy.yml

@@ -36,8 +36,11 @@ jobs:
       - name: Notify success
         if: success()
         run: |
+          TOPIC=$(cat /run/agenix/ntfy-alerts-topic | tr -d '[:space:]')
+          TOKEN=$(cat /run/agenix/ntfy-alerts-token | tr -d '[:space:]')
           curl -sf -X POST \
-            "https://ntfy.sigkill.computer/deployments" \
+            "https://ntfy.sigkill.computer/$TOPIC" \
+            -H "Authorization: Bearer $TOKEN" \
             -H "Title: [muffin] Deploy succeeded" \
             -H "Priority: default" \
             -H "Tags: white_check_mark" \
@@ -46,9 +49,12 @@ jobs:
       - name: Notify failure
         if: failure()
         run: |
+          TOPIC=$(cat /run/agenix/ntfy-alerts-topic 2>/dev/null | tr -d '[:space:]')
+          TOKEN=$(cat /run/agenix/ntfy-alerts-token 2>/dev/null | tr -d '[:space:]')
           curl -sf -X POST \
-            "https://ntfy.sigkill.computer/deployments" \
+            "https://ntfy.sigkill.computer/$TOPIC" \
+            -H "Authorization: Bearer $TOKEN" \
             -H "Title: [muffin] Deploy FAILED" \
             -H "Priority: urgent" \
             -H "Tags: rotating_light" \
-            -d "server-config deploy failed at commit ${GITHUB_SHA::8}"
+            -d "server-config deploy failed at commit ${GITHUB_SHA::8}" || true

modules/age-secrets.nix

@@ -68,19 +68,19 @@
       group = "root";
     };
 
-    # ntfy-alerts secrets
+    # ntfy-alerts secrets (group-readable for CI runner notifications)
     ntfy-alerts-topic = {
       file = ../secrets/ntfy-alerts-topic.age;
-      mode = "0400";
+      mode = "0440";
       owner = "root";
-      group = "root";
+      group = "gitea-runner";
     };
 
     ntfy-alerts-token = {
       file = ../secrets/ntfy-alerts-token.age;
-      mode = "0400";
+      mode = "0440";
       owner = "root";
-      group = "root";
+      group = "gitea-runner";
     };
 
     # Firefox Sync server secrets (SYNC_MASTER_SECRET)