feat: ntfy...? :3

nixos/common/login-notify.nix

@@ -6,33 +6,25 @@
 }: let
   inherit (lib.modules) mkAfter mkDefault;
 in {
-  sops.secrets.sshd-environment = {
+  sops.secrets.ssh-notify = {
     sopsFile = ./secrets.yaml;
   };
   security.pam.services.sshd.text = let
-    notify = pkgs.writeShellScriptBin "notify" ''
-      export $(cat ${config.sops.secrets.sshd-environment.path} | xargs)
-
-      if [ "$PAM_USER" = "deploy" ]; then
-          if [ "$PAM_TYPE" = "open_session" ]; then
-              message="''${PAM_RHOST} has opened an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
-          elif [ "$PAM_TYPE" = "close_session" ]; then
-              message="''${PAM_RHOST} has closed an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
-          fi
-      else
-          if [ "$PAM_TYPE" = "open_session" ]; then
-              message="''${PAM_RHOST} opened an SSH session with ${config.networking.hostName} as user ''${PAM_USER}."
-          elif [ "$PAM_TYPE" = "close_session" ]; then
-              message="''${PAM_RHOST} closed their SSH session with ${config.networking.hostName} for user ''${PAM_USER}."
-          fi
-      fi
-
-      if [ -n "$message" ]; then
-          ${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"$message\"}" $DISCORD_WEBHOOK_LINK
+    notify = pkgs.writeShellScript "notify" ''
+      set -o allexport
+      source ${config.sops.secrets.ssh-notify.path}
+      set +o allexport
+      if [ "''${PAM_TYPE}" = "open_session" ]; then
+        curl -s -X POST \
+          -H "Authorization: Bearer ''${SSH_NOTIFY_TOKEN}" \
+          -H prio:high \
+          -H tags:warning \
+          -d "SSH login to ${config.networking.hostName}: ''${PAM_USER} from ''${PAM_RHOST}" \
+          https://ntfy.kittywit.ch/alerts
       fi
     '';
   in
     mkDefault (mkAfter ''
-      session required pam_exec.so seteuid ${notify}/bin/notify
+      session optional pam_exec.so seteuid ${notify}
     '');
 }

nixos/common/secrets.yaml

@@ -1,4 +1,4 @@
-sshd-environment: ENC[AES256_GCM,data:lyzzRDxyNzBgrLthPjdJoXgkniCwLXFZE/GMpLlRzeSvAUN6yc8sFYTmvZiCe/t/33Yr5+BtOhAUI5JzTYJ/kc3Dg4ziB4KbHP4ejPtAb6x2UbEHcN6euPogwXR8lpeO9zJE4gWFOHoYJ4bLa1wuCYgbNkjWDYYHGEoWAMVDU6XYRb3riV21WWIQO/DbC7mAgw==,iv:ZysLG3x0wlxuTYnJrGtrTkjjduMoEOyiWWuC1nRIp4I=,tag:mlNO2yo7JkV2O7A2Da+EjQ==,type:str]
+ssh-notify: ENC[AES256_GCM,data:Dyuw8cxipVPKOI7/OYiK7OyyrDrIbqp8YxyLfAbY/YJZ8xVOqv1hyrrqhRYWQo+jUi9BRA==,iv:lKUdpiWBvKr5qpo5Z/Ky2SwKk5fDGAysbbDTYrjV+m4=,tag:JwbJXiA/e3qAUsLFLatUxg==,type:str]
 tailscale-key: ENC[AES256_GCM,data:FK237Or4qtZGon9tevPh4q568+IUSWxfuG8s2ZNLXWgoa76GoyO+qwCmvXiVibRH1Ljo/LXoNQjb2pYV7w==,iv:UZv+EnlRDOWh86sOFh7ZNryPz1r55u+Dbr/dDL/USjo=,tag:B8DJwPXR/50ARbfyfxPtcw==,type:str]
 sops:
     shamir_threshold: 1
@@ -84,8 +84,8 @@ sops:
             RGova3pLS2VpRzB2VWhIcnRISlVUS3cKGyKpvwd5wr1melbtgbXAoo2qRYhWoJ8x
             ZCn/vismSmoM+OR/JVXpDiSHGfvxWBEnLj41yV82wsT1hSqigXjdUw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-03T22:14:00Z"
-    mac: ENC[AES256_GCM,data:ACZ3txmEBIUU73JSsJmDDE7+D5oXdAVNN1Dgypl8tgRIGtMFwRpktmhdXON6jHpaWiZ0DBRuvN97SWUbkPbhyMG6PrKRdQHYLdFAocuNFBpX58xIrAclVUjPEbV5bqBU/zPemxj/5sXbiuX8AYSENiAOYhfCxi8SZbNgU4W6xO8=,iv:G2d9ZRTeaNpDfkB3maZzAHYIRKB6ewwjqUQr7RBrNEM=,tag:7y/0gVUJMmyMoiwiLr8Q1g==,type:str]
+    lastmodified: "2025-10-13T19:36:20Z"
+    mac: ENC[AES256_GCM,data:FZwCV9hd3lZfN9qXzGHPmUcRfpZhaFoZZYECIrMPdqfxQG87THS53rk1Iy0It/+G1S68I5aNR0ednVCEUO/x/T+Is3a5F+RSqIwvH4ndMKmjlFhb4Uh8cp9txJyabnuRexx08OXEC/Dz0ad7VbcmG8KCo56MJm2wbbPaBEgeY04=,iv:i/CCqPJCKOsKBkmAOo/6/zjM82LL7+YDb/v95HpISfE=,tag:hgmnmb4+PIOjSKp1STjgtg==,type:str]
     pgp:
         - created_at: "2025-06-27T20:11:08Z"
           enc: |-
@@ -108,4 +108,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: CD8CE78CB0B3BDD4
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2