From 125c59b7f8af0bfc7d1da327c0ff79d14fb169ca Mon Sep 17 00:00:00 2001
From: catvayor <catvayor@katvayor.net>
Date: Wed, 21 May 2025 11:34:16 +0200
Subject: [PATCH] feat(meta/ntfy-sh): register ntfy-sh password in meta

---
 machines/nixos/web01/ntfy-sh/default.nix | 32 +++++++++++++++++-------
 meta/options.nix                         |  8 ++++++
 meta/organization/members.nix            |  1 +
 3 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/machines/nixos/web01/ntfy-sh/default.nix b/machines/nixos/web01/ntfy-sh/default.nix
index acfb080..51de1c3 100644
--- a/machines/nixos/web01/ntfy-sh/default.nix
+++ b/machines/nixos/web01/ntfy-sh/default.nix
@@ -2,11 +2,31 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-{ config, ... }:
+{
+  config,
+  lib,
+  meta,
+  ...
+}:
 
 let
+  inherit (lib)
+    filterAttrs
+    mapAttrsToList
+    mapAttrs
+    ;
+
   host = "push.dgnum.eu";
   port = 2586;
+
+  ntfy-users = mapAttrs (_: member: { hashedPassword = member.ntfy-hashedPassword; }) (
+    filterAttrs (_: member: member.ntfy-hashedPassword != null) meta.organization.members
+  );
+  ntfy-access = mapAttrsToList (name: _: {
+    topic = "monitoring";
+    username = name;
+    permission = "ro";
+  }) ntfy-users;
 in
 {
   nixpkgs.overlays = [
@@ -36,15 +56,9 @@ in
           username = "systemd";
           permission = "wo";
         }
-      ];
-      users = {
+      ] ++ ntfy-access;
+      users = ntfy-users // {
         "systemd".passwordFile = config.age.secrets."ntfy-sh-systemd_passwd".path;
-
-        # TODO: through meta
-        "catvayor" = {
-          role = "admin";
-          hashedPassword = "$2b$05$rDvB8C7OoWoyAgLAeaZBcuptiJulF/BfSYREoPRIZkmAO7hhimvNy";
-        };
       };
     };
   };
diff --git a/meta/options.nix b/meta/options.nix
index 403b5c9..8949b0e 100644
--- a/meta/options.nix
+++ b/meta/options.nix
@@ -142,6 +142,14 @@ in
                   '';
                 };
 
+                ntfy-hashedPassword = mkOption {
+                  type = nullOr str;
+                  default = null;
+                  description = ''
+                    Hashed password for ntfy-sh account.
+                  '';
+                };
+
                 # FIXME: Unused
                 vpnKeys = mkOption {
                   type = attrsOf vpnKeyType;
diff --git a/meta/organization/members.nix b/meta/organization/members.nix
index 92fbccd..8db3f66 100644
--- a/meta/organization/members.nix
+++ b/meta/organization/members.nix
@@ -42,6 +42,7 @@
         builderKeys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDn3ft6Pmlql8er86nyCVFSQDEY993By+667OmN3ECK9 catvayor@kat-probook"
         ];
+        ntfy-hashedPassword = "$2b$05$rDvB8C7OoWoyAgLAeaZBcuptiJulF/BfSYREoPRIZkmAO7hhimvNy";
       };
 
       cst1 = {