diff --git a/hosts/kazuki/ntfy.nix b/hosts/kazuki/ntfy.nix
index b6ae50d..54bde13 100644
--- a/hosts/kazuki/ntfy.nix
+++ b/hosts/kazuki/ntfy.nix
@@ -1,14 +1,27 @@
-{ config, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 {
 age.secrets.nrab-lol-cf = {
 file = ../../secrets/nrab-lol-cf.age;
 owner = config.services.nginx.user;
 };
+ age.secrets.ntfy-niko-pass = {
+ file = ../../secrets/ntfy-niko-pass.age;
+ owner = config.services.ntfy-sh.user;
+ };
+ age.secrets.ntfy-alert-pass = {
+ file = ../../secrets/ntfy-alert-pass.age;
+ owner = config.services.ntfy-sh.user;
+ };
 services.ntfy-sh = {
 enable = true;
 settings = {
- base-url = "ntfy.nrab.lol";
+ base-url = "https://ntfy.nrab.lol";
 listen-http = "127.0.0.1:9800";
 behind-proxy = true;
 upstream-base-url = "https://ntfy.sh";
@@ -16,6 +29,27 @@
 };
 };
+ systemd.services.ntfy-sh.postStart =
+ let
+ ntfy = lib.getExe' config.services.ntfy-sh.package "ntfy";
+ script = pkgs.writeShellScript "ntfy-setup-users.sh" ''
+ ${ntfy} access everyone '*' deny
+
+ if ! ${ntfy} user list | grep -q 'user alert'; then
+ NTFY_PASSWORD="$(cat ${config.age.secrets.ntfy-alert-pass.path})" \
+ ${ntfy} user add alert
+ ${ntfy} access alert '*' write-only
+ fi
+
+ if ! ${ntfy} user list | grep -q 'user niko'; then
+ NTFY_PASSWORD="$(cat ${config.age.secrets.ntfy-niko-pass.path})" \
+ ${ntfy} user add niko
+ ${ntfy} access niko '*' read-only
+ fi
+ '';
+ in
+ toString script;
+
 users.users.nginx.extraGroups = [ "acme" ];
 networking.firewall.allowedTCPPorts = [
 80
diff --git a/secrets/alert-nrab-lol-pass.age b/secrets/alert-nrab-lol-pass.age
index d76c462..a41dc38 100644
--- a/secrets/alert-nrab-lol-pass.age
+++ b/secrets/alert-nrab-lol-pass.age
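Review bot: The `ntfy-setup-users.sh` script in the second hunk of `hosts/kazuki/ntfy.nix` has no errexit, so if `${ntfy} access everyone '*' deny` or a `user add` fails, the later commands still run and the unit can report success without the deny rule in place. Because the script is a separate file built by `pkgs.writeShellScript`, it presumably does not inherit any `-e` from the systemd wrapper; making `set -eu` its first line would let the setup fail closed. The deny rule is also applied only after the server is already listening, so unless the one settings line hidden between the two hunks already covers it, `auth-default-access = "deny-all";` under `services.ntfy-sh.settings` would close that window declaratively. The `grep -q 'user alert'` test is a substring match and would also match a longer name such as `alertmanager`; anchoring it as `grep -q '^user alert '` is safer, assuming each list entry starts with `user NAME `. An account that already exists never has its password updated from the age secret, so rotating the `.age` file alone does not rotate the ntfy credential.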
@@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw E/UAAPU36fEbTLcJqSHuXLkT9gM9SKJc69lHYZ6vsxA -qtW5rBrMVMZlB9QAl1dJQW5wlXL9Xzzb6v0TgsVUH+I --> ssh-ed25519 GKhvwg LVyoMAJOOeyBUUDvehyKVCMyaECs5f5nFiWFIWVcXlM -zvoD1iS6LkgcuBwRlq8I7dL0js/881Flutn+aiWk4x8 ---- qQutAtaqLW7+tjxs/t34QquhxIg+OZiGTmjGW4okQc8 -0NG%*m]~TP]CӚLfaìToTE{ÀX}9_ nϏ|(f - \ No newline at end of file +-> ssh-ed25519 84j9mw 4n/zqW5iLJrCV7DkJjWVLqznKo5tCAtS3Ps42D3pGlA +DikYMkhNvvXqVpuzLbKYrILImwYow6yS9zHHBEQbEi8 +-> ssh-ed25519 GKhvwg ZQmLaXauWbnXb/4/MSbYB5h9usBY02oowXNEkixBgRc +LEV0jDifVtosFZYVOk5jBrd+koAh/B0uXnYO18HDU4g +--- Uwt3RGREkK2dHLhhhjz+kGzAL8ik/mA3oPWnEuocXhk +Me5~#zB]Fk75%!t|Tɖ"cK8IniSؙa]8 \ No newline at end of file diff --git a/secrets/alert-plain-pass.age b/secrets/alert-plain-pass.age index 0e3aee9..e638fc8 100644 --- a/secrets/alert-plain-pass.age +++ b/secrets/alert-plain-pass.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 ioPMHA bzpHiPf01dn6o2RorgjHtJLxEXTdX2vk5gzqeurKYWY -PCZiMqJOHaVUfTmQAxfSi4R4K9EJv9lRlvzifcZBdlg --> ssh-ed25519 GKhvwg 9LIgHkI9ai9sG5105/cckINKLZG1ZDLJoK4VseW4+Vo -cRJkPh2P1qIeLiC8FBMaf3Q0mdcH6KMmhKIZ8AE7oxk ---- ak5uMosvoFn03re13Wvb5izecSpHrrtmJ21YdWAvNs0 -t<0C2QϾG($GGwB H3rK \ No newline at end of file +-> ssh-ed25519 ioPMHA 631XxPesBw0DC687j0Du8gyvwHuN8DrRMtVVVPJ3kEA +A0zq6X8YgNVGMUBtpozcwXmy8pVQwtJRpelSPVywJ+Q +-> ssh-ed25519 GKhvwg NPPNc8ZreWcjYkriM0fn76AoYO5HSFmGY2Dnbhjchlg +fpchA60ze8fx3ooQlyRk9lapL+m90NLn+p6eKRoyy64 +--- KYS9LOiN9+RIlzyPZ71iqQ0c6I7MptxKzjfZzrEeAhs +z [i_1x>G72L!K,[7Q \ No newline at end of file diff --git a/secrets/attic-creds.age b/secrets/attic-creds.age index d72389c..94875ac 100644 Binary files a/secrets/attic-creds.age and b/secrets/attic-creds.age differ diff --git a/secrets/github-token.age b/secrets/github-token.age index 57261b7..516eb0e 100644 --- a/secrets/github-token.age +++ b/secrets/github-token.age 
@@ -1,14 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 IFuY+w BRVOB+nGZJ/43pUOJBXtYN9x65vGz+PeFBpUta4E7kM -an/9NC1sk2IzT+YdaPYvGfdn5ZR8eU21/h5OjL4yddE --> ssh-ed25519 84j9mw ndRBUsTQo3k/MQeQALBWZ8ZV86I+TjXbImDqm/ogMwU -eTyKCxGOLdq+mVq88cqSn5Y8tPQx3tcOk2B41uCf3KM --> ssh-ed25519 ioPMHA He7pM+kv7Mix/TsjevaXNnFt+a6uKAHdgqi/crJeIWQ -0YWZf3na17QYViOVG3D7h7S/jgXWwZrslYHD+uFq3U4 --> ssh-ed25519 5A7peQ lNXbVWvO6oJyvuYZBzJOsgSSCW3jKqKU/FHiVStKfGw -DckkP45wQ6i6vOqknKKoEYnERzBydM8Mgjt/17bPKc0 --> ssh-ed25519 GKhvwg Y+VUXd0xlQ5FdCb+cWDO8Gb6ATHRpxrnJqsh5FXWnzU -q/g44328iKsulGNpZXW0FIPL59JBjJLVV8bH+WuNKkg ---- P6ctzFyIxW72c+hxF6UaR3J8bCUHPql0IsNI6TktKxg - YGl^iսegTw{y r&p!vu:V= -CLjgO@b \ No newline at end of file +-> ssh-ed25519 IFuY+w G6FFvEMeBtfhAyS2FxF+uxxd3DlYAGepXDEPR9NdBEA +ClECByd51Kby8eoJFWbzbVedoH/ouz+BMehRKMVOQqw +-> ssh-ed25519 84j9mw b4eFV+AZ3ubWWoRGTF6IFOxsoAuBkCTyz5QzsVDsagA +k+rDZ8aFgDRvqIyWGFiKkYPePBWbMERWGPDYUfwWZTc +-> ssh-ed25519 ioPMHA W4jTnofv9qZxft/PlGbH9uS+KBgUXL86vB1B2MEO8Cg +7/ZcbO2YqMCJX9NGuyG4t0+svkGxkE9MaylmpGuIQKQ +-> ssh-ed25519 5A7peQ 7AzjFajaowcZCLrASPJbYbV+OPSZ8UZyxzy8B0kCqj8 +LNWG6lA5XRp25bBj/OJ6591780BM56tS8Cb85QcbdQw +-> ssh-ed25519 GKhvwg f5gR3WtCGEk/7XpB6Ah3Ns4TegcTFq8+2JuWCC0pU2U +tG1C60WknYYWwYe23pxlud1hT9uBEHaVYjF4sX5sTYg +--- yMoAb6D7Q9IOOR9l3gnQnbxuKoCZI0HR5+PZLGjYmKk +ߜYbq7($Q |2cAEչ?oQZ߈>, +qW5Aa3f%F \ No newline at end of file diff --git a/secrets/hercules-cache.age b/secrets/hercules-cache.age index ff6b60b..5d7c19b 100644 Binary files a/secrets/hercules-cache.age and b/secrets/hercules-cache.age differ diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age index 7ad7dca..6df036f 100644 --- a/secrets/hercules-secrets.age +++ b/secrets/hercules-secrets.age 
@@ -1,15 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw SzwJ0Fb3oan5QQXr10AEQzdg1Q4LNgUxPpYDftHywwo -lt+uQHpu9u1wu1UEq3aSJZ++sBpoeX/PhCRqNoZ3vN8 --> ssh-ed25519 ioPMHA OQe9Skg2JjtWT/YnOlOexhxifueYp4sMMCuokxg0NEQ -g2AaKoA8KBkpl7twrn/CL5YipDZ2vKiHCjF72D0dVYE --> ssh-ed25519 IFuY+w exr87EhCeLY9Zlrxi10d9K5a2WtLXZYSbxSKUvAJ7ys -GK9FiOWDtOWBfck0BoWt4GiCPhMysDyiUu2zDcminII --> ssh-ed25519 5A7peQ FI5uoSKhGYWXnZyA9rcKK5N0x7+8wrHY/pCoYdOCY1g -JRJc8uz5GgVkHCLdxfQdPFEEaRVHAzL791bYAw4DePM --> ssh-ed25519 GKhvwg ffDs2wAJAgQt9s2R4v1UAWg5vxC5c+TnfjYJ6RRw53s -BjF6ExVMjFmdc3WizPsH2XRqdI3vOjz9ffnsLvGeJws ---- hiMPtBqjjdtSDBXaG+ZPlKr3l75B3vS0m98y3yemh4E -6 ڥdX,/`>-ae`Yphz:Vl&k J{UmM)ۻkt`$+QuBAXEIOP~n)hv-/xNk4p>}v0幐k%A R+I.- -1ѷ>6g3Vh0>'N8Y62*W֙ {LI{u?[&SjcSKE2kU~b5(B3~T)A&썸y^Ξ#yE9mdrͣܣ`{+c \ No newline at end of file +-> ssh-ed25519 84j9mw vY3nxZWjk7h4F4hZBkp2NJrC9HULrOJ4b9nVcix3LAA +G9PQPGVI8g61fAFUs8FWKajmPOti5hCgNladdAlo0h0 +-> ssh-ed25519 ioPMHA Y/qWQGVvQhri80M7Ci+CF85VCbKJRVZ1AF3ueQzVTCo +gcjYjXLqxvnD12wV5zhl9ELvaX987EyBAHL7nuUmdEE +-> ssh-ed25519 IFuY+w bl9m9HfnL/aGEe0TrjJMChNgFS1Ox2NsffazhmA4ZUU +p4PqXZGk1pNF6Bdbh504I324OErbiwZgwKI1+bwUCJg +-> ssh-ed25519 5A7peQ h6kXKa9g0WbUbAExL53Z3KO/8J3q/75ERJqpTj0kGCA +nSKw2+ehVY9ZAFYLHGNPtykSn7GpYm5hSHWrosZtsAM +-> ssh-ed25519 GKhvwg KOG4A6BbJdE95hHbUTlSGz+VleTXDzPjmlPGFMtrPls +/mGzr+PynGrELwJsV+KTupzLfbG+eLisOtwWvOL2ZfY +--- iioMB0ae1QZccJnjieAjCxIbbj7SPfiMu+G99WjEM/o +&6iTa#˳}pAxc{HH cA--4.Cig0kD>WR +$'~mdJJ ssh-ed25519 ioPMHA pWCwNDvXfVMuPXbMw4cvdz8iztUdPcJZcYBUU6Hfg34 -NW49fnk6FjLMbkDBeXnGylXpdOecHxrFjlkv+4lSde0 --> ssh-ed25519 GKhvwg bqVjtgocY6+SPikUfDOn/7gUmEIsMG7Rq0A0dyxdcn8 -EHbB9KLG3S/skQOKCKtJC4VXL2bz9sO0Lym9uI+hz6c ---- EUFvmoeavLuLPnufqmgtwEPKoK3HEgMhgBKCaD4FDho -;D9Ì{*XĩUfhyCRhZ~kF)UP}ȖS+"lmK[H \ No newline at end of file +-> ssh-ed25519 ioPMHA jkLofh/bWIQ2C6GuMO2rj3txFSZqbygxmw2Wqf6BRnI +cEN5l7MtRup7CrcvErWqQkjoswJhHVSwLYHlwbVHHGU +-> ssh-ed25519 GKhvwg sLzHoAm6XHQnOdZLNkjyMgNcV1LCzH5JoYprzu0bgEs 
+uDrJR546WgW8PBoKRg+hZYzNwRtwUErT6jWFj9pDHlo +--- N8Tmhynh1k7quJdAgqNPnsa7tjkt/Ev5LrdhojbiM9E +AhW+X岆G*ӍLMoU+m/%zP.o%mcU;~[gϰ582O-\L2MXJ2nf ?O \ No newline at end of file diff --git a/secrets/nrab-lol-cf.age b/secrets/nrab-lol-cf.age index 76591dc..31220f1 100644 --- a/secrets/nrab-lol-cf.age +++ b/secrets/nrab-lol-cf.age @@ -1,7 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw meAuaVxNefi92UFGVqX2tKHu5XSIWDykpmiM7zjtMlM -wcI5WePiDt9IuC9RH06PH30Sn7wbkDDk9ZEt/iQkeTA --> ssh-ed25519 GKhvwg 6AcyxHMd2g99rdhd/s4e95LU7PtMesyD2kd7Rt6u3yg -KXPAV17yyq94pTJdmNGVowO6DVoDLhC9UlCyAmSk59I ---- mR8BQg3dMF2IqUqDmrWIvD7hOfTeJYCpR5QlPXNcgzM -bqIl _A;~O4noݳ*;[<;{̛- Z`*!vmx-V lԫ]|%%x;5 \ No newline at end of file +-> ssh-ed25519 84j9mw J8KF1LlgpFaq/LBh5/4H+RZ6et86bdDFOvi8+kpZXRA +gs3mQE2r0uizPXVhiOv93DpIWFkQ8KkmNqEZ71p8KFk +-> ssh-ed25519 GKhvwg xh1ZHY499FomptXCxj5a1NO3j0KtIKXpsYZFF5erXik +bmDBVcJLUzrDPEGzZO0kVgXDaWXbm5RpyCq8/A+Zk4I +--- TIKd5u8wRwrMAeDIkm9sIzeW2m+jXuzBewAVd5w5iqk +1I4qԙ?boU2ٍeC:P +L#Y+R,CbXEuRD i,1oZx& \ No newline at end of file diff --git a/secrets/ntfy-alert-pass.age b/secrets/ntfy-alert-pass.age new file mode 100644 index 0000000..f67b830 --- /dev/null +++ b/secrets/ntfy-alert-pass.age 
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 H0Rg/A JBVUqzrPx6XwOHdMl5Qp/doUyJUwchW/GeXu50f24Fo +ISVMQtq9mpkRshvwamwmWwYeyKZFgtyWtw+IiaQYuB4 +-> ssh-ed25519 84j9mw XiH+tWfMOZQFJmS0QyQxOe9VjTaMo9kvU3rDSu4kdyM +dZ5P8ndFUR2yU5J8D1m3eaGQd1CVzNKtT4VowXdFtrQ +-> ssh-ed25519 5A7peQ UytC66TWuyHd5TepfV6EIvYuyUXKXoFBctYB8cfgU1M +sWIqvAqUJvN0J+Je3WBFFYRAff2+CexAagd4+VR37Yw +-> ssh-ed25519 ioPMHA 7QcH5Wyljwhoj0jLMQz977gFggfehG7f2ugmnfX+tCI +Dfe6BwfLoDRmfV8O5COBMqBYWaanC2I32OU3+ldaKig +-> ssh-ed25519 g2vRWw 1pnce+XKob7qrB0ufkdZvHucvk9NiXATRUmczvNGMhA +zf0ak4p+qYCtsdnWZwHtTnfjn75WPzdc+hEHk7H0exw +-> ssh-ed25519 IFuY+w 6ujRC18VThMj4ocX3loqq2DISxS68aVu9T2w7kiKhhw +j8ZgoMH0DIS21bDeLdRPeCRO01hX+MAv6YYpvNMLkFk +-> ssh-ed25519 GKhvwg O+JfpLfrxaIl8PL+StLA8hb2fADlgUTOn0lujlu4k2M +YZ03palVRAtSvldZQatrl45EvuIIkdd45IZZKjZO7js +--- 40DpLeXN4B2bpTfcakCZ8CdUzOGREmAba4atOzsyGiM +f_Ed>"eyL{ln5W3-IBO7}9'#=UA5)) \ No newline at end of file diff --git a/secrets/ntfy-niko-pass.age b/secrets/ntfy-niko-pass.age new file mode 100644 index 0000000..34a4c45 --- /dev/null +++ b/secrets/ntfy-niko-pass.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw 9fO0Uss0X8+FmibHo84aRYKDB+Mavp9X2Cg9lqGTixc +SnOdbe+GzL01jJ4rSSh+4Xb/CIJ/23bb0/+D686TnTU +-> ssh-ed25519 GKhvwg u3V5o3Mtk5YiwzETseVfBYlPT29HS1mwheCUCyJUh2M +jko5Sdf+4E61I5dpjH4bUth60B8BnnOsOcAIdcMzBFw +--- CO2Ky/1xxfSu/Tb3f0a8ORtCoRkfeh1cDtJiaP/1MDI +l*['Au27#u 趶IQm,XC7|ٞ/Ήr-< \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9ebebd9..e24aa29 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -67,4 +67,9 @@ in keys.system.kazuki keys.other.bootstrap ]; + "ntfy-niko-pass.age".publicKeys = [ + keys.system.kazuki + keys.other.bootstrap + ]; + "ntfy-alert-pass.age".publicKeys = (builtins.attrValues keys.system) ++ [ keys.other.bootstrap ]; } diff --git a/secrets/storage-box-creds.age b/secrets/storage-box-creds.age index 53a9b27..ddc30e0 100644 --- a/secrets/storage-box-creds.age 
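Review bot: In `secrets/secrets.nix`, `ntfy-alert-pass.age` is encrypted to every key in `keys.system` while `ntfy-niko-pass.age` is limited to `keys.system.kazuki` and `keys.other.bootstrap`, and nothing in the hunk says why the two differ. If the intent is that every host publishes with the write-only `alert` account, a comment above the entry would record that, for example `# every host publishes alerts as the write-only "alert" user, so all system keys may decrypt this`. Since the recipient list is computed with `builtins.attrValues keys.system`, any host added there later would presumably receive this credential on the next rekey, which is worth stating as deliberate.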
+++ b/secrets/storage-box-creds.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw g6s+z6YHbfOvZI7ZDp18eMu5Cjz+BoFXMx51+2lxUFY -3q/ymTUaBQz1ZzexbPOyfIuqDa6RaXpjECfVo5wfXak --> ssh-ed25519 GKhvwg F/e+lEu0+0pKBRRrbZJV3Dd2OaKcAwHrQAAtABrezRQ -LcWXLsWe+izfAkA1CI6l1672SPhaEk4Kp/rHjIQtJCQ ---- YxR7bdc//u/axG37zmoSav5YBwhBqjti1aKLF4l4X2o -0ᨾީ-A%V21z~Ƙ̒hfy Dc="QnC14l \ No newline at end of file +-> ssh-ed25519 84j9mw cEEM1sFBEx0VLeOpToON4hb6d21gJEYMMn/vlHu/wBs +khAgpAFxFGKBIG2z0f5qqh122KGsrlkt5FM+5daqQcY +-> ssh-ed25519 GKhvwg Zac7w0M77F9n0QjqEFe/mpyjanhH6YH2fc1UPPapx2o +6AvDBxnlMZhQ/6inLj7d72k1P0EI43wBniwa5ieTgYk +--- zEz2LeBNXbH433jUfugEYHVMeEB64yq2/01Xd18tPgg +g]i7Rl4p C&)o^ʅIsi:[ɥ7wyeX6$ ٗ  \ No newline at end of file diff --git a/secrets/storage-box-webdav.age b/secrets/storage-box-webdav.age index 3b20f1c..bd650f9 100644 Binary files a/secrets/storage-box-webdav.age and b/secrets/storage-box-webdav.age differ diff --git a/secrets/vault-cert-env.age b/secrets/vault-cert-env.age index 1a7e601..070e2d3 100644 Binary files a/secrets/vault-cert-env.age and b/secrets/vault-cert-env.age differ