feat: migrate to agenix for secret management

modules/ntfy.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   services.ntfy-sh = {
@@ -10,12 +10,22 @@
       auth-file = "/var/lib/ntfy-sh/user.db";
       auth-default-access = "deny-all";
       enable-login = true;
-      auth-users = [
-        "jet:${config.mySecrets.ntfyAdminHash}:admin"
-      ];
       auth-access = [
         "*:up*:write-only"
       ];
     };
   };
+
+  # Patch the generated config at runtime to inject the admin bcrypt hash
+  systemd.services.ntfy-sh = {
+    serviceConfig.RuntimeDirectory = "ntfy-sh";
+    serviceConfig.ExecStartPre = let
+      script = pkgs.writeShellScript "ntfy-patch-config" ''
+        cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml
+        HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path})
+        printf '\nauth-users:\n  - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml
+      '';
+    in [ "+${script}" ];
+    serviceConfig.ExecStart = lib.mkForce "${pkgs.ntfy-sh}/bin/ntfy serve --config /run/ntfy-sh/server.yml";
+  };
 }