docs: add sections and fix typos/errors

docs/SECRETS.md

@@ -6,14 +6,20 @@ Secrets are managed with `agenix` in the `agenix/` directory. This allows to dec
 
 The `agenix` help menu is already very helpful, but here you have a survival guide:
 
-- `agenix` commands should run relative to the `agenix/` direcotry.
+- `agenix` commands should run relative to the `agenix/` directory.
 - `agenix -d` allows you to descrypt such file if you possess any of the decryption keys.
 - `agenix -e` decrypts (if present) and opens the file in your editor to re-encrypt when exited.
 - `agenix -r` re-encypts `*.age` files in the case you ever change its decryption keys.
 
 # Secrets
 
-<!-- TODO: missing ntfy.sh secret docs -->
+There is a `ntfy.age` secret file which contents look like:
+
+```sh
+NTFY_TOPIC=readable-name_XXXXXXXXXX
+```
+
+This secret file is meant to be sources by shells before using [ntfy.sh](<https://ntfy.sh/>) to push important notifications. This topic could contain sensitive information and must be kept secret amongst administrators.
 
 ## DNS TSIG Keys
 
@@ -24,5 +30,5 @@ These keys can be generated using `tsig-keygen <key-name>` (historically they we
 When DNS is enabled for a host, it will look for `dns/${fqdn}/${zone}.key` secrets.
 
 - The key whose zone matches the `${fqdn}` will be allowed to tramit updates for all the domain.
-- Keys restrained to a specific `${subdomain}` will only be allowed to edit records of such subdomain.
+- Keys restrained to a specific `${zone}` will only be allowed to edit records of such zone.
 - All keys must be named with the zone they affect, final dot included, so that (e.g. `tuxcord.net/javalsai.tuxcord.net.key` must be generated by `tsig-keygen javalsai.tuxcord.net.`).