diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index ed702e6..0307457 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -80,6 +80,7 @@
 # password=${config.sops.placeholder."drives/cirno/password"}
 # '';
+ sops.secrets."boot/ntfy_key" = { };
 virtualisation = {
 docker.enable = true;
@@ -93,6 +94,11 @@
 services.zfs.autoScrub.enable = true;
 boot.initrd = {
+ secrets = {
+ # NOTE: this means that sops already needs to have installed this key at
+ # its path before rebuilding once again.
+ "/secrets/boot/ntfy_key" = config.sops.secrets."boot/ntfy_key".path;
+ };
 network = {
 enable = true;
 udhcpc.enable = true;
@@ -107,6 +113,12 @@
 };
 postCommands = ''
 export NIX_SSL_CERT_FILE='${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt'
+ export NTFY_KEY="$('${lib.getExe' pkgs.coreutils "cat"}' '/secrets/boot/ntfy_key')"
+
+ '${lib.getExe pkgs.curl}' \
+ -H "Title: tsuki reached ZFS unlocking stage" \
+ -d "Please log in and fix :)" \
+ "https://ntfy.sh/$NTFY_KEY"
 echo 'zfs load-key -a; killall zfs; exit' >> /root/.profile
 '';
diff --git a/secrets/tsuki.yaml b/secrets/tsuki.yaml
index 78cc7b4..f971154 100644
--- a/secrets/tsuki.yaml
+++ b/secrets/tsuki.yaml
@@ -1,3 +1,5 @@ +boot: + ntfy_key: ENC[AES256_GCM,data:5wgPGmEqJVCLgk99B//vD0V0JY7qrULW9djd3ewCVQ==,iv:rWY4lIxj82QftMBeTggqsDQA2d5uR7Rc67bBhVIV+ho=,tag:UUDKzYqBcqWPue3SfVz7lA==,type:str] github: tokens: prometheus_exporter: ENC[AES256_GCM,data:7UxV462JZ775prtH9GsIpM1YExHaLRqtJ44NDqkDdgf22Y1/fy5DVA==,iv:IZr/7A9DOUrVlI3+OdXdKzbDIyqJucTbNN9DmGCpKAY=,tag:ThMMXaiEYhPNMnCNNz1uNQ==,type:str]
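Review bot: The NOTE on the new `boot.initrd.secrets` entry in hosts/tsuki/configuration.nix (hunk at +94) covers the rebuild ordering but not where the key ends up: the decrypted file is copied into the initrd, so it is readable by anyone who can read the boot partition if that partition is unencrypted (not visible here, though unlocking ZFS from the initrd suggests it may be). The `curl` call in the later hunk publishes with no credentials, so knowing the topic name appears to be enough to post to it; I would record that next to the entry, e.g. `# Stored decrypted inside the initrd: treat the topic as low-trust and keep sensitive data out of notifications.` The `boot.initrd` attribute set continues outside the hunk.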
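Review bot: The `curl` call added to `postCommands` in hosts/tsuki/configuration.nix (hunk at +113) has no timeout and no failure handling, so an unreachable network or slow DNS in the initrd can hold up the script before the `echo 'zfs load-key -a; killall zfs; exit' >> /root/.profile` line that sets up the unlock path. Make the notification bounded and best-effort by adding `--silent --show-error --max-time 10` to the command and ending it with `|| true`. `NTFY_KEY` also does not need `export`; a plain `NTFY_KEY="$(...)"` keeps the topic out of the environment of whatever is started later in the same script. The attribute set that encloses `postCommands` starts outside the hunk.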
@@ -54,8 +56,8 @@ sops: N3ZHc2tWTEpsNFNTVTI5amtPR2RIT3MKUGszZcvd7k+62TPmQNDOFvtjGLegjyQ8 NpCYsXRuIIJ9phzcyG0Iobf3uJBdNtXm2ujBGlY9TqwfIATygwJQjQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-28T23:33:37Z" - mac: ENC[AES256_GCM,data:iw6m2XmdVgEvGeYQC9ORcaxu4p6kiYWJNWmkYPPOPLSn4xECgd8tmPlxUWHwiIEjDzD+Vi7atafW8eAtQg9T8s4mvV1Ovw7oBKzzGk3DqFKB9//myedBtIvntCYGDpBSXcVqK1iHKsG605fnY1CrzyRG5gi3xoub3AabcM8l8sQ=,iv:JdIKfELLUUG/2AzQx/uc+YaHhGNAb0sSiih3rDBkUjg=,tag:fqCMmnjIDACAzG+eiCCKrQ==,type:str] + lastmodified: "2025-12-29T07:05:51Z" + mac: ENC[AES256_GCM,data:GhhS7iGMiOI1cTJbE8ZAeyKENpvN9L552ajWYfJdSnUFXvH7QXiNBa2LRNccQVX2gnfOTVi16ms+6L+NBHlWMuk+kFywCeR0ZppIt0ktoIfLuzJEyAQHNMNkrdvVAKYd2cjdGRvWhj1qXZERLwl+uSMKj/iK1ghNkBwMNSuzZas=,iv:Jat524mwCqLQCo0u1v4G6kemdjCw2XqghHiQuV38AxA=,tag:6i/hBgTN+wVafrXywuLoUw==,type:str] pgp: - created_at: "2025-10-24T02:47:54Z" enc: |- @@ -78,4 +80,4 @@ sops: -----END PGP MESSAGE----- fp: F7D37890228A907440E1FD4846B9228E814A2AAC unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.11.0