- crowdsec.nix: drop the ntfy notifications (one push per ban was constant
noise on the WAN-exposed box); bans still happen silently
- service-health.nix: OnFailure=notify-failure@%n on 16 core units sends an
ntfy 'down' push when a unit truly fails (after exhausting Restart=), then
a 'recovered' push when it comes back. Shares /var/secrets/ntfy-url.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>