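# NixOS module: runs the alerttonotify daemon as a sandboxed systemd service
# that authenticates to NATS with an nkey decrypted by sops-nix.
{ pkgs, config, ... }:
{
  # Declare the secret with sops-nix defaults (owner, mode and path are the
  # module defaults; nothing is overridden here).
  sops.secrets."nats_nkey" = { };

  systemd.services."alerttonotify" = {
    enable = true;
    wants = [ "network-online.target" ];
    # NOTE(review): ordering after "sops-nix.service" only has an effect if a
    # unit with that name exists on this host — confirm, since the secret must
    # be on disk before LoadCredential reads it.
    after = [
      "network-online.target"
      "sops-nix.service"
    ];
    wantedBy = [ "multi-user.target" ];
    restartIfChanged = true;

    environment = {
      # NOTE(review): the URL scheme alone does not show whether the
      # connection is TLS-protected — confirm against the NATS server config.
      NATS_URL = "nats://nats1.home.2rjus.net:4222";
      # %d is the systemd specifier for this unit's credentials directory, so
      # the daemon reads the copy made by LoadCredential below, not the
      # original secret file.
      NATS_NKEY_FILE = "%d/nats_nkey";
    };

    serviceConfig = {
      Type = "exec";
      ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";

      # Credential hand-off: systemd copies the secret into the per-service
      # credentials directory, which is what lets the DynamicUser account read
      # it without widening permissions on the secret itself.
      # The source path is taken from the sops-nix declaration above rather
      # than hard-coded, so the two cannot drift apart if the secret's path is
      # ever overridden.
      LoadCredential = "nats_nkey:${config.sops.secrets.nats_nkey.path}";

      # Identity and privileges: transient unprivileged user, empty capability
      # bounding set. DynamicUser also implies ProtectSystem=strict,
      # PrivateTmp, RemoveIPC, NoNewPrivileges and RestrictSUIDSGID.
      DynamicUser = "yes";
      CapabilityBoundingSet = "";
      PrivateUsers = "yes";

      # Filesystem, device and kernel surface.
      # NOTE(review): ProtectKernelTunables is not set; consider adding it
      # next to the other Protect* options.
      PrivateDevices = "yes";
      ProtectClock = "yes";
      ProtectControlGroups = "yes";
      ProtectHome = "yes";
      ProtectHostname = "yes";
      ProtectKernelLogs = "yes";
      ProtectKernelModules = "yes";

      # Process and memory restrictions.
      LockPersonality = "yes";
      MemoryDenyWriteExecute = "yes";
      RestrictNamespaces = "yes";
      RestrictRealtime = "yes";

      # Network: IPv4/IPv6 sockets only (no AF_UNIX, AF_NETLINK or AF_PACKET).
      RestrictAddressFamilies = "AF_INET AF_INET6";

      # System calls: native ABI only.
      # NOTE(review): "~@privileged" is a deny-list, so every syscall outside
      # that group stays available. An allow-list such as "@system-service"
      # combined with this deny entry would be tighter — verify the daemon
      # still starts before adopting it.
      SystemCallArchitectures = "native";
      SystemCallFilter = "~@privileged";
    };
  };
}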