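# NixOS module: runs alerttonotify as a sandboxed systemd service and passes it
# the NATS NKey through a systemd credential instead of a world-visible path.
{ pkgs, config, ... }:
{
  # Declared with sops-nix defaults; no owner, mode or path override is set here.
  sops.secrets."nats_nkey" = { };

  systemd.services."alerttonotify" = {
    enable = true;
    wants = [ "network-online.target" ];
    # NOTE(review): "sops-nix.service" is only an ordering hint. Confirm a unit
    # with that name exists on this host; ordering after a missing unit is a no-op.
    after = [
      "network-online.target"
      "sops-nix.service"
    ];
    wantedBy = [ "multi-user.target" ];
    restartIfChanged = true;

    environment = {
      # NOTE(review): plain nats:// scheme. Whether the connection is upgraded
      # to TLS depends on client/server settings not visible here; confirm.
      NATS_URL = "nats://nats1.home.2rjus.net:4222";
      # %d expands to the unit's credentials directory, so this points at the
      # private copy created by LoadCredential below.
      NATS_NKEY_FILE = "%d/nats_nkey";
    };

    serviceConfig = {
      Type = "exec";
      ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";

      # Runs under a transient, unprivileged user. That user cannot read the
      # sops secret directly, which is why the key is handed over as a credential.
      DynamicUser = "yes";

      # Empty bounding set: the service can never hold any capability.
      CapabilityBoundingSet = "";
      # Only IPv4/IPv6 sockets; AF_UNIX, AF_NETLINK, AF_PACKET etc. are denied.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      SystemCallArchitectures = "native";
      LockPersonality = "yes";
      MemoryDenyWriteExecute = "yes";
      PrivateDevices = "yes";
      PrivateUsers = "yes";
      ProtectControlGroups = "yes";
      ProtectHome = "yes";
      ProtectHostname = "yes";
      # The systemd directive is RestrictNamespaces (plural). The singular
      # spelling is an unknown key that systemd logs and ignores, which left
      # namespace creation unrestricted.
      RestrictNamespaces = "yes";

      # Source path is taken from the sops-nix declaration above so the two
      # cannot drift apart; with default settings it is /run/secrets/nats_nkey.
      LoadCredential = "nats_nkey:${config.sops.secrets."nats_nkey".path}";
    };
  };
}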