ntfy-sh: add runtime secret file support

[JacobMetz]

ADDED: smtpSenderPassFile and webPushPrivateKeyFile options ADDED: systemd LoadCredential for secure runtime secret handling ADDED: security hardening options for notification service CHANGED: state directory handling

Closes #352461

Things done

• Built on platform(s)
  • [x] x86_64-linux
  • [ ] aarch64-linux
  • [ ] x86_64-darwin
  • [ ] aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • [ ] sandbox = relaxed
  • [ ] sandbox = true
• [x] Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• [ ] Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage Note: I attempted to run nixpkgs-review, but my dual core laptop repeatedly froze during the process. If additional testing is required, I would appreciate assistance or confirmation from a reviewer with more capable hardware.
• [x] Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • [ ] (Package updates) Added a release notes entry if the change is major or breaking
  • [ ] (Module updates) Added a release notes entry if the change is significant
  • [ ] (Module addition) Added a release notes entry if adding a new NixOS module
• [x] Fits CONTRIBUTING.md.

---

Add a :+1: reaction to pull requests you find important.

[pluiedev]

Welcome to Nixpkgs! Please squash your commits into just one 🥰