authorFranck Cuny <franck@fcuny.net>2022-11-21 17:55:14 -0800
committerFranck Cuny <franck@fcuny.net>2022-11-30 17:47:00 -0800
commitcd06a48735d2e09e71ba2bf2d91c3407e66ccba1 (patch)
tree6e3f6fb9ab615cf8c952f67da0080d0fbd9338d9
parentref(tools/sendsms): it's been moved to its own repository (diff)
downloadworld-cd06a48735d2e09e71ba2bf2d91c3407e66ccba1.tar.gz
feat(modules/sensdms): a module to send an SMS
A new module `sendsms` is added to send SMS when the host reboots. It's
triggered by systemd when the host boots and once the network is
available.
-rw-r--r--flake.lock166
-rw-r--r--flake.nix8
-rw-r--r--modules/services/default.nix1
-rw-r--r--modules/services/sendsms/default.nix63
-rw-r--r--nix/mkSystem.nix1
5 files changed, 236 insertions, 3 deletions
diff --git a/flake.lock b/flake.lock
index 1b8262a..63f226c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -49,12 +49,36 @@
         "flake-compat": "flake-compat_2",
         "flake-utils": "flake-utils_4",
         "nixpkgs": [
-          "x509-tools",
+          "sendsms",
           "nixpkgs"
         ],
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {
+        "lastModified": 1668047118,
+        "narHash": "sha256-F4xP7dAU6ca+hYa3qF0CtnwfQJT3YH4qEh/IxO+p9t0=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "074825a9e8d6446564e2ae6949ac3feb79aa7397",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "crane_3": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": [
+          "x509-tools",
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_5"
+      },
+      "locked": {
         "lastModified": 1667522439,
         "narHash": "sha256-1tDYoumL5337T4BkC87iRXbAfeyeeOXa5WAbeP/ENqQ=",
         "owner": "ipetkov",
@@ -119,6 +143,22 @@
         "type": "github"
       }
     },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "locked": {
         "lastModified": 1659877975,
@@ -179,6 +219,21 @@
         "type": "github"
       }
     },
+    "flake-utils_5": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "futils": {
       "locked": {
         "lastModified": 1659877975,
@@ -371,6 +426,31 @@
     "pre-commit-hooks_3": {
       "inputs": {
         "flake-utils": [
+          "sendsms",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "sendsms",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1667992213,
+        "narHash": "sha256-8Ens8ozllvlaFMCZBxg6S7oUyynYx2v7yleC5M0jJsE=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "ebcbfe09d2bd6d15f68de3a0ebb1e4dcb5cd324b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks_4": {
+      "inputs": {
+        "flake-utils": [
           "x509-tools",
           "flake-utils"
         ],
@@ -405,6 +485,7 @@
         "nur": "nur",
         "pre-commit-hooks": "pre-commit-hooks_2",
         "rust": "rust",
+        "sendsms": "sendsms",
         "x509-tools": "x509-tools"
       }
     },
@@ -484,6 +565,58 @@
     "rust-overlay_3": {
       "inputs": {
         "flake-utils": [
+          "sendsms",
+          "crane",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "sendsms",
+          "crane",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1667487142,
+        "narHash": "sha256-bVuzLs1ZVggJAbJmEDVO9G6p8BH3HRaolK70KXvnWnU=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "cf668f737ac986c0a89e83b6b2e3c5ddbd8cf33b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_4": {
+      "inputs": {
+        "flake-utils": [
+          "sendsms",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "sendsms",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1668479979,
+        "narHash": "sha256-UI+JUCBaMpn+5Y1hSePmndbYX5zu0+bavlfzrhPrGEk=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "2342f70f7257046effc031333c4cfdea66c91d82",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_5": {
+      "inputs": {
+        "flake-utils": [
           "x509-tools",
           "crane",
           "flake-utils"
@@ -508,7 +641,7 @@
         "type": "github"
       }
     },
-    "rust-overlay_4": {
+    "rust-overlay_6": {
       "inputs": {
         "flake-utils": [
           "x509-tools",
@@ -533,7 +666,7 @@
         "type": "github"
       }
     },
-    "x509-tools": {
+    "sendsms": {
       "inputs": {
         "crane": "crane_2",
         "flake-utils": [
@@ -546,6 +679,33 @@
         "rust-overlay": "rust-overlay_4"
       },
       "locked": {
+        "lastModified": 1668913928,
+        "narHash": "sha256-l8rmzMW0py0Q8Mrxc0Fw+ZFG0R08dS7WqghEllBbd9Y=",
+        "ref": "main",
+        "rev": "43200a050e9e85a3b8cf717e59efb84d9314a6b8",
+        "revCount": 5,
+        "type": "git",
+        "url": "https://git.fcuny.net/fcuny/sendsms"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.fcuny.net/fcuny/sendsms"
+      }
+    },
+    "x509-tools": {
+      "inputs": {
+        "crane": "crane_3",
+        "flake-utils": [
+          "futils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks": "pre-commit-hooks_4",
+        "rust-overlay": "rust-overlay_6"
+      },
+      "locked": {
         "lastModified": 1668381652,
         "narHash": "sha256-xdrF/ZOpq3lAxJgVtNapMSkTpDFB63V0ILJGrMQaEWI=",
         "ref": "main",
diff --git a/flake.nix b/flake.nix
index 51ab48e..9de6d9f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -54,6 +54,14 @@
         nixpkgs.follows = "nixpkgs";
       };
     };
+
+    sendsms = {
+      url = "git+https://git.fcuny.net/fcuny/sendsms?ref=main";
+      inputs = {
+        flake-utils.follows = "futils";
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
   };
 
   # Output config, or config for NixOS system
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 538e564..c02468f 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -15,6 +15,7 @@
     ./prometheus
     ./rclone
     ./samba
+    ./sendsms
     ./sourcegraph
     ./ssh-server
     ./syncthing
diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix
new file mode 100644
index 0000000..1238c5c
--- /dev/null
+++ b/modules/services/sendsms/default.nix
@@ -0,0 +1,63 @@
+# send SMS based on actions
+{ pkgs, config, lib, ... }:
+let
+  cfg = config.my.services.sendsms;
+  secrets = config.age.secrets;
+in
+{
+  options.my.services.sendsms = {
+    enable = lib.mkEnableOption "sendsms configuration";
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.sendsms = {
+      description = "Send an alert when the host has booted";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.sendsms ];
+      serviceConfig = {
+        Type = "oneshot";
+        WorkingDirectory = cfg.stateDir;
+        ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";
+        Restart = "on-failure";
+
+        # Runtime directory and mode
+        RuntimeDirectory = "sendsms";
+        RuntimeDirectoryMode = "0755";
+
+        # Access write directories
+        UMask = "0027";
+
+        # Capabilities
+        CapabilityBoundingSet = "";
+
+        # Security
+        DynamicUser = true;
+        NoNewPrivileges = true;
+
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+      };
+    };
+  };
+}
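Review bot: `WorkingDirectory = cfg.stateDir` in `serviceConfig` reads an option this module never declares — `options.my.services.sendsms` only defines `enable` — so enabling the service fails evaluation with a missing-attribute error unless `stateDir` is declared by some other module not shown here; `StateDirectory = "sendsms"` with `WorkingDirectory = "/var/lib/sendsms"` gives the unit a writable directory that also works under `ProtectSystem = "strict"` and `DynamicUser`. With `DynamicUser = true` the process runs as a transient unprivileged user, so it can only open `secrets."sendsms/config".path` if that secret's owner or group was adjusted elsewhere (not visible in this commit); handing it over with `LoadCredential` and reading `%d/config` keeps the file root-owned while the dynamic user gets a private copy. The description says the unit runs once the network is available, but `after = [ "network.target" ]` only orders against network setup; `network-online.target` in both `after` and `wants` is what waits for connectivity. `RestrictAddressFamilies = [ "AF_INET AF_INET6" ]` works because systemd splits the rendered directive on whitespace, but one family per element, `[ "AF_INET" "AF_INET6" ]`, is the conventional NixOS form.
```nix
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      # … unchanged: wantedBy, path …
      serviceConfig = {
        Type = "oneshot";
        # Writable state under /var/lib even with ProtectSystem=strict and DynamicUser
        StateDirectory = "sendsms";
        WorkingDirectory = "/var/lib/sendsms";
        # Secret is delivered via systemd credentials so the dynamic user can read it
        LoadCredential = [ "config:${secrets."sendsms/config".path}" ];
        ExecStart = "${pkgs.sendsms}/bin/sendsms --config %d/config reboot";
        # … unchanged: Restart, RuntimeDirectory, UMask, capabilities, sandboxing …
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        # … unchanged: remaining hardening and syscall filter …
```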
diff --git a/nix/mkSystem.nix b/nix/mkSystem.nix
index 4debbab..1cb450f 100644
--- a/nix/mkSystem.nix
+++ b/nix/mkSystem.nix
@@ -17,6 +17,7 @@ inputs.nixpkgs.lib.nixosSystem {
         overlays = [
           inputs.nur.overlay
           inputs.rust.overlays.default
+          inputs.sendsms.overlay
           (final: prev:
             {
               tools = import "${self}/tools" { pkgs = prev; inherit naersk; };