-rw-r--r-- | flake.lock | 166 | ||||
-rw-r--r-- | flake.nix | 8 | ||||
-rw-r--r-- | modules/services/default.nix | 1 | ||||
-rw-r--r-- | modules/services/sendsms/default.nix | 63 | ||||
-rw-r--r-- | nix/mkSystem.nix | 1 |
5 files changed, 236 insertions, 3 deletions
diff --git a/flake.lock b/flake.lock index 1b8262a..63f226c 100644 --- a/flake.lock +++ b/flake.lock @@ -49,12 +49,36 @@ "flake-compat": "flake-compat_2", "flake-utils": "flake-utils_4", "nixpkgs": [ - "x509-tools", + "sendsms", "nixpkgs" ], "rust-overlay": "rust-overlay_3" }, "locked": { + "lastModified": 1668047118, + "narHash": "sha256-F4xP7dAU6ca+hYa3qF0CtnwfQJT3YH4qEh/IxO+p9t0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "074825a9e8d6446564e2ae6949ac3feb79aa7397", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_3": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils": "flake-utils_5", + "nixpkgs": [ + "x509-tools", + "nixpkgs" + ], + "rust-overlay": "rust-overlay_5" + }, + "locked": { "lastModified": 1667522439, "narHash": "sha256-1tDYoumL5337T4BkC87iRXbAfeyeeOXa5WAbeP/ENqQ=", "owner": "ipetkov", @@ -119,6 +143,22 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1659877975, @@ -179,6 +219,21 @@ "type": "github" } }, + "flake-utils_5": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "futils": { "locked": { "lastModified": 1659877975, 
@@ -371,6 +426,31 @@ "pre-commit-hooks_3": { "inputs": { "flake-utils": [ + "sendsms", + "flake-utils" + ], + "nixpkgs": [ + "sendsms", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1667992213, + "narHash": "sha256-8Ens8ozllvlaFMCZBxg6S7oUyynYx2v7yleC5M0jJsE=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "ebcbfe09d2bd6d15f68de3a0ebb1e4dcb5cd324b", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks_4": { + "inputs": { + "flake-utils": [ "x509-tools", "flake-utils" ], @@ -405,6 +485,7 @@ "nur": "nur", "pre-commit-hooks": "pre-commit-hooks_2", "rust": "rust", + "sendsms": "sendsms", "x509-tools": "x509-tools" } }, @@ -484,6 +565,58 @@ "rust-overlay_3": { "inputs": { "flake-utils": [ + "sendsms", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "sendsms", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1667487142, + "narHash": "sha256-bVuzLs1ZVggJAbJmEDVO9G6p8BH3HRaolK70KXvnWnU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "cf668f737ac986c0a89e83b6b2e3c5ddbd8cf33b", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_4": { + "inputs": { + "flake-utils": [ + "sendsms", + "flake-utils" + ], + "nixpkgs": [ + "sendsms", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1668479979, + "narHash": "sha256-UI+JUCBaMpn+5Y1hSePmndbYX5zu0+bavlfzrhPrGEk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2342f70f7257046effc031333c4cfdea66c91d82", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_5": { + "inputs": { + "flake-utils": [ "x509-tools", "crane", "flake-utils" @@ -508,7 +641,7 @@ "type": "github" } }, - "rust-overlay_4": { + "rust-overlay_6": { "inputs": { "flake-utils": [ "x509-tools", 
@@ -533,7 +666,7 @@ "type": "github" } }, - "x509-tools": { + "sendsms": { "inputs": { "crane": "crane_2", "flake-utils": [ @@ -546,6 +679,33 @@ "rust-overlay": "rust-overlay_4" }, "locked": { + "lastModified": 1668913928, + "narHash": "sha256-l8rmzMW0py0Q8Mrxc0Fw+ZFG0R08dS7WqghEllBbd9Y=", + "ref": "main", + "rev": "43200a050e9e85a3b8cf717e59efb84d9314a6b8", + "revCount": 5, + "type": "git", + "url": "https://git.fcuny.net/fcuny/sendsms" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://git.fcuny.net/fcuny/sendsms" + } + }, + "x509-tools": { + "inputs": { + "crane": "crane_3", + "flake-utils": [ + "futils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": "pre-commit-hooks_4", + "rust-overlay": "rust-overlay_6" + }, + "locked": { "lastModified": 1668381652, "narHash": "sha256-xdrF/ZOpq3lAxJgVtNapMSkTpDFB63V0ILJGrMQaEWI=", "ref": "main", diff --git a/flake.nix b/flake.nix index 51ab48e..9de6d9f 100644 --- a/flake.nix +++ b/flake.nix @@ -54,6 +54,14 @@ nixpkgs.follows = "nixpkgs"; }; }; + + sendsms = { + url = "git+https://git.fcuny.net/fcuny/sendsms?ref=main"; + inputs = { + flake-utils.follows = "futils"; + nixpkgs.follows = "nixpkgs"; + }; + }; }; # Output config, or config for NixOS system diff --git a/modules/services/default.nix b/modules/services/default.nix index 538e564..c02468f 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -15,6 +15,7 @@ ./prometheus ./rclone ./samba + ./sendsms ./sourcegraph ./ssh-server ./syncthing diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix new file mode 100644 index 0000000..1238c5c --- /dev/null +++ b/modules/services/sendsms/default.nix 
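Review bot: In the flake.nix hunk the new `sendsms` input only forwards `flake-utils` and `nixpkgs`, so its own `crane`, `rust-overlay` and `pre-commit-hooks` inputs are fetched as second copies (the lock in this same commit gains `crane_2`, `pre-commit-hooks_3` and `rust-overlay_3`/`rust-overlay_4` for it). If the root flake already carries equivalents — the existing `rust` input, used as `inputs.rust.overlays.default` in mkSystem.nix, looks like it may be one — adding `rust-overlay.follows = "rust";` and a matching `pre-commit-hooks.follows` entry would collapse the duplicates and keep a single pinned toolchain; confirm against the input definitions above this hunk. The URL tracks `?ref=main`, which is reproducible only because flake.lock pins `rev` and `narHash`; a future `nix flake update` will silently move to whatever that branch head is, so consider pinning `rev=` in the URL if this input should not float.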
@@ -0,0 +1,63 @@ +# send SMS based on actions +{ pkgs, config, lib, ... }: +let + cfg = config.my.services.sendsms; + secrets = config.age.secrets; +in +{ + options.my.services.sendsms = { + enable = lib.mkEnableOption "sendsms configuration"; + }; + + config = lib.mkIf cfg.enable { + systemd.services.sendsms = { + description = "Send an alert when the host has booted"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.sendsms ]; + serviceConfig = { + Type = "oneshot"; + WorkingDirectory = cfg.stateDir; + ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot"; + Restart = "on-failure"; + + # Runtime directory and mode + RuntimeDirectory = "sendsms"; + RuntimeDirectoryMode = "0755"; + + # Access write directories + UMask = "0027"; + + # Capabilities + CapabilityBoundingSet = ""; + + # Security + DynamicUser = true; + NoNewPrivileges = true; + + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap"; + }; + }; + }; +} diff --git a/nix/mkSystem.nix b/nix/mkSystem.nix index 4debbab..1cb450f 100644 --- a/nix/mkSystem.nix +++ b/nix/mkSystem.nix @@ -17,6 +17,7 @@ inputs.nixpkgs.lib.nixosSystem { overlays = [ inputs.nur.overlay inputs.rust.overlays.default + inputs.sendsms.overlay (final: prev: { tools = import "${self}/tools" { pkgs = prev; inherit naersk; }; |
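Review bot: `WorkingDirectory = cfg.stateDir;` reads an option the module never declares — `options.my.services.sendsms` defines only `enable` — so enabling the service fails at evaluation with a missing-attribute error; either drop that line or declare it, e.g. `stateDir = lib.mkOption { type = lib.types.path; default = "/var/lib/sendsms"; };`. `Restart = "on-failure";` combined with `Type = "oneshot";` is, as far as I recall, rejected by systemd releases older than 254 ("Restart= setting other than no … isn't allowed for Type=oneshot"), which would cover the NixOS generation this commit targets — verify against the deployed systemd or remove the line. The unit runs under `DynamicUser = true`, so the agenix file at `secrets."sendsms/config".path` must be readable by that transient user; this module sets no `owner`/`group`/`mode` on the secret and the default is typically root-only, so the first run may fail with EACCES — confirm how that secret is declared. Since the only purpose of the unit is an outbound request, `after = [ "network.target" ]` is too early (that target does not imply connectivity); the usual pairing is `wants = [ "network-online.target" ]; after = [ "network-online.target" ];`. As a style point, `RestrictAddressFamilies = [ "AF_INET AF_INET6" ];` packs two families into one list element and should be `[ "AF_INET" "AF_INET6" ]` so the list form actually carries one family per entry.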