about summary refs log tree commit diff
path: root/modules/services/sendsms/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'modules/services/sendsms/default.nix')
-rw-r--r--modules/services/sendsms/default.nix72
1 files changed, 0 insertions, 72 deletions
diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix
deleted file mode 100644
index dde77ca..0000000
--- a/modules/services/sendsms/default.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-# send SMS based on actions
-{ pkgs, config, lib, ... }:
-let
-  cfg = config.my.services.sendsms;
-  secrets = config.age.secrets;
-in
-{
-  options.my.services.sendsms = {
-    enable = lib.mkEnableOption "send SMS when the host reboots";
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.sendsms-reboot = {
-      description = "Send an SMS when the host has booted";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.sendsms ];
-      restartIfChanged = false;
-
-      unitConfig = {
-        # If the gate file exists, it means we've already send the
-        # message, nothing to do
-        ConditionPathExists = "!/run/sendsms/reboot";
-      };
-
-      serviceConfig = {
-        Type = "oneshot";
-        ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";
-
-        # Write a gate file so we don't send a message multiple times
-        ExecStartPost = "${pkgs.coreutils}/bin/touch /run/sendsms/reboot";
-
-        Restart = "on-failure";
-
-        # Runtime directory and mode
-        RuntimeDirectory = "sendsms";
-        RuntimeDirectoryMode = "0755";
-        RuntimeDirectoryPreserve = "yes";
-
-        # Access write directories
-        UMask = "0027";
-
-        # Capabilities
-        CapabilityBoundingSet = "";
-
-        # Security
-        NoNewPrivileges = true;
-
-        # Sandboxing
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProtectHostname = true;
-        ProtectClock = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectKernelLogs = true;
-        ProtectControlGroups = true;
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        PrivateMounts = true;
-
-        # System Call Filtering
-        SystemCallArchitectures = "native";
-        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
-      };
-    };
-  };
-}