about summary refs log tree commit diff
path: root/modules/services/sendsms
diff options
context:
space:
mode:
Diffstat (limited to 'modules/services/sendsms')
-rw-r--r--modules/services/sendsms/default.nix63
1 files changed, 63 insertions, 0 deletions
diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix
new file mode 100644
index 0000000..1238c5c
--- /dev/null
+++ b/modules/services/sendsms/default.nix
@@ -0,0 +1,63 @@
+# send SMS based on actions
+{ pkgs, config, lib, ... }:
+let
+  cfg = config.my.services.sendsms;
+  secrets = config.age.secrets;
+in
+{
+  options.my.services.sendsms = {
+    enable = lib.mkEnableOption "sendsms configuration";
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.sendsms = {
+      description = "Send an alert when the host has booted";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.sendsms ];
+      serviceConfig = {
+        Type = "oneshot";
+        WorkingDirectory = cfg.stateDir;
+        ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";
+        Restart = "on-failure";
+
+        # Runtime directory and mode
+        RuntimeDirectory = "sendsms";
+        RuntimeDirectoryMode = "0755";
+
+        # Access write directories
+        UMask = "0027";
+
+        # Capabilities
+        CapabilityBoundingSet = "";
+
+        # Security
+        DynamicUser = true;
+        NoNewPrivileges = true;
+
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+      };
+    };
+  };
+}