Diffstat (limited to 'modules')
-rw-r--r--modules/services/sendsms/default.nix21
1 files changed, 16 insertions, 5 deletions
diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix
index 9d3491a..dde77ca 100644
--- a/modules/services/sendsms/default.nix
+++ b/modules/services/sendsms/default.nix
@@ -6,23 +6,36 @@ let
 in
 {
   options.my.services.sendsms = {
-    enable = lib.mkEnableOption "sendsms configuration";
+    enable = lib.mkEnableOption "send SMS when the host reboots";
   };
 
   config = lib.mkIf cfg.enable {
-    systemd.services.sendsms = {
-      description = "Send an alert when the host has booted";
+    systemd.services.sendsms-reboot = {
+      description = "Send an SMS when the host has booted";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.sendsms ];
+      restartIfChanged = false;
+
+      unitConfig = {
+        # If the gate file exists, it means we've already send the
+        # message, nothing to do
+        ConditionPathExists = "!/run/sendsms/reboot";
+      };
+
       serviceConfig = {
         Type = "oneshot";
         ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";
+
+        # Write a gate file so we don't send a message multiple times
+        ExecStartPost = "${pkgs.coreutils}/bin/touch /run/sendsms/reboot";
+
         Restart = "on-failure";
 
         # Runtime directory and mode
         RuntimeDirectory = "sendsms";
         RuntimeDirectoryMode = "0755";
+        RuntimeDirectoryPreserve = "yes";
 
         # Access write directories
         UMask = "0027";
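Review bot: The gate file `/run/sendsms/reboot` is now the only thing deciding whether the boot SMS is sent, and with `RuntimeDirectoryPreserve = "yes"` its directory outlives the service run, so any process that can write to `/run/sendsms` can suppress the alert. The hunk shows `RuntimeDirectoryMode = "0755"` but no `User=` or `DynamicUser=` line, so the directory's owner cannot be confirmed from here; it is worth checking that the owning account is not shared with anything else. A comment beside `ConditionPathExists` would record the assumption, for example `# /run is a tmpfs, so the gate resets on every boot; only root and the service user can create it`. Separately, a failing `ExecStartPost` marks the start as failed, so under `Restart = "on-failure"` a failed `touch` would likely run `ExecStart` again and send a duplicate message. The `serviceConfig` set continues past the end of this hunk.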
@@ -37,7 +50,6 @@ in
         ProtectSystem = "strict";
         ProtectHome = true;
         PrivateTmp = true;
-        PrivateDevices = true;
         PrivateUsers = true;
         ProtectHostname = true;
         ProtectClock = true;
@@ -45,7 +57,6 @@ in
         ProtectKernelModules = true;
         ProtectKernelLogs = true;
         ProtectControlGroups = true;
-        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
         RestrictRealtime = true;