From a35050d9bc640309a8216b520a9b0350266de74f Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Mon, 27 Mar 2023 17:49:49 -0700 Subject: modules/sendsms: gate the unit with a file To prevent the unit to be triggered multiple times if the host has already rebooted, we create a gate file when we're done running, and before running, we check if the file exists. Enable the service on tahoe. Don't restart the unit when its definition has changed. --- flake.lock | 188 ++++++++++++++++++++++++++++++++- flake.nix | 4 + hosts/tahoe/secrets/sendsms/config.age | Bin 627 -> 650 bytes hosts/tahoe/services.nix | 2 + modules/services/sendsms/default.nix | 21 +++- nix/mkSystem.nix | 1 + 6 files changed, 210 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 3fb2155..17cba1c 100644 --- a/flake.lock +++ b/flake.lock @@ -21,6 +21,30 @@ "type": "github" } }, + "crane": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "sendsms", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1668047118, + "narHash": "sha256-F4xP7dAU6ca+hYa3qF0CtnwfQJT3YH4qEh/IxO+p9t0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "074825a9e8d6446564e2ae6949ac3feb79aa7397", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -78,6 +102,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1667395993, 
@@ -108,6 +148,36 @@ "type": "github" } }, + "flake-utils_3": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "futils": { "locked": { "lastModified": 1676283394, @@ -252,6 +322,21 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1668563542, + "narHash": "sha256-FrMNezX3v4qLkCg+j1e3Ei/FXOSQP4Chq4OOdttIEns=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce89321950381ec845e56c6a6d1340abe5cd7a65", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1677966287, @@ -296,6 +381,31 @@ "type": "github" } }, + "pre-commit-hooks_2": { + "inputs": { + "flake-utils": [ + "sendsms", + "flake-utils" + ], + "nixpkgs": [ + "sendsms", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1667992213, + "narHash": "sha256-8Ens8ozllvlaFMCZBxg6S7oUyynYx2v7yleC5M0jJsE=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "ebcbfe09d2bd6d15f68de3a0ebb1e4dcb5cd324b", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -307,7 +417,8 @@ "nixpkgs": "nixpkgs_3", "nur": "nur", "pre-commit-hooks": "pre-commit-hooks", - "rust": "rust" + "rust": "rust", + "sendsms": "sendsms" } }, "rust": { 
@@ -330,6 +441,81 @@ "repo": "rust-overlay", "type": "github" } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "sendsms", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "sendsms", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1667487142, + "narHash": "sha256-bVuzLs1ZVggJAbJmEDVO9G6p8BH3HRaolK70KXvnWnU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "cf668f737ac986c0a89e83b6b2e3c5ddbd8cf33b", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { + "inputs": { + "flake-utils": [ + "sendsms", + "flake-utils" + ], + "nixpkgs": [ + "sendsms", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1668479979, + "narHash": "sha256-UI+JUCBaMpn+5Y1hSePmndbYX5zu0+bavlfzrhPrGEk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2342f70f7257046effc031333c4cfdea66c91d82", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "sendsms": { + "inputs": { + "crane": "crane", + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_4", + "pre-commit-hooks": "pre-commit-hooks_2", + "rust-overlay": "rust-overlay_2" + }, + "locked": { + "lastModified": 1669084050, + "narHash": "sha256-yyCn7MpkFW2UHIbWcqja9IbvUjdlILD7w8zIqdmnPFA=", + "ref": "main", + "rev": "87c690117ace78b19f1535595cb68aced1fd04b1", + "revCount": 6, + "type": "git", + "url": "https://git.fcuny.net/fcuny/sendsms" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://git.fcuny.net/fcuny/sendsms" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f08ceb7..6179c2e 100644 --- a/flake.nix +++ b/flake.nix @@ -54,6 +54,10 @@ nixpkgs-stable.follows = "nixpkgs"; }; }; + + sendsms = { + url = "git+https://git.fcuny.net/fcuny/sendsms?ref=main"; + }; }; # Output config, or config for NixOS system 
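Review bot: The new `sendsms` input in flake.nix is declared without a `follows` for nixpkgs, so flake.lock gains a second dependency closure (`nixpkgs_4`, `crane`, `rust-overlay`, `rust-overlay_2`, `flake-utils_3`, `flake-utils_4`, `pre-commit-hooks_2`) that is pinned independently of the system's nixpkgs. The binary that reads the SMS credentials is then built from pins that bumping the main nixpkgs input does not move; they presumably change only when the sendsms repository updates its own lock. If the sendsms flake builds against the system nixpkgs, add `inputs.nixpkgs.follows = "nixpkgs";` inside the `sendsms = { … }` block, in the same way the neighbouring input uses `nixpkgs-stable.follows`. Otherwise add a short comment saying why it keeps its own pin. The enclosing `inputs` attribute set starts outside the hunk.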
diff --git a/hosts/tahoe/secrets/sendsms/config.age b/hosts/tahoe/secrets/sendsms/config.age index d925f98..ecc0845 100644 Binary files a/hosts/tahoe/secrets/sendsms/config.age and b/hosts/tahoe/secrets/sendsms/config.age differ diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix index cdd0342..87a71cf 100644 --- a/hosts/tahoe/services.nix +++ b/hosts/tahoe/services.nix @@ -65,5 +65,7 @@ in "/home/fcuny/media/videos" ]; }; + + sendsms.enable = true; }; } diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix index 9d3491a..dde77ca 100644 --- a/modules/services/sendsms/default.nix +++ b/modules/services/sendsms/default.nix @@ -6,23 +6,36 @@ let in { options.my.services.sendsms = { - enable = lib.mkEnableOption "sendsms configuration"; + enable = lib.mkEnableOption "send SMS when the host reboots"; }; config = lib.mkIf cfg.enable { - systemd.services.sendsms = { - description = "Send an alert when the host has booted"; + systemd.services.sendsms-reboot = { + description = "Send an SMS when the host has booted"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.sendsms ]; + restartIfChanged = false; + + unitConfig = { + # If the gate file exists, it means we've already send the + # message, nothing to do + ConditionPathExists = "!/run/sendsms/reboot"; + }; + serviceConfig = { Type = "oneshot"; ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot"; + + # Write a gate file so we don't send a message multiple times + ExecStartPost = "${pkgs.coreutils}/bin/touch /run/sendsms/reboot"; + Restart = "on-failure"; # Runtime directory and mode RuntimeDirectory = "sendsms"; RuntimeDirectoryMode = "0755"; + RuntimeDirectoryPreserve = "yes"; # Access write directories UMask = "0027"; @@ -37,7 +50,6 @@ in ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; - PrivateDevices = true; PrivateUsers = true; ProtectHostname = true; ProtectClock = true; 
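Review bot: In the `@@ -6,23 +6,36 @@` hunk of modules/services/sendsms/default.nix the gate file is written only by `ExecStartPost`, so a boot on which `sendsms` fails leaves neither an alert nor a gate, and recovery depends entirely on `Restart = "on-failure"`. The unit is ordered after `network.target`, which does not wait for connectivity, and no `RestartSec` is visible here, so early failures may be retried back-to-back until systemd's start rate limit stops the unit and the reboot goes unreported (the lines between this hunk and the next are not shown, so this is inferred). Consider `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` together with a delay such as `RestartSec = "30s";`. The new comment also reads "already send", which should be "already sent".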
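Review bot: The `@@ -37,7 +50,6 @@` hunk drops `PrivateDevices = true;` from the sandbox and the next hunk (`@@ -45,7 +57,6 @@`) drops `RestrictAddressFamilies`, but the commit message explains neither removal. If the address-family restriction was removed because name resolution failed (an inference, since the reason is not stated), the narrower fix is to allow the local socket family as well, `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`, rather than lifting the restriction entirely. If `PrivateDevices` really has to go, add a one-line comment beside the remaining hardening options naming the device or behaviour that required it, so the relaxation stays reviewable. `serviceConfig` opens in the previous hunk and continues past this one.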
@@ -45,7 +57,6 @@ in ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; - RestrictAddressFamilies = [ "AF_INET AF_INET6" ]; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; diff --git a/nix/mkSystem.nix b/nix/mkSystem.nix index 4debbab..1cb450f 100644 --- a/nix/mkSystem.nix +++ b/nix/mkSystem.nix @@ -17,6 +17,7 @@ inputs.nixpkgs.lib.nixosSystem { overlays = [ inputs.nur.overlay inputs.rust.overlays.default + inputs.sendsms.overlay (final: prev: { tools = import "${self}/tools" { pkgs = prev; inherit naersk; }; -- cgit 1.4.1