From a35050d9bc640309a8216b520a9b0350266de74f Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Mon, 27 Mar 2023 17:49:49 -0700 Subject: modules/sendsms: gate the unit with a file To prevent the unit to be triggered multiple times if the host has already rebooted, we create a gate file when we're done running, and before running, we check if the file exists. Enable the service on tahoe. Don't restart the unit when its definition has changed. --- modules/services/sendsms/default.nix | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'modules/services/sendsms') diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix index 9d3491a..dde77ca 100644 --- a/modules/services/sendsms/default.nix +++ b/modules/services/sendsms/default.nix @@ -6,23 +6,36 @@ let in { options.my.services.sendsms = { - enable = lib.mkEnableOption "sendsms configuration"; + enable = lib.mkEnableOption "send SMS when the host reboots"; }; config = lib.mkIf cfg.enable { - systemd.services.sendsms = { - description = "Send an alert when the host has booted"; + systemd.services.sendsms-reboot = { + description = "Send an SMS when the host has booted"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.sendsms ]; + restartIfChanged = false; + + unitConfig = { + # If the gate file exists, it means we've already send the + # message, nothing to do + ConditionPathExists = "!/run/sendsms/reboot"; + }; + serviceConfig = { Type = "oneshot"; ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot"; + + # Write a gate file so we don't send a message multiple times + ExecStartPost = "${pkgs.coreutils}/bin/touch /run/sendsms/reboot"; + Restart = "on-failure"; # Runtime directory and mode RuntimeDirectory = "sendsms"; RuntimeDirectoryMode = "0755"; + RuntimeDirectoryPreserve = "yes"; # Access write directories UMask = "0027"; 
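Review bot: Because the gate file is written only after a successful send and the unit now has `restartIfChanged = false`, a boot on which sendsms keeps failing leaves nothing to re-trigger the unit once systemd's start limit is reached, so the reboot alert is silently lost. The unit is ordered only `after = [ "network.target" ]`, which does not wait for connectivity, and no `RestartSec` is visible next to `Restart = "on-failure"`, so the retries may all be spent before the network is usable. Consider ordering on `network-online.target` (in both `after` and `wants`) and adding `RestartSec = "30s";` to serviceConfig. Part of serviceConfig lies between the hunks and is not shown, so a restart delay may already be set there.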
@@ -37,7 +50,6 @@ in ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; - PrivateDevices = true; PrivateUsers = true; ProtectHostname = true; ProtectClock = true; @@ -45,7 +57,6 @@ in ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; - RestrictAddressFamilies = [ "AF_INET AF_INET6" ]; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; -- cgit 1.4.1
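Review bot: Dropping `PrivateDevices = true` exposes the host's /dev to the service again, and neither the commit message nor a comment in the file says why. If sendsms needs one specific device node, a narrower setting keeps most of the isolation, e.g. `DevicePolicy = "closed";` with `DeviceAllow = [ "/dev/<device> rw" ];` (placeholder path). If it needs no device, the option should stay. Either way, a comment beside the sandboxing options recording what failed with it enabled would help the next reader; the serviceConfig block starts and ends outside this hunk.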
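Review bot: Removing `RestrictAddressFamilies` altogether lets the service create sockets of any address family (AF_UNIX, AF_NETLINK and so on), which is a much wider change than correcting the old value. If the restriction was dropped because name resolution failed under it (on NixOS lookups commonly go through the nscd socket, which needs AF_UNIX; the cause is an assumption, the commit does not state it), an allow-list keeps the hardening: `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`. A one-line comment above it naming the reason for AF_UNIX would document the exception. The serviceConfig block continues outside this hunk.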