From cd06a48735d2e09e71ba2bf2d91c3407e66ccba1 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Mon, 21 Nov 2022 17:55:14 -0800 Subject: feat(modules/sensdms): a module to send an SMS A new module `sendsms` is added to send SMS when the host reboots. It's triggered by systemd when the host boots and once the network is available. --- modules/services/default.nix | 1 + modules/services/sendsms/default.nix | 63 ++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 modules/services/sendsms/default.nix (limited to 'modules/services') diff --git a/modules/services/default.nix b/modules/services/default.nix index 538e564..c02468f 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -15,6 +15,7 @@ ./prometheus ./rclone ./samba + ./sendsms ./sourcegraph ./ssh-server ./syncthing diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix new file mode 100644 index 0000000..1238c5c --- /dev/null +++ b/modules/services/sendsms/default.nix @@ -0,0 +1,63 @@ +# send SMS based on actions +{ pkgs, config, lib, ... }: +let + cfg = config.my.services.sendsms; + secrets = config.age.secrets; +in +{ + options.my.services.sendsms = { + enable = lib.mkEnableOption "sendsms configuration"; + }; + + config = lib.mkIf cfg.enable { + systemd.services.sendsms = { + description = "Send an alert when the host has booted"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.sendsms ]; + serviceConfig = { + Type = "oneshot"; + WorkingDirectory = cfg.stateDir; + ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot"; + Restart = "on-failure"; + + # Runtime directory and mode + RuntimeDirectory = "sendsms"; + RuntimeDirectoryMode = "0755"; + + # Access write directories + UMask = "0027"; + + # Capabilities + CapabilityBoundingSet = ""; + + # Security + DynamicUser = true; + NoNewPrivileges = true; + + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap"; + }; + }; + }; +} -- cgit 1.4.1