From cd06a48735d2e09e71ba2bf2d91c3407e66ccba1 Mon Sep 17 00:00:00 2001
From: Franck Cuny <franck@fcuny.net>
Date: Mon, 21 Nov 2022 17:55:14 -0800
Subject: feat(modules/sensdms): a module to send an SMS

A new module `sendsms` is added to send SMS when the host reboots. It's
triggered by systemd when the host boots and once the network is
available.
---
 modules/services/default.nix         |  1 +
 modules/services/sendsms/default.nix | 63 ++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 modules/services/sendsms/default.nix

(limited to 'modules/services')

diff --git a/modules/services/default.nix b/modules/services/default.nix
index 538e564..c02468f 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -15,6 +15,7 @@
     ./prometheus
     ./rclone
     ./samba
+    ./sendsms
     ./sourcegraph
     ./ssh-server
     ./syncthing
diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix
new file mode 100644
index 0000000..1238c5c
--- /dev/null
+++ b/modules/services/sendsms/default.nix
@@ -0,0 +1,63 @@
+# send SMS based on actions
+{ pkgs, config, lib, ... }:
+let
+  cfg = config.my.services.sendsms;
+  secrets = config.age.secrets;
+in
+{
+  options.my.services.sendsms = {
+    enable = lib.mkEnableOption "sendsms configuration";
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.sendsms = {
+      description = "Send an alert when the host has booted";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.sendsms ];
+      serviceConfig = {
+        Type = "oneshot";
+        WorkingDirectory = cfg.stateDir;
+        ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";
+        Restart = "on-failure";
+
+        # Runtime directory and mode
+        RuntimeDirectory = "sendsms";
+        RuntimeDirectoryMode = "0755";
+
+        # Access write directories
+        UMask = "0027";
+
+        # Capabilities
+        CapabilityBoundingSet = "";
+
+        # Security
+        DynamicUser = true;
+        NoNewPrivileges = true;
+
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+      };
+    };
+  };
+}
-- 
cgit 1.4.1