From 33082a3d589d2d086d6fceef5eac3096f5ef17f0 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Mon, 21 Aug 2023 17:43:56 -0700
Subject: remove custom tools

---
 modules/services/default.nix         |  1 -
 modules/services/sendsms/default.nix | 72 ------------------------------------
 2 files changed, 73 deletions(-)
 delete mode 100644 modules/services/sendsms/default.nix
 (limited to 'modules')

diff --git a/modules/services/default.nix b/modules/services/default.nix
index 77cf853..1aeeff1 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -4,6 +4,5 @@
 imports = [
 ./backup
 ./monitoring
- ./sendsms
 ];
 }
diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix
deleted file mode 100644
index dde77ca..0000000
--- a/modules/services/sendsms/default.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-# send SMS based on actions
-{ pkgs, config, lib, ... }:
-let
- cfg = config.my.services.sendsms;
- secrets = config.age.secrets;
-in
-{
- options.my.services.sendsms = {
- enable = lib.mkEnableOption "send SMS when the host reboots";
- };
-
- config = lib.mkIf cfg.enable {
- systemd.services.sendsms-reboot = {
- description = "Send an SMS when the host has booted";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- path = [ pkgs.sendsms ];
- restartIfChanged = false;
-
- unitConfig = {
- # If the gate file exists, it means we've already send the
- # message, nothing to do
- ConditionPathExists = "!/run/sendsms/reboot";
- };
-
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";
-
- # Write a gate file so we don't send a message multiple times
- ExecStartPost = "${pkgs.coreutils}/bin/touch /run/sendsms/reboot";
-
- Restart = "on-failure";
-
- # Runtime directory and mode
- RuntimeDirectory = "sendsms";
- RuntimeDirectoryMode = "0755";
- RuntimeDirectoryPreserve = "yes";
-
- # Access write directories
- UMask = "0027";
-
- # Capabilities
- CapabilityBoundingSet = "";
-
- # Security
- NoNewPrivileges = true;
-
- # Sandboxing
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- PrivateMounts = true;
-
- # System Call Filtering
- SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
- };
- };
- };
-}
-- 
cgit 1.4.1