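# NixOS module: send an SMS alert when the host has booted.
#
# Declares `my.services.sendsms.enable`. When enabled, it installs a
# sandboxed oneshot systemd unit that runs `sendsms ... reboot` once at boot.
# The sendsms configuration comes from the age secret "sendsms/config".
{ pkgs, config, lib, ... }:
let
  cfg = config.my.services.sendsms;
  secrets = config.age.secrets;
in
{
  options.my.services.sendsms = {
    enable = lib.mkEnableOption "sendsms configuration";
  };

  config = lib.mkIf cfg.enable {
    systemd.services.sendsms = {
      description = "Send an alert when the host has booted";

      # network.target only orders against network management being started.
      # The alert needs a usable connection, so order after (and pull in)
      # network-online.target instead.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      path = [ pkgs.sendsms ];

      serviceConfig = {
        Type = "oneshot";

        # The original used cfg.stateDir, but this module only declares
        # `enable`, so that reference fails evaluation once the service is
        # enabled (unless another module declares the option).
        # Use the runtime directory created by RuntimeDirectory= below.
        WorkingDirectory = "/run/sendsms";

        # Hand the secret over as a systemd credential. The unit runs as a
        # dynamically allocated user, so it cannot be made the static owner
        # of the decrypted file. LoadCredential= has the service manager read
        # the file and expose it only to this unit under
        # $CREDENTIALS_DIRECTORY (%d), whatever owner/mode the age secret
        # declares (its declaration is not visible in this file).
        LoadCredential = "config:${secrets."sendsms/config".path}";
        ExecStart = "${pkgs.sendsms}/bin/sendsms --config %d/config reboot";
        Restart = "on-failure";

        # Runtime directory and mode
        RuntimeDirectory = "sendsms";
        RuntimeDirectoryMode = "0755";

        # Files created by the service are not world-accessible
        UMask = "0027";

        # Capabilities: empty bounding set, the service needs none
        CapabilityBoundingSet = "";

        # Security
        DynamicUser = true;
        NoNewPrivileges = true;

        # Sandboxing
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        # One list element per address family; the resulting allow-list is
        # the same as the original single "AF_INET AF_INET6" string.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        PrivateMounts = true;

        # System Call Filtering: the leading "~" makes this a deny-list
        SystemCallArchitectures = "native";
        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
      };
    };
  };
}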