# send SMS based on actions
#
# NixOS module: declares `my.services.sendsms.enable` and, when enabled, a
# hardened oneshot unit that runs `sendsms ... reboot` and then drops a gate
# file under /run so the message is not sent again while that file exists.
{ pkgs, config, lib, ... }:

let
  inherit (lib) concatStringsSep mkEnableOption mkIf;

  cfg = config.my.services.sendsms;
  secrets = config.age.secrets;

  # Runtime directory (relative to /run) and the gate file kept inside it.
  runtimeDirName = "sendsms";
  gateFile = "/run/${runtimeDirName}/reboot";

  # Syscall groups denied to the service. The leading "~" on the first entry
  # turns the whole space-separated list into a deny-list, so the list is
  # joined into ONE string; emitting several SystemCallFilter= lines instead
  # would change the meaning of the entries after the first.
  deniedSyscalls = concatStringsSep " " [
    "~@clock"
    "@cpu-emulation"
    "@debug"
    "@keyring"
    "@memlock"
    "@module"
    "@mount"
    "@obsolete"
    "@raw-io"
    "@reboot"
    "@setuid"
    "@swap"
  ];
in
{
  options.my.services.sendsms = {
    enable = mkEnableOption "send SMS when the host reboots";
  };

  config = mkIf cfg.enable {
    systemd.services.sendsms-reboot = {
      description = "Send an SMS when the host has booted";

      # network.target only orders the unit after network setup has begun; it
      # does not wait for connectivity. An early failure is left to
      # Restart=on-failure below.
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      path = [ pkgs.sendsms ];

      # Do not re-run the unit when a configuration switch changes it.
      restartIfChanged = false;

      unitConfig = {
        # If the gate file exists, the message has already been sent and
        # there is nothing to do.
        ConditionPathExists = "!${gateFile}";
      };

      serviceConfig = {
        Type = "oneshot";

        # Only the *path* of the secret config is interpolated here, so the
        # config contents are not copied into the generated unit file.
        # NOTE(review): no User=/DynamicUser= is set, so the process runs as
        # root (with an empty capability bounding set); the secret file must
        # be readable by that identity. Confirm against the age.secrets entry.
        ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";

        # Write the gate file so the message is not sent multiple times.
        # ExecStartPost only runs after ExecStart succeeded.
        ExecStartPost = "${pkgs.coreutils}/bin/touch ${gateFile}";

        Restart = "on-failure";

        # Runtime directory and mode. "Preserve" keeps /run/sendsms (and the
        # gate file in it) after the oneshot has exited.
        RuntimeDirectory = runtimeDirName;
        RuntimeDirectoryMode = "0755";
        RuntimeDirectoryPreserve = "yes";

        # Files created by the service: no access for "other", no group write.
        UMask = "0027";

        # Capabilities: none at all.
        CapabilityBoundingSet = "";

        # Security
        NoNewPrivileges = true;

        # Sandboxing. With ProtectSystem=strict the file system is read-only
        # for the service apart from the runtime directory declared above.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        PrivateMounts = true;
        # NOTE(review): RestrictAddressFamilies= and PrivateDevices= are not
        # set. Whether they can be tightened depends on how sendsms reaches
        # its gateway (network API vs. local modem device), which this module
        # does not show.

        # System call filtering
        SystemCallArchitectures = "native";
        SystemCallFilter = deniedSyscalls;
      };
    };
  };
}