authorFranck Cuny <franck@fcuny.net>2022-11-21 17:55:14 -0800
committerFranck Cuny <franck@fcuny.net>2022-11-30 17:47:00 -0800
commitcd06a48735d2e09e71ba2bf2d91c3407e66ccba1 (patch)
tree6e3f6fb9ab615cf8c952f67da0080d0fbd9338d9 /modules
parentref(tools/sendsms): it's been moved to its own repository (diff)
feat(modules/sendsms): a module to send an SMS
A new module `sendsms` is added to send SMS when the host reboots. It's triggered by systemd when the host boots and once the network is available.
Diffstat (limited to 'modules')
-rw-r--r--modules/services/default.nix1
-rw-r--r--modules/services/sendsms/default.nix63
2 files changed, 64 insertions, 0 deletions
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 538e564..c02468f 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -15,6 +15,7 @@
./prometheus
./rclone
./samba
+ ./sendsms
./sourcegraph
./ssh-server
./syncthing
diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix
new file mode 100644
index 0000000..1238c5c
--- /dev/null
+++ b/modules/services/sendsms/default.nix
@@ -0,0 +1,63 @@
+# send SMS based on actions
+{ pkgs, config, lib, ... }:
+let
+ cfg = config.my.services.sendsms;
+ secrets = config.age.secrets;
+in
+{
+ options.my.services.sendsms = {
+ enable = lib.mkEnableOption "sendsms configuration";
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.sendsms = {
+ description = "Send an alert when the host has booted";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.sendsms ];
+ serviceConfig = {
+ Type = "oneshot";
+ WorkingDirectory = cfg.stateDir;
+ ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";
+ Restart = "on-failure";
+
+ # Runtime directory and mode
+ RuntimeDirectory = "sendsms";
+ RuntimeDirectoryMode = "0755";
+
+ # Access write directories
+ UMask = "0027";
+
+ # Capabilities
+ CapabilityBoundingSet = "";
+
+ # Security
+ DynamicUser = true;
+ NoNewPrivileges = true;
+
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ };
+ };
+ };
+}
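Review bot: `WorkingDirectory = cfg.stateDir;` references an option this module never declares (only `enable` is defined under `options.my.services.sendsms`), so enabling the service should fail evaluation with a missing-attribute error; since the unit already sets `RuntimeDirectory = "sendsms"`, pointing WorkingDirectory at `%t/sendsms` removes the dangling reference. Separately, the unit runs with `DynamicUser = true` but passes the agenix secret path straight to `--config`; if that secret keeps agenix's usual root-only mode the dynamic user cannot read it, and `LoadCredential=` is the systemd-sanctioned way to hand a root-owned file to such a service (`%d/config` in ExecStart). The description says the SMS goes out "once the network is available", but `after = [ "network.target" ]` does not wait for routes or DNS — `network-online.target` (with a matching `wants`) is what that claim needs, and `Restart = "on-failure"` on a oneshot only papers over the resulting early failures. Finally, `RestrictAddressFamilies = [ "AF_INET AF_INET6" ]` works because systemd splits the value on spaces, but the NixOS idiom is one list element per family, `[ "AF_INET" "AF_INET6" ]`; whether the sendsms binary also needs `AF_UNIX` for NSS-based name resolution cannot be told from here and is worth verifying on the host.
```nix
  config = lib.mkIf cfg.enable {
    systemd.services.sendsms = {
      description = "Send an alert when the host has booted";
      # network.target does not imply routes or DNS are usable; wait for network-online
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "oneshot";
        # cfg.stateDir is never declared; use the RuntimeDirectory created below
        WorkingDirectory = "%t/sendsms";
        # Expose the root-owned agenix secret to the dynamic user via the
        # credentials directory instead of relying on its on-disk mode
        LoadCredential = [ "config:${secrets."sendsms/config".path}" ];
        ExecStart = "${pkgs.sendsms}/bin/sendsms --config %d/config reboot";
        # … unchanged: Restart, RuntimeDirectory, UMask, CapabilityBoundingSet, DynamicUser, sandboxing …
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        # … unchanged: remaining sandboxing and SystemCallFilter …
      };
    };
  };
```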