Diffstat (limited to '')
-rw-r--r--modules/services/sendsms/default.nix63
1 files changed, 63 insertions, 0 deletions
diff --git a/modules/services/sendsms/default.nix b/modules/services/sendsms/default.nix
new file mode 100644
index 0000000..1238c5c
--- /dev/null
+++ b/modules/services/sendsms/default.nix
@@ -0,0 +1,63 @@
+# send SMS based on actions
+{ pkgs, config, lib, ... }:
+let
+ cfg = config.my.services.sendsms;
+ secrets = config.age.secrets;
+in
+{
+ options.my.services.sendsms = {
+ enable = lib.mkEnableOption "sendsms configuration";
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.sendsms = {
+ description = "Send an alert when the host has booted";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.sendsms ];
+ serviceConfig = {
+ Type = "oneshot";
+ WorkingDirectory = cfg.stateDir;
+ ExecStart = "${pkgs.sendsms}/bin/sendsms --config ${secrets."sendsms/config".path} reboot";
+ Restart = "on-failure";
+
+ # Runtime directory and mode
+ RuntimeDirectory = "sendsms";
+ RuntimeDirectoryMode = "0755";
+
+ # Access write directories
+ UMask = "0027";
+
+ # Capabilities
+ CapabilityBoundingSet = "";
+
+ # Security
+ DynamicUser = true;
+ NoNewPrivileges = true;
+
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ };
+ };
+ };
+}
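Review bot: `WorkingDirectory = cfg.stateDir;` reads an option that the `options.my.services.sendsms` block above never declares (only `enable` is defined), so evaluating the module with `enable = true` fails with a missing-attribute error; declare it, e.g. `stateDir = lib.mkOption { type = lib.types.path; description = "Working directory for the sendsms service"; };`, and since `ProtectSystem = "strict"` is set, any writes under that directory also need a matching `ReadWritePaths` or `StateDirectory` entry. `RestrictAddressFamilies = [ "AF_INET AF_INET6" ];` only works because systemd splits the single string on whitespace; the conventional Nix form is `[ "AF_INET" "AF_INET6" ]`. With `DynamicUser = true`, the secret referenced via `secrets."sendsms/config".path` is presumably root-owned with a restrictive mode by default, in which case the transient service user cannot read it — confirm that the secret's owner/group/mode (or a `SupplementaryGroups` entry) grants the unit read access. `Restart = "on-failure"` combined with `Type = "oneshot"` is rejected at unit load time by older systemd releases; worth confirming against the systemd version on the target hosts.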