-rw-r--r--dan/ele-telesto.yml79
1 files changed, 79 insertions, 0 deletions
diff --git a/dan/ele-telesto.yml b/dan/ele-telesto.yml
index 16cad541..41ae9151 100644
--- a/dan/ele-telesto.yml
+++ b/dan/ele-telesto.yml
@@ -15,3 +15,82 @@
- role: vm/host/network
- role: installer/debian/base
- role: installer/openbsd/base
+ post_tasks:
+ - name: install smstools
+ apt:
+ name: smstools
+ state: present
+
+ - name: add user for sachet
+ user:
+ name: sachet
+ system: yes
+ home: /nonexistent
+ create_home: no
+ groups: smsd
+ append: yes
+
+ - name: create sachet config directory
+ file:
+ path: /etc/sachet
+ state: directory
+
+ - name: install sachet config file
+ copy:
+ dest: /etc/sachet/config.yml
+ content: |
+ providers:
+ smstools:
+ outgoing_dir: /var/spool/sms/outgoing
+
+ receivers:
+ - name: equinox
+ provider: smstools
+ to:
+ - '+436644800222'
+
+ - name: install systemd service unit for sachet
+ copy:
+ dest: /etc/systemd/system/sachet.service
+ content: |
+ [Unit]
+ Description=Sachet SMS Daemon for Prometheus Alertmanager
+
+ [Service]
+ Restart=on-failure
+ User=sachet
+ ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml
+
+ # systemd hardening-options
+ AmbientCapabilities=
+ CapabilityBoundingSet=
+ DeviceAllow=/dev/null rw
+ DevicePolicy=strict
+ LimitMEMLOCK=0
+ LimitNOFILE=8192
+ LockPersonality=true
+ MemoryDenyWriteExecute=true
+ NoNewPrivileges=true
+ PrivateDevices=true
+ PrivateTmp=true
+ PrivateUsers=true
+ ProtectControlGroups=true
+ ProtectHome=true
+ ProtectKernelModules=true
+ ProtectKernelTunables=true
+ ProtectSystem=full
+ ReadWritePaths=/var/spool/sms/outgoing
+ RemoveIPC=true
+ RestrictNamespaces=true
+ RestrictRealtime=true
+ SystemCallArchitectures=native
+
+ [Install]
+ WantedBy=multi-user.target
+
+ ## TODO:
+ ## - configure smstools
+ ## - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools
+ ## - copy binary to /usr/local/bin/sachet
+ ## - $ systemctl daemon-reload
+ ## - $ systemctl enable --now sachet
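Review bot: The `copy` task that writes `/etc/sachet/config.yml` sets neither `owner` nor `mode`, so the file lands with the default root-owned, world-readable permissions even though a sachet config typically carries receiver numbers and, for other providers, API credentials; since the unit runs as `User=sachet`, add `owner: root`, `group: sachet`, `mode: "0640"` to that task (and `mode: "0644"` on the service-unit copy for determinism). In the unit, `ReadWritePaths=/var/spool/sms/outgoing` has no effect under `ProtectSystem=full`, which only makes `/usr`, `/boot` and `/etc` read-only; if the intent is to confine writes to the spool, it needs `ProtectSystem=strict`, which the existing `ReadWritePaths` line then honours. The `user` task uses `system: yes`, `create_home: no` and `append: yes`; prefer `true`/`false` so the values are not subject to YAML 1.1 truthy handling. The play header that these `post_tasks` belong to starts before the hunk.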