From b6be1dab76e20b21b6b4a9f9739e7b985c6b3b6b Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 2 Aug 2021 17:57:18 +0200
Subject: ele-telesto: base install for smstools and sachet
---
 dan/ele-telesto.yml | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
diff --git a/dan/ele-telesto.yml b/dan/ele-telesto.yml
index 16cad541..41ae9151 100644
--- a/dan/ele-telesto.yml
+++ b/dan/ele-telesto.yml
@@ -15,3 +15,82 @@
 - role: vm/host/network
 - role: installer/debian/base
 - role: installer/openbsd/base
+ post_tasks:
+ - name: install smstools
+ apt:
+ name: smstools
+ state: present
+
+ - name: add user for sachet
+ user:
+ name: sachet
+ system: yes
+ home: /nonexistent
+ create_home: no
+ groups: smsd
+ append: yes
+
+ - name: create sachet config directory
+ file:
+ path: /etc/sachet
+ state: directory
+
+ - name: install sachet config file
+ copy:
+ dest: /etc/sachet/config.yml
+ content: |
+ providers:
+ smstools:
+ outgoing_dir: /var/spool/sms/outgoing
+
+ receivers:
+ - name: equinox
+ provider: smstools
+ to:
+ - '+436644800222'
+
+ - name: install systemd service unit for sachet
+ copy:
+ dest: /etc/systemd/system/sachet.service
+ content: |
+ [Unit]
+ Description=Sachet SMS Daemon for Prometheus Alertmanager
+
+ [Service]
+ Restart=on-failure
+ User=sachet
+ ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml
+
+ # systemd hardening-options
+ AmbientCapabilities=
+ CapabilityBoundingSet=
+ DeviceAllow=/dev/null rw
+ DevicePolicy=strict
+ LimitMEMLOCK=0
+ LimitNOFILE=8192
+ LockPersonality=true
+ MemoryDenyWriteExecute=true
+ NoNewPrivileges=true
+ PrivateDevices=true
+ PrivateTmp=true
+ PrivateUsers=true
+ ProtectControlGroups=true
+ ProtectHome=true
+ ProtectKernelModules=true
+ ProtectKernelTunables=true
+ ProtectSystem=full
+ ReadWritePaths=/var/spool/sms/outgoing
+ RemoveIPC=true
+ RestrictNamespaces=true
+ RestrictRealtime=true
+ SystemCallArchitectures=native
+
+ [Install]
+ WantedBy=multi-user.target
+
+ ## TODO:
+ ## - configure smstools
+ ## - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools
+ ## - copy binary to /usr/local/bin/sachet
+ ## - $ systemctl daemon-reload
+ ## - $ systemctl enable --now sachet
--
cgit v1.2.3
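Review bot: `ProtectSystem=full` in the added sachet.service unit keeps /var writable, so the `ReadWritePaths=/var/spool/sms/outgoing` line right below it has no effect; `ProtectSystem=strict` would make the whole filesystem read-only for the service except the listed spool directory (plus `PrivateTmp`), which is what the allow-list appears to intend. The `file` task for /etc/sachet and both `copy` tasks set no `owner`/`group`/`mode`, so the config file is created with the default umask and is typically world-readable; it already carries the recipient number and will presumably hold provider settings later, so `owner: root`, `group: sachet`, `mode: '0640'` on the config task would confine it to the service user. The unit is dropped in with `copy` but nothing reloads or enables it; the trailing TODO records that as a manual step, and a `systemd: daemon_reload: yes` task or a `notify` handler would let the play converge on its own. Nothing here pins sachet's listen address, so its unauthenticated webhook endpoint is presumably reachable on every interface; binding it to the address Alertmanager connects from (the `-listen-address` flag, if I recall correctly) or a host firewall rule is worth adding with the config, and `RestrictAddressFamilies=AF_INET AF_INET6` in the unit would match that. The play these `post_tasks` belong to starts outside the hunk.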