From 42bf77ee5763090d2c02f5d2d7a7a686ce09a5e8 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 21 Jul 2022 02:32:05 +0200
Subject: add role for sachet

---
roles/monitoring/sachet/defaults/main.yml | 13 +++++
roles/monitoring/sachet/handlers/main.yml | 5 ++
roles/monitoring/sachet/tasks/main.yml | 61 ++++++++++++++++++++++
roles/monitoring/sachet/tasks/smstools.yml | 13 +++++
.../monitoring/sachet/templates/sachet.service.j2 | 35 +++++++++++++
roles/monitoring/sachet/templates/sachet.yml.j2 | 7 +++
6 files changed, 134 insertions(+)
create mode 100644 roles/monitoring/sachet/defaults/main.yml
create mode 100644 roles/monitoring/sachet/handlers/main.yml
create mode 100644 roles/monitoring/sachet/tasks/main.yml
create mode 100644 roles/monitoring/sachet/tasks/smstools.yml
create mode 100644 roles/monitoring/sachet/templates/sachet.service.j2
create mode 100644 roles/monitoring/sachet/templates/sachet.yml.j2
(limited to 'roles/monitoring')

diff --git a/roles/monitoring/sachet/defaults/main.yml b/roles/monitoring/sachet/defaults/main.yml
new file mode 100644
index 00000000..14a07d5f
--- /dev/null
+++ b/roles/monitoring/sachet/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+#sachet_version: "3.2.1~smstools"
+sachet_listen: 127.0.0.1:9876
+
+# sachet_providers:
+# smstools:
+# outgoing_dir: /var/spool/sms/outgoing
+
+# sachet_receivers:
+# - name: 'admins'
+# provider: 'smstools'
+# to:
+# - '+15551234578'
diff --git a/roles/monitoring/sachet/handlers/main.yml b/roles/monitoring/sachet/handlers/main.yml
new file mode 100644
index 00000000..d150d88b
--- /dev/null
+++ b/roles/monitoring/sachet/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart sachet
+ service:
+ name: sachet
+ state: restarted
diff --git a/roles/monitoring/sachet/tasks/main.yml b/roles/monitoring/sachet/tasks/main.yml
new file mode 100644
index 00000000..bb77dc44
--- /dev/null
+++ b/roles/monitoring/sachet/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+- name: check if prometheus apt component of spreadspace repo is enabled
+ assert:
+ msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'"
+ that:
+ - spreadspace_apt_repo_components is defined
+ - "'prometheus' in spreadspace_apt_repo_components"
+
+- name: generate apt pin file for sachet package
+ when: sachet_version is defined
+ copy:
+ dest: "/etc/apt/preferences.d/sachet.pref"
+ content: |
+ Package: sachet
+ Pin: version {{ sachet_version }}-1
+ Pin-Priority: 1001
+
+- name: remove apt pin file for sachet package
+ when: sachet_version is not defined
+ file:
+ path: "/etc/apt/preferences.d/sachet.pref"
+ state: absent
+
+- name: install apt packages
+ apt:
+ name: "sachet{% if sachet_version is defined %}={{ sachet_version }}-1{% endif %}"
+ state: present
+ allow_downgrade: yes
+ notify: restart sachet
+
+- name: add user for sachet
+ user:
+ name: sachet
+ system: yes
+ home: /nonexistent
+ create_home: no
+
+- name: install and configure smstools
+ when: "'smstools' in sachet_providers"
+ include_tasks: smstools.yml
+
+- name: generate configuration file
+ template:
+ src: sachet.yml.j2
+ dest: /etc/sachet.yml
+ owner: sachet
+ mode: 0600
+ notify: restart sachet
+
+- name: generate systemd service unit
+ template:
+ src: sachet.service.j2
+ dest: /etc/systemd/system/sachet.service
+ notify: restart sachet
+
+- name: make sure sachet is enabled and started
+ systemd:
+ name: sachet.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
diff --git a/roles/monitoring/sachet/tasks/smstools.yml b/roles/monitoring/sachet/tasks/smstools.yml
new file mode 100644
index 00000000..9631a3b7
--- /dev/null
+++ b/roles/monitoring/sachet/tasks/smstools.yml
@@ -0,0 +1,13 @@
+---
+- name: install smstools
+ apt:
+ name: smstools
+ state: present
+
+- name: add user sachet to smsd group
+ user:
+ name: sachet
+ groups: smsd
+ append: yes
+
+## TODO: configure smstools
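Review bot: `sachet_providers` and `sachet_receivers` are dereferenced without any guard — the `when: "'smstools' in sachet_providers"` on the include task here, and both variables again in sachet.yml.j2 and sachet.service.j2 — yet defaults/main.yml only shows them as commented-out examples, so a host that sets neither fails with an undefined-variable error at whichever task hits it first instead of with a readable message. The file already asserts the apt component up front; a second assert in the same style for both variables gives the same clear failure (fence below). Separately, `mode: 0600` on the configuration file relies on YAML 1.1 octal parsing of the leading zero; ansible-lint prefers the quoted form `mode: "0600"`, and `allow_downgrade: yes`, `system: yes`, `create_home: no` and `daemon_reload: yes` read more predictably as `true`/`false`.
```yaml
- name: check if sachet providers and receivers are configured
  assert:
    msg: "please configure 'sachet_providers' and 'sachet_receivers'"
    that:
      - sachet_providers is defined
      - sachet_receivers is defined

# … unchanged: apt pin, package install, user, smstools include, templates, service …
```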
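Review bot: This file is included whenever `'smstools' in sachet_providers`, but nothing checks that `sachet_providers.smstools.outgoing_dir` is actually set, even though sachet.service.j2 dereferences it unconditionally inside its `{% if 'smstools' in sachet_providers %}` block; an assert at the top of this file, `- name: check smstools provider configuration` / `assert:` / `that: sachet_providers.smstools.outgoing_dir is defined`, fails early with a clear message. Whether membership in `smsd` is enough for the sachet user to write into that outgoing spool depends on the directory permissions the smstools package ships, which is worth verifying on a target host, and the `## TODO: configure smstools` trailer suggests the author already considers this incomplete. Minor: `append: yes` is clearer as `append: true`.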
diff --git a/roles/monitoring/sachet/templates/sachet.service.j2 b/roles/monitoring/sachet/templates/sachet.service.j2
new file mode 100644
index 00000000..9f87c39d
--- /dev/null
+++ b/roles/monitoring/sachet/templates/sachet.service.j2
@@ -0,0 +1,35 @@
+[Unit]
+Description=Sachet SMS Daemon for Prometheus Alertmanager
+
+[Service]
+Restart=always
+User=sachet
+ExecStart=/usr/bin/sachet -config /etc/sachet.yml -listen-address {{ sachet_listen }}
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LimitMEMLOCK=0
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+{% if 'smstools' in sachet_providers %}
+ReadWritePaths={{ sachet_providers.smstools.outgoing_dir }}
+{% endif %}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/monitoring/sachet/templates/sachet.yml.j2 b/roles/monitoring/sachet/templates/sachet.yml.j2
new file mode 100644
index 00000000..b9e25785
--- /dev/null
+++ b/roles/monitoring/sachet/templates/sachet.yml.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+providers:
+ {{ sachet_providers | to_nice_yaml(indent=2) | indent(2) }}
+
+receivers:
+ {{ sachet_receivers | to_nice_yaml(indent=2) | indent(2) }}
-- 
cgit v1.2.3
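Review bot: `ProtectSystem=full` only mounts /usr, /boot and /etc read-only, so the conditional `ReadWritePaths={{ sachet_providers.smstools.outgoing_dir }}` has no effect for a spool directory under /var (as in the example default /var/spool/sms/outgoing in defaults/main.yml); either the directive is redundant or the intent was `ProtectSystem=strict`, under which the whole file system is read-only except the listed paths, which is what the rest of this hardening block appears to aim for. Under `strict` the daemon still reads /etc/sachet.yml fine, but the switch should be tested on a host before it ships. `PrivateUsers=true` together with the reliance on the `smsd` supplementary group (added in tasks/smstools.yml) also deserves a run-time check, since the user namespace maps only root and the unit's own user and group, with everything else appearing as nobody — if writes to the spool fail, this interaction is the first thing to look at. A `RestrictAddressFamilies=AF_INET AF_INET6` line would round out the set, assuming the configured providers only need TCP/IP (the smstools provider writes files; any other providers presumably speak HTTPS) — confirm against the providers actually in use before adding it.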