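---
# Play for ele-telesto: applies the base, storage, monitoring, VM-host and
# installer roles, then installs smstools and lays down the configuration and
# systemd unit for sachet (per the unit description: an SMS daemon for
# Prometheus Alertmanager).
- name: Basic Setup
  hosts: ele-telesto
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/cpu-microcode
    - role: storage/zfs/pools
    - role: apt-repo/spreadspace
    - role: storage/zfs/sanoid
    - role: monitoring/prometheus/exporter
    - role: vm/host/base
    - role: vm/host/network
    - role: installer/debian/base
    - role: installer/openbsd/base
  post_tasks:
    - name: install smstools
      apt:
        name: smstools
        state: present

    # System account the sachet unit runs as (User=sachet in the unit below).
    # It gets no home directory and is added to the smsd group on top of its
    # existing groups.
    # NOTE(review): presumably smsd is created by the smstools package and
    # owns /var/spool/sms/outgoing; confirm, since this task fails if the
    # group does not exist.
    - name: add user for sachet
      user:
        name: sachet
        system: true
        home: /nonexistent
        create_home: false
        groups: smsd
        append: true

    # Owner, group and mode are set explicitly so the result does not depend
    # on the umask of the connection that runs the play.
    - name: create sachet config directory
      file:
        path: /etc/sachet
        state: directory
        owner: root
        group: root
        mode: '0755'

    # NOTE(review): this file holds the receiver's phone number and is
    # world-readable at 0644. The unprivileged sachet user must still be able
    # to read it, so tightening the mode needs group ownership by an account
    # group; confirm the sachet user's primary group before changing it.
    - name: install sachet config file
      copy:
        dest: /etc/sachet/config.yml
        owner: root
        group: root
        mode: '0644'
        content: |
          providers:
            smstools:
              outgoing_dir: /var/spool/sms/outgoing

          receivers:
            - name: equinox
              provider: smstools
              to:
                - '+436644800222'

    # Unit file for the sachet daemon, sandboxed with systemd hardening
    # options and running without capabilities as the sachet user.
    # NOTE(review): ProtectSystem=full leaves /var writable, so
    # ReadWritePaths= is not what confines writes here. ProtectSystem=strict
    # would make it the only writable path; confirm sachet needs no other
    # writable location before switching.
    # NOTE(review): write access to the spool relies on the supplementary
    # smsd group while PrivateUsers=true is set; verify on the host that the
    # service can still create files in /var/spool/sms/outgoing.
    - name: install systemd service unit for sachet
      copy:
        dest: /etc/systemd/system/sachet.service
        owner: root
        group: root
        mode: '0644'
        content: |
          [Unit]
          Description=Sachet SMS Daemon for Prometheus Alertmanager

          [Service]
          Restart=on-failure
          User=sachet
          ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml

          # systemd hardening-options
          AmbientCapabilities=
          CapabilityBoundingSet=
          DeviceAllow=/dev/null rw
          DevicePolicy=strict
          LimitMEMLOCK=0
          LimitNOFILE=8192
          LockPersonality=true
          MemoryDenyWriteExecute=true
          NoNewPrivileges=true
          PrivateDevices=true
          PrivateTmp=true
          PrivateUsers=true
          ProtectControlGroups=true
          ProtectHome=true
          ProtectKernelModules=true
          ProtectKernelTunables=true
          ProtectSystem=full
          ReadWritePaths=/var/spool/sms/outgoing
          RemoveIPC=true
          RestrictNamespaces=true
          RestrictRealtime=true
          SystemCallArchitectures=native

          [Install]
          WantedBy=multi-user.target

## TODO:
##  - configure smstools
##  - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools
##    (build from a reviewed, pinned commit rather than the moving branch
##    head, and install the binary root-owned and not writable by sachet)
##  - copy binary to /usr/local/bin/sachet
##  - $ systemctl daemon-reload
##  - $ systemctl enable --now sachet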