---
# Host playbook for ele-helene: a single play that applies the roles below.
# Ansible runs roles in the order listed. The role implementations live outside
# this file, so what each one configures has to be checked in the role sources.
- name: Basic Setup
  hosts: ele-helene
  roles:
  - role: apt-repo/base
  - role: core/base
  - role: core/sshd/base
  - role: core/zsh
  - role: core/cpu-microcode
  - role: apt-repo/spreadspace
  - role: nginx/base
  - role: monitoring/prometheus/exporter
  - role: vm/host/base
  - role: vm/host/network
  - role: installer/debian/base
  - role: installer/openbsd/base
  # ## NOTE(review): everything below is a disabled draft (SMS alerting via
  # ## smstools and sachet); none of it runs while it stays commented out. The
  # ## NOTE(review) lines list what to settle before enabling it.
  # post_tasks:
  # - name: install smstools
  #   apt:
  #     name: smstools
  #     state: present

  # ## NOTE(review): service account. Write the booleans as true/false when
  # ## enabling. No shell is set, so the account gets the system default;
  # ## consider `shell: /usr/sbin/nologin`.
  # - name: add user for sachet
  #   user:
  #     name: sachet
  #     system: yes
  #     home: /nonexistent
  #     create_home: no
  #     groups: smsd
  #     append: yes

  # ## NOTE(review): neither the directory nor the config file sets
  # ## owner/group/mode, so both take the module defaults. The config holds the
  # ## alert recipient's number; consider owner root, a group the sachet user is
  # ## in, mode '0640' ('0750' for the directory), and keeping the number in an
  # ## inventory variable instead of in this playbook.
  # - name: create sachet config directory
  #   file:
  #     path: /etc/sachet
  #     state: directory

  # - name: install sachet config file
  #   copy:
  #     dest: /etc/sachet/config.yml
  #     content: |
  #       providers:
  #         smstools:
  #           outgoing_dir: /var/spool/sms/outgoing

  #       receivers:
  #       - name: equinox
  #         provider: smstools
  #         to:
  #         - '+436644800222'

  # ## NOTE(review): the unit empties the capability sets and sets
  # ## NoNewPrivileges. With ProtectSystem=full, /var stays writable, so the
  # ## ReadWritePaths= line only acts as an allow-list under
  # ## ProtectSystem=strict. RestrictAddressFamilies= and SystemCallFilter= are
  # ## not set; `systemd-analyze security sachet.service` shows what remains.
  # - name: install systemd service unit for sachet
  #   copy:
  #     dest: /etc/systemd/system/sachet.service
  #     content: |
  #       [Unit]
  #       Description=Sachet SMS Daemon for Prometheus Alertmanager

  #       [Service]
  #       Restart=on-failure
  #       User=sachet
  #       ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml

  #       # systemd hardening-options
  #       AmbientCapabilities=
  #       CapabilityBoundingSet=
  #       DeviceAllow=/dev/null rw
  #       DevicePolicy=strict
  #       LimitMEMLOCK=0
  #       LimitNOFILE=8192
  #       LockPersonality=true
  #       MemoryDenyWriteExecute=true
  #       NoNewPrivileges=true
  #       PrivateDevices=true
  #       PrivateTmp=true
  #       PrivateUsers=true
  #       ProtectControlGroups=true
  #       ProtectHome=true
  #       ProtectKernelModules=true
  #       ProtectKernelTunables=true
  #       ProtectSystem=full
  #       ReadWritePaths=/var/spool/sms/outgoing
  #       RemoveIPC=true
  #       RestrictNamespaces=true
  #       RestrictRealtime=true
  #       SystemCallArchitectures=native

  #       [Install]
  #       WantedBy=multi-user.target

  # ## TODO:
  # ##   - configure smstools
  # ##   - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools
  # ##   - copy binary to /usr/local/bin/sachet
  # ##   - $ systemctl daemon-reload
  # ##   - $ systemctl enable --now sachet
  # ## NOTE(review): a branch is a moving ref. Build from a reviewed commit and
  # ## record the binary's checksum. Install the binary root-owned and not
  # ## writable by the sachet user, since the unit executes it on every start.