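---
# Single play for the host `ele-helene`: applies the roles listed below,
# in the order given. The SMS alerting tasks (smstools + sachet) further
# down are disabled; they are kept as a commented-out draft.
- name: Basic Setup
  hosts: ele-helene
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/ntp
    - role: core/cpu-microcode
    - role: apt-repo/spreadspace
    - role: nginx/base
    - role: monitoring/prometheus/exporter
    - role: vm/host/base
    - role: vm/host/network
    - role: installer/debian/base
    - role: installer/openbsd/base
    - role: streaming/blackmagic/desktopvideo
    - role: kubernetes/base
    - role: kubernetes/standalone/base
    - role: streaming/player

  # Disabled draft: SMS delivery for Prometheus Alertmanager via sachet,
  # which hands messages to smstools through /var/spool/sms/outgoing.
  # Removing the leading "# " from each line below re-enables it; the
  # nesting shown here is reconstructed, so lint it before use.
  #
  # NOTE(review): the `file` and `copy` tasks set no owner/group/mode, so
  #   /etc/sachet/config.yml (holds the recipient number) and the unit file
  #   get whatever the defaults are. Set `owner`, `group` and `mode`
  #   explicitly when re-enabling.
  # NOTE(review): with ProtectSystem=full, /var stays writable, so the
  #   ReadWritePaths= line does not narrow anything. ProtectSystem=strict
  #   would leave that spool directory as essentially the only writable
  #   path besides the private /tmp. Confirm the daemon still starts
  #   before switching.
  # NOTE(review): the TODO builds the binary from a branch and copies it
  #   by hand. A branch ref moves, so when this is automated, pin a commit
  #   and verify the binary's checksum before installing it.
  #
  # post_tasks:
  #   - name: install smstools
  #     apt:
  #       name: smstools
  #       state: present
  #   - name: add user for sachet
  #     user:
  #       name: sachet
  #       system: yes
  #       home: /nonexistent
  #       create_home: no
  #       groups: smsd
  #       append: yes
  #   - name: create sachet config directory
  #     file:
  #       path: /etc/sachet
  #       state: directory
  #   - name: install sachet config file
  #     copy:
  #       dest: /etc/sachet/config.yml
  #       content: |
  #         providers:
  #           smstools:
  #             outgoing_dir: /var/spool/sms/outgoing
  #         receivers:
  #           - name: equinox
  #             provider: smstools
  #             to:
  #               - '+436644800222'
  #   - name: install systemd service unit for sachet
  #     copy:
  #       dest: /etc/systemd/system/sachet.service
  #       content: |
  #         [Unit]
  #         Description=Sachet SMS Daemon for Prometheus Alertmanager
  #         [Service]
  #         Restart=on-failure
  #         User=sachet
  #         ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml
  #         # systemd hardening-options
  #         AmbientCapabilities=
  #         CapabilityBoundingSet=
  #         DeviceAllow=/dev/null rw
  #         DevicePolicy=strict
  #         LimitMEMLOCK=0
  #         LimitNOFILE=8192
  #         LockPersonality=true
  #         MemoryDenyWriteExecute=true
  #         NoNewPrivileges=true
  #         PrivateDevices=true
  #         PrivateTmp=true
  #         PrivateUsers=true
  #         ProtectControlGroups=true
  #         ProtectHome=true
  #         ProtectKernelModules=true
  #         ProtectKernelTunables=true
  #         ProtectSystem=full
  #         ReadWritePaths=/var/spool/sms/outgoing
  #         RemoveIPC=true
  #         RestrictNamespaces=true
  #         RestrictRealtime=true
  #         SystemCallArchitectures=native
  #         [Install]
  #         WantedBy=multi-user.target
  # ## TODO:
  # ## - configure smstools
  # ## - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools
  # ## - copy binary to /usr/local/bin/sachet
  # ## - $ systemctl daemon-reload
  # ## - $ systemctl enable --now sachet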