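---
# Play for host ele-telesto: base system, storage and VM-host roles, then
# (in post_tasks) an smstools-backed sachet SMS receiver for Alertmanager.
- name: Basic Setup
  hosts: ele-telesto
  roles:
  - role: apt-repo/base
  - role: core/base
  - role: core/sshd/base
  - role: core/zsh
  - role: core/cpu-microcode
  - role: storage/zfs/pools
  - role: apt-repo/spreadspace
  - role: storage/zfs/sanoid
  - role: monitoring/prometheus/exporter
  - role: vm/host/base
  - role: vm/host/network
  - role: installer/debian/base
  - role: installer/openbsd/base
  post_tasks:
  # smstools provides the outgoing spool directory that sachet writes into.
  - name: install smstools
    apt:
      name: smstools
      state: present

  # Unprivileged, home-less system account for the daemon. Membership in
  # smsd is presumably what grants write access to the smstools spool
  # (the only path listed in ReadWritePaths below) - confirm on the host.
  - name: add user for sachet
    user:
      name: sachet
      system: true
      home: /nonexistent
      create_home: false
      groups: smsd
      append: true

  # Ownership and mode are set explicitly so the result does not depend on
  # the controller's umask.
  - name: create sachet config directory
    file:
      path: /etc/sachet
      state: directory
      owner: root
      group: root
      mode: '0755'

  # Root-owned and world-readable: the sachet user can read but not modify
  # the file. It holds no credentials, only the spool path and the recipient.
  - name: install sachet config file
    copy:
      dest: /etc/sachet/config.yml
      owner: root
      group: root
      mode: '0644'
      content: |
        providers:
          smstools:
            outgoing_dir: /var/spool/sms/outgoing

        receivers:
        - name: equinox
          provider: smstools
          to:
          - '+436644800222'

  # Runs sachet as the unprivileged user inside a systemd sandbox. With
  # ProtectSystem=full /var stays writable, so ReadWritePaths only becomes
  # load-bearing if this is later tightened to ProtectSystem=strict. A new
  # or changed unit is not seen by systemd until daemon-reload (see TODO).
  - name: install systemd service unit for sachet
    copy:
      dest: /etc/systemd/system/sachet.service
      owner: root
      group: root
      mode: '0644'
      content: |
        [Unit]
        Description=Sachet SMS Daemon for Prometheus Alertmanager

        [Service]
        Restart=on-failure
        User=sachet
        ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml

        # systemd hardening-options
        AmbientCapabilities=
        CapabilityBoundingSet=
        DeviceAllow=/dev/null rw
        DevicePolicy=strict
        LimitMEMLOCK=0
        LimitNOFILE=8192
        LockPersonality=true
        MemoryDenyWriteExecute=true
        NoNewPrivileges=true
        PrivateDevices=true
        PrivateTmp=true
        PrivateUsers=true
        ProtectControlGroups=true
        ProtectHome=true
        ProtectKernelModules=true
        ProtectKernelTunables=true
        ProtectSystem=full
        ReadWritePaths=/var/spool/sms/outgoing
        RemoveIPC=true
        RestrictNamespaces=true
        RestrictRealtime=true
        SystemCallArchitectures=native

        [Install]
        WantedBy=multi-user.target

  ## TODO:
  ##   - configure smstools
  ##   - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools
  ##   - copy binary to /usr/local/bin/sachet
  ##   - $ systemctl daemon-reload
  ##   - $ systemctl enable --now sachet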