diff --git a/roles/grafana/templates/docker-compose.yml.j2 b/roles/grafana/templates/docker-compose.yml.j2
index e1f44d9..b24461f 100644
--- a/roles/grafana/templates/docker-compose.yml.j2
+++ b/roles/grafana/templates/docker-compose.yml.j2
@@ -23,6 +23,14 @@ services:
       GF_AUTH_GENERIC_OAUTH_USE_PKCE: 'true'
       GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'true'
       GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'admins') && 'Admin' || 'Viewer'"
+      # SMTP Configuration for email alerts
+      GF_SMTP_ENABLED: 'true'
+      GF_SMTP_HOST: 'postfix:25'
+      GF_SMTP_USER: ''
+      GF_SMTP_PASSWORD: ''
+      GF_SMTP_FROM_ADDRESS: '{{ grafana_smtp_from | default("grafana@" + grafana_hostname) }}'
+      GF_SMTP_FROM_NAME: 'Grafana Alerts'
+      GF_SMTP_SKIP_VERIFY: 'true'
     volumes:
       - grafana_data:/var/lib/grafana
       - ./provisioning:/etc/grafana/provisioning:ro
@@ -30,6 +38,11 @@ services:
       - monitoring
       - proxy
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=100m
     labels:
       - traefik.enable=true
       - traefik.docker.network=proxy