From 5791172575ddaddb913ec1ecce593eae5fe26796 Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys <jfaeys@gmail.com>
Date: Fri, 6 Mar 2026 14:25:43 -0500
Subject: [PATCH] feat(grafana): add SMTP configuration for email alerts

- Enable SMTP with GF_SMTP_ENABLED: true
- Configure internal Postfix relay (postfix:25)
- Set FROM address to grafana@grafana.jfraeys.com
- Disable TLS verification for internal relay (GF_SMTP_SKIP_VERIFY)
- Clear username/password for unauthenticated internal relay

Note: Grafana role currently commented out in playbook (1GB node constraint)
---
 roles/grafana/templates/docker-compose.yml.j2 | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/roles/grafana/templates/docker-compose.yml.j2 b/roles/grafana/templates/docker-compose.yml.j2
index e1f44d9..b24461f 100644
--- a/roles/grafana/templates/docker-compose.yml.j2
+++ b/roles/grafana/templates/docker-compose.yml.j2
@@ -23,6 +23,14 @@ services:
       GF_AUTH_GENERIC_OAUTH_USE_PKCE: 'true'
       GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'true'
       GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'admins') && 'Admin' || 'Viewer'"
+      # SMTP Configuration for email alerts
+      GF_SMTP_ENABLED: 'true'
+      GF_SMTP_HOST: 'postfix:25'
+      GF_SMTP_USER: ''
+      GF_SMTP_PASSWORD: ''
+      GF_SMTP_FROM_ADDRESS: '{{ grafana_smtp_from | default("grafana@" + grafana_hostname) }}'
+      GF_SMTP_FROM_NAME: 'Grafana Alerts'
+      GF_SMTP_SKIP_VERIFY: 'true'
     volumes:
       - grafana_data:/var/lib/grafana
       - ./provisioning:/etc/grafana/provisioning:ro
@@ -30,6 +38,11 @@ services:
       - monitoring
       - proxy
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=100m
     labels:
       - traefik.enable=true
       - traefik.docker.network=proxy