diff --git a/roles/alertmanager/tasks/main.yml b/roles/alertmanager/tasks/main.yml
index cbf611f..0c9df37 100644
--- a/roles/alertmanager/tasks/main.yml
+++ b/roles/alertmanager/tasks/main.yml
@@ -4,7 +4,7 @@
 set_fact:
 alertmanager_smtp_host: "{{ ALERTMANAGER_SMTP_HOST | default(lookup('env', 'ALERTMANAGER_SMTP_HOST') | default('postfix:25', true), true) }}"
 alertmanager_smtp_from: "{{ ALERTMANAGER_SMTP_FROM | default(lookup('env', 'ALERTMANAGER_SMTP_FROM') | default('no-reply@' ~ (inventory_hostname | default('localhost')), true), true) }}"
- alertmanager_email_to: "{{ ALERTMANAGER_EMAIL_TO | default(lookup('env', 'ALERTMANAGER_EMAIL_TO') | default('admin@localhost', true), true) }}"
+ alertmanager_email_to: "{{ ALERTMANAGER_EMAIL_TO | default(lookup('env', 'ALERTMANAGER_EMAIL_TO') | default('alerts@' ~ (auth_hostname | default(inventory_hostname | default('localhost'))), true), true) }}"
 no_log: true
 - name: Fail if Alertmanager email recipient is not configured
diff --git a/roles/alertmanager/templates/docker-compose.yml.j2 b/roles/alertmanager/templates/docker-compose.yml.j2
index f2c7ef3..d15bbac 100644
--- a/roles/alertmanager/templates/docker-compose.yml.j2
+++ b/roles/alertmanager/templates/docker-compose.yml.j2
@@ -11,6 +11,11 @@ services:
 - monitoring
 - proxy
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ read_only: true
+ tmpfs:
+ - /tmp:noexec,nosuid,size=50m
 labels:
 - com.centurylinklabs.watchtower.enable=true
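Review bot: The new fallback on the added `alertmanager_email_to` line in roles/alertmanager/tasks/main.yml always produces a plausible-looking address (`alerts@` plus `auth_hostname`, `inventory_hostname` or `localhost`), so an operator who never set `ALERTMANAGER_EMAIL_TO` gets alert mail routed to a mailbox that may not exist or that nobody reads. The "Fail if Alertmanager email recipient is not configured" task that follows has its condition outside the hunk; if it matched the old `admin@localhost` placeholder, it probably no longer fires with the derived value, which would make the misconfiguration silent. `inventory_hostname` can also be an IP address or an inventory alias, which is not a valid mail domain. I would keep the guard effective for the derived case, or at least document the fallback above the line with `# Derived fallback only; set ALERTMANAGER_EMAIL_TO to a monitored mailbox`.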
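Review bot: With `read_only: true` the only writable path this hunk adds to docker-compose.yml.j2 is the `/tmp` tmpfs, so Alertmanager keeps its silences and notification log only if its `--storage.path` sits on a mounted volume. The service's `volumes:` and `command:` keys are above the hunk, so this is not visible here; please confirm the storage path is a named volume, otherwise silences are lost on recreate or the container may fail to start. As this block is hardening the container, it would also be consistent to drop capabilities alongside `no-new-privileges`, for example `cap_drop:` with `- ALL`, provided the image does not need any. A short comment such as `# root filesystem is read-only; state lives on the data volume` above `read_only: true` would record the dependency.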