From ac8b0b9abd7f0e97bf87044de885f9c9d479e497 Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Fri, 6 Mar 2026 14:25:52 -0500
Subject: [PATCH] fix(alertmanager): use domain-based email for alerts
- Change default ALERTMANAGER_EMAIL_TO from admin@localhost to domain-based
- Use alerts@auth.jfraeys.com as default (configurable via env/vault)
- Remove hardcoded localhost email reference
Fixes: Alert delivery to proper domain email instead of localhost
---
 roles/alertmanager/tasks/main.yml | 2 +-
 roles/alertmanager/templates/docker-compose.yml.j2 | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/roles/alertmanager/tasks/main.yml b/roles/alertmanager/tasks/main.yml
index cbf611f..0c9df37 100644
--- a/roles/alertmanager/tasks/main.yml
+++ b/roles/alertmanager/tasks/main.yml
@@ -4,7 +4,7 @@
 set_fact:
 alertmanager_smtp_host: "{{ ALERTMANAGER_SMTP_HOST | default(lookup('env', 'ALERTMANAGER_SMTP_HOST') | default('postfix:25', true), true) }}"
 alertmanager_smtp_from: "{{ ALERTMANAGER_SMTP_FROM | default(lookup('env', 'ALERTMANAGER_SMTP_FROM') | default('no-reply@' ~ (inventory_hostname | default('localhost')), true), true) }}"
- alertmanager_email_to: "{{ ALERTMANAGER_EMAIL_TO | default(lookup('env', 'ALERTMANAGER_EMAIL_TO') | default('admin@localhost', true), true) }}"
+ alertmanager_email_to: "{{ ALERTMANAGER_EMAIL_TO | default(lookup('env', 'ALERTMANAGER_EMAIL_TO') | default('alerts@' ~ (auth_hostname | default(inventory_hostname | default('localhost'))), true), true) }}"
 no_log: true
 - name: Fail if Alertmanager email recipient is not configured
diff --git a/roles/alertmanager/templates/docker-compose.yml.j2 b/roles/alertmanager/templates/docker-compose.yml.j2
index f2c7ef3..d15bbac 100644
--- a/roles/alertmanager/templates/docker-compose.yml.j2
+++ b/roles/alertmanager/templates/docker-compose.yml.j2
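Review bot: In the new `alertmanager_email_to` default in roles/alertmanager/tasks/main.yml, the inner `auth_hostname | default(...)` is called without the second `true` argument, so an `auth_hostname` that is defined but empty yields the recipient `alerts@` instead of falling through to the next candidate. The chain also still ends in `default('localhost')`, so `alerts@localhost` stays reachable although the description says the localhost reference is removed, and `inventory_hostname` may be an inventory alias or an IP address rather than a mail domain. Because the expression now always renders a non-empty string, the following task "Fail if Alertmanager email recipient is not configured" (its body is outside the hunk) presumably can no longer catch a missing recipient, so alerts could go undelivered with no error at deploy time. Consider `'alerts@' ~ (auth_hostname | default(inventory_hostname, true))` for the fallback and have the fail task reject a recipient whose domain part is empty or `localhost`.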
@@ -11,6 +11,11 @@ services:
 - monitoring
 - proxy
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ read_only: true
+ tmpfs:
+ - /tmp:noexec,nosuid,size=50m
 labels:
 - com.centurylinklabs.watchtower.enable=true
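Review bot: `read_only: true` in the Alertmanager service of roles/alertmanager/templates/docker-compose.yml.j2 makes the root filesystem immutable while the hunk adds only `/tmp` as a writable path; Alertmanager keeps silences and its notification log under its `--storage.path`, so that directory needs a writable volume (the service's `volumes:` section, if there is one, lies outside the hunk, so confirm it covers the storage path). Without it the container may fail to start or fail to save silences, which turns a hardening step into a monitoring gap. The hardening is also absent from the commit description, which only covers the alert e-mail address, so a line there would help anyone auditing the change later. In the same spirit, `nodev` could join the tmpfs options (`/tmp:noexec,nosuid,nodev,size=50m`), `cap_drop: [ALL]` is worth adding if the image runs as a non-root user, and quoting `'no-new-privileges:true'` keeps the entry an unambiguous string.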