-rw-r--r--ansible/roles/alloy/files/alloy-override.conf5
-rw-r--r--ansible/roles/alloy/handlers/main.yml7
-rw-r--r--ansible/roles/alloy/meta/main.yml3
-rw-r--r--ansible/roles/alloy/tasks/main.yml23
4 files changed, 38 insertions, 0 deletions
diff --git a/ansible/roles/alloy/files/alloy-override.conf b/ansible/roles/alloy/files/alloy-override.conf
new file mode 100644
index 0000000..79df840
--- /dev/null
+++ b/ansible/roles/alloy/files/alloy-override.conf
@@ -0,0 +1,5 @@
+[Service]
+ProtectHome=true
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/alloy
+NoNewPrivileges=true
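Review bot: The drop-in leaves `/var/lib/alloy` as the only writable path under a read-only `/`, but nothing in the file records that this must match the directory Alloy actually stores its state in. If the packaged unit or its environment file points elsewhere, the service would presumably fail on its first write after the restart. A leading comment such as `# Only writable path; must match Alloy's configured storage directory` would make that coupling visible. `ProtectHome=true` also makes /home, /root and /run/user inaccessible, so it is worth confirming that no configured log source lives under those paths. Running `systemd-analyze security alloy` on a deployed host would show what exposure remains after these four settings.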
diff --git a/ansible/roles/alloy/handlers/main.yml b/ansible/roles/alloy/handlers/main.yml
index e38b3c6..eb19222 100644
--- a/ansible/roles/alloy/handlers/main.yml
+++ b/ansible/roles/alloy/handlers/main.yml
@@ -5,3 +5,10 @@
state: reloaded
tags:
- role::alloy
+
+- name: Restart the alloy service
+ service:
+ name: alloy
+ state: restarted
+ tags:
+ - role::alloy
diff --git a/ansible/roles/alloy/meta/main.yml b/ansible/roles/alloy/meta/main.yml
new file mode 100644
index 0000000..56e9b53
--- /dev/null
+++ b/ansible/roles/alloy/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - systemd
diff --git a/ansible/roles/alloy/tasks/main.yml b/ansible/roles/alloy/tasks/main.yml
index f593e61..1ad95e2 100644
--- a/ansible/roles/alloy/tasks/main.yml
+++ b/ansible/roles/alloy/tasks/main.yml
@@ -36,6 +36,29 @@
notify:
- Reload the alloy service
+- name: Create service override directory
+ file:
+ path: /etc/systemd/system/alloy.service.d
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+ tags:
+ - role::alloy
+
+- name: Create service dropin with security overrides
+ copy:
+ src: alloy-override.conf
+ dest: /etc/systemd/system/alloy.service.d/override.conf
+ owner: root
+ group: root
+ mode: "0444"
+ tags:
+ - role::alloy
+ notify:
+ - Reload the systemd daemon
+ - Restart the alloy service
+
- name: Start and enable the Alloy service
service:
name: alloy
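Review bot: The `notify` list on the drop-in task names `Reload the systemd daemon`, which is not defined in this role's handlers file and presumably comes from the `systemd` role added in meta/main.yml. The hardening only takes effect if that daemon-reload runs before `Restart the alloy service`. Ansible runs handlers in the order they are defined, not the order they are notified, so this relies on the dependency's handlers loading first. A comment above the `notify` would record that, for example `# daemon-reload (systemd role) must be defined before the restart handler; handlers run in definition order`. The following `Start and enable the Alloy service` task continues outside the hunk, so whether it can start the unit before the reload has run cannot be judged from here.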