diff --git a/docs/servers.md b/docs/servers.md
index f72f11d190e61c8c1af21af776391a6101412748..4b822c9a90f79dd4c560d29b93c338814b5c1524 100644
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -151,6 +151,14 @@ Prometheus, and Grafana server which receives selected performance/metrics from
 Online collborative markdwown editor for Arch Linux Staff.
+## mailman3.archlinux.org
+
+This server runs mailman3 as mailman2 and mailman3 can't be installed on the same server. The HTTP and LMTP traffic is routed over WireGuard from lists.archlinux.org.
+
+### Services
+
+ - mailman3
+
 ### Services
 - [hedgedoc](https://hedgedoc.org/)
diff --git a/docs/ssh-hostkeys.txt b/docs/ssh-hostkeys.txt
index 5d949146acf36b516486b804dd8405b68dff4f02..f19b6dc244d771f2cde2cb9ce01765e3d4c48b60 100644
--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -186,15 +186,15 @@ 3072 MD5:b6:14:30:bd:fe:43:46:6a:20:a2:8b:b0:aa:d4:35:19 root@archlinux-packer (RSA) # mailman3.archlinux.org -1024 SHA256:uYhlq19YzcZ8PEModMv2Y65xsiq1H+mjdwZ8PtbPET8 root@archlinux-packer (DSA) -256 SHA256:85YiWFreKiw2Pv/XaKTqs0J0VInFtyVahpDRx2O9/B4 root@archlinux-packer (ECDSA) -256 SHA256:b0mcOvNMzGrekDDtx83ZB1p5kN0meFek7zz1LbkfeHM root@archlinux-packer (ED25519) -3072 SHA256:5hC4XSzA+/CgpL6cLYt0UbHB4aUs/o0IPxSScZwoi4A root@archlinux-packer (RSA) - -1024 MD5:3b:20:ad:1e:65:d8:3a:2e:09:69:62:46:e6:d9:6a:3e root@archlinux-packer (DSA) -256 MD5:8d:ee:10:9b:05:56:b3:c7:4a:de:00:ad:95:c1:95:fa root@archlinux-packer (ECDSA) -256 MD5:25:a8:b9:3c:fe:74:e7:7f:39:03:8e:23:dc:20:eb:bf root@archlinux-packer (ED25519) -3072 MD5:20:a0:74:13:bd:97:59:11:75:a4:67:28:92:c3:40:35 root@archlinux-packer (RSA) +1024 SHA256:U1A+NO+I+JRg0YPo+UgwGfbextnL+pVuqjWGdyokLpI root@archlinux-packer (DSA) +256 SHA256:vdEZ5/6Xxd7Azjzaf5xz5kfzQrWcq1raz5cFAIclooE root@archlinux-packer (ECDSA) +256 SHA256:iCeRz+2HK7heoapDRscHpgbEX4cbem1BZpWzrAoOxTQ root@archlinux-packer (ED25519) +3072 SHA256:sqUYYmrNXzYPL5TtsBsTnaANsZ/P7miyCAIkt0YWfBg root@archlinux-packer (RSA) + +1024 MD5:8f:94:fe:a9:56:ee:3f:cc:a4:e7:a5:4f:2b:02:e8:c3 root@archlinux-packer (DSA) +256 MD5:ca:3e:2d:aa:8a:4b:71:3a:18:22:59:0f:6e:ff:ae:5d root@archlinux-packer (ECDSA) +256 MD5:a8:d3:f8:42:ff:ae:7d:71:1b:fe:93:4b:f7:df:38:5f root@archlinux-packer (ED25519) +3072 MD5:51:ea:a4:ec:76:87:ee:89:e7:3a:fc:80:ea:fe:2d:9c root@archlinux-packer (RSA) # man.archlinux.org 1024 SHA256:11C7Qa1GSNBBspSlber3Sp+LEMRpfr/VWkypfu6OnhA root@archlinux-packer (DSA) diff --git a/docs/ssh-known_hosts.txt b/docs/ssh-known_hosts.txt index 4821545fd0fb8f26a8ec218aa9acf9f5fa244ae6..6570c8db0d7ace21bc2eefc959a74389b6418e78 100644 --- a/docs/ssh-known_hosts.txt +++ b/docs/ssh-known_hosts.txt 
@@ -96,9 +96,9 @@ mail.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTOoGxsf23f6AjIHcQQuvbTO mail.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPrURadxte8UJiteGa6+Q+OjTAjhvGAQFkNSXj1pr4k03uxkU6l2v2LuTygk+4SZSCyUsKvNx/ljJeHBnuecQ8rRv19ZFqy/GQKB3oEmiNYMo2dYYlJWwTVBHatmghhB1j2y40yqdKWH2xQuXC3HtnS7fHG0g1Rc4R9KB4MQlcXkwnSEMpwpWBoO7sr0M4YTdwE+nSG9aNfyPbPGp3mX4ATz5X5hPJOlSFVDV6NuKrA+5qyt4jSKdeG5IuWeEnEJesYJEvShYdY9DvMCXnZykB0emzzk+5+Cp2lTPf9LOO3wNsTgHV/CwkoAoMgr9+ASefhBr3nxmmrs9T7nwuobGCGFUqQ2D8IKCmsWGVKXYERViz3x/gYUIlHgVJpoIXCFFqbdpWwxKR1aDMug2fFe699/FzuPdqrWPFdQMF2mPQ0w3AH/62KGp+PULE2HxrlCiY/gF2m8iJLgunxVKmi/c0ufgK9QilnKcPO+W4tcISa5MYt7MSTTLV9eVsgVjGhOU= # mailman3.archlinux.org -mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFIHctq5/hKXaU//Jkzifp71ePIzcxdlxE5SZz1e7AcNp0Cci9W8A8NPtP6DMUvv4ezdKp+A/Czcy49tQolI30s= -mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0FZBrH2DQQoGn85t+2PN8t8FmUst9PsEsmGekfFAc+ -mailman3.archlinux.org ssh-rsa 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 +mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLYxKdG6ntbOV/YpVbRkJiJfAPt8BTTN/hKm0uebSwpuQbbv5hxXLSOYeA0C/yJBNXXX4EJ82J88oEJQBFxiPvY= +mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+GtJoC+QEUyKA/ZneTBXOBs7W3JBAEb1nLDkjzsqa1 +mailman3.archlinux.org ssh-rsa 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 # man.archlinux.org man.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhnsStoFw6rbVpE1S1vsXNk8de1SyMag1C+v0DWVSuNYzTylYg4322WbYzw45z2XhxrF6XmCSDMvgxvFwnfLQA= diff --git a/group_vars/all/vault_mailman3.yml b/group_vars/all/vault_mailman3.yml new file mode 100644 index 0000000000000000000000000000000000000000..03690e6514cf72c76b8ddf31e443a818f8930956 --- /dev/null +++ b/group_vars/all/vault_mailman3.yml 
@@ -0,0 +1,26 @@ +$ANSIBLE_VAULT;1.1;AES256 +63633533303232373335663630346139613137616132393738383265663337636565663935386365 +3262636536383962333438653033323061306433323232610a623836643732616163383364316639 +37626134643334383432346465343734353566663261643334396563336132666133666431313563 +6365643566626635360a616139393131346566666266653737303562663664656231643836373038 +37316436643133333261313963356435353938393032313935353939613962303733623934313965 +64356635626561376130336134656436386638306538373635313638393932313337316636343533 +32666138613765326332373335366634313530656162383162633861666365333230303132346263 +63613031643230356361383638386230613231626135663763373630666362623536663165356335 +33333033376332653130626262633563336238383931393636346339333963326330373431363931 +61383733626363316539653638373562616335366363306365353166666335383037633830636263 +37313663636139666131623435383833313434396665663162623934646330626362346237363331 +65323537383536333763646431623061646337613761363861373261343638653235333038663239 +34636662663763363832643061313035316437633965346332363432653562613865623261613235 +61303239626136303736356533373739343566313464343931383962633232313263383230336438 +32653534623739616436346539616336373562376632303833323230643465666262303263383334 +64623362363863393866666461396237613934656239653262316438633338313036303436313236 +61623562376139616539646231376438636234656363666639646465663035326161346435396439 +63613839396163616135313537626535393039623866646431333239383263313931386131303464 +36353837303662343530663561363036633864346131343731643535386462316663353233636638 +36323134643230376239326637656537633337323333616630313531653239366263386238363333 +32336538613635613964366562383165616433363738623638393364363233636262643131653532 +62326363356333333563383139323366363462613031303566376365643439373163613166333339 +38353266616463396139336663353536336631666565656630396431363439333034653336316234 
+61663232383136353937336431353131323933613462666233663464656166356161613039316436 +3136 diff --git a/host_vars/mailman3.archlinux.org/misc b/host_vars/mailman3.archlinux.org/misc new file mode 100644 index 0000000000000000000000000000000000000000..c8bb8a76d1d0802116bbca118b89e60c5cd982be --- /dev/null +++ b/host_vars/mailman3.archlinux.org/misc @@ -0,0 +1,5 @@ +--- +filesystem: btrfs +ipv4_address: 65.21.106.94 +wireguard_address: 10.0.0.37 +wireguard_public_key: obBFreFGNDLB17+PaJspE4qNeVX4o7ZPcJj3ZmJhahg= diff --git a/host_vars/mailman3.archlinux.org/vault_wireguard.yml b/host_vars/mailman3.archlinux.org/vault_wireguard.yml new file mode 100644 index 0000000000000000000000000000000000000000..e8e3b3fc5288446b86cdca45acda017d89b019a6 --- /dev/null +++ b/host_vars/mailman3.archlinux.org/vault_wireguard.yml @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +32363065633737653663623334663139323638366462343630623765396636353932653932356261 +6239356162633731656330383436363861376231616462390a356432316532333632653839333230 +63636434373462643231323532633362363434646230323636333264393032373632343932616361 +6536383038313134300a363139313337646533626334333666326535623039323332666338306532 +33643430313864663833343765623138393165386564343636306363626232666436353665353235 +34623064363764336139633334663530376332633536383033313438613035303662333435313536 +34366663643130633064646161613065373532653235373730316439643165383635353761396639 +61656462333035666437 diff --git a/hosts b/hosts index e68a9a7ff4b0e126163b47194497f4c585599f76..7e88a79790835cad9296360286ba9a7e280e4917 100644 --- a/hosts +++ b/hosts @@ -45,6 +45,7 @@ security.archlinux.org md.archlinux.org lists.archlinux.org gluebuddy.archlinux.org +mailman3.archlinux.org [public_html] homedir.archlinux.org @@ -127,6 +128,7 @@ gluebuddy.archlinux.org homedir.archlinux.org lists.archlinux.org mail.archlinux.org +mailman3.archlinux.org man.archlinux.org matrix.archlinux.org md.archlinux.org 
diff --git a/playbooks/mailman3.archlinux.org.yml b/playbooks/mailman3.archlinux.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b2ca8650326455be93640cd0c533e7c870338a78
--- /dev/null
+++ b/playbooks/mailman3.archlinux.org.yml
@@ -0,0 +1,17 @@
+- name: setup mailman3 server
+ hosts: mailman3.archlinux.org
+ remote_user: root
+ roles:
+ - { role: common }
+ - { role: firewalld }
+ - { role: wireguard }
+ - { role: sshd }
+ - { role: root_ssh }
+ - { role: hardening }
+ - { role: borg_client, tags: ["borg"] }
+ - { role: prometheus_exporters }
+ - { role: promtail }
+ - { role: nginx, nginx_firewall_zone: wireguard }
+ - { role: uwsgi }
+ - { role: postgres }
+ - { role: mailman3 }
diff --git a/roles/mailman/files/migrated-lists.map b/roles/mailman/files/migrated-lists.map
new file mode 100644
index 0000000000000000000000000000000000000000..4a7aa307dd7c4a16a938eb2407541e34906e7340
--- /dev/null
+++ b/roles/mailman/files/migrated-lists.map
@@ -0,0 +1,4 @@
+/listinfo/arch-announce /archives/list/arch-announce@lists.archlinux.org/;
+/listinfo/arch-devops-private /archives/list/arch-devops-private@lists.archlinux.org/;
+/listinfo/arch-events /archives/list/arch-events@lists.archlinux.org/;
+/listinfo/arch-wiki-admins /archives/list/arch-wiki-admins@lists.archlinux.org/;
diff --git a/roles/mailman/handlers/main.yml b/roles/mailman/handlers/main.yml
index 575fe778eaffe5841bc88c1f9e34a943f6db190a..bf89770a798c7f06650b62e516aeef98b49eb509 100644
--- a/roles/mailman/handlers/main.yml
+++ b/roles/mailman/handlers/main.yml
@@ -7,3 +7,9 @@
 - name: reload postfix
 service: name=postfix state=reloaded
+
+- name: run postmap
+ command: postmap /etc/postfix/{{ item }}
+ loop:
+ - aliases
+ - transport
diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml
index 117048f99b87ea4256d33908bcdec1c1b016b2c2..0b6497435bcda41c4ae18099471c587144bd736d 100644
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
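Review bot: `command: postmap /etc/postfix/{{ item }}` is run for `aliases` as well as `transport`, but a file in aliases(5) format (`name: target`) has to be compiled with `postalias`, not `postmap`, for the new `hash:/etc/postfix/aliases` lookup in main.cf.j2 to find its keys; if /etc/postfix/aliases is in that format, loop over pairs instead, e.g. `command: "{{ item.cmd }} /etc/postfix/{{ item.map }}"` with `{cmd: postalias, map: aliases}` and `{cmd: postmap, map: transport}`. Handlers also fire in declaration order, so in a run where `reload postfix` (declared above this one) is notified as well, postfix is reloaded before the `.db` files exist and local deliveries are deferred until this handler has run; declaring `run postmap` before `reload postfix`, or adding `notify: reload postfix` to it, fixes the ordering. The same concern covers the `notify: run postmap` changes in roles/mailman/tasks/main.yml and the `texthash:` to `hash:` switch in roles/mailman/templates/main.cf.j2 in this commit.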
@@ -21,10 +21,19 @@
 loop:
 - aliases
 - milter_header_checks
- notify: reload postfix
+ notify: run postmap
+
+- name: install postfix templated maps
+ template: src={{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644
+ loop:
+ - transport
+ notify: run postmap
 - name: open firewall holes for postfix
- ansible.posix.firewalld: service=smtp permanent=true state=enabled immediate=yes
+ ansible.posix.firewalld: service=smtp zone={{ item }} permanent=true state=enabled immediate=yes
+ loop:
+ -
+ - wireguard
 when: configure_firewall
 tags:
 - firewall
@@ -40,6 +49,10 @@
 - name: make nginx log dir
 file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
+- name: install nginx mailman2->mailman3 redirect map
+ copy: src=migrated-lists.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
+ notify: reload nginx
+
 - name: set up nginx
 template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
 notify: reload nginx
diff --git a/roles/mailman/templates/main.cf.j2 b/roles/mailman/templates/main.cf.j2
index 5a250a082b08a1e66599d03742fb6423fcc62846..5d29e60b779c833ae33f2a4aebcc1a87e68425cf 100644
--- a/roles/mailman/templates/main.cf.j2
+++ b/roles/mailman/templates/main.cf.j2
@@ -18,6 +18,11 @@ smtp_tls_security_level = may
 mydomain = {{ lists_domain }}
 myorigin = {{ lists_domain }}
 mydestination = {{ lists_domain }}
+mynetworks =
+ 127.0.0.0/8
+ [::1]/128
+ [fe80::]/64
+ {{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}
 # fatal: configuration error: mailbox_size_limit is smaller than message_size_limit
 message_size_limit = 104857600
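Review bot: The bare `-` loop item in `open firewall holes for postfix` renders the module call as `service=smtp zone= permanent=true …`, i.e. an empty string rather than an absent zone, and the hunk does not establish whether ansible.posix.firewalld treats an empty string like an unset zone (default zone) or rejects it; the intent is also invisible to the reader. Passing the module a dict and omitting `zone` for the empty item makes the default-zone case explicit and independent of that module detail. roles/nginx/tasks/main.yml in this commit relies on the same behaviour through the empty `nginx_firewall_zone` default and should get the same treatment.
```yaml
- name: open firewall holes for postfix
  ansible.posix.firewalld:
    service: smtp
    zone: "{{ item | default(omit, true) }}"
    permanent: true
    state: enabled
    immediate: yes
  loop:
    - ""
    - wireguard
  # … unchanged: when / tags …
```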
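Review bot: `mynetworks` now lists `[fe80::]/64`, which trusts every IPv6 link-local neighbour on the host's segment rather than the host itself; if the smtpd restrictions (outside this hunk) use `permit_mynetworks`, any such neighbour can relay through this server. Nothing in the change needs link-local: the mailman3 box reaches postfix over its WireGuard address, which is listed separately. Unless something else depends on it, drop that entry and keep `127.0.0.0/8`, `[::1]/128` and the WireGuard address.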
@@ -41,9 +46,10 @@ smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please
 smtpd_milters = inet:localhost:11332
 non_smtpd_milters = $smtpd_milters
-alias_maps = texthash:/etc/postfix/aliases hash:/var/lib/mailman/data/aliases
-local_recipient_maps = $alias_maps
+alias_maps = hash:/etc/postfix/aliases hash:/var/lib/mailman/data/aliases
+local_recipient_maps = hash:/etc/postfix/transport $alias_maps
 alias_database = $alias_maps
+transport_maps = hash:/etc/postfix/transport
 milter_header_checks = pcre:/etc/postfix/milter_header_checks
diff --git a/roles/mailman/templates/nginx.d.conf.j2 b/roles/mailman/templates/nginx.d.conf.j2
index e399179be94a7ce7b7e57f17533401eceffc0547..e8cd51c88cb1c4af848b0d7b776cf984521e2d62 100644
--- a/roles/mailman/templates/nginx.d.conf.j2
+++ b/roles/mailman/templates/nginx.d.conf.j2
@@ -15,6 +15,10 @@ server {
 }
 }
+map $uri $migrated_uri {
+ include maps/migrated-lists.map;
+}
+
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
@@ -28,6 +32,10 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem;
+ if ($migrated_uri) {
+ return 302 $migrated_uri;
+ }
+
 # redirect old urls
 location /mailman/ {
 rewrite ^/mailman/(.*) /$1 permanent;
@@ -51,4 +59,10 @@ server {
 uwsgi_pass unix:/run/uwsgi/mailman.sock;
 }
+ location ~ ^/(static|mailman3|archives|user-profile|accounts|admin3)($|/) {
+ proxy_pass http://{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }};
+ proxy_set_header Host {{ lists_domain }};
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
 }
diff --git a/roles/mailman/templates/transport.j2 b/roles/mailman/templates/transport.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d51d9e02160a17cd9e96fc3d0388b22554acd48b
--- /dev/null
+++ b/roles/mailman/templates/transport.j2
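Review bot: `return 302 $migrated_uri;` marks the move of the migrated lists' pages as temporary, while the `/mailman/` rewrite directly below it uses `permanent` (301); for a one-way mailman2 to mailman3 migration `return 301 $migrated_uri;` is the consistent choice and lets clients and crawlers retire the old URLs. The `if` block itself is fine: it sits at server level and only returns, which is one of the safe uses of `if` in nginx.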
@@ -0,0 +1,47 @@
+# AUTOMATICALLY GENERATED BY MAILMAN ON 2022-04-30 15:19:36
+#
+# This file is generated by Mailman, and is kept in sync with the binary hash
+# file. YOU SHOULD NOT MANUALLY EDIT THIS FILE unless you know what you're
+# doing, and can keep the two files properly in sync. If you screw it up,
+# you're on your own.
+
+# Aliases which are visible only in the @lists.archlinux.org domain.
+arch-announce@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-announce-bounces@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-announce-confirm@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-announce-join@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-announce-leave@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-announce-owner@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-announce-request@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-announce-subscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-announce-unsubscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+
+arch-devops-private@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-devops-private-bounces@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-devops-private-confirm@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-devops-private-join@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-devops-private-leave@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-devops-private-owner@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-devops-private-request@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-devops-private-subscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-devops-private-unsubscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+
+arch-events@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-events-bounces@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-events-confirm@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-events-join@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-events-leave@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-events-owner@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-events-request@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-events-subscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-events-unsubscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+
+arch-wiki-admins@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-wiki-admins-bounces@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-wiki-admins-confirm@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-wiki-admins-join@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-wiki-admins-leave@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-wiki-admins-owner@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-wiki-admins-request@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-wiki-admins-subscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
+arch-wiki-admins-unsubscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
diff --git a/roles/mailman3/defaults/main.yml b/roles/mailman3/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b2d2b3fd97fea0e40382ddc367ac056d789ad2af
--- /dev/null
+++ b/roles/mailman3/defaults/main.yml
@@ -0,0 +1 @@
+lists_domain: lists.archlinux.org
diff --git a/roles/mailman3/files/postfix.cfg b/roles/mailman3/files/postfix.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..6068f1cc65c30fc0febb823d33b8e962bb105ff0
--- /dev/null
+++ b/roles/mailman3/files/postfix.cfg
@@ -0,0 +1,13 @@
+[postfix]
+# Additional configuration variables for the postfix MTA.
+
+# This variable describe the program to use for regenerating the transport map
+# db file, from the associated plain text files. The file being updated will
+# be appended to this string (with a separating space), so it must be
+# appropriate for os.system().
+postmap_command: /usr/bin/true
+
+# This variable describes the type of transport maps that will be generated by
+# mailman to be used with postfix for LMTP transport. By default, it is set to
+# hash, but mailman also supports `regex` tables.
+transport_file_type: hash
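Review bot: The header still says `AUTOMATICALLY GENERATED BY MAILMAN ON 2022-04-30 15:19:36` and `YOU SHOULD NOT MANUALLY EDIT THIS FILE`, but this file is now an Ansible template that has to be edited by hand every time a list moves to mailman3; mailman's own generated map on the mailman3 host is never used, since roles/mailman3/files/postfix.cfg in this commit sets `postmap_command: /usr/bin/true`. Replace the header with a comment saying the file is managed by Ansible and must be kept in sync with roles/mailman/files/migrated-lists.map. The 36 entries are four list names times nine fixed suffixes with an identical LMTP target, so generating them from one list (and using `lists_domain` as main.cf.j2 already does) removes the copy-paste and gives the redirect map a single source of truth.
```jinja
{# Managed by Ansible: lists migrated to mailman3, delivered over WireGuard LMTP.
   Keep in sync with roles/mailman/files/migrated-lists.map. #}
{% set lmtp_target = "lmtp:[" ~ hostvars['mailman3.archlinux.org']['wireguard_address'] ~ "]:8024" %}
{% for list in ['arch-announce', 'arch-devops-private', 'arch-events', 'arch-wiki-admins'] %}
{% for suffix in ['', '-bounces', '-confirm', '-join', '-leave', '-owner', '-request', '-subscribe', '-unsubscribe'] %}
{{ list }}{{ suffix }}@{{ lists_domain }} {{ lmtp_target }}
{% endfor %}

{% endfor %}
```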
diff --git a/roles/mailman3/handlers/main.yml b/roles/mailman3/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2e70e721a21a342ba9e37f1e1bd408f211b367df
--- /dev/null
+++ b/roles/mailman3/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload mailman
+ service: name=mailman3 state=reloaded
+
+- name: restart mailman-web
+ service: name=uwsgi@mailman\\x2dweb.service state=restarted
diff --git a/roles/mailman3/tasks/main.yml b/roles/mailman3/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f987b59af0303ff0f8a06e06d9bf59ce2060c463
--- /dev/null
+++ b/roles/mailman3/tasks/main.yml
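Review bot: The `restart mailman-web` handler names the unit `uwsgi@mailman\\x2dweb.service`, while the task that enables it in roles/mailman3/tasks/main.yml writes `uwsgi@mailman\x2dweb.service`. Both values are YAML plain scalars, where a backslash is literal, so unless the key=value parser collapses the doubled backslash (which I would not rely on) the handler asks systemd for a unit whose name contains two backslashes and that nothing ever started, and the restart after a settings.py change fails or hits nothing. Use the same spelling in both places: `service: name=uwsgi@mailman\x2dweb.service state=restarted`.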
@@ -0,0 +1,72 @@
+---
+- name: install mailman3 and related packages
+ pacman: name=mailman3,mailman3-hyperkitty,python-psycopg2,mailman-web,uwsgi-plugin-python state=present
+ register: install
+
+- name: install {mailman,mailman-web} configuration
+ template: src={{ item.src }} dest={{ item.dest }} owner=root group={{ item.group }} mode=0640
+ loop:
+ - {src: mailman.cfg.j2, dest: /etc/mailman.cfg, group: mailman}
+ - {src: mailman-hyperkitty.cfg.j2, dest: /etc/mailman-hyperkitty.cfg, group: mailman}
+ - {src: settings.py.j2, dest: /etc/webapps/mailman-web/settings.py, group: mailman-web}
+ - {src: urls.py.j2, dest: /etc/webapps/mailman-web/urls.py, group: mailman-web}
+ notify:
+ - reload mailman
+ - restart mailman-web
+
+- name: install mailman postfix.cfg configuration
+ copy: src=postfix.cfg dest=/etc/postfix.cfg owner=root group=root mode=0644
+ notify: reload mailman
+
+- name: make nginx log dir
+ file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+ template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
+ notify: reload nginx
+ tags: ['nginx']
+
+- name: create postgres {mailman,mailman-web} user
+ postgresql_user: name={{ item.username }} password={{ item.password }}
+ loop:
+ - {username: "{{ vault_mailman_db_user }}", password: "{{ vault_mailman_db_password }}"}
+ - {username: "{{ vault_mailman_web_db_user }}", password: "{{ vault_mailman_web_db_password }}"}
+ become: true
+ become_user: postgres
+ become_method: su
+ no_log: true
+
+- name: create {mailman,mailman-web} db
+ postgresql_db: name={{ item.db }} owner={{ item.owner }}
+ loop:
+ - {db: mailman, owner: "{{ vault_mailman_db_user }}"}
+ - {db: mailman-web, owner: "{{ vault_mailman_web_db_user }}"}
+ become: true
+ become_user: postgres
+ become_method: su
+
+- name: run Django management tasks
+ command: django-admin {{ item }} --pythonpath /etc/webapps/mailman-web --settings settings
+ loop:
+ - migrate
+ - loaddata
+ - collectstatic
+ - compress
+ become: true
+ become_user: mailman-web
+ when: install.changed
+
+- name: open LMTP ipv4 port for lists.archlinux.org
+ ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+ rich_rule="rule family=ipv4 source address={{ hostvars['lists.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8024 accept"
+ tags:
+ - firewall
+
+- name: start and enable mailman{.service,-*.timer}
+ systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
+ loop:
+ - mailman3.service
+ - mailman3-digests.timer
+ - mailman3-gatenews.timer
+ - mailman3-notify.timer
+ - uwsgi@mailman\x2dweb.service
diff --git a/roles/mailman3/templates/mailman.cfg.j2 b/roles/mailman3/templates/mailman.cfg.j2
new file mode 100644
index 0000000000000000000000000000000000000000..82b4c47ed09f413b4363e166ffcfd84425a306d3
--- /dev/null
+++ b/roles/mailman3/templates/mailman.cfg.j2
@@ -0,0 +1,23 @@
+[mailman]
+site_owner: root@{{ lists_domain }}
+layout: fhs
+
+[database]
+class: mailman.database.postgresql.PostgreSQLDatabase
+url: postgres://{{ vault_mailman_db_user }}:{{ vault_mailman_db_password }}@/mailman
+
+[webservice]
+admin_user: {{ vault_mailman_admin_user }}
+admin_pass: {{ vault_mailman_admin_pass }}
+
+[mta]
+configuration: /etc/postfix.cfg
+lmtp_host: {{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}
+lmtp_port: 8024
+smtp_host: {{ hostvars['lists.archlinux.org']['wireguard_address'] }}
+smtp_port: 25
+
+[archiver.hyperkitty]
+class: mailman_hyperkitty.Archiver
+enable: yes
+configuration: /etc/mailman-hyperkitty.cfg
diff --git a/roles/mailman3/templates/nginx.d.conf.j2 b/roles/mailman3/templates/nginx.d.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e0576e8cb6db07405879e592210d04dfff57251e
--- /dev/null
+++ b/roles/mailman3/templates/nginx.d.conf.j2
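Review bot: `django-admin loaddata` is run with no fixture argument in the `run Django management tasks` loop; stock Django's `loaddata` requires at least one fixture label and exits with a usage error otherwise, which would fail the very first run (`when: install.changed`). Confirm that the mailman-web packaging really provides a no-argument `loaddata`; if not, drop that loop item. Separately, the `set up nginx` task writes `mode=644` while every other task in this file uses the zero-prefixed `mode=0640`/`mode=0644` form; `mode=0644` keeps it consistent and unambiguous.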
@@ -0,0 +1,22 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ lists_domain }} localhost;
+
+ set_real_ip_from {{ hostvars['lists.archlinux.org']['wireguard_address'] }}/32;
+ real_ip_header X-Forwarded-For;
+
+ access_log /var/log/nginx/{{ lists_domain }}/access.log main;
+ access_log /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
+ error_log /var/log/nginx/{{ lists_domain }}/error.log;
+
+ location /static {
+ alias /var/lib/mailman-web/static;
+ }
+
+ # include uwsgi_params
+ location / {
+ include /etc/nginx/uwsgi_params;
+ uwsgi_pass unix:/run/mailman-web/mailman-web.sock;
+ }
+}
diff --git a/roles/mailman3/templates/settings.py.j2 b/roles/mailman3/templates/settings.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..f78a27d704d052eb0ef120fe17ead287bb71a954
--- /dev/null
+++ b/roles/mailman3/templates/settings.py.j2
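Review bot: `listen 80;` and `listen [::]:80;` bind the mailman-web vhost on every address of the host, including its public `ipv4_address`, so the service stays private only as long as the `nginx_firewall_zone: wireguard` setting in the playbook holds. Binding to the addresses the two legitimate clients actually use keeps it private even if that firewall rule is lost: `listen {{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}:80;` for the lists.archlinux.org proxy, plus `listen 127.0.0.1:80;` and `listen [::1]:80;` for mailman's local archiver calls that the `localhost` server_name is there for. `set_real_ip_from` and the rest of the block need no change.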
@@ -0,0 +1,56 @@
+# mailman-web config
+
+from mailman_web.settings.base import *
+from mailman_web.settings.mailman import *
+
+
+#: Default list of admins who receive the emails from error logging.
+ADMINS = (
+ ('Mailman Suite Admin', 'root@{{ lists_domain }}'),
+)
+
+# Postgresql datbase setup.
+DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.postgresql_psycopg2',
+ 'NAME': 'mailman-web',
+ 'USER': '{{ vault_mailman_web_db_user }}',
+ 'PASSWORD': '{{ vault_mailman_web_db_password }}',
+ }
+}
+
+#: See https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
+ALLOWED_HOSTS = [
+ "localhost", # Archiving API from Mailman, keep it.
+ "{{ lists_domain }}",
+]
+
+#: Current Django Site being served. This is used to customize the web host
+#: being used to serve the current website. For more details about Django
+#: site, see: https://docs.djangoproject.com/en/dev/ref/contrib/sites/
+SITE_ID = 1
+
+SECRET_KEY = '{{ vault_mailman_web_secret_key }}'
+
+MAILMAN_REST_API_USER = '{{ vault_mailman_admin_user }}'
+MAILMAN_REST_API_PASS = '{{ vault_mailman_admin_pass }}'
+MAILMAN_ARCHIVER_KEY = '{{ vault_mailman_archiver_key }}'
+
+#: https://docs.djangoproject.com/en/3.2/topics/email/#smtp-backend
+EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
+EMAIL_HOST = '{{ hostvars['lists.archlinux.org']['wireguard_address'] }}'
+EMAIL_PORT = 25
+
+#: Sender in Emails sent out by Postorius.
+DEFAULT_FROM_EMAIL = 'postorius@{{ lists_domain }}'
+SERVER_EMAIL = 'root@{{ lists_domain }}'
+
+POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost'
+HYPERKITTY_ALLOW_WEB_POSTING = False
+
+HAYSTACK_CONNECTIONS = {
+ 'default': {
+ 'ENGINE': 'haystack.backends.whoosh_backend.WhooshEngine',
+ 'PATH': '/var/lib/mailman-web/fulltext_index'
+ }
+}
diff --git a/roles/mailman3/templates/urls.py.j2 b/roles/mailman3/templates/urls.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..7b01c57ac33354cd33ec6c4e3eaab4ba4f463189
--- /dev/null
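Review bot: Users reach this site only through the lists.archlinux.org TLS proxy, which sends `X-Forwarded-Proto`, but nothing in these settings tells Django to trust that header; unless `mailman_web.settings.base` already does, `request.is_secure()` stays False behind the proxy and the absolute URLs Postorius/HyperKitty build (confirmation links, redirects) come out as `http://`. Add `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` next to `ALLOWED_HOSTS`; trusting the header is reasonable here because the proxy overwrites it with `$scheme` and the playbook opens the backend vhost only in the wireguard firewall zone. Minor: `datbase` in the DATABASES comment.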
+++ b/roles/mailman3/templates/urls.py.j2
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
+#
+# This file is part of Postorius.
+#
+# Postorius is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# Postorius is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# Postorius. If not, see <http://www.gnu.org/licenses/>.
+
+
+from django.urls import include, path
+from django.contrib import admin
+from django.urls import reverse_lazy
+from django.views.generic import RedirectView
+
+urlpatterns = [
+ path('', RedirectView.as_view(
+ url=reverse_lazy('list_index'),
+ permanent=True)),
+ path('mailman3/', include('postorius.urls')),
+ path('archives/', include('hyperkitty.urls')),
+ path('', include('django_mailman3.urls')),
+ path('accounts/', include('allauth.urls')),
+ # Django admin
+ path('admin3/', admin.site.urls),
+]
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 00cd5b8296d4f1278d606913f6e3eb936b9aa186..2f0347b76967a8980dbb4b1f7ae31d30f515f068 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
 letsencrypt_validation_dir: "/var/lib/letsencrypt"
+nginx_firewall_zone:
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 7e36c2ef1051afa9610ff1355245fa7ea0ea2f7c..b80b6aaf141460827be790d7336e50e256bbccfc 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -27,6 +27,7 @@
 - name: install cert renewal hook
 template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/nginx owner=root group=root mode=0755
+ when: "'certbot' in ansible_play_role_names"
 - name: create nginx.d directory
 file: state=directory path=/etc/nginx/nginx.d owner=root group=root mode=0755
@@ -59,7 +60,7 @@
 service: name=nginx enabled=yes
 - name: open firewall holes
- ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
+ ansible.posix.firewalld: service={{ item }} zone={{ nginx_firewall_zone }} permanent=true state=enabled immediate=yes
 with_items:
 - http
 - https