Verified Commit 5fb9ff20 authored by Kristian Klausen's avatar Kristian Klausen 🎉

Merge branch 'mailman3' into 'master'

Setup mailman3 server

See merge request !437
parents 95e51df5 d1c23d5d
...@@ -151,6 +151,14 @@ Prometheus, and Grafana server which receives selected performance/metrics from ...@@ -151,6 +151,14 @@ Prometheus, and Grafana server which receives selected performance/metrics from
Online collborative markdwown editor for Arch Linux Staff. Online collborative markdwown editor for Arch Linux Staff.
## mailman3.archlinux.org
This server runs mailman3 as mailman2 and mailman3 can't be installed on the same server. The HTTP and LMTP traffic is routed over WireGuard from lists.archlinux.org.
### Services
- mailman3
### Services ### Services
- [hedgedoc](https://hedgedoc.org/) - [hedgedoc](https://hedgedoc.org/)
......
...@@ -186,15 +186,15 @@ ...@@ -186,15 +186,15 @@
3072 MD5:b6:14:30:bd:fe:43:46:6a:20:a2:8b:b0:aa:d4:35:19 root@archlinux-packer (RSA) 3072 MD5:b6:14:30:bd:fe:43:46:6a:20:a2:8b:b0:aa:d4:35:19 root@archlinux-packer (RSA)
# mailman3.archlinux.org # mailman3.archlinux.org
1024 SHA256:uYhlq19YzcZ8PEModMv2Y65xsiq1H+mjdwZ8PtbPET8 root@archlinux-packer (DSA) 1024 SHA256:U1A+NO+I+JRg0YPo+UgwGfbextnL+pVuqjWGdyokLpI root@archlinux-packer (DSA)
256 SHA256:85YiWFreKiw2Pv/XaKTqs0J0VInFtyVahpDRx2O9/B4 root@archlinux-packer (ECDSA) 256 SHA256:vdEZ5/6Xxd7Azjzaf5xz5kfzQrWcq1raz5cFAIclooE root@archlinux-packer (ECDSA)
256 SHA256:b0mcOvNMzGrekDDtx83ZB1p5kN0meFek7zz1LbkfeHM root@archlinux-packer (ED25519) 256 SHA256:iCeRz+2HK7heoapDRscHpgbEX4cbem1BZpWzrAoOxTQ root@archlinux-packer (ED25519)
3072 SHA256:5hC4XSzA+/CgpL6cLYt0UbHB4aUs/o0IPxSScZwoi4A root@archlinux-packer (RSA) 3072 SHA256:sqUYYmrNXzYPL5TtsBsTnaANsZ/P7miyCAIkt0YWfBg root@archlinux-packer (RSA)
1024 MD5:3b:20:ad:1e:65:d8:3a:2e:09:69:62:46:e6:d9:6a:3e root@archlinux-packer (DSA) 1024 MD5:8f:94:fe:a9:56:ee:3f:cc:a4:e7:a5:4f:2b:02:e8:c3 root@archlinux-packer (DSA)
256 MD5:8d:ee:10:9b:05:56:b3:c7:4a:de:00:ad:95:c1:95:fa root@archlinux-packer (ECDSA) 256 MD5:ca:3e:2d:aa:8a:4b:71:3a:18:22:59:0f:6e:ff:ae:5d root@archlinux-packer (ECDSA)
256 MD5:25:a8:b9:3c:fe:74:e7:7f:39:03:8e:23:dc:20:eb:bf root@archlinux-packer (ED25519) 256 MD5:a8:d3:f8:42:ff:ae:7d:71:1b:fe:93:4b:f7:df:38:5f root@archlinux-packer (ED25519)
3072 MD5:20:a0:74:13:bd:97:59:11:75:a4:67:28:92:c3:40:35 root@archlinux-packer (RSA) 3072 MD5:51:ea:a4:ec:76:87:ee:89:e7:3a:fc:80:ea:fe:2d:9c root@archlinux-packer (RSA)
# man.archlinux.org # man.archlinux.org
1024 SHA256:11C7Qa1GSNBBspSlber3Sp+LEMRpfr/VWkypfu6OnhA root@archlinux-packer (DSA) 1024 SHA256:11C7Qa1GSNBBspSlber3Sp+LEMRpfr/VWkypfu6OnhA root@archlinux-packer (DSA)
......
...@@ -96,9 +96,9 @@ mail.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTOoGxsf23f6AjIHcQQuvbTO ...@@ -96,9 +96,9 @@ mail.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTOoGxsf23f6AjIHcQQuvbTO
mail.archlinux.org ssh-rsa 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 mail.archlinux.org ssh-rsa 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
# mailman3.archlinux.org # mailman3.archlinux.org
mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFIHctq5/hKXaU//Jkzifp71ePIzcxdlxE5SZz1e7AcNp0Cci9W8A8NPtP6DMUvv4ezdKp+A/Czcy49tQolI30s= mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLYxKdG6ntbOV/YpVbRkJiJfAPt8BTTN/hKm0uebSwpuQbbv5hxXLSOYeA0C/yJBNXXX4EJ82J88oEJQBFxiPvY=
mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0FZBrH2DQQoGn85t+2PN8t8FmUst9PsEsmGekfFAc+ mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+GtJoC+QEUyKA/ZneTBXOBs7W3JBAEb1nLDkjzsqa1
mailman3.archlinux.org ssh-rsa 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 mailman3.archlinux.org ssh-rsa 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
# man.archlinux.org # man.archlinux.org
man.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhnsStoFw6rbVpE1S1vsXNk8de1SyMag1C+v0DWVSuNYzTylYg4322WbYzw45z2XhxrF6XmCSDMvgxvFwnfLQA= man.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhnsStoFw6rbVpE1S1vsXNk8de1SyMag1C+v0DWVSuNYzTylYg4322WbYzw45z2XhxrF6XmCSDMvgxvFwnfLQA=
......
$ANSIBLE_VAULT;1.1;AES256
63633533303232373335663630346139613137616132393738383265663337636565663935386365
3262636536383962333438653033323061306433323232610a623836643732616163383364316639
37626134643334383432346465343734353566663261643334396563336132666133666431313563
6365643566626635360a616139393131346566666266653737303562663664656231643836373038
37316436643133333261313963356435353938393032313935353939613962303733623934313965
64356635626561376130336134656436386638306538373635313638393932313337316636343533
32666138613765326332373335366634313530656162383162633861666365333230303132346263
63613031643230356361383638386230613231626135663763373630666362623536663165356335
33333033376332653130626262633563336238383931393636346339333963326330373431363931
61383733626363316539653638373562616335366363306365353166666335383037633830636263
37313663636139666131623435383833313434396665663162623934646330626362346237363331
65323537383536333763646431623061646337613761363861373261343638653235333038663239
34636662663763363832643061313035316437633965346332363432653562613865623261613235
61303239626136303736356533373739343566313464343931383962633232313263383230336438
32653534623739616436346539616336373562376632303833323230643465666262303263383334
64623362363863393866666461396237613934656239653262316438633338313036303436313236
61623562376139616539646231376438636234656363666639646465663035326161346435396439
63613839396163616135313537626535393039623866646431333239383263313931386131303464
36353837303662343530663561363036633864346131343731643535386462316663353233636638
36323134643230376239326637656537633337323333616630313531653239366263386238363333
32336538613635613964366562383165616433363738623638393364363233636262643131653532
62326363356333333563383139323366363462613031303566376365643439373163613166333339
38353266616463396139336663353536336631666565656630396431363439333034653336316234
61663232383136353937336431353131323933613462666233663464656166356161613039316436
3136
---
filesystem: btrfs
ipv4_address: 65.21.106.94
wireguard_address: 10.0.0.37
wireguard_public_key: obBFreFGNDLB17+PaJspE4qNeVX4o7ZPcJj3ZmJhahg=
$ANSIBLE_VAULT;1.1;AES256
32363065633737653663623334663139323638366462343630623765396636353932653932356261
6239356162633731656330383436363861376231616462390a356432316532333632653839333230
63636434373462643231323532633362363434646230323636333264393032373632343932616361
6536383038313134300a363139313337646533626334333666326535623039323332666338306532
33643430313864663833343765623138393165386564343636306363626232666436353665353235
34623064363764336139633334663530376332633536383033313438613035303662333435313536
34366663643130633064646161613065373532653235373730316439643165383635353761396639
61656462333035666437
...@@ -45,6 +45,7 @@ security.archlinux.org ...@@ -45,6 +45,7 @@ security.archlinux.org
md.archlinux.org md.archlinux.org
lists.archlinux.org lists.archlinux.org
gluebuddy.archlinux.org gluebuddy.archlinux.org
mailman3.archlinux.org
[public_html] [public_html]
homedir.archlinux.org homedir.archlinux.org
...@@ -127,6 +128,7 @@ gluebuddy.archlinux.org ...@@ -127,6 +128,7 @@ gluebuddy.archlinux.org
homedir.archlinux.org homedir.archlinux.org
lists.archlinux.org lists.archlinux.org
mail.archlinux.org mail.archlinux.org
mailman3.archlinux.org
man.archlinux.org man.archlinux.org
matrix.archlinux.org matrix.archlinux.org
md.archlinux.org md.archlinux.org
......
- name: setup mailman3 server
hosts: mailman3.archlinux.org
remote_user: root
roles:
- { role: common }
- { role: firewalld }
- { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: hardening }
- { role: borg_client, tags: ["borg"] }
- { role: prometheus_exporters }
- { role: promtail }
- { role: nginx, nginx_firewall_zone: wireguard }
- { role: uwsgi }
- { role: postgres }
- { role: mailman3 }
/listinfo/arch-announce /archives/list/arch-announce@lists.archlinux.org/;
/listinfo/arch-devops-private /archives/list/arch-devops-private@lists.archlinux.org/;
/listinfo/arch-events /archives/list/arch-events@lists.archlinux.org/;
/listinfo/arch-wiki-admins /archives/list/arch-wiki-admins@lists.archlinux.org/;
...@@ -7,3 +7,9 @@ ...@@ -7,3 +7,9 @@
- name: reload postfix - name: reload postfix
service: name=postfix state=reloaded service: name=postfix state=reloaded
- name: run postmap
command: postmap /etc/postfix/{{ item }}
loop:
- aliases
- transport
...@@ -21,10 +21,19 @@ ...@@ -21,10 +21,19 @@
loop: loop:
- aliases - aliases
- milter_header_checks - milter_header_checks
notify: reload postfix notify: run postmap
- name: install postfix templated maps
template: src={{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644
loop:
- transport
notify: run postmap
- name: open firewall holes for postfix - name: open firewall holes for postfix
ansible.posix.firewalld: service=smtp permanent=true state=enabled immediate=yes ansible.posix.firewalld: service=smtp zone={{ item }} permanent=true state=enabled immediate=yes
loop:
-
- wireguard
when: configure_firewall when: configure_firewall
tags: tags:
- firewall - firewall
...@@ -40,6 +49,10 @@ ...@@ -40,6 +49,10 @@
- name: make nginx log dir - name: make nginx log dir
file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755 file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
- name: install nginx mailman2->mailman3 redirect map
copy: src=migrated-lists.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
notify: reload nginx
- name: set up nginx - name: set up nginx
template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644 template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
notify: reload nginx notify: reload nginx
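Review bot: In the first hunk, the static-maps task that loops over `aliases` and `milter_header_checks` now notifies `run postmap` instead of `reload postfix`, but the `run postmap` handler only rebuilds `aliases` and `transport`, so an edit to the pcre `milter_header_checks` file no longer triggers anything. Postfix daemons re-read pcre tables only when they restart, so a tightened header check may take effect late; I would keep both handlers, `notify: [run postmap, reload postfix]`. The task starts above the hunk, so its module line is not visible here. Separately, the bare `-` item in the firewalld loop presumably selects the default zone and deserves a comment saying so.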
......
...@@ -18,6 +18,11 @@ smtp_tls_security_level = may ...@@ -18,6 +18,11 @@ smtp_tls_security_level = may
mydomain = {{ lists_domain }} mydomain = {{ lists_domain }}
myorigin = {{ lists_domain }} myorigin = {{ lists_domain }}
mydestination = {{ lists_domain }} mydestination = {{ lists_domain }}
mynetworks =
127.0.0.0/8
[::1]/128
[fe80::]/64
{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}
# fatal: configuration error: mailbox_size_limit is smaller than message_size_limit # fatal: configuration error: mailbox_size_limit is smaller than message_size_limit
message_size_limit = 104857600 message_size_limit = 104857600
...@@ -41,9 +46,10 @@ smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please ...@@ -41,9 +46,10 @@ smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please
smtpd_milters = inet:localhost:11332 smtpd_milters = inet:localhost:11332
non_smtpd_milters = $smtpd_milters non_smtpd_milters = $smtpd_milters
alias_maps = texthash:/etc/postfix/aliases hash:/var/lib/mailman/data/aliases alias_maps = hash:/etc/postfix/aliases hash:/var/lib/mailman/data/aliases
local_recipient_maps = $alias_maps local_recipient_maps = hash:/etc/postfix/transport $alias_maps
alias_database = $alias_maps alias_database = $alias_maps
transport_maps = hash:/etc/postfix/transport
milter_header_checks = pcre:/etc/postfix/milter_header_checks milter_header_checks = pcre:/etc/postfix/milter_header_checks
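Review bot: The new `mynetworks` block lists `[fe80::]/64`, which treats every IPv6 link-local peer on the host's network segment as a trusted client. If `permit_mynetworks` is part of the relay restrictions (they are outside this hunk), any such neighbour could relay through this server. Unless something on-link really needs it, I would drop that line and keep loopback plus the mailman3 WireGuard address. A comment above `mynetworks`, such as `# mailman3 submits outgoing list mail over WireGuard`, would also explain why the templated address is trusted.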
......
...@@ -15,6 +15,10 @@ server { ...@@ -15,6 +15,10 @@ server {
} }
} }
map $uri $migrated_uri {
include maps/migrated-lists.map;
}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
...@@ -28,6 +32,10 @@ server { ...@@ -28,6 +32,10 @@ server {
ssl_certificate_key /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem; ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem;
if ($migrated_uri) {
return 302 $migrated_uri;
}
# redirect old urls # redirect old urls
location /mailman/ { location /mailman/ {
rewrite ^/mailman/(.*) /$1 permanent; rewrite ^/mailman/(.*) /$1 permanent;
...@@ -51,4 +59,10 @@ server { ...@@ -51,4 +59,10 @@ server {
uwsgi_pass unix:/run/uwsgi/mailman.sock; uwsgi_pass unix:/run/uwsgi/mailman.sock;
} }
location ~ ^/(static|mailman3|archives|user-profile|accounts|admin3)($|/) {
proxy_pass http://{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }};
proxy_set_header Host {{ lists_domain }};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
} }
# AUTOMATICALLY GENERATED BY MAILMAN ON 2022-04-30 15:19:36
#
# This file is generated by Mailman, and is kept in sync with the binary hash
# file. YOU SHOULD NOT MANUALLY EDIT THIS FILE unless you know what you're
# doing, and can keep the two files properly in sync. If you screw it up,
# you're on your own.
# Aliases which are visible only in the @lists.archlinux.org domain.
arch-announce@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-announce-bounces@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-announce-confirm@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-announce-join@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-announce-leave@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-announce-owner@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-announce-request@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-announce-subscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-announce-unsubscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private-bounces@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private-confirm@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private-join@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private-leave@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private-owner@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private-request@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private-subscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-devops-private-unsubscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events-bounces@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events-confirm@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events-join@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events-leave@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events-owner@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events-request@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events-subscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-events-unsubscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins-bounces@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins-confirm@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins-join@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins-leave@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins-owner@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins-request@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins-subscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
arch-wiki-admins-unsubscribe@lists.archlinux.org lmtp:[{{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}]:8024
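Review bot: The header copied from Mailman's generated file says the file is automatically generated and kept in sync with the binary hash file, but here it is an Ansible template that is edited by hand and compiled by the `run postmap` handler. I would replace it with a comment such as `# Managed by Ansible: add the nine lmtp: entries for each list migrated to mailman3 here.` so the next person does not wait for Mailman to regenerate it. The 2022-04-30 timestamp can stay as a record of when the entries were exported.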
lists_domain: lists.archlinux.org
[postfix]
# Additional configuration variables for the postfix MTA.
# This variable describe the program to use for regenerating the transport map
# db file, from the associated plain text files. The file being updated will
# be appended to this string (with a separating space), so it must be
# appropriate for os.system().
postmap_command: /usr/bin/true
# This variable describes the type of transport maps that will be generated by
# mailman to be used with postfix for LMTP transport. By default, it is set to
# hash, but mailman also supports `regex` tables.
transport_file_type: hash
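Review bot: `postmap_command: /usr/bin/true` silently turns Mailman's map regeneration into a no-op, and the copied upstream comment above it does not say why. A short line such as `# no-op: Postfix runs on lists.archlinux.org, where the transport map is maintained through Ansible` would make the intent clear. Without it, a newly created list presumably looks configured on this host while mail for it is not routed until the transport template is updated.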
---
- name: reload mailman
service: name=mailman3 state=reloaded
- name: restart mailman-web
service: name=uwsgi@mailman\\x2dweb.service state=restarted
---
- name: install mailman3 and related packages
pacman: name=mailman3,mailman3-hyperkitty,python-psycopg2,mailman-web,uwsgi-plugin-python state=present
register: install
- name: install {mailman,mailman-web} configuration
template: src={{ item.src }} dest={{ item.dest }} owner=root group={{ item.group }} mode=0640
loop:
- {src: mailman.cfg.j2, dest: /etc/mailman.cfg, group: mailman}
- {src: mailman-hyperkitty.cfg.j2, dest: /etc/mailman-hyperkitty.cfg, group: mailman}
- {src: settings.py.j2, dest: /etc/webapps/mailman-web/settings.py, group: mailman-web}
- {src: urls.py.j2, dest: /etc/webapps/mailman-web/urls.py, group: mailman-web}
notify:
- reload mailman
- restart mailman-web
- name: install mailman postfix.cfg configuration
copy: src=postfix.cfg dest=/etc/postfix.cfg owner=root group=root mode=0644
notify: reload mailman
- name: make nginx log dir
file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
notify: reload nginx
tags: ['nginx']
- name: create postgres {mailman,mailman-web} user
postgresql_user: name={{ item.username }} password={{ item.password }}
loop:
- {username: "{{ vault_mailman_db_user }}", password: "{{ vault_mailman_db_password }}"}
- {username: "{{ vault_mailman_web_db_user }}", password: "{{ vault_mailman_web_db_password }}"}
become: true
become_user: postgres
become_method: su
no_log: true
- name: create {mailman,mailman-web} db
postgresql_db: name={{ item.db }} owner={{ item.owner }}
loop:
- {db: mailman, owner: "{{ vault_mailman_db_user }}"}
- {db: mailman-web, owner: "{{ vault_mailman_web_db_user }}"}
become: true
become_user: postgres
become_method: su
- name: run Django management tasks
command: django-admin {{ item }} --pythonpath /etc/webapps/mailman-web --settings settings
loop:
- migrate
- loaddata
- collectstatic
- compress
become: true
become_user: mailman-web
when: install.changed
- name: open LMTP ipv4 port for lists.archlinux.org
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['lists.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8024 accept"
tags:
- firewall
- name: start and enable mailman{.service,-*.timer}
systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
loop:
- mailman3.service
- mailman3-digests.timer
- mailman3-gatenews.timer
- mailman3-notify.timer
- uwsgi@mailman\x2dweb.service
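Review bot: The `install {mailman,mailman-web} configuration` task renders templates that embed vault values (mailman.cfg.j2 carries the database password and the REST admin password), and nothing stops Ansible from printing the rendered content when the play runs with `--diff`. The postgres user task already sets `no_log: true`; the template task should get `diff: false` (or `no_log: true`) so the secrets stay out of terminals and CI logs. The 0640 mode with root as owner and the service group on the destination files is a good choice and should stay.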
[mailman]
site_owner: root@{{ lists_domain }}
layout: fhs
[database]
class: mailman.database.postgresql.PostgreSQLDatabase
url: postgres://{{ vault_mailman_db_user }}:{{ vault_mailman_db_password }}@/mailman
[webservice]
admin_user: {{ vault_mailman_admin_user }}
admin_pass: {{ vault_mailman_admin_pass }}
[mta]
configuration: /etc/postfix.cfg
lmtp_host: {{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}
lmtp_port: 8024
smtp_host: {{ hostvars['lists.archlinux.org']['wireguard_address'] }}
smtp_port: 25
[archiver.hyperkitty]
class: mailman_hyperkitty.Archiver
enable: yes
configuration: /etc/mailman-hyperkitty.cfg
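Review bot: The `[database]` `url` interpolates `vault_mailman_db_password` straight into a URL, so a password containing `@`, `:`, `/` or `%` would be parsed as part of the URL structure and the connection would fail or point somewhere unintended. Either percent-encode the value in the template or document the constraint next to it, e.g. `# vault_mailman_db_password must be URL-safe (no @ : / %)`. The `[webservice]` section sets no hostname, so presumably the REST API stays on Mailman's default local binding; that is worth confirming, since `admin_pass` is the only other protection on it.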
server {
listen 80;
listen [::]:80;
server_name {{ lists_domain }} localhost;
set_real_ip_from {{ hostvars['lists.archlinux.org']['wireguard_address'] }}/32;
real_ip_header X-Forwarded-For;
access_log /var/log/nginx/{{ lists_domain }}/access.log main;
access_log /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
error_log /var/log/nginx/{{ lists_domain }}/error.log;
location /static {
alias /var/lib/mailman-web/static;
}
# include uwsgi_params
location / {
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:/run/mailman-web/mailman-web.sock;
}
}
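Review bot: This vhost listens on plain port 80 on every address and trusts `X-Forwarded-For` from the lists host, which is only safe because the playbook puts nginx in the `wireguard` firewall zone; nothing in the file says so. I would add a comment at the top, `# Plain HTTP on purpose: TLS terminates on lists.archlinux.org; reachable only via the wireguard firewall zone`, so the dependency is not lost if the firewall role changes. The `# include uwsgi_params` comment restates the next line and can go.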