mailman3 whoop whoop

695b34e2 · Kristian Klausen · 94045bd8 · 695b34e2 · 695b34e2 · 695b34e2
Commit 695b34e2 authored 2 years ago by Kristian Klausen
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -157,14 +157,6 @@ Prometheus, and Grafana server which receives selected performance/metrics from

  Online collborative markdwown editor for Arch Linux Staff.

-## mailman3.archlinux.org
-
-This server runs mailman3 as mailman2 and mailman3 can't be installed on the same server. The HTTP and LMTP traffic is routed over WireGuard from lists.archlinux.org.
-
-### Services
-
-  - mailman3
-
 ### Services
  - [hedgedoc](https://hedgedoc.org/)


--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -164,15 +164,15 @@
 3072 MD5:50:c8:93:43:05:d5:73:a4:84:b1:07:66:a7:20:a5:79 root@archlinux-packer (RSA)

 # lists.archlinux.org
-1024 SHA256:/o3BhNZ6MdfHXrqDzVxP5OgKcTmo1/e2v80Xb+Q2ypc root@archlinux-packer (DSA)
-256 SHA256:Xe+YrG+IfhtQkNft+SB7UsTQCIgbqNnqMl/Pqs6uzBE root@archlinux-packer (ECDSA)
-256 SHA256:fAKD+26rDZ74MOMWZI8L3k2c7RzTYd69+iwKp4zhw8c root@archlinux-packer (ED25519)
-3072 SHA256:NyspEiVRnuRtL854ErcdybtjoBia+miQkpuToYZEl78 root@archlinux-packer (RSA)
+1024 SHA256:U1A+NO+I+JRg0YPo+UgwGfbextnL+pVuqjWGdyokLpI root@archlinux-packer (DSA)
+256 SHA256:vdEZ5/6Xxd7Azjzaf5xz5kfzQrWcq1raz5cFAIclooE root@archlinux-packer (ECDSA)
+256 SHA256:iCeRz+2HK7heoapDRscHpgbEX4cbem1BZpWzrAoOxTQ root@archlinux-packer (ED25519)
+3072 SHA256:sqUYYmrNXzYPL5TtsBsTnaANsZ/P7miyCAIkt0YWfBg root@archlinux-packer (RSA)

-1024 MD5:fb:bb:0e:a8:0c:5c:41:5a:b1:d9:61:4d:e5:c3:bf:b1 root@archlinux-packer (DSA)
-256 MD5:56:43:80:27:a7:4e:4c:1f:a4:14:dd:d1:eb:37:13:a9 root@archlinux-packer (ECDSA)
-256 MD5:3c:91:d8:b0:4b:5c:36:40:79:27:8a:c7:24:d6:26:af root@archlinux-packer (ED25519)
-3072 MD5:88:99:f2:47:b1:e3:3c:99:52:67:d5:d5:55:b0:af:2c root@archlinux-packer (RSA)
+1024 MD5:8f:94:fe:a9:56:ee:3f:cc:a4:e7:a5:4f:2b:02:e8:c3 root@archlinux-packer (DSA)
+256 MD5:ca:3e:2d:aa:8a:4b:71:3a:18:22:59:0f:6e:ff:ae:5d root@archlinux-packer (ECDSA)
+256 MD5:a8:d3:f8:42:ff:ae:7d:71:1b:fe:93:4b:f7:df:38:5f root@archlinux-packer (ED25519)
+3072 MD5:51:ea:a4:ec:76:87:ee:89:e7:3a:fc:80:ea:fe:2d:9c root@archlinux-packer (RSA)

 # mail.archlinux.org
 1024 SHA256:/d3MC4NoQbPSNgNebFyzNCze4HVHPhITVWy9vWdZUp4 root@archlinux-packer (DSA)
@@ -185,17 +185,6 @@
 256 MD5:dd:20:c1:f1:f2:fa:70:86:3a:e2:39:86:b1:01:2f:61 root@archlinux-packer (ED25519)
 3072 MD5:b6:14:30:bd:fe:43:46:6a:20:a2:8b:b0:aa:d4:35:19 root@archlinux-packer (RSA)

-# mailman3.archlinux.org
-1024 SHA256:U1A+NO+I+JRg0YPo+UgwGfbextnL+pVuqjWGdyokLpI root@archlinux-packer (DSA)
-256 SHA256:vdEZ5/6Xxd7Azjzaf5xz5kfzQrWcq1raz5cFAIclooE root@archlinux-packer (ECDSA)
-256 SHA256:iCeRz+2HK7heoapDRscHpgbEX4cbem1BZpWzrAoOxTQ root@archlinux-packer (ED25519)
-3072 SHA256:sqUYYmrNXzYPL5TtsBsTnaANsZ/P7miyCAIkt0YWfBg root@archlinux-packer (RSA)
-
-1024 MD5:8f:94:fe:a9:56:ee:3f:cc:a4:e7:a5:4f:2b:02:e8:c3 root@archlinux-packer (DSA)
-256 MD5:ca:3e:2d:aa:8a:4b:71:3a:18:22:59:0f:6e:ff:ae:5d root@archlinux-packer (ECDSA)
-256 MD5:a8:d3:f8:42:ff:ae:7d:71:1b:fe:93:4b:f7:df:38:5f root@archlinux-packer (ED25519)
-3072 MD5:51:ea:a4:ec:76:87:ee:89:e7:3a:fc:80:ea:fe:2d:9c root@archlinux-packer (RSA)
-
 # man.archlinux.org
 1024 SHA256:11C7Qa1GSNBBspSlber3Sp+LEMRpfr/VWkypfu6OnhA root@archlinux-packer (DSA)
 256 SHA256:fL79NVaEiwXGfUhTXWLkue/D1seSADYbui+jwQ2dvW0 root@archlinux-packer (ECDSA)

--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -86,20 +86,15 @@ homedir.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxEHvFCXujU6s4eW0U79o
 homedir.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDuQbGoCSIPisaZeqtJhM369ugQWc8pHE8404AZu0yUgDxMl6AP5BUfdynlR6VGt4edSaEyp9BkT15YaKh5vph/9MUtZ2zbQ7WPRuvfLNG+RI458q4CYdykVMmTs1DEeAxaVMIAL3225pqh7QMcME0edX9f4PLLkQk8+AAAy24rvgwxLE0BnSLB3zp7wCJw5rm2iZAcqsKkIZw2FJKMlRuEovdvgc7A0FfkSc8muvvHET1FK/Uqv5i9R2Xk3NPFkt/bzcwOVBXCeqUrjLmD0UhRWX8J8GMmrEVPVQLBT6mn/OtlXpOiDcr9HkSLS1mqo59N9wyI4tCKjYQZMEWU36PYjXlDzqOGmdAR6Ly8vDo3BC+ByQqLf/ixkoFD/I5inGejPnAv9eXuiP8o0KoPDOALD8gqwqCoPjElE9ZVObp+NJbuQeXRZt70VKxZEWrUKxKxHM3RoYvgd3h/GHaYEGWdbvTMTVK+xnrczL+Eme4Y81zA8KTwY5qbyc5QCHvksKM=

 # lists.archlinux.org
-lists.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKBHMlX50Jr2HiVJ/qDSH3mAjobpbBrGvBRXTKB/xXFBiVXCbJQCQ9HKXQZunLALaIm+jAgpskbXqLQMEpWzST8=
-lists.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVKwNsXUXpgNhlwPVlBRNlpvOt0U9deANS/n//nxbe1
-lists.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuKQnkGRdXyu74f92lzJcQMMDjTzVXkne/mLHiMYKQWlboIBIry3FkzyUGDLbNlZOe4PNR43D9FI0/1EjAuVV72HVQ9sidCbJR/azw3+JF8zwU1HDMOhtCNaWYNqk0DHDvHuWhL6N0duFASf+ZTKRB5Rgk3+p0FisKMCep2vJy5kHY0829INk6ORgPxYzCHCZOLEfZX0aydwscTnubKq1t9blWUdqKSm5Xq5+NEJNPKlo6TgdcBihkdAyaGnZ9KWrXycV6j0UaT/VJNuumZ9KlsvI7Xi/TVDWcLcsU/UqeEvnzUi3oRrvkADzIcoFa5/QrSRQJppKAUgjuhOuk+Px38IIvRdrwDxDoChei+qU8S2O24PP7Cu4oYZ/ecGb8wJleEWVVaYrD5JTEugg0iTe2t0LJiP6rTC1faxErZ9wru18nGNWYR2b+b1MfBzppAoikZUoqygKYYLAerHj3B9wFmw2RJG8JFZ95lMukJmDG8kCYz7eq753PYAAmpFZbdZU=
+lists.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLYxKdG6ntbOV/YpVbRkJiJfAPt8BTTN/hKm0uebSwpuQbbv5hxXLSOYeA0C/yJBNXXX4EJ82J88oEJQBFxiPvY=
+lists.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+GtJoC+QEUyKA/ZneTBXOBs7W3JBAEb1nLDkjzsqa1
+lists.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdPJQIkN6wDk/140HS1WCIKc0Iz7Oq8c98XaLB0i9ksUxkWB4rxia/WP5RRF+g9yAqZvIg0f5W0d85pfuh+1TOccXk8r6GsH+gRIEkdmwu4Mf7iBpkQxl3n70yjNGxgbwGkVG9vREvJ4v3l/NRZrX2/N3RvcPG9TQwjFFOFYTRZNfUPvsppk572yQ8cjf7oUvJmLOwsKagO5WMUoKFAbO35/Mp2H6VbApYtIdpkFOXnaJUVduHInNa18CmKl28ZSTsigLkYb8pboS6RacJYgA5kK0vQsXCguDrA+SI9k1xW4i9FjUWsLlPuLkk9c7Tj39R95gWhxWwQ99ApNDVvZa+skSbMS7h4/d3NosyM2OO9LfqPiHn2xDsuvmpN0ScCwuocwR09EMrj4MQKzo31ITFHuSyxob0Z4yTQrKvJxdNwveXqaRHFNXUvSWtoRkk2cKB5hjsr0QCROBidYu4WG+/LfolzJQfuRqH7dvg5dvmJLrcozfcCpxspdBTIEKLG/c=

 # mail.archlinux.org
 mail.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvJy2P8zOSKt3EocULHN85PVGW1AINk15+GilqUc5a79Zsy0FvWqV16fjxLRN3zIOkBvSKZMvsNadja+quEr9s=
 mail.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTOoGxsf23f6AjIHcQQuvbTOaeIt48Y0PiBj9qlJi1H
 mail.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPrURadxte8UJiteGa6+Q+OjTAjhvGAQFkNSXj1pr4k03uxkU6l2v2LuTygk+4SZSCyUsKvNx/ljJeHBnuecQ8rRv19ZFqy/GQKB3oEmiNYMo2dYYlJWwTVBHatmghhB1j2y40yqdKWH2xQuXC3HtnS7fHG0g1Rc4R9KB4MQlcXkwnSEMpwpWBoO7sr0M4YTdwE+nSG9aNfyPbPGp3mX4ATz5X5hPJOlSFVDV6NuKrA+5qyt4jSKdeG5IuWeEnEJesYJEvShYdY9DvMCXnZykB0emzzk+5+Cp2lTPf9LOO3wNsTgHV/CwkoAoMgr9+ASefhBr3nxmmrs9T7nwuobGCGFUqQ2D8IKCmsWGVKXYERViz3x/gYUIlHgVJpoIXCFFqbdpWwxKR1aDMug2fFe699/FzuPdqrWPFdQMF2mPQ0w3AH/62KGp+PULE2HxrlCiY/gF2m8iJLgunxVKmi/c0ufgK9QilnKcPO+W4tcISa5MYt7MSTTLV9eVsgVjGhOU=

-# mailman3.archlinux.org
-mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLYxKdG6ntbOV/YpVbRkJiJfAPt8BTTN/hKm0uebSwpuQbbv5hxXLSOYeA0C/yJBNXXX4EJ82J88oEJQBFxiPvY=
-mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+GtJoC+QEUyKA/ZneTBXOBs7W3JBAEb1nLDkjzsqa1
-mailman3.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdPJQIkN6wDk/140HS1WCIKc0Iz7Oq8c98XaLB0i9ksUxkWB4rxia/WP5RRF+g9yAqZvIg0f5W0d85pfuh+1TOccXk8r6GsH+gRIEkdmwu4Mf7iBpkQxl3n70yjNGxgbwGkVG9vREvJ4v3l/NRZrX2/N3RvcPG9TQwjFFOFYTRZNfUPvsppk572yQ8cjf7oUvJmLOwsKagO5WMUoKFAbO35/Mp2H6VbApYtIdpkFOXnaJUVduHInNa18CmKl28ZSTsigLkYb8pboS6RacJYgA5kK0vQsXCguDrA+SI9k1xW4i9FjUWsLlPuLkk9c7Tj39R95gWhxWwQ99ApNDVvZa+skSbMS7h4/d3NosyM2OO9LfqPiHn2xDsuvmpN0ScCwuocwR09EMrj4MQKzo31ITFHuSyxob0Z4yTQrKvJxdNwveXqaRHFNXUvSWtoRkk2cKB5hjsr0QCROBidYu4WG+/LfolzJQfuRqH7dvg5dvmJLrcozfcCpxspdBTIEKLG/c=
-
 # man.archlinux.org
 man.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhnsStoFw6rbVpE1S1vsXNk8de1SyMag1C+v0DWVSuNYzTylYg4322WbYzw45z2XhxrF6XmCSDMvgxvFwnfLQA=
 man.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzjkN+igIxSIv5N9+ANNoo6knPa51Tj5TAXs4EQ8lY2

--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -26,7 +26,6 @@ root_ssh_keys:
      - dashboards.archlinux.org
      - gitlab.archlinux.org
      - lists.archlinux.org
-      - mailman3.archlinux.org
      - monitoring.archlinux.org

 # - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this

--- a/host_vars/mailman3.archlinux.org/misc
+++ b/host_vars/mailman3.archlinux.org/misc
-filesystem: btrfs
-ipv4_address: 65.21.106.94
-wireguard_address: 10.0.0.37
-wireguard_public_key: obBFreFGNDLB17+PaJspE4qNeVX4o7ZPcJj3ZmJhahg=
--- a/host_vars/mailman3.archlinux.org/vault_wireguard.yml
+++ b/host_vars/mailman3.archlinux.org/vault_wireguard.yml
-$ANSIBLE_VAULT;1.1;AES256
-32363065633737653663623334663139323638366462343630623765396636353932653932356261
-6239356162633731656330383436363861376231616462390a356432316532333632653839333230
-63636434373462643231323532633362363434646230323636333264393032373632343932616361
-6536383038313134300a363139313337646533626334333666326535623039323332666338306532
-33643430313864663833343765623138393165386564343636306363626232666436353665353235
-34623064363764336139633334663530376332633536383033313438613035303662333435313536
-34366663643130633064646161613065373532653235373730316439643165383635353761396639
-61656462333035666437
--- a/hosts
+++ b/hosts
@@ -51,7 +51,6 @@ security.archlinux.org
 md.archlinux.org
 lists.archlinux.org
 gluebuddy.archlinux.org
-mailman3.archlinux.org

 [public_html]
 homedir.archlinux.org
@@ -138,7 +137,6 @@ gluebuddy.archlinux.org
 homedir.archlinux.org
 lists.archlinux.org
 mail.archlinux.org
-mailman3.archlinux.org
 man.archlinux.org
 matrix.archlinux.org
 md.archlinux.org

--- a/playbooks/lists.archlinux.org.yml
+++ b/playbooks/lists.archlinux.org.yml
@@ -8,7 +8,7 @@
    - { role: sshd }
    - { role: root_ssh }
    - { role: hardening }
-    - { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" }
+    - { role: borg_client, tags: ["borg"] }
    - { role: prometheus_exporters }
    - { role: promtail }
    - { role: certbot }
@@ -17,4 +17,5 @@
    - { role: rspamd, rspamd_dkim_domain: lists.archlinux.org, rspamd_dkim_use_esld: false, tags: ["mail"] }
    - { role: unbound, unbound_port: 5353, tags: ["mail"] }
    - { role: uwsgi }
+    - { role: postgres }
    - { role: mailman }
--- a/playbooks/mailman3.archlinux.org.yml
+++ b/playbooks/mailman3.archlinux.org.yml
- name: Setup mailman3 server
-  hosts: mailman3.archlinux.org
-  remote_user: root
-  roles:
-    - { role: common }
-    - { role: firewalld }
-    - { role: wireguard }
-    - { role: sshd }
-    - { role: root_ssh }
-    - { role: hardening }
-    - { role: borg_client, tags: ["borg"] }
-    - { role: prometheus_exporters }
-    - { role: promtail }
-    - { role: nginx, nginx_firewall_zone: wireguard }
-    - { role: uwsgi }
-    - { role: postgres }
-    - { role: mailman3 }
--- a/roles/mailman/defaults/main.yml
+++ b/roles/mailman/defaults/main.yml
 lists_domain: lists.archlinux.org
+lists:
+  arch-announce:
+    allow_list_posts: false
+    bounce_info_stale_after: 60d
+    default_member_action: reject
+    default_nonmember_action: reject
+    description: This mailing list is for official announcements for the Arch Linux distribution.
+    display_name: Arch-announce
+    moderator_password: "{{ vault_archweb_mailman_password }}"
+  arch-commits:
+    allow_list_posts: false
+    accept_these_nonmembers:
+      - ^.+@(.+\.)?archlinux\.org
+    archive_policy: never
+    default_member_action: reject
+    default_nonmember_action: reject
+    description: Arch Linux packaging commits
+    display_name: Arch-commits
+    info: This list contains all commits to the package repositories, including diffs for newest changes.
+    max_message_size: 200
+  arch-dev:
+    advertised: false
+    archive_policy: private
+    description: Development Discussion for Arch Linux
+    display_name: Arch-dev
+    info: This list is for development discussion about Arch Linux.  This list is closed to the general public and only used by internal Arch Linux developers.
+    subscription_policy: confirm_then_moderate
+  arch-devops:
+    display_name: Arch-devops
+    description: Arch Linux Infrastructure development discussion
+  arch-devops-private:
+    advertised: false
+    archive_policy: private
+    description: List for internal discussion of the devops team
+    display_name: Arch-devops-private
+    subscription_policy: confirm_then_moderate
+  arch-dev-public:
+    default_member_action: hold
+    description: Public mailing list for Arch Linux development
+    display_name: Arch-dev-public
+  arch-events:
+    description: Arch Linux Events
+    display_name: Arch-events
+  arch-general:
+    description: General Discussion about Arch Linux
+    display_name: Arch-general
+    info: "This mailing list hosts general discusson about the Arch Linux distribution.  Questions, problems, and new development ideas can be posted here.\n\nYou must be subscribed to the list in order to post to it."
+  arch-mirrors-announce:
+    description: List for mirror admins to send announcements (like downtime notifications) to our users
+    display_name: Arch-mirrors-announce
+    info: "This list is intended for admins of Arch Linux mirrors that want to notify our users about downtime of their mirror.\r\n\r\nThis list also accepts mails from non-subscribers."
+  arch-mirrors:
+    description: Arch Linux Mirroring Discussion and Announcements
+    display_name: Arch-mirrors
+    info: This list is intended for admins of Arch Linux mirrors. Discussion and announcements regarding mirroring will use this list.
+  arch-multilib:
+    description: Arch Linux Multilib (32bit libs on 64bit OSes)
+    display_name: Arch-multilib
+  arch-ports:
+    description: Discussion regarding the porting of Arch Linux to non-x86_64 architectures
+    display_name: Arch-ports
+    info: This list is primarily used to talk about porting Arch Linux to non-x86_64 platforms, such as PPC, ARM, i586, i686, etc.
+  arch-proaudio:
+    description: Discussion about real-time multimedia, including (semi-)pro audio and video
+    display_name: Arch-proaudio
+  arch-projects:
+    description: Arch Linux projects development discussion
+    display_name: Arch-projects
+    info: "Announcements, development discussion, patches and pull requests for the Arch Linux projects:<ul><li><a target=\"blank\" href=\"https://github.com/archlinux/archweb/\">archweb</a> (patches preferably on Github as pull requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/arch-release-promotion/\">arch-release-promotion</a> (patches only on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/dbscripts/\">dbscripts</a> (patches preferably on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/devtools/\">devtools</a> (patches preferably on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://github.com/archlinux/mkinitcpio/\">mkinitcpio</a> (patches preferably on Github as pull requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/namcap/\">namcap</a> (patches preferably on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/netctl/\">netctl</a> (patches preferably on the mailing list)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/pyalpm/\">pyalpm</a> (patches preferably on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/repod/\">repod</a> (patches only on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/shim-signed/\">shim-signed</a> (contributions preferably on GitLab as merge requests)</li></ul>\r\nPlease begin the email subject with the name of a project in square brackets (e.g. <code>[devtools]</code>). If no project matches, use <code>[projects]</code>.\r\n\r\nNote: No user discussion!"
+  arch-releng:
+    description: Arch Linux Release Engineering
+    display_name: Arch-releng
+  arch-security:
+    description: Announcements about security issues in Arch Linux and its packages
+    display_name: Arch-security
+    info: Discussion about announcements should happen on arch-general.
+  arch-tu:
+    advertised: false
+    archive_policy: private
+    description: Trusted Users Discussion for Arch Linux
+    display_name: Arch-tu
+    info: This list is for trusted users discussion about Arch Linux.  This list is closed to the general public and only used by internal Arch Linux trusted users.
+    subscription_policy: confirm_then_moderate
+  arch-wiki-admins:
+    advertised: false
+    archive_policy: private
+    display_name: Arch-wiki-admins
+    subscription_policy: confirm_then_moderate
+  arch-women:
+    description: Mailing list for the Arch Women project
+    display_name: Arch-women
+    info: "<a href=\"https://archwomen.org/\">Arch Women</a> is an all inclusive organization of Arch Linux enthusiasts with a focus on helping more women become involved in the Arch Linux community and FOSS.\r\n\r\nMailing list graciously hosted by the Arch Linux™ project."
+  aur-dev:
+    description: Arch User Repository (AUR) Development
+    display_name: Aur-dev
+    info: This list is intended for discussion of AUR and community based code and development.
+  aur-general:
+    description: Discussion about the Arch User Repository (AUR)
+    display_name: Aur-general
+    info: This list is for Trusted Users, Arch Linux developers, and the general public to discuss issues surrounding the Trusted User structure and the Arch User Repository (AUR).
+  aur-requests:
+    accept_these_nonmembers:
+      - notify@aur.archlinux.org
+    description: Public mailing list for AUR package deletion/merge/orphan requests
+    display_name: Aur-requests
+  pacman-contrib:
+    description: Discussion list for pacman-contrib development
+    display_name: Pacman-contrib
+    info: This list is used by pacman-contrib developers to coordinate, share patches, etc.
+  pacman-dev:
+    description: Discussion list for pacman development
+    display_name: Pacman-dev
+    info: This list is used by pacman developers and contributors to coordinate, fix problems, share patches, etc.
+  staff:
+    advertised: false
+    archive_policy: private
+    description: Internal list that includes all Arch Linux staff members (devs, TUs, support staff)
+    display_name: Staff
+    subscription_policy: confirm_then_moderate
--- a/roles/mailman3/files/list_base_configuration.json
+++ b/roles/mailman3/files/list_base_configuration.json
--- a/roles/mailman/files/mailman.ini
+++ b/roles/mailman/files/mailman.ini
-[uwsgi]
-plugins = cgi
-socket = /run/uwsgi/%n.sock
-chmod-socket = 770
-threads = 2
-
-cgi = /=/usr/lib/mailman/cgi-bin/
-cgi-index = listinfo
-uid = mailman
-gid = http
--- a/roles/mailman/files/migrated-lists.map
+++ b/roles/mailman/files/migrated-lists.map
-/listinfo/arch-announce /mailman3/lists/arch-announce@lists.archlinux.org/;
-/listinfo/arch-commits /mailman3/lists/arch-commits@lists.archlinux.org/;
-/listinfo/arch-dev /mailman3/lists/arch-dev@lists.archlinux.org/;
-/listinfo/arch-dev-public /mailman3/lists/arch-dev-public@lists.archlinux.org/;
-/listinfo/arch-devops /mailman3/lists/arch-devops@lists.archlinux.org/;
-/listinfo/arch-devops-private /mailman3/lists/arch-devops-private@lists.archlinux.org/;
-/listinfo/arch-events /mailman3/lists/arch-events@lists.archlinux.org/;
-/listinfo/arch-general /mailman3/lists/arch-general@lists.archlinux.org/;
-/listinfo/arch-mirrors /mailman3/lists/arch-mirrors@lists.archlinux.org/;
-/listinfo/arch-mirrors-announce /mailman3/lists/arch-mirrors-announce@lists.archlinux.org/;
-/listinfo/arch-multilib /mailman3/lists/arch-multilib@lists.archlinux.org/;
-/listinfo/arch-ports /mailman3/lists/arch-ports@lists.archlinux.org/;
-/listinfo/arch-proaudio /mailman3/lists/arch-proaudio@lists.archlinux.org/;
-/listinfo/arch-projects /mailman3/lists/arch-projects@lists.archlinux.org/;
-/listinfo/arch-releng /mailman3/lists/arch-releng@lists.archlinux.org/;
-/listinfo/arch-security /mailman3/lists/arch-security@lists.archlinux.org/;
-/listinfo/arch-tu /mailman3/lists/arch-tu@lists.archlinux.org/;
-/listinfo/arch-wiki-admins /mailman3/lists/arch-wiki-admins@lists.archlinux.org/;
-/listinfo/arch-women /mailman3/lists/arch-women@lists.archlinux.org/;
-/listinfo/aur-dev /mailman3/lists/aur-dev@lists.archlinux.org/;
-/listinfo/aur-general /mailman3/lists/aur-general@lists.archlinux.org/;
-/listinfo/aur-requests /mailman3/lists/aur-requests@lists.archlinux.org/;
-/listinfo/pacman-contrib /mailman3/lists/pacman-contrib@lists.archlinux.org/;
-/listinfo/pacman-dev /mailman3/lists/pacman-dev@lists.archlinux.org/;
-/listinfo/staff /mailman3/lists/staff@lists.archlinux.org/;
--- a/roles/mailman/files/override.conf
+++ b/roles/mailman/files/override.conf
-[Service]
-Restart=always
--- a/roles/mailman/handlers/main.yml
+++ b/roles/mailman/handlers/main.yml
- name: Restart mailman
-  service: name=mailman daemon_reload=yes state=restarted
-
 - name: Reload mailman
-  service: name=mailman state=reloaded
+  service: name=mailman3 state=reloaded
+
+- name: Restart mailman-web
+  service: name=uwsgi@mailman\\x2dweb.service state=restarted

 - name: Reload postfix
  service: name=postfix state=reloaded
@@ -11,4 +11,3 @@
  command: postmap /etc/postfix/{{ item }}
  loop:
    - aliases
-    - transport
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -4,12 +4,19 @@
  vars:
    domains: ["{{ lists_domain }}"]

- name: Install mailman, uwsgi-plugin-cgi and postfx
-  pacman: name=mailman,uwsgi-plugin-cgi,postfix,postfix-pcre state=present
+- name: Install mailman3 and related packages
+  pacman: name=mailman3,mailman3-hyperkitty,python-psycopg2,mailman-web,uwsgi-plugin-python,postfix,postfix-pcre state=present
+  register: install

- name: Install mailman configuration
-  template: src=mm_cfg.py.j2 dest=/etc/mailman/mm_cfg.py follow=yes owner=root group=root mode=0644
-  notify: Reload mailman
+- name: Install {mailman,mailman-web} configuration
+  template: src={{ item.src }} dest={{ item.dest }} owner=root group={{ item.group }} mode=0640
+  loop:
+    - {src: mailman.cfg.j2, dest: /etc/mailman.cfg, group: mailman}
+    - {src: mailman-hyperkitty.cfg.j2, dest: /etc/mailman-hyperkitty.cfg, group: mailman}
+    - {src: settings.py.j2, dest: /etc/webapps/mailman-web/settings.py, group: mailman-web}
+  notify:
+    - Reload mailman
+    - Restart mailman-web

 - name: Install postfix configuration
  template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644
@@ -22,59 +29,66 @@
    - milter_header_checks
  notify: Run postmap

- name: Install postfix templated maps
-  template: src={{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644
-  loop:
-    - transport
-  notify: Run postmap
-
 - name: Open firewall holes for postfix
-  ansible.posix.firewalld: service=smtp zone={{ item }} permanent=true state=enabled immediate=yes
-  loop:
-    -
-    - wireguard
-  when: configure_firewall
+  ansible.posix.firewalld: service=smtp permanent=true state=enabled immediate=yes
  tags:
    - firewall

- name: Create mailman list
-  command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} meG0n5Wq6dEWCA6s
-  args:
-    creates: /var/lib/mailman/lists/mailman
-
- name: Configure mailman uwsgi service
-  copy: src=mailman.ini dest=/etc/uwsgi/vassals/ owner=mailman group=http mode=0644
-
 - name: Make nginx log dir
  file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755

- name: Install nginx mailman2->mailman3 redirect map
-  copy: src=migrated-lists.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
-  notify: Reload nginx
-
 - name: Set up nginx
  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
  notify: Reload nginx
-  tags: ['nginx']

- name: Start and enable postfix
-  systemd: name=postfix.service enabled=yes daemon_reload=yes state=started
+- name: Create postgres {mailman,mailman-web} user
+  postgresql_user: name={{ item.username }} password={{ item.password }}
+  loop:
+    - {username: "{{ vault_mailman_db_user }}", password: "{{ vault_mailman_db_password }}"}
+    - {username: "{{ vault_mailman_web_db_user }}", password: "{{ vault_mailman_web_db_password }}"}
+  become: true
+  become_user: postgres
+  become_method: su
+  no_log: true

- name: Create drop-in directory for mailman.service
-  file: path=/etc/systemd/system/mailman.service.d state=directory owner=root group=root mode=0755
+- name: Create {mailman,mailman-web} db
+  postgresql_db: name={{ item.db }} owner={{ item.owner }}
+  loop:
+    - {db: mailman, owner: "{{ vault_mailman_db_user }}"}
+    - {db: mailman-web, owner: "{{ vault_mailman_web_db_user }}"}
+  become: true
+  become_user: postgres
+  become_method: su

- name: Install drop-in for mailman.service
-  copy: src=override.conf dest=/etc/systemd/system/mailman.service.d/ owner=root group=root mode=0644
-  notify: Restart mailman
+- name: Run Django management tasks
+  command: django-admin {{ item }} --pythonpath /etc/webapps/mailman-web --settings settings
+  loop:
+    - migrate
+    - loaddata
+    - collectstatic
+    - compress
+  become: true
+  become_user: mailman-web
+  when: false
+
+- name: Start and enable postfix
+  systemd: name=postfix.service enabled=yes daemon_reload=yes state=started

 - name: Start and enable mailman{.service,-*.timer}
  systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
  loop:
-    - mailman.service
-    - mailman-senddigests.timer
-    - mailman-nightlygzip.timer
-    - mailman-mailpasswds.timer
-    - mailman-gatenews.timer
-    - mailman-disabled.timer
-    - mailman-cullbadshunt.timer
-    - mailman-checkdbs.timer
+    - mailman3.service
+    - mailman3-digests.timer
+    - mailman3-notify.timer
+    - uwsgi@mailman\x2dweb.service
+
+- name: update list configurations
+  uri:
+    url: http://localhost:8001/3.1/lists/{{ item }}.lists.archlinux.org/config
+    user: "{{ vault_mailman_admin_user }}"
+    password: "{{ vault_mailman_admin_pass }}"
+    method: PUT
+    body_format: json
+    status_code: 204
+    body: "{{ lookup('file', 'list_base_configuration.json') | from_json | combine(lists[item]) | to_json }}"
+  loop: "{{ lists.keys() }}"
--- a/roles/mailman3/templates/mailman-hyperkitty.cfg.j2
+++ b/roles/mailman3/templates/mailman-hyperkitty.cfg.j2
@@ -15,7 +15,7 @@
 # better if it is not.
 # However, if your Mailman installation is accessed via HTTPS, the URL needs
 # to match your SSL certificate (e.g. https://lists.example.com/hyperkitty).
-base_url: http://localhost/archives/
+base_url: http://localhost:8000/archives/

 # Shared API key, must be the identical to the value in HyperKitty's
 # settings.

--- a/roles/mailman3/templates/mailman.cfg.j2
+++ b/roles/mailman3/templates/mailman.cfg.j2
@@ -11,10 +11,9 @@ admin_user: {{ vault_mailman_admin_user }}
 admin_pass: {{ vault_mailman_admin_pass }}

 [mta]
-configuration: /etc/postfix.cfg
-lmtp_host: {{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}
+lmtp_host: 127.0.0.1
 lmtp_port: 8024
-smtp_host: {{ hostvars['lists.archlinux.org']['wireguard_address'] }}
+smtp_host: 127.0.0.1
 smtp_port: 25

 [archiver.hyperkitty]

--- a/roles/mailman/templates/main.cf.j2
+++ b/roles/mailman/templates/main.cf.j2
@@ -22,7 +22,6 @@ mynetworks =
    127.0.0.0/8
    [::1]/128
    [fe80::]/64
-    {{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}

 # fatal: configuration error: mailbox_size_limit is smaller than message_size_limit
 message_size_limit = 104857600
@@ -46,10 +45,10 @@ smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please
 smtpd_milters = inet:localhost:11332
 non_smtpd_milters = $smtpd_milters

-alias_maps = hash:/etc/postfix/aliases hash:/var/lib/mailman/data/aliases
-local_recipient_maps = hash:/etc/postfix/transport $alias_maps
+alias_maps = hash:/etc/postfix/aliases
+local_recipient_maps = hash:/var/lib/mailman/data/postfix_lmtp $alias_maps
 alias_database = $alias_maps
-transport_maps = hash:/etc/postfix/transport
+transport_maps = hash:/var/lib/mailman/data/postfix_lmtp

 milter_header_checks = pcre:/etc/postfix/milter_header_checks


--- a/roles/mailman/templates/mm_cfg.py.j2
+++ b/roles/mailman/templates/mm_cfg.py.j2
-# -*- python -*-
-
-# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-# 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software 
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-"""This module contains your site-specific settings.
-
-From a brand new distribution it should be copied to mm_cfg.py.  If you
-already have an mm_cfg.py, be careful to add in only the new settings you
-want.  Mailman's installation procedure will never overwrite your mm_cfg.py
-file.
-
-The complete set of distributed defaults, with documentation, are in the file
-Defaults.py.  In mm_cfg.py, override only those you want to change, after the
-
-  from Defaults import *
-
-line (see below).
-
-Note that these are just default settings; many can be overridden via the
-administrator and user interfaces on a per-list or per-user basis.
-
-Also note that many of these settings will not be effective until Mailman
-is restarted.  Thus, you should always restart Mailman after changing this
-file.
-
-Further, settings which relate to a list's host_name and web_page_url only
-affect lists created after the change.  For existing lists, see the FAQ at
-<http://wiki.list.org/x/mIA9>.
-
-"""
-
-###############################################
-# Here's where we get the distributed defaults.
-
-from Defaults import *
-
-##################################################
-# Put YOUR site-specific settings below this line.
-
-# Please see: http://wiki.list.org/x/mIA9 if you change this
-DEFAULT_URL_HOST = '{{ lists_domain }}'
-DEFAULT_EMAIL_HOST = '{{ lists_domain }}'
-MTA = 'Postfix'
-
-VIRTUAL_HOSTS.clear()
-add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
-
-POSTFIX_STYLE_VIRTUAL_DOMAINS = ['{{ lists_domain }}']
-
-DEFAULT_URL_PATTERN = 'https://%s/'
-PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
-
-# bot protection
-SUBSCRIBE_FORM_SECRET = '{{ vault_mailman_subscribe_form_secret }}'
-
-VIRTUAL_HOST_OVERVIEW = Off
-
-DEFAULT_SEND_REMINDERS = 0
-
-PUBLIC_MBOX = Yes
-
-DEFAULT_MSG_HEADER = ""
-DEFAULT_MSG_FOOTER = ""
-#DEFAULT_DMARC_MODERATION_ACTION = 1
-REMOVE_DKIM_HEADERS = 1