Kill the mailman2 server and put the mailman3 server in its place

With the final lists migrated to mailman3[1], the mailman2 server can finally be killed. When the mailman3 server was initially setup[2], it was done on a separate server because the mailman and mailman3 packages conflicted, and the traffic was routed over wireguard (HTTP, LMTP and SMTP). Instead of installing mailman3 on the original lists.al.org server and transferring the data, it was easier just to install the missing pieces (basically Postfix and adjusting the Nginx configuration) on the ml3 server and move the IPs (to keep the IP mail reputation). So basically the following was done: - The IPs for the original lists.al.org was moved to the mailman3.al.org server - The mailman2 datadir was transferred to mailman3.al.org server, so we can keep the pipermail links alive, and import missing mails if needed - The original lists.al.org server was decommissioned - The mailman3.al.org server was renamed to lists.al.org - The missing pieces was added to the mailman3 role (basically Postfix + Nginx adjustments) - The mailman role was deleted and the mailman3 role renamed to mailman [1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists") [2] 9294828f ("Setup mailman3 server") Fix #59

Kill the mailman2 server and put the mailman3 server in its place
893a95f3 · Kristian Klausen · 3c152709 · 893a95f3 · 893a95f3 · 893a95f3
Verified Commit 893a95f3 authored 2 years ago by Kristian Klausen
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -157,14 +157,6 @@ Prometheus, and Grafana server which receives selected performance/metrics from

  Online collborative markdwown editor for Arch Linux Staff.

-## mailman3.archlinux.org
-
-This server runs mailman3 as mailman2 and mailman3 can't be installed on the same server. The HTTP and LMTP traffic is routed over WireGuard from lists.archlinux.org.
-
-### Services
-
-  - mailman3
-
 ### Services
  - [hedgedoc](https://hedgedoc.org/)


--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -164,15 +164,15 @@
 3072 MD5:50:c8:93:43:05:d5:73:a4:84:b1:07:66:a7:20:a5:79 root@archlinux-packer (RSA)

 # lists.archlinux.org
-1024 SHA256:/o3BhNZ6MdfHXrqDzVxP5OgKcTmo1/e2v80Xb+Q2ypc root@archlinux-packer (DSA)
-256 SHA256:Xe+YrG+IfhtQkNft+SB7UsTQCIgbqNnqMl/Pqs6uzBE root@archlinux-packer (ECDSA)
-256 SHA256:fAKD+26rDZ74MOMWZI8L3k2c7RzTYd69+iwKp4zhw8c root@archlinux-packer (ED25519)
-3072 SHA256:NyspEiVRnuRtL854ErcdybtjoBia+miQkpuToYZEl78 root@archlinux-packer (RSA)
+1024 SHA256:U1A+NO+I+JRg0YPo+UgwGfbextnL+pVuqjWGdyokLpI root@archlinux-packer (DSA)
+256 SHA256:vdEZ5/6Xxd7Azjzaf5xz5kfzQrWcq1raz5cFAIclooE root@archlinux-packer (ECDSA)
+256 SHA256:iCeRz+2HK7heoapDRscHpgbEX4cbem1BZpWzrAoOxTQ root@archlinux-packer (ED25519)
+3072 SHA256:sqUYYmrNXzYPL5TtsBsTnaANsZ/P7miyCAIkt0YWfBg root@archlinux-packer (RSA)

-1024 MD5:fb:bb:0e:a8:0c:5c:41:5a:b1:d9:61:4d:e5:c3:bf:b1 root@archlinux-packer (DSA)
-256 MD5:56:43:80:27:a7:4e:4c:1f:a4:14:dd:d1:eb:37:13:a9 root@archlinux-packer (ECDSA)
-256 MD5:3c:91:d8:b0:4b:5c:36:40:79:27:8a:c7:24:d6:26:af root@archlinux-packer (ED25519)
-3072 MD5:88:99:f2:47:b1:e3:3c:99:52:67:d5:d5:55:b0:af:2c root@archlinux-packer (RSA)
+1024 MD5:8f:94:fe:a9:56:ee:3f:cc:a4:e7:a5:4f:2b:02:e8:c3 root@archlinux-packer (DSA)
+256 MD5:ca:3e:2d:aa:8a:4b:71:3a:18:22:59:0f:6e:ff:ae:5d root@archlinux-packer (ECDSA)
+256 MD5:a8:d3:f8:42:ff:ae:7d:71:1b:fe:93:4b:f7:df:38:5f root@archlinux-packer (ED25519)
+3072 MD5:51:ea:a4:ec:76:87:ee:89:e7:3a:fc:80:ea:fe:2d:9c root@archlinux-packer (RSA)

 # mail.archlinux.org
 1024 SHA256:/d3MC4NoQbPSNgNebFyzNCze4HVHPhITVWy9vWdZUp4 root@archlinux-packer (DSA)
@@ -185,17 +185,6 @@
 256 MD5:dd:20:c1:f1:f2:fa:70:86:3a:e2:39:86:b1:01:2f:61 root@archlinux-packer (ED25519)
 3072 MD5:b6:14:30:bd:fe:43:46:6a:20:a2:8b:b0:aa:d4:35:19 root@archlinux-packer (RSA)

-# mailman3.archlinux.org
-1024 SHA256:U1A+NO+I+JRg0YPo+UgwGfbextnL+pVuqjWGdyokLpI root@archlinux-packer (DSA)
-256 SHA256:vdEZ5/6Xxd7Azjzaf5xz5kfzQrWcq1raz5cFAIclooE root@archlinux-packer (ECDSA)
-256 SHA256:iCeRz+2HK7heoapDRscHpgbEX4cbem1BZpWzrAoOxTQ root@archlinux-packer (ED25519)
-3072 SHA256:sqUYYmrNXzYPL5TtsBsTnaANsZ/P7miyCAIkt0YWfBg root@archlinux-packer (RSA)
-
-1024 MD5:8f:94:fe:a9:56:ee:3f:cc:a4:e7:a5:4f:2b:02:e8:c3 root@archlinux-packer (DSA)
-256 MD5:ca:3e:2d:aa:8a:4b:71:3a:18:22:59:0f:6e:ff:ae:5d root@archlinux-packer (ECDSA)
-256 MD5:a8:d3:f8:42:ff:ae:7d:71:1b:fe:93:4b:f7:df:38:5f root@archlinux-packer (ED25519)
-3072 MD5:51:ea:a4:ec:76:87:ee:89:e7:3a:fc:80:ea:fe:2d:9c root@archlinux-packer (RSA)
-
 # man.archlinux.org
 1024 SHA256:11C7Qa1GSNBBspSlber3Sp+LEMRpfr/VWkypfu6OnhA root@archlinux-packer (DSA)
 256 SHA256:fL79NVaEiwXGfUhTXWLkue/D1seSADYbui+jwQ2dvW0 root@archlinux-packer (ECDSA)

--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -86,20 +86,15 @@ homedir.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxEHvFCXujU6s4eW0U79o
 homedir.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDuQbGoCSIPisaZeqtJhM369ugQWc8pHE8404AZu0yUgDxMl6AP5BUfdynlR6VGt4edSaEyp9BkT15YaKh5vph/9MUtZ2zbQ7WPRuvfLNG+RI458q4CYdykVMmTs1DEeAxaVMIAL3225pqh7QMcME0edX9f4PLLkQk8+AAAy24rvgwxLE0BnSLB3zp7wCJw5rm2iZAcqsKkIZw2FJKMlRuEovdvgc7A0FfkSc8muvvHET1FK/Uqv5i9R2Xk3NPFkt/bzcwOVBXCeqUrjLmD0UhRWX8J8GMmrEVPVQLBT6mn/OtlXpOiDcr9HkSLS1mqo59N9wyI4tCKjYQZMEWU36PYjXlDzqOGmdAR6Ly8vDo3BC+ByQqLf/ixkoFD/I5inGejPnAv9eXuiP8o0KoPDOALD8gqwqCoPjElE9ZVObp+NJbuQeXRZt70VKxZEWrUKxKxHM3RoYvgd3h/GHaYEGWdbvTMTVK+xnrczL+Eme4Y81zA8KTwY5qbyc5QCHvksKM=

 # lists.archlinux.org
-lists.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKBHMlX50Jr2HiVJ/qDSH3mAjobpbBrGvBRXTKB/xXFBiVXCbJQCQ9HKXQZunLALaIm+jAgpskbXqLQMEpWzST8=
-lists.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVKwNsXUXpgNhlwPVlBRNlpvOt0U9deANS/n//nxbe1
-lists.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuKQnkGRdXyu74f92lzJcQMMDjTzVXkne/mLHiMYKQWlboIBIry3FkzyUGDLbNlZOe4PNR43D9FI0/1EjAuVV72HVQ9sidCbJR/azw3+JF8zwU1HDMOhtCNaWYNqk0DHDvHuWhL6N0duFASf+ZTKRB5Rgk3+p0FisKMCep2vJy5kHY0829INk6ORgPxYzCHCZOLEfZX0aydwscTnubKq1t9blWUdqKSm5Xq5+NEJNPKlo6TgdcBihkdAyaGnZ9KWrXycV6j0UaT/VJNuumZ9KlsvI7Xi/TVDWcLcsU/UqeEvnzUi3oRrvkADzIcoFa5/QrSRQJppKAUgjuhOuk+Px38IIvRdrwDxDoChei+qU8S2O24PP7Cu4oYZ/ecGb8wJleEWVVaYrD5JTEugg0iTe2t0LJiP6rTC1faxErZ9wru18nGNWYR2b+b1MfBzppAoikZUoqygKYYLAerHj3B9wFmw2RJG8JFZ95lMukJmDG8kCYz7eq753PYAAmpFZbdZU=
+lists.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLYxKdG6ntbOV/YpVbRkJiJfAPt8BTTN/hKm0uebSwpuQbbv5hxXLSOYeA0C/yJBNXXX4EJ82J88oEJQBFxiPvY=
+lists.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+GtJoC+QEUyKA/ZneTBXOBs7W3JBAEb1nLDkjzsqa1
+lists.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdPJQIkN6wDk/140HS1WCIKc0Iz7Oq8c98XaLB0i9ksUxkWB4rxia/WP5RRF+g9yAqZvIg0f5W0d85pfuh+1TOccXk8r6GsH+gRIEkdmwu4Mf7iBpkQxl3n70yjNGxgbwGkVG9vREvJ4v3l/NRZrX2/N3RvcPG9TQwjFFOFYTRZNfUPvsppk572yQ8cjf7oUvJmLOwsKagO5WMUoKFAbO35/Mp2H6VbApYtIdpkFOXnaJUVduHInNa18CmKl28ZSTsigLkYb8pboS6RacJYgA5kK0vQsXCguDrA+SI9k1xW4i9FjUWsLlPuLkk9c7Tj39R95gWhxWwQ99ApNDVvZa+skSbMS7h4/d3NosyM2OO9LfqPiHn2xDsuvmpN0ScCwuocwR09EMrj4MQKzo31ITFHuSyxob0Z4yTQrKvJxdNwveXqaRHFNXUvSWtoRkk2cKB5hjsr0QCROBidYu4WG+/LfolzJQfuRqH7dvg5dvmJLrcozfcCpxspdBTIEKLG/c=

 # mail.archlinux.org
 mail.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvJy2P8zOSKt3EocULHN85PVGW1AINk15+GilqUc5a79Zsy0FvWqV16fjxLRN3zIOkBvSKZMvsNadja+quEr9s=
 mail.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTOoGxsf23f6AjIHcQQuvbTOaeIt48Y0PiBj9qlJi1H
 mail.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPrURadxte8UJiteGa6+Q+OjTAjhvGAQFkNSXj1pr4k03uxkU6l2v2LuTygk+4SZSCyUsKvNx/ljJeHBnuecQ8rRv19ZFqy/GQKB3oEmiNYMo2dYYlJWwTVBHatmghhB1j2y40yqdKWH2xQuXC3HtnS7fHG0g1Rc4R9KB4MQlcXkwnSEMpwpWBoO7sr0M4YTdwE+nSG9aNfyPbPGp3mX4ATz5X5hPJOlSFVDV6NuKrA+5qyt4jSKdeG5IuWeEnEJesYJEvShYdY9DvMCXnZykB0emzzk+5+Cp2lTPf9LOO3wNsTgHV/CwkoAoMgr9+ASefhBr3nxmmrs9T7nwuobGCGFUqQ2D8IKCmsWGVKXYERViz3x/gYUIlHgVJpoIXCFFqbdpWwxKR1aDMug2fFe699/FzuPdqrWPFdQMF2mPQ0w3AH/62KGp+PULE2HxrlCiY/gF2m8iJLgunxVKmi/c0ufgK9QilnKcPO+W4tcISa5MYt7MSTTLV9eVsgVjGhOU=

-# mailman3.archlinux.org
-mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLYxKdG6ntbOV/YpVbRkJiJfAPt8BTTN/hKm0uebSwpuQbbv5hxXLSOYeA0C/yJBNXXX4EJ82J88oEJQBFxiPvY=
-mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+GtJoC+QEUyKA/ZneTBXOBs7W3JBAEb1nLDkjzsqa1
-mailman3.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdPJQIkN6wDk/140HS1WCIKc0Iz7Oq8c98XaLB0i9ksUxkWB4rxia/WP5RRF+g9yAqZvIg0f5W0d85pfuh+1TOccXk8r6GsH+gRIEkdmwu4Mf7iBpkQxl3n70yjNGxgbwGkVG9vREvJ4v3l/NRZrX2/N3RvcPG9TQwjFFOFYTRZNfUPvsppk572yQ8cjf7oUvJmLOwsKagO5WMUoKFAbO35/Mp2H6VbApYtIdpkFOXnaJUVduHInNa18CmKl28ZSTsigLkYb8pboS6RacJYgA5kK0vQsXCguDrA+SI9k1xW4i9FjUWsLlPuLkk9c7Tj39R95gWhxWwQ99ApNDVvZa+skSbMS7h4/d3NosyM2OO9LfqPiHn2xDsuvmpN0ScCwuocwR09EMrj4MQKzo31ITFHuSyxob0Z4yTQrKvJxdNwveXqaRHFNXUvSWtoRkk2cKB5hjsr0QCROBidYu4WG+/LfolzJQfuRqH7dvg5dvmJLrcozfcCpxspdBTIEKLG/c=
-
 # man.archlinux.org
 man.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhnsStoFw6rbVpE1S1vsXNk8de1SyMag1C+v0DWVSuNYzTylYg4322WbYzw45z2XhxrF6XmCSDMvgxvFwnfLQA=
 man.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzjkN+igIxSIv5N9+ANNoo6knPa51Tj5TAXs4EQ8lY2

--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -26,7 +26,6 @@ root_ssh_keys:
      - dashboards.archlinux.org
      - gitlab.archlinux.org
      - lists.archlinux.org
-      - mailman3.archlinux.org
      - monitoring.archlinux.org

 # - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this

--- a/group_vars/all/vault_mailman.yml
+++ b/group_vars/all/vault_mailman.yml
 $ANSIBLE_VAULT;1.1;AES256
-38306134633332383131393237386134643236316136333335313130663639373434643434303734
-6530323361333765393633616338333830346634363835350a363933363736393935333833313461
-66336437366666316366326566313837653934333732336532393264343663643861633639636566
-3330353837636631320a303533653661623866383230353563366166653232316635353631613836
-39306531623538656335643031623361633465366138356263663630386362626630336262303865
-31306465323730316633316534333663313565336634346164363331353962366239663035366139
-33636139666262663962396236396337666336663835633865373966386534393064323333326164
-35643530656134643565
+63633533303232373335663630346139613137616132393738383265663337636565663935386365
+3262636536383962333438653033323061306433323232610a623836643732616163383364316639
+37626134643334383432346465343734353566663261643334396563336132666133666431313563
+6365643566626635360a616139393131346566666266653737303562663664656231643836373038
+37316436643133333261313963356435353938393032313935353939613962303733623934313965
+64356635626561376130336134656436386638306538373635313638393932313337316636343533
+32666138613765326332373335366634313530656162383162633861666365333230303132346263
+63613031643230356361383638386230613231626135663763373630666362623536663165356335
+33333033376332653130626262633563336238383931393636346339333963326330373431363931
+61383733626363316539653638373562616335366363306365353166666335383037633830636263
+37313663636139666131623435383833313434396665663162623934646330626362346237363331
+65323537383536333763646431623061646337613761363861373261343638653235333038663239
+34636662663763363832643061313035316437633965346332363432653562613865623261613235
+61303239626136303736356533373739343566313464343931383962633232313263383230336438
+32653534623739616436346539616336373562376632303833323230643465666262303263383334
+64623362363863393866666461396237613934656239653262316438633338313036303436313236
+61623562376139616539646231376438636234656363666639646465663035326161346435396439
+63613839396163616135313537626535393039623866646431333239383263313931386131303464
+36353837303662343530663561363036633864346131343731643535386462316663353233636638
+36323134643230376239326637656537633337323333616630313531653239366263386238363333
+32336538613635613964366562383165616433363738623638393364363233636262643131653532
+62326363356333333563383139323366363462613031303566376365643439373163613166333339
+38353266616463396139336663353536336631666565656630396431363439333034653336316234
+61663232383136353937336431353131323933613462666233663464656166356161613039316436
+3136
--- a/group_vars/all/vault_mailman3.yml
+++ b/group_vars/all/vault_mailman3.yml
-$ANSIBLE_VAULT;1.1;AES256
-63633533303232373335663630346139613137616132393738383265663337636565663935386365
-3262636536383962333438653033323061306433323232610a623836643732616163383364316639
-37626134643334383432346465343734353566663261643334396563336132666133666431313563
-6365643566626635360a616139393131346566666266653737303562663664656231643836373038
-37316436643133333261313963356435353938393032313935353939613962303733623934313965
-64356635626561376130336134656436386638306538373635313638393932313337316636343533
-32666138613765326332373335366634313530656162383162633861666365333230303132346263
-63613031643230356361383638386230613231626135663763373630666362623536663165356335
-33333033376332653130626262633563336238383931393636346339333963326330373431363931
-61383733626363316539653638373562616335366363306365353166666335383037633830636263
-37313663636139666131623435383833313434396665663162623934646330626362346237363331
-65323537383536333763646431623061646337613761363861373261343638653235333038663239
-34636662663763363832643061313035316437633965346332363432653562613865623261613235
-61303239626136303736356533373739343566313464343931383962633232313263383230336438
-32653534623739616436346539616336373562376632303833323230643465666262303263383334
-64623362363863393866666461396237613934656239653262316438633338313036303436313236
-61623562376139616539646231376438636234656363666639646465663035326161346435396439
-63613839396163616135313537626535393039623866646431333239383263313931386131303464
-36353837303662343530663561363036633864346131343731643535386462316663353233636638
-36323134643230376239326637656537633337323333616630313531653239366263386238363333
-32336538613635613964366562383165616433363738623638393364363233636262643131653532
-62326363356333333563383139323366363462613031303566376365643439373163613166333339
-38353266616463396139336663353536336631666565656630396431363439333034653336316234
-61663232383136353937336431353131323933613462666233663464656166356161613039316436
-3136
--- a/host_vars/mailman3.archlinux.org/misc
+++ b/host_vars/mailman3.archlinux.org/misc
-filesystem: btrfs
-ipv4_address: 65.21.106.94
-wireguard_address: 10.0.0.37
-wireguard_public_key: obBFreFGNDLB17+PaJspE4qNeVX4o7ZPcJj3ZmJhahg=
--- a/host_vars/mailman3.archlinux.org/vault_wireguard.yml
+++ b/host_vars/mailman3.archlinux.org/vault_wireguard.yml
-$ANSIBLE_VAULT;1.1;AES256
-32363065633737653663623334663139323638366462343630623765396636353932653932356261
-6239356162633731656330383436363861376231616462390a356432316532333632653839333230
-63636434373462643231323532633362363434646230323636333264393032373632343932616361
-6536383038313134300a363139313337646533626334333666326535623039323332666338306532
-33643430313864663833343765623138393165386564343636306363626232666436353665353235
-34623064363764336139633334663530376332633536383033313438613035303662333435313536
-34366663643130633064646161613065373532653235373730316439643165383635353761396639
-61656462333035666437
--- a/hosts
+++ b/hosts
@@ -51,7 +51,6 @@ security.archlinux.org
 md.archlinux.org
 lists.archlinux.org
 gluebuddy.archlinux.org
-mailman3.archlinux.org

 [public_html]
 homedir.archlinux.org
@@ -138,7 +137,6 @@ gluebuddy.archlinux.org
 homedir.archlinux.org
 lists.archlinux.org
 mail.archlinux.org
-mailman3.archlinux.org
 man.archlinux.org
 matrix.archlinux.org
 md.archlinux.org

--- a/playbooks/lists.archlinux.org.yml
+++ b/playbooks/lists.archlinux.org.yml
@@ -8,7 +8,7 @@
    - { role: sshd }
    - { role: root_ssh }
    - { role: hardening }
-    - { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" }
+    - { role: borg_client, tags: ["borg"] }
    - { role: prometheus_exporters }
    - { role: promtail }
    - { role: certbot }
@@ -17,4 +17,5 @@
    - { role: rspamd, rspamd_dkim_domain: lists.archlinux.org, rspamd_dkim_use_esld: false, tags: ["mail"] }
    - { role: unbound, unbound_port: 5353, tags: ["mail"] }
    - { role: uwsgi }
+    - { role: postgres }
    - { role: mailman }
--- a/playbooks/mailman3.archlinux.org.yml
+++ b/playbooks/mailman3.archlinux.org.yml
- name: Setup mailman3 server
-  hosts: mailman3.archlinux.org
-  remote_user: root
-  roles:
-    - { role: common }
-    - { role: firewalld }
-    - { role: wireguard }
-    - { role: sshd }
-    - { role: root_ssh }
-    - { role: hardening }
-    - { role: borg_client, tags: ["borg"] }
-    - { role: prometheus_exporters }
-    - { role: promtail }
-    - { role: nginx, nginx_firewall_zone: wireguard }
-    - { role: uwsgi }
-    - { role: postgres }
-    - { role: mailman3 }
--- a/roles/mailman/defaults/main.yml
+++ b/roles/mailman/defaults/main.yml
 lists_domain: lists.archlinux.org
+lists:
+  arch-announce:
+    allow_list_posts: false
+    bounce_info_stale_after: 60d
+    default_member_action: reject
+    default_nonmember_action: reject
+    description: This mailing list is for official announcements for the Arch Linux distribution.
+    display_name: Arch-announce
+    moderator_password: "{{ vault_archweb_mailman_password }}"
+  arch-commits:
+    allow_list_posts: false
+    accept_these_nonmembers:
+      - ^.+@(.+\.)?archlinux\.org
+    archive_policy: never
+    default_member_action: reject
+    default_nonmember_action: reject
+    description: Arch Linux packaging commits
+    display_name: Arch-commits
+    info: This list contains all commits to the package repositories, including diffs for newest changes.
+    max_message_size: 200
+  arch-dev:
+    advertised: false
+    archive_policy: private
+    description: Development Discussion for Arch Linux
+    display_name: Arch-dev
+    info: This list is for development discussion about Arch Linux.  This list is closed to the general public and only used by internal Arch Linux developers.
+    subscription_policy: confirm_then_moderate
+  arch-devops:
+    display_name: Arch-devops
+    description: Arch Linux Infrastructure development discussion
+  arch-devops-private:
+    advertised: false
+    archive_policy: private
+    description: List for internal discussion of the devops team
+    display_name: Arch-devops-private
+    subscription_policy: confirm_then_moderate
+  arch-dev-public:
+    default_member_action: hold
+    description: Public mailing list for Arch Linux development
+    display_name: Arch-dev-public
+  arch-events:
+    description: Arch Linux Events
+    display_name: Arch-events
+  arch-general:
+    description: General Discussion about Arch Linux
+    display_name: Arch-general
+    info: |
+      This mailing list hosts general discusson about the Arch Linux distribution.  Questions, problems, and new development ideas can be posted here.
+
+      You must be subscribed to the list in order to post to it.
+  arch-mirrors-announce:
+    description: List for mirror admins to send announcements (like downtime notifications) to our users
+    display_name: Arch-mirrors-announce
+    info: |
+      This list is intended for admins of Arch Linux mirrors that want to notify our users about downtime of their mirror.
+
+      This list also accepts mails from non-subscribers.
+  arch-mirrors:
+    description: Arch Linux Mirroring Discussion and Announcements
+    display_name: Arch-mirrors
+    info: This list is intended for admins of Arch Linux mirrors. Discussion and announcements regarding mirroring will use this list.
+  arch-multilib:
+    description: Arch Linux Multilib (32bit libs on 64bit OSes)
+    display_name: Arch-multilib
+  arch-ports:
+    description: Discussion regarding the porting of Arch Linux to non-x86_64 architectures
+    display_name: Arch-ports
+    info: This list is primarily used to talk about porting Arch Linux to non-x86_64 platforms, such as PPC, ARM, i586, i686, etc.
+  arch-proaudio:
+    description: Discussion about real-time multimedia, including (semi-)pro audio and video
+    display_name: Arch-proaudio
+  arch-projects:
+    description: Arch Linux projects development discussion
+    display_name: Arch-projects
+    info: |
+      Announcements, development discussion, patches and pull requests for the Arch Linux projects:<ul><li><a target="blank" href="https://github.com/archlinux/archweb/">archweb</a> (patches preferably on Github as pull requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/arch-release-promotion/">arch-release-promotion</a> (patches only on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/dbscripts/">dbscripts</a> (patches preferably on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/devtools/">devtools</a> (patches preferably on GitLab as merge requests)</li><li><a target="blank" href="https://github.com/archlinux/mkinitcpio/">mkinitcpio</a> (patches preferably on Github as pull requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/namcap/">namcap</a> (patches preferably on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/netctl/">netctl</a> (patches preferably on the mailing list)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/pyalpm/">pyalpm</a> (patches preferably on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/repod/">repod</a> (patches only on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/shim-signed/">shim-signed</a> (contributions preferably on GitLab as merge requests)</li></ul>
+
+      Please begin the email subject with the name of a project in square brackets (e.g. <code>[devtools]</code>). If no project matches, use <code>[projects]</code>.
+
+      Note: No user discussion!
+  arch-releng:
+    description: Arch Linux Release Engineering
+    display_name: Arch-releng
+  arch-security:
+    description: Announcements about security issues in Arch Linux and its packages
+    display_name: Arch-security
+    info: Discussion about announcements should happen on arch-general.
+  arch-tu:
+    advertised: false
+    archive_policy: private
+    description: Trusted Users Discussion for Arch Linux
+    display_name: Arch-tu
+    info: This list is for trusted users discussion about Arch Linux.  This list is closed to the general public and only used by internal Arch Linux trusted users.
+    subscription_policy: confirm_then_moderate
+  arch-wiki-admins:
+    advertised: false
+    archive_policy: private
+    default_nonmember_action: defer
+    display_name: Arch-wiki-admins
+    subscription_policy: confirm_then_moderate
+  arch-women:
+    description: Mailing list for the Arch Women project
+    display_name: Arch-women
+    info: |
+      <a href="https://archwomen.org/">Arch Women</a> is an all inclusive organization of Arch Linux enthusiasts with a focus on helping more women become involved in the Arch Linux community and FOSS.
+
+      Mailing list graciously hosted by the Arch Linux™ project.
+  aur-dev:
+    description: Arch User Repository (AUR) Development
+    display_name: Aur-dev
+    info: This list is intended for discussion of AUR and community based code and development.
+  aur-general:
+    description: Discussion about the Arch User Repository (AUR)
+    display_name: Aur-general
+    info: This list is for Trusted Users, Arch Linux developers, and the general public to discuss issues surrounding the Trusted User structure and the Arch User Repository (AUR).
+  aur-requests:
+    accept_these_nonmembers:
+      - notify@aur.archlinux.org
+    description: Public mailing list for AUR package deletion/merge/orphan requests
+    display_name: Aur-requests
+  pacman-contrib:
+    description: Discussion list for pacman-contrib development
+    display_name: Pacman-contrib
+    info: This list is used by pacman-contrib developers to coordinate, share patches, etc.
+  pacman-dev:
+    description: Discussion list for pacman development
+    display_name: Pacman-dev
+    info: This list is used by pacman developers and contributors to coordinate, fix problems, share patches, etc.
+  staff:
+    advertised: false
+    archive_policy: private
+    description: Internal list that includes all Arch Linux staff members (devs, TUs, support staff)
+    display_name: Staff
+    subscription_policy: confirm_then_moderate
--- a/roles/mailman3/files/list_base_configuration.json
+++ b/roles/mailman3/files/list_base_configuration.json
--- a/roles/mailman/files/mailman.ini
+++ b/roles/mailman/files/mailman.ini
-[uwsgi]
-plugins = cgi
-socket = /run/uwsgi/%n.sock
-chmod-socket = 770
-threads = 2
-
-cgi = /=/usr/lib/mailman/cgi-bin/
-cgi-index = listinfo
-uid = mailman
-gid = http
--- a/roles/mailman/files/migrated-lists.map
+++ b/roles/mailman/files/migrated-lists.map
-/listinfo/arch-announce /mailman3/lists/arch-announce@lists.archlinux.org/;
-/listinfo/arch-commits /mailman3/lists/arch-commits@lists.archlinux.org/;
-/listinfo/arch-dev /mailman3/lists/arch-dev@lists.archlinux.org/;
-/listinfo/arch-dev-public /mailman3/lists/arch-dev-public@lists.archlinux.org/;
-/listinfo/arch-devops /mailman3/lists/arch-devops@lists.archlinux.org/;
-/listinfo/arch-devops-private /mailman3/lists/arch-devops-private@lists.archlinux.org/;
-/listinfo/arch-events /mailman3/lists/arch-events@lists.archlinux.org/;
-/listinfo/arch-general /mailman3/lists/arch-general@lists.archlinux.org/;
-/listinfo/arch-mirrors /mailman3/lists/arch-mirrors@lists.archlinux.org/;
-/listinfo/arch-mirrors-announce /mailman3/lists/arch-mirrors-announce@lists.archlinux.org/;
-/listinfo/arch-multilib /mailman3/lists/arch-multilib@lists.archlinux.org/;
-/listinfo/arch-ports /mailman3/lists/arch-ports@lists.archlinux.org/;
-/listinfo/arch-proaudio /mailman3/lists/arch-proaudio@lists.archlinux.org/;
-/listinfo/arch-projects /mailman3/lists/arch-projects@lists.archlinux.org/;
-/listinfo/arch-releng /mailman3/lists/arch-releng@lists.archlinux.org/;
-/listinfo/arch-security /mailman3/lists/arch-security@lists.archlinux.org/;
-/listinfo/arch-tu /mailman3/lists/arch-tu@lists.archlinux.org/;
-/listinfo/arch-wiki-admins /mailman3/lists/arch-wiki-admins@lists.archlinux.org/;
-/listinfo/arch-women /mailman3/lists/arch-women@lists.archlinux.org/;
-/listinfo/aur-dev /mailman3/lists/aur-dev@lists.archlinux.org/;
-/listinfo/aur-general /mailman3/lists/aur-general@lists.archlinux.org/;
-/listinfo/aur-requests /mailman3/lists/aur-requests@lists.archlinux.org/;
-/listinfo/pacman-contrib /mailman3/lists/pacman-contrib@lists.archlinux.org/;
-/listinfo/pacman-dev /mailman3/lists/pacman-dev@lists.archlinux.org/;
-/listinfo/staff /mailman3/lists/staff@lists.archlinux.org/;
--- a/roles/mailman/files/override.conf
+++ b/roles/mailman/files/override.conf
-[Service]
-Restart=always
--- a/roles/mailman/handlers/main.yml
+++ b/roles/mailman/handlers/main.yml
- name: Restart mailman
-  service: name=mailman daemon_reload=yes state=restarted
-
 - name: Reload mailman
-  service: name=mailman state=reloaded
+  service: name=mailman3 state=reloaded
+
+- name: Restart mailman-web
+  service: name=uwsgi@mailman\\x2dweb.service state=restarted

 - name: Reload postfix
  service: name=postfix state=reloaded
@@ -11,4 +11,3 @@
  command: postmap /etc/postfix/{{ item }}
  loop:
    - aliases
-    - transport
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -4,12 +4,19 @@
  vars:
    domains: ["{{ lists_domain }}"]

- name: Install mailman, uwsgi-plugin-cgi and postfx
-  pacman: name=mailman,uwsgi-plugin-cgi,postfix,postfix-pcre state=present
+- name: Install mailman3 and related packages
+  pacman: name=mailman3,mailman3-hyperkitty,python-psycopg2,mailman-web,python-xapian-haystack,uwsgi-plugin-python,postfix,postfix-pcre state=present
+  register: install

- name: Install mailman configuration
-  template: src=mm_cfg.py.j2 dest=/etc/mailman/mm_cfg.py follow=yes owner=root group=root mode=0644
-  notify: Reload mailman
+- name: Install {mailman,mailman-web} configuration
+  template: src={{ item.src }} dest={{ item.dest }} owner=root group={{ item.group }} mode=0640
+  loop:
+    - {src: mailman.cfg.j2, dest: /etc/mailman.cfg, group: mailman}
+    - {src: mailman-hyperkitty.cfg.j2, dest: /etc/mailman-hyperkitty.cfg, group: mailman}
+    - {src: settings.py.j2, dest: /etc/webapps/mailman-web/settings.py, group: mailman-web}
+  notify:
+    - Reload mailman
+    - Restart mailman-web

 - name: Install postfix configuration
  template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644
@@ -22,59 +29,66 @@
    - milter_header_checks
  notify: Run postmap

- name: Install postfix templated maps
-  template: src={{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644
-  loop:
-    - transport
-  notify: Run postmap
-
 - name: Open firewall holes for postfix
-  ansible.posix.firewalld: service=smtp zone={{ item }} permanent=true state=enabled immediate=yes
-  loop:
-    -
-    - wireguard
-  when: configure_firewall
+  ansible.posix.firewalld: service=smtp permanent=true state=enabled immediate=yes
  tags:
    - firewall

- name: Create mailman list
-  command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} meG0n5Wq6dEWCA6s
-  args:
-    creates: /var/lib/mailman/lists/mailman
-
- name: Configure mailman uwsgi service
-  copy: src=mailman.ini dest=/etc/uwsgi/vassals/ owner=mailman group=http mode=0644
-
 - name: Make nginx log dir
  file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755

- name: Install nginx mailman2->mailman3 redirect map
-  copy: src=migrated-lists.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
-  notify: Reload nginx
-
 - name: Set up nginx
  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
  notify: Reload nginx
-  tags: ['nginx']

- name: Start and enable postfix
-  systemd: name=postfix.service enabled=yes daemon_reload=yes state=started
+- name: Create postgres {mailman,mailman-web} user
+  postgresql_user: name={{ item.username }} password={{ item.password }}
+  loop:
+    - {username: "{{ vault_mailman_db_user }}", password: "{{ vault_mailman_db_password }}"}
+    - {username: "{{ vault_mailman_web_db_user }}", password: "{{ vault_mailman_web_db_password }}"}
+  become: true
+  become_user: postgres
+  become_method: su
+  no_log: true

- name: Create drop-in directory for mailman.service
-  file: path=/etc/systemd/system/mailman.service.d state=directory owner=root group=root mode=0755
+- name: Create {mailman,mailman-web} db
+  postgresql_db: name={{ item.db }} owner={{ item.owner }}
+  loop:
+    - {db: mailman, owner: "{{ vault_mailman_db_user }}"}
+    - {db: mailman-web, owner: "{{ vault_mailman_web_db_user }}"}
+  become: true
+  become_user: postgres
+  become_method: su

- name: Install drop-in for mailman.service
-  copy: src=override.conf dest=/etc/systemd/system/mailman.service.d/ owner=root group=root mode=0644
-  notify: Restart mailman
+- name: Run Django management tasks
+  command: django-admin {{ item }} --pythonpath /etc/webapps/mailman-web --settings settings
+  loop:
+    - migrate
+    - loaddata
+    - collectstatic
+    - compress
+  become: true
+  become_user: mailman-web
+  when: false
+
+- name: Start and enable postfix
+  systemd: name=postfix.service enabled=yes daemon_reload=yes state=started

 - name: Start and enable mailman{.service,-*.timer}
  systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
  loop:
-    - mailman.service
-    - mailman-senddigests.timer
-    - mailman-nightlygzip.timer
-    - mailman-mailpasswds.timer
-    - mailman-gatenews.timer
-    - mailman-disabled.timer
-    - mailman-cullbadshunt.timer
-    - mailman-checkdbs.timer
+    - mailman3.service
+    - mailman3-digests.timer
+    - mailman3-notify.timer
+    - uwsgi@mailman\x2dweb.service
+
+- name: Update list configurations
+  uri:
+    url: http://localhost:8001/3.1/lists/{{ item }}.lists.archlinux.org/config
+    user: "{{ vault_mailman_admin_user }}"
+    password: "{{ vault_mailman_admin_pass }}"
+    method: PUT
+    body_format: json
+    status_code: 204
+    body: "{{ lookup('file', 'list_base_configuration.json') | from_json | combine(lists[item]) | to_json }}"
+  loop: "{{ lists.keys() }}"
--- a/roles/mailman3/templates/mailman-hyperkitty.cfg.j2
+++ b/roles/mailman3/templates/mailman-hyperkitty.cfg.j2
@@ -15,7 +15,7 @@
 # better if it is not.
 # However, if your Mailman installation is accessed via HTTPS, the URL needs
 # to match your SSL certificate (e.g. https://lists.example.com/hyperkitty).
-base_url: http://localhost/archives/
+base_url: http://localhost:8000/archives/

 # Shared API key, must be the identical to the value in HyperKitty's
 # settings.

--- a/roles/mailman3/templates/mailman.cfg.j2
+++ b/roles/mailman3/templates/mailman.cfg.j2
@@ -10,13 +10,6 @@ url: postgres://{{ vault_mailman_db_user }}:{{ vault_mailman_db_password }}@/mai
 admin_user: {{ vault_mailman_admin_user }}
 admin_pass: {{ vault_mailman_admin_pass }}

-[mta]
-configuration: /etc/postfix.cfg
-lmtp_host: {{ hostvars['mailman3.archlinux.org']['wireguard_address'] }}
-lmtp_port: 8024
-smtp_host: {{ hostvars['lists.archlinux.org']['wireguard_address'] }}
-smtp_port: 25
-
 [archiver.hyperkitty]
 class: mailman_hyperkitty.Archiver
 enable: yes