Commit bc1c5fe6 authored by Kristian Klausen's avatar Kristian Klausen 🎉
Browse files

Add mailman role for the new lists.al.org machine

The DNS is still pointing to luna.
parent ac8e5863
$ANSIBLE_VAULT;1.1;AES256
33663534393934353761333131636338343835616465386562393436663463343566376536303962
3463363464623530653630383464326232303565333039320a386364623664613931636531336233
34366536623139613733626539306462366139356562393166346234343261306631333763396462
3735643430396562650a646463303232633039313037346238636239616461373337656563393239
62386464396237303634336661363135333464363135343234626234336432333963666136346633
66636633633237383937393431326639623938356133323566663562653964613564343231323939
38336537656532353163366439393366373264366363303730663139383436356335613462653234
64313365643833333739
...@@ -11,6 +11,10 @@ ...@@ -11,6 +11,10 @@
- { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" } - { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" }
- { role: prometheus_exporters } - { role: prometheus_exporters }
- { role: promtail } - { role: promtail }
- { role: certbot }
- { role: nginx }
- { role: fail2ban } - { role: fail2ban }
- { role: rspamd, rspamd_dkim_domain: lists.archlinux.org, rspamd_dkim_use_esld: false, tags: ["mail"] } - { role: rspamd, rspamd_dkim_domain: lists.archlinux.org, rspamd_dkim_use_esld: false, tags: ["mail"] }
- { role: unbound, unbound_port: 5353, tags: ["mail"] } - { role: unbound, unbound_port: 5353, tags: ["mail"] }
- { role: uwsgi }
- { role: mailman }
lists_domain: lists.archlinux.org
[uwsgi]
plugins = cgi
socket = /run/uwsgi/%n.sock
chmod-socket = 770
threads = 2
cgi = /=/usr/lib/mailman/cgi-bin/
cgi-index = listinfo
uid = mailman
gid = http
# We don't have a Junk folder for mailman so reject mails which are probably spam
/^X-Spam: Yes$/ REJECT Your message has been rejected by Rspamd
---
- name: reload mailman
service: name=mailman state=reloaded
- name: reload postfix
service: name=postfix state=reloaded
---
- name: create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ lists_domain }}"]
- name: install mailman, uwsgi-plugin-cgi and postfx
pacman: name=mailman,uwsgi-plugin-cgi,postfix,postfix-pcre state=present
- name: install mailman configuration
template: src=mm_cfg.py.j2 dest=/etc/mailman/mm_cfg.py follow=yes owner=root group=root mode=0644
notify: reload mailman
- name: install postfix configuration
template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644
notify: reload postfix
- name: install postfix maps
copy: src={{ item }} dest=/etc/postfix/ owner=root group=root mode=0644
loop:
- milter_header_checks
- name: open firewall holes for postfix
ansible.posix.firewalld: service=smtp permanent=true state=enabled immediate=yes
when: configure_firewall
tags:
- firewall
- name: create mailman list
command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} meG0n5Wq6dEWCA6s
args:
creates: /var/lib/mailman/lists/mailman
- name: configure mailman uwsgi service
copy: src=mailman.ini dest=/etc/uwsgi/vassals/ owner=mailman group=http mode=0644
- name: make nginx log dir
file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
notify: reload nginx
tags: ['nginx']
- name: start and enable postfix
systemd: name=postfix.service enabled=yes daemon_reload=yes state=started
- name: start and enable mailman{.service,-*.timer}
systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
loop:
- mailman.service
- mailman-senddigests.timer
- mailman-nightlygzip.timer
- mailman-mailpasswds.timer
- mailman-gatenews.timer
- mailman-disabled.timer
- mailman-cullbadshunt.timer
- mailman-checkdbs.timer
#
# {{ansible_managed}}
#
compatibility_level = 3.6
biff = no
smtputf8_enable = no
smtpd_tls_cert_file = /etc/letsencrypt/live/{{ lists_domain }}/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_security_level = may
mydomain = {{ lists_domain }}
myorigin = {{ lists_domain }}
mydestination = {{ lists_domain }}
# fatal: configuration error: mailbox_size_limit is smaller than message_size_limit
message_size_limit = 104857600
mailbox_size_limit = $message_size_limit
recipient_delimiter = +
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
# enable for testing new config
soft_bounce = no
debug_peer_list =
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime) and client ($client_address).
# rspamd
smtpd_milters = inet:localhost:11332
non_smtpd_milters = $smtpd_milters
alias_maps = hash:/var/lib/mailman/data/aliases
alias_database = $alias_maps
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman
milter_header_checks = pcre:/etc/postfix/milter_header_checks
delay_warning_time = 4h
# -*- python -*-
# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
"""This module contains your site-specific settings.
From a brand new distribution it should be copied to mm_cfg.py. If you
already have an mm_cfg.py, be careful to add in only the new settings you
want. Mailman's installation procedure will never overwrite your mm_cfg.py
file.
The complete set of distributed defaults, with documentation, are in the file
Defaults.py. In mm_cfg.py, override only those you want to change, after the
from Defaults import *
line (see below).
Note that these are just default settings; many can be overridden via the
administrator and user interfaces on a per-list or per-user basis.
Also note that many of these settings will not be effective until Mailman
is restarted. Thus, you should always restart Mailman after changing this
file.
Further, settings which relate to a list's host_name and web_page_url only
affect lists created after the change. For existing lists, see the FAQ at
<http://wiki.list.org/x/mIA9>.
"""
###############################################
# Here's where we get the distributed defaults.
from Defaults import *
##################################################
# Put YOUR site-specific settings below this line.
# Please see: http://wiki.list.org/x/mIA9 if you change this
DEFAULT_URL_HOST = '{{ lists_domain }}'
DEFAULT_EMAIL_HOST = '{{ lists_domain }}'
MTA = 'Postfix'
VIRTUAL_HOSTS.clear()
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['{{ lists_domain }}']
DEFAULT_URL_PATTERN = 'https://%s/'
PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
# bot protection
SUBSCRIBE_FORM_SECRET = '{{ vault_mailman_subscribe_form_secret }}'
VIRTUAL_HOST_OVERVIEW = Off
DEFAULT_SEND_REMINDERS = 0
PUBLIC_MBOX = Yes
DEFAULT_MSG_HEADER = ""
DEFAULT_MSG_FOOTER = ""
#DEFAULT_DMARC_MODERATION_ACTION = 1
REMOVE_DKIM_HEADERS = 1
server {
listen 80;
listen [::]:80;
server_name {{ lists_domain }};
access_log /var/log/nginx/{{ lists_domain }}/access.log main;
access_log /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
error_log /var/log/nginx/{{ lists_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
access_log off;
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ lists_domain }};
access_log /var/log/nginx/{{ lists_domain }}/access.log main;
access_log /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
error_log /var/log/nginx/{{ lists_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ lists_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem;
# redirect old urls
location /mailman {
rewrite ^/mailman/(.*) /$1 permanent;
}
location /icons {
alias /usr/lib/mailman/icons;
}
location /pipermail {
alias /var/lib/mailman/archives/public;
autoindex on;
}
location / {
root /usr/lib/mailman/cgi-bin/;
index listinfo;
include uwsgi_params;
uwsgi_modifier1 9;
uwsgi_pass unix:/run/uwsgi/mailman.sock;
}
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment