Fully setup hyperkitty and nginx rules.

50615a32 · Jelle van der Waa · Jelle van der Waa · 3c36760a · 50615a32 · 50615a32
Verified Commit 50615a32 authored Mar 15, 2020 by Jelle van der Waa 🚧 Committed by Jelle van der Waa Jul 28, 2020
--- a/roles/mailman/defaults/main.yml
+++ b/roles/mailman/defaults/main.yml
 # Mailman
+mailman_domain: mailman3.archlinux.org # lists.archlinux.org
 mailman_db_user: mailman
+mailman_nginx_conf: /etc/nginx/nginx.d/mailman.conf

 # Hyperkitty
 hyperkitty_dir: /usr/share/webapps/hyperkitty

--- a/roles/mailman/files/hyperkitty.socket
+++ b/roles/mailman/files/hyperkitty.socket
--- a/roles/mailman/files/uwsgi-secure@.service
+++ b/roles/mailman/files/uwsgi-secure@.service
+[Unit]
+Description=uWSGI service unit
+After=syslog.target
+
+[Service]
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/%I.ini
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -INT $MAINPID
+Type=notify
+SuccessExitStatus=15 17 29 30
+StandardError=syslog
+NotifyAccess=all
+KillSignal=SIGQUIT
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ReadWriteDirectories=/etc/webapps /var/lib/
+ProtectHome=yes
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/mailman/files/uwsgi-secure@.socket
+++ b/roles/mailman/files/uwsgi-secure@.socket
+[Unit]
+Description=Socket for uWSGI %I
+
+[Socket]
+ListenStream=/run/%I/%I.sock
+SocketGroup=http
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -29,7 +29,9 @@
  become_user: postgres
  become_method: su

- template: src="hyperkitty.py.j2" dest="/etc/webapps/hyperkitty/settings_local.py" owner=hyperkitty group=root mode=0644
+- file: src=/etc/webapps/hyperkitty/settings_local.py dest=/usr/share/webapps/hyperkitty/settings_local.py owner=root group=hyperkitty state=link
+
+- template: src="hyperkitty.py.j2" dest="/etc/webapps/hyperkitty/settings_local.py" owner=root group=hyperkitty mode=0644

 # TODO: only run when required, ie. hyperkitty package updated
 - name: generate a hyperkitty database
@@ -82,6 +84,36 @@
  become_method: sudo
  when: not hyperkitty_superuser_existed

+- name: copy uwsgi-secure@.socket service
+  copy: src=uwsgi-secure@.service dest=/etc/systemd/system/uwsgi-secure@.service
+  notify:
+    - daemon reload
+
+- name: copy uwsgi-secure@.socket service
+  copy: src=uwsgi-secure@.socket dest=/etc/systemd/system/uwsgi-secure@.socket
+  notify:
+    - daemon reload
+
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ mailman_domain }}' creates='/etc/letsencrypt/live/{{ mailman_domain }}/fullchain.pem'
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest="{{ mailman_nginx_conf }}" owner=root group=root mode=644
+  notify:
+    - reload nginx
+  tags: ['nginx']
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=root mode=0755
+
+- name: enable hyperkitty socket
+  service: name="uwsgi-secure@hyperkitty.socket" enabled=yes state=started
+
+- name: enable hyperkitty asynchronous operations service
+  service: name="hyperkitty-qcluster.service" enabled=yes state=started

 - name: start and enable mailman core service
  service: name="mailman3.service" enabled=yes state=started

--- a/roles/mailman/templates/hyperkitty.py.j2
+++ b/roles/mailman/templates/hyperkitty.py.j2
@@ -10,6 +10,7 @@ ADMINS = (
 ALLOWED_HOSTS = [
 	"localhost",
 	"127.0.0,1",
+	"{{ mailman_domain }}",
 ]

 EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
@@ -23,7 +24,7 @@ DATABASES = {
          'ENGINE'  : 'django.db.backends.postgresql_psycopg2',
          'NAME'    : 'hyperkitty',
          'USER'    : '{{ hyperkitty_db_user }}',
-          'PASSWORD': ''{{ vault_postgres_users.hyperkitty }},
+          'PASSWORD': '{{ vault_postgres_users.hyperkitty }}',
          'HOST'    : 'localhost',
          'PORT'    : '',
    }

--- a/roles/mailman/templates/nginx.d.conf.j2
+++ b/roles/mailman/templates/nginx.d.conf.j2
 server {
    listen       80;
    listen       [::]:80;
-    server_name  mailman.archlinux.org;
+    server_name  mailman3.archlinux.org;

    access_log   /var/log/nginx/{{ mailman_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ mailman_domain }}/error.log;
@@ -17,17 +17,21 @@ server {
 server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
-    server_name  mailman.archlinux.org;
+    server_name  mailman3.archlinux.org;

    access_log   /var/log/nginx/{{ mailman_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ mailman_domain }}/error.log;

-    ssl_certificate      /etc/letsencrypt/live/mailman.archlinux.org/fullchain.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/mailman.archlinux.org/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/mailman.archlinux.org/chain.pem;
+    ssl_certificate      /etc/letsencrypt/live/mailman3.archlinux.org/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/mailman3.archlinux.org/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/mailman3.archlinux.org/chain.pem;

-    location / {
-        access_log off;
-        return 301 https://{{ mailman_domain }}$request_uri;
+    charset utf-8;
+    client_max_body_size 75M;
+    root /usr/share/webapps/hyperkitty;
+
+    location ~^/(accounts|admin|hyperkitty)/(.*)$ {
+         include /etc/nginx/uwsgi_params;
+         uwsgi_pass unix:/run/hyperkitty/hyperkitty.sock;
    }
 }