Add mailman role for the new lists.al.org machine

The DNS is still pointing to luna.

group_vars/all/vault_mailman.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33663534393934353761333131636338343835616465386562393436663463343566376536303962
+3463363464623530653630383464326232303565333039320a386364623664613931636531336233
+34366536623139613733626539306462366139356562393166346234343261306631333763396462
+3735643430396562650a646463303232633039313037346238636239616461373337656563393239
+62386464396237303634336661363135333464363135343234626234336432333963666136346633
+66636633633237383937393431326639623938356133323566663562653964613564343231323939
+38336537656532353163366439393366373264366363303730663139383436356335613462653234
+64313365643833333739

playbooks/lists.archlinux.org.yml

@@ -11,6 +11,10 @@
     - { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" }
     - { role: prometheus_exporters }
     - { role: promtail }
+    - { role: certbot }
+    - { role: nginx }
     - { role: fail2ban }
     - { role: rspamd, rspamd_dkim_domain: lists.archlinux.org, rspamd_dkim_use_esld: false, tags: ["mail"] }
     - { role: unbound, unbound_port: 5353, tags: ["mail"] }
+    - { role: uwsgi }
+    - { role: mailman }

roles/mailman/defaults/main.yml

@@ -0,0 +1 @@
+lists_domain: lists.archlinux.org

roles/mailman/files/mailman.ini

@@ -0,0 +1,10 @@
+[uwsgi]
+plugins = cgi
+socket = /run/uwsgi/%n.sock
+chmod-socket = 770
+threads = 2
+
+cgi = /=/usr/lib/mailman/cgi-bin/
+cgi-index = listinfo
+uid = mailman
+gid = http

roles/mailman/files/milter_header_checks

@@ -0,0 +1,2 @@
+# We don't have a Junk folder for mailman so reject mails which are probably spam
+/^X-Spam: Yes$/ REJECT Your message has been rejected by Rspamd

roles/mailman/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: reload mailman
+  service: name=mailman state=reloaded
+
+- name: reload postfix
+  service: name=postfix state=reloaded

roles/mailman/tasks/main.yml

@@ -0,0 +1,59 @@
+---
+- name: create ssl cert
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ lists_domain }}"]
+
+- name: install mailman, uwsgi-plugin-cgi and postfx
+  pacman: name=mailman,uwsgi-plugin-cgi,postfix,postfix-pcre state=present
+
+- name: install mailman configuration
+  template: src=mm_cfg.py.j2 dest=/etc/mailman/mm_cfg.py follow=yes owner=root group=root mode=0644
+  notify: reload mailman
+
+- name: install postfix configuration
+  template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644
+  notify: reload postfix
+
+- name: install postfix maps
+  copy: src={{ item }} dest=/etc/postfix/ owner=root group=root mode=0644
+  loop:
+    - milter_header_checks
+
+- name: open firewall holes for postfix
+  ansible.posix.firewalld: service=smtp permanent=true state=enabled immediate=yes
+  when: configure_firewall
+  tags:
+    - firewall
+
+- name: create mailman list
+  command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} meG0n5Wq6dEWCA6s
+  args:
+    creates: /var/lib/mailman/lists/mailman
+
+- name: configure mailman uwsgi service
+  copy: src=mailman.ini dest=/etc/uwsgi/vassals/ owner=mailman group=http mode=0644
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
+
+- name: start and enable postfix
+  systemd: name=postfix.service enabled=yes daemon_reload=yes state=started
+
+- name: start and enable mailman{.service,-*.timer}
+  systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
+  loop:
+    - mailman.service
+    - mailman-senddigests.timer
+    - mailman-nightlygzip.timer
+    - mailman-mailpasswds.timer
+    - mailman-gatenews.timer
+    - mailman-disabled.timer
+    - mailman-cullbadshunt.timer
+    - mailman-checkdbs.timer

roles/mailman/templates/main.cf.j2

@@ -0,0 +1,50 @@
+#
+# {{ansible_managed}}
+#
+
+compatibility_level = 3.6
+
+biff = no
+smtputf8_enable = no
+
+smtpd_tls_cert_file = /etc/letsencrypt/live/{{ lists_domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem
+smtpd_tls_loglevel = 1
+smtpd_tls_security_level = may
+
+smtp_tls_loglevel = 1
+smtp_tls_security_level = may
+
+mydomain = {{ lists_domain }}
+myorigin = {{ lists_domain }}
+mydestination = {{ lists_domain }}
+
+# fatal: configuration error: mailbox_size_limit is smaller than message_size_limit
+message_size_limit = 104857600
+mailbox_size_limit = $message_size_limit
+recipient_delimiter = +
+disable_vrfy_command = yes
+strict_rfc821_envelopes = yes
+
+# enable for testing new config
+soft_bounce = no
+debug_peer_list =
+
+smtpd_relay_restrictions =
+    permit_mynetworks
+    permit_sasl_authenticated
+    reject_unauth_destination
+
+smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime) and client ($client_address).
+
+# rspamd
+smtpd_milters = inet:localhost:11332
+non_smtpd_milters = $smtpd_milters
+
+alias_maps = hash:/var/lib/mailman/data/aliases
+alias_database = $alias_maps
+virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman
+
+milter_header_checks = pcre:/etc/postfix/milter_header_checks
+
+delay_warning_time = 4h

roles/mailman/templates/mm_cfg.py.j2

@@ -0,0 +1,79 @@
+# -*- python -*-
+
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software 
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+"""This module contains your site-specific settings.
+
+From a brand new distribution it should be copied to mm_cfg.py.  If you
+already have an mm_cfg.py, be careful to add in only the new settings you
+want.  Mailman's installation procedure will never overwrite your mm_cfg.py
+file.
+
+The complete set of distributed defaults, with documentation, are in the file
+Defaults.py.  In mm_cfg.py, override only those you want to change, after the
+
+  from Defaults import *
+
+line (see below).
+
+Note that these are just default settings; many can be overridden via the
+administrator and user interfaces on a per-list or per-user basis.
+
+Also note that many of these settings will not be effective until Mailman
+is restarted.  Thus, you should always restart Mailman after changing this
+file.
+
+Further, settings which relate to a list's host_name and web_page_url only
+affect lists created after the change.  For existing lists, see the FAQ at
+<http://wiki.list.org/x/mIA9>.
+
+"""
+
+###############################################
+# Here's where we get the distributed defaults.
+
+from Defaults import *
+
+##################################################
+# Put YOUR site-specific settings below this line.
+
+# Please see: http://wiki.list.org/x/mIA9 if you change this
+DEFAULT_URL_HOST = '{{ lists_domain }}'
+DEFAULT_EMAIL_HOST = '{{ lists_domain }}'
+MTA = 'Postfix'
+
+VIRTUAL_HOSTS.clear()
+add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
+
+POSTFIX_STYLE_VIRTUAL_DOMAINS = ['{{ lists_domain }}']
+
+DEFAULT_URL_PATTERN = 'https://%s/'
+PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
+
+# bot protection
+SUBSCRIBE_FORM_SECRET = '{{ vault_mailman_subscribe_form_secret }}'
+
+VIRTUAL_HOST_OVERVIEW = Off
+
+DEFAULT_SEND_REMINDERS = 0
+
+PUBLIC_MBOX = Yes
+
+DEFAULT_MSG_HEADER = ""
+DEFAULT_MSG_FOOTER = ""
+#DEFAULT_DMARC_MODERATION_ACTION = 1
+REMOVE_DKIM_HEADERS = 1

roles/mailman/templates/nginx.d.conf.j2

@@ -0,0 +1,53 @@
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ lists_domain }};
+
+    access_log   /var/log/nginx/{{ lists_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
+    error_log    /var/log/nginx/{{ lists_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ lists_domain }};
+
+    access_log   /var/log/nginx/{{ lists_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
+    error_log    /var/log/nginx/{{ lists_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ lists_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem;
+
+    # redirect old urls
+    location /mailman {
+        rewrite ^/mailman/(.*) /$1 permanent;
+    }
+
+    location /icons {
+        alias /usr/lib/mailman/icons;
+    }
+
+    location /pipermail {
+        alias /var/lib/mailman/archives/public;
+        autoindex on;
+    }
+
+    location / {
+        root            /usr/lib/mailman/cgi-bin/;
+        index           listinfo;
+        include         uwsgi_params;
+        uwsgi_modifier1 9;
+        uwsgi_pass      unix:/run/uwsgi/mailman.sock;
+    }
+
+}