Add mailman role for the new lists.al.org machine
The DNS is still pointing to luna.
This commit is contained in:
parent
ac8e5863c5
commit
bc1c5fe614
9
group_vars/all/vault_mailman.yml
Normal file
9
group_vars/all/vault_mailman.yml
Normal file
|
@ -0,0 +1,9 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33663534393934353761333131636338343835616465386562393436663463343566376536303962
|
||||
3463363464623530653630383464326232303565333039320a386364623664613931636531336233
|
||||
34366536623139613733626539306462366139356562393166346234343261306631333763396462
|
||||
3735643430396562650a646463303232633039313037346238636239616461373337656563393239
|
||||
62386464396237303634336661363135333464363135343234626234336432333963666136346633
|
||||
66636633633237383937393431326639623938356133323566663562653964613564343231323939
|
||||
38336537656532353163366439393366373264366363303730663139383436356335613462653234
|
||||
64313365643833333739
|
|
@ -11,6 +11,10 @@
|
|||
- { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" }
|
||||
- { role: prometheus_exporters }
|
||||
- { role: promtail }
|
||||
- { role: certbot }
|
||||
- { role: nginx }
|
||||
- { role: fail2ban }
|
||||
- { role: rspamd, rspamd_dkim_domain: lists.archlinux.org, rspamd_dkim_use_esld: false, tags: ["mail"] }
|
||||
- { role: unbound, unbound_port: 5353, tags: ["mail"] }
|
||||
- { role: uwsgi }
|
||||
- { role: mailman }
|
||||
|
|
1
roles/mailman/defaults/main.yml
Normal file
1
roles/mailman/defaults/main.yml
Normal file
|
@ -0,0 +1 @@
|
|||
lists_domain: lists.archlinux.org
|
10
roles/mailman/files/mailman.ini
Normal file
10
roles/mailman/files/mailman.ini
Normal file
|
@ -0,0 +1,10 @@
|
|||
[uwsgi]
|
||||
plugins = cgi
|
||||
socket = /run/uwsgi/%n.sock
|
||||
chmod-socket = 770
|
||||
threads = 2
|
||||
|
||||
cgi = /=/usr/lib/mailman/cgi-bin/
|
||||
cgi-index = listinfo
|
||||
uid = mailman
|
||||
gid = http
|
2
roles/mailman/files/milter_header_checks
Normal file
2
roles/mailman/files/milter_header_checks
Normal file
|
@ -0,0 +1,2 @@
|
|||
# We don't have a Junk folder for mailman so reject mails which are probably spam
|
||||
/^X-Spam: Yes$/ REJECT Your message has been rejected by Rspamd
|
6
roles/mailman/handlers/main.yml
Normal file
6
roles/mailman/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: reload mailman
|
||||
service: name=mailman state=reloaded
|
||||
|
||||
- name: reload postfix
|
||||
service: name=postfix state=reloaded
|
59
roles/mailman/tasks/main.yml
Normal file
59
roles/mailman/tasks/main.yml
Normal file
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
- name: create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ lists_domain }}"]
|
||||
|
||||
- name: install mailman, uwsgi-plugin-cgi and postfx
|
||||
pacman: name=mailman,uwsgi-plugin-cgi,postfix,postfix-pcre state=present
|
||||
|
||||
- name: install mailman configuration
|
||||
template: src=mm_cfg.py.j2 dest=/etc/mailman/mm_cfg.py follow=yes owner=root group=root mode=0644
|
||||
notify: reload mailman
|
||||
|
||||
- name: install postfix configuration
|
||||
template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644
|
||||
notify: reload postfix
|
||||
|
||||
- name: install postfix maps
|
||||
copy: src={{ item }} dest=/etc/postfix/ owner=root group=root mode=0644
|
||||
loop:
|
||||
- milter_header_checks
|
||||
|
||||
- name: open firewall holes for postfix
|
||||
ansible.posix.firewalld: service=smtp permanent=true state=enabled immediate=yes
|
||||
when: configure_firewall
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: create mailman list
|
||||
command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} meG0n5Wq6dEWCA6s
|
||||
args:
|
||||
creates: /var/lib/mailman/lists/mailman
|
||||
|
||||
- name: configure mailman uwsgi service
|
||||
copy: src=mailman.ini dest=/etc/uwsgi/vassals/ owner=mailman group=http mode=0644
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: set up nginx
|
||||
template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
|
||||
notify: reload nginx
|
||||
tags: ['nginx']
|
||||
|
||||
- name: start and enable postfix
|
||||
systemd: name=postfix.service enabled=yes daemon_reload=yes state=started
|
||||
|
||||
- name: start and enable mailman{.service,-*.timer}
|
||||
systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
|
||||
loop:
|
||||
- mailman.service
|
||||
- mailman-senddigests.timer
|
||||
- mailman-nightlygzip.timer
|
||||
- mailman-mailpasswds.timer
|
||||
- mailman-gatenews.timer
|
||||
- mailman-disabled.timer
|
||||
- mailman-cullbadshunt.timer
|
||||
- mailman-checkdbs.timer
|
50
roles/mailman/templates/main.cf.j2
Normal file
50
roles/mailman/templates/main.cf.j2
Normal file
|
@ -0,0 +1,50 @@
|
|||
#
|
||||
# {{ansible_managed}}
|
||||
#
|
||||
|
||||
compatibility_level = 3.6
|
||||
|
||||
biff = no
|
||||
smtputf8_enable = no
|
||||
|
||||
smtpd_tls_cert_file = /etc/letsencrypt/live/{{ lists_domain }}/fullchain.pem
|
||||
smtpd_tls_key_file = /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem
|
||||
smtpd_tls_loglevel = 1
|
||||
smtpd_tls_security_level = may
|
||||
|
||||
smtp_tls_loglevel = 1
|
||||
smtp_tls_security_level = may
|
||||
|
||||
mydomain = {{ lists_domain }}
|
||||
myorigin = {{ lists_domain }}
|
||||
mydestination = {{ lists_domain }}
|
||||
|
||||
# fatal: configuration error: mailbox_size_limit is smaller than message_size_limit
|
||||
message_size_limit = 104857600
|
||||
mailbox_size_limit = $message_size_limit
|
||||
recipient_delimiter = +
|
||||
disable_vrfy_command = yes
|
||||
strict_rfc821_envelopes = yes
|
||||
|
||||
# enable for testing new config
|
||||
soft_bounce = no
|
||||
debug_peer_list =
|
||||
|
||||
smtpd_relay_restrictions =
|
||||
permit_mynetworks
|
||||
permit_sasl_authenticated
|
||||
reject_unauth_destination
|
||||
|
||||
smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime) and client ($client_address).
|
||||
|
||||
# rspamd
|
||||
smtpd_milters = inet:localhost:11332
|
||||
non_smtpd_milters = $smtpd_milters
|
||||
|
||||
alias_maps = hash:/var/lib/mailman/data/aliases
|
||||
alias_database = $alias_maps
|
||||
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman
|
||||
|
||||
milter_header_checks = pcre:/etc/postfix/milter_header_checks
|
||||
|
||||
delay_warning_time = 4h
|
79
roles/mailman/templates/mm_cfg.py.j2
Normal file
79
roles/mailman/templates/mm_cfg.py.j2
Normal file
|
@ -0,0 +1,79 @@
|
|||
# -*- python -*-
|
||||
|
||||
# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 2
|
||||
# of the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
|
||||
"""This module contains your site-specific settings.
|
||||
|
||||
From a brand new distribution it should be copied to mm_cfg.py. If you
|
||||
already have an mm_cfg.py, be careful to add in only the new settings you
|
||||
want. Mailman's installation procedure will never overwrite your mm_cfg.py
|
||||
file.
|
||||
|
||||
The complete set of distributed defaults, with documentation, are in the file
|
||||
Defaults.py. In mm_cfg.py, override only those you want to change, after the
|
||||
|
||||
from Defaults import *
|
||||
|
||||
line (see below).
|
||||
|
||||
Note that these are just default settings; many can be overridden via the
|
||||
administrator and user interfaces on a per-list or per-user basis.
|
||||
|
||||
Also note that many of these settings will not be effective until Mailman
|
||||
is restarted. Thus, you should always restart Mailman after changing this
|
||||
file.
|
||||
|
||||
Further, settings which relate to a list's host_name and web_page_url only
|
||||
affect lists created after the change. For existing lists, see the FAQ at
|
||||
<http://wiki.list.org/x/mIA9>.
|
||||
|
||||
"""
|
||||
|
||||
###############################################
|
||||
# Here's where we get the distributed defaults.
|
||||
|
||||
from Defaults import *
|
||||
|
||||
##################################################
|
||||
# Put YOUR site-specific settings below this line.
|
||||
|
||||
# Please see: http://wiki.list.org/x/mIA9 if you change this
|
||||
DEFAULT_URL_HOST = '{{ lists_domain }}'
|
||||
DEFAULT_EMAIL_HOST = '{{ lists_domain }}'
|
||||
MTA = 'Postfix'
|
||||
|
||||
VIRTUAL_HOSTS.clear()
|
||||
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
|
||||
|
||||
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['{{ lists_domain }}']
|
||||
|
||||
DEFAULT_URL_PATTERN = 'https://%s/'
|
||||
PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
|
||||
|
||||
# bot protection
|
||||
SUBSCRIBE_FORM_SECRET = '{{ vault_mailman_subscribe_form_secret }}'
|
||||
|
||||
VIRTUAL_HOST_OVERVIEW = Off
|
||||
|
||||
DEFAULT_SEND_REMINDERS = 0
|
||||
|
||||
PUBLIC_MBOX = Yes
|
||||
|
||||
DEFAULT_MSG_HEADER = ""
|
||||
DEFAULT_MSG_FOOTER = ""
|
||||
#DEFAULT_DMARC_MODERATION_ACTION = 1
|
||||
REMOVE_DKIM_HEADERS = 1
|
53
roles/mailman/templates/nginx.d.conf.j2
Normal file
53
roles/mailman/templates/nginx.d.conf.j2
Normal file
|
@ -0,0 +1,53 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name {{ lists_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ lists_domain }}/access.log main;
|
||||
access_log /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
|
||||
error_log /var/log/nginx/{{ lists_domain }}/error.log;
|
||||
|
||||
include snippets/letsencrypt.conf;
|
||||
|
||||
location / {
|
||||
access_log off;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name {{ lists_domain }};
|
||||
|
||||
access_log /var/log/nginx/{{ lists_domain }}/access.log main;
|
||||
access_log /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
|
||||
error_log /var/log/nginx/{{ lists_domain }}/error.log;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ lists_domain }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ lists_domain }}/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem;
|
||||
|
||||
# redirect old urls
|
||||
location /mailman {
|
||||
rewrite ^/mailman/(.*) /$1 permanent;
|
||||
}
|
||||
|
||||
location /icons {
|
||||
alias /usr/lib/mailman/icons;
|
||||
}
|
||||
|
||||
location /pipermail {
|
||||
alias /var/lib/mailman/archives/public;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
location / {
|
||||
root /usr/lib/mailman/cgi-bin/;
|
||||
index listinfo;
|
||||
include uwsgi_params;
|
||||
uwsgi_modifier1 9;
|
||||
uwsgi_pass unix:/run/uwsgi/mailman.sock;
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in a new issue