From 6d35dcd7e836b2e59367249ec260c028697dbae0 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Mon, 22 Feb 2021 23:23:18 +0100
Subject: [PATCH] [nginx/mailman] Fix configuration

Signed-off-by: Yohann D'ANELLO
---
 group_vars/mailman.yml | 10 +++++-----
 host_vars/redisdead.adm.crans.org.yml | 8 ++++++++
 hosts | 1 +
 roles/mailman/tasks/main.yml | 8 ++++++++
 .../nginx/snippets/fastcgi-mailman.conf.j2 | 18 ++++++++++++++++++
 roles/nginx/templates/nginx/passwd.j2 | 2 +-
 roles/nginx/templates/www/html/robots.txt.j2 | 2 --
 7 files changed, 41 insertions(+), 8 deletions(-)
 create mode 100644 roles/mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2

diff --git a/group_vars/mailman.yml b/group_vars/mailman.yml
index 115215fa..fe7a0de7 100644
--- a/group_vars/mailman.yml
+++ b/group_vars/mailman.yml
@@ -18,21 +18,21 @@ loc_nginx:
 - filter: "/error/"
 params:
 - "internal"
- - "alias /var/www/html"
+ - "alias /var/www/html/"
 - filter: "/create"
 params:
 - "default_type text/html"
- - "alias /etc/mailman/create.txt"
+ - "alias /etc/mailman/create.html"
 - filter: "~ ^/$"
 params:
 - "return 302 https://lists.crans.org/listinfo"
 - filter: "/"
 params:
- - "include \"/etc/nginx/snippets/fastcgi.conf\""
+ - "include \"/etc/nginx/snippets/fastcgi-mailman.conf\""
 - filter: "~ ^/listinfo"
 params:
 - "satisfy any"
- - "include \"/etc/nginx/snippets/fastcgi.conf\""
+ - "include \"/etc/nginx/snippets/fastcgi-mailman.conf\""
 - "allow 185.230.76.0/22"
 - "allow 2a0c:700:0::/40"
 - "deny all"
@@ -42,7 +42,7 @@ loc_nginx:
 - filter: "~ ^/admin"
 params:
 - "satisfy any"
- - "include \"/etc/nginx/snippets/fastcgi.conf\""
+ - "include \"/etc/nginx/snippets/fastcgi-mailman.conf\""
 - "allow 185.230.76.0/22"
 - "allow 2a0c:700:0::/40"
 - "deny all"
diff --git a/host_vars/redisdead.adm.crans.org.yml b/host_vars/redisdead.adm.crans.org.yml
index 8228a1d0..f562ec36 100644
--- a/host_vars/redisdead.adm.crans.org.yml
+++ b/host_vars/redisdead.adm.crans.org.yml
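Review bot: In group_vars/mailman.yml (first hunk), the `/create` entry now aliases a single file with `alias /etc/mailman/create.html`, but its `filter` is still a plain prefix. Assuming `filter` is rendered as the nginx `location` argument (the template is not part of this patch), every URI that begins with `/create` matches, and nginx appends the rest of the URI to the aliased path, so `/create.bak` would be looked up as `/etc/mailman/create.html.bak`. An exact match, `- filter: "= /create"`, limits the location to the one page it is meant to serve. The `loc_nginx` list starts above the hunk.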
@@ -33,3 +33,11 @@ to_backup:
 secrets_file: "/etc/rsyncd.secrets",
 hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
 }
+
+loc_certbot:
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "*.crans.org"
diff --git a/hosts b/hosts
index abd29eb7..e66ffb17 100644
--- a/hosts
+++ b/hosts
@@ -26,6 +26,7 @@ sputnik.adm.crans.org
 [certbot:children]
 dovecot
 git
+mailman
 radius # We use certbot to manage LE certificates
 reverseproxy
 thelounge
diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml
index 467ef9f0..9a74a41e 100644
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -19,6 +19,14 @@
 - create.html
 notify: Reload mailman
 
+- name: Deploy mailman snippet
+ template:
+ src: "nginx/snippets/fastcgi-mailman.conf.j2"
+ dest: "/etc/nginx/snippets/fastcgi-mailman.conf"
+ owner: root
+ group: root
+ mode: 0644
+
 # Fanciness
 - name: Deploy custom logo
 copy:
diff --git a/roles/mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2 b/roles/mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2
new file mode 100644
index 00000000..d3215c7f
--- /dev/null
+++ b/roles/mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2
@@ -0,0 +1,18 @@
+{{ ansible_header | comment }}
+
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info (^/[^/]*)(.*)$;
+
+# check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+# Let NGINX handle errors
+fastcgi_intercept_errors on;
+
+include /etc/nginx/fastcgi.conf;
+fastcgi_pass unix:/var/run/fcgiwrap.socket;
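Review bot: `domains: "*.crans.org"` in the new `loc_certbot` entry puts a wildcard certificate and its private key on this host, while the redirect in group_vars/mailman.yml only points at `lists.crans.org`. If this host serves nothing but the list interface, a certificate scoped to that name (`domains: "lists.crans.org"`, with a matching `certname`) keeps a compromise of the web-facing CGI host from exposing a key that is valid for every crans.org subdomain. It is also worth confirming that the RFC 2136 key behind `vault.certbot_dns_secret` is only permitted to update the ACME challenge records, since the DNS-side update policy is not visible in this patch.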
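Review bot: The new `Deploy mailman snippet` task in roles/mailman/tasks/main.yml has no `notify`, so a change to `/etc/nginx/snippets/fastcgi-mailman.conf` stays inactive until something else reloads nginx; the task just above it does notify `Reload mailman`. Adding `notify: <nginx reload handler>` (placeholder, the handler name is not visible in this patch) makes the snippet take effect on the run that changes it. The mode is also better written as a string, `mode: "0644"`, so the value does not depend on the YAML loader reading a leading-zero integer as octal.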
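Review bot: The comment `# check that the PHP script exists before passing it` in fastcgi-mailman.conf.j2 is carried over from a PHP snippet, but this file hands requests to `unix:/var/run/fcgiwrap.socket`, where the matched file is run as a CGI program. With `fastcgi_split_path_info (^/[^/]*)(.*)$;` the first path segment comes from the client, and `try_files $fastcgi_script_name =404;` is the only check before execution, so the server's `root` (set outside this patch) should contain nothing but the Mailman CGI binaries. I would reword the comment to `# only pass the request on if the first path segment names an existing file under root (fcgiwrap runs it as a CGI)` and state the `root` assumption next to it. The first comment also names `$fastcgi_path` where the variable is `$fastcgi_path_info`.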
diff --git a/roles/nginx/templates/nginx/passwd.j2 b/roles/nginx/templates/nginx/passwd.j2
index e87369c9..75d0ff7c 100644
--- a/roles/nginx/templates/nginx/passwd.j2
+++ b/roles/nginx/templates/nginx/passwd.j2
@@ -1,4 +1,4 @@
 {{ ansible_header | comment }}
 {% for user, hash in nginx.auth_passwd.items() -%}
-{{ user }}: {{ hash }}
+{{ user }}:{{ hash }}
 {% endfor -%}
diff --git a/roles/nginx/templates/www/html/robots.txt.j2 b/roles/nginx/templates/www/html/robots.txt.j2
index 3fbaed74..1f53798b 100644
--- a/roles/nginx/templates/www/html/robots.txt.j2
+++ b/roles/nginx/templates/www/html/robots.txt.j2
@@ -1,4 +1,2 @@
-{{ ansible_header | comment }}
-
 User-agent: *
 Disallow: /