[mailman3] Use nginx role

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
certbot_on_virtu
Yohann D'ANELLO 2021-02-28 18:03:06 +01:00 committed by ynerant
parent b74d5e0bf1
commit 90a6c623ed
7 changed files with 57 additions and 121 deletions


@ -7,6 +7,58 @@ loc_certbot:
certname: crans.org
domains: "*.crans.org"
loc_nginx:
service_name: mailman3
upstreams:
- name: mailman3
server: "unix:/run/mailman3-web/uwsgi.sock fail_timeout=0"
servers:
- ssl: false
server_name:
- "localhost"
locations:
- filter: "/"
params:
- "uwsgi_pass mailman3"
- "include /etc/nginx/uwsgi_params"
- ssl: crans.org
default: true
server_name:
- "mailman.crans.org"
locations:
- filter: "/"
params:
- "uwsgi_pass mailman3"
- "satisfy any"
- "allow 185.230.76.0/22"
- "allow 2a0c:700:0::/40"
- "deny all"
- "auth_basic \"On n'aime pas les spambots, donc on a mis un mot de passe. Le login est Stop et le mot de passe est Spam.\""
- "auth_basic_user_file /etc/nginx/passwd"
- "error_page 401 /error/401.html"
- filter: "/mailman3/static"
params:
- "alias /var/lib/mailman3/web/static"
- filter: "/mailman3/static/favicon.ico"
params:
- "alias /var/lib/mailman3/web/static/postorius/img/favicon.ico"
- filter: "/error/"
params:
- "internal"
- "alias /var/www/"
- filter: "/robots.txt"
params:
- "alias /var/www/robots.txt"
auth_passwd:
Stop: "$apr1$NXaV5H7Q$J3ora3Jo5h775Y1nm93PN1" # Spam
deploy_robots_file: true
glob_mailman3:
site_owner: root@crans.org
database:
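Review bot: The `/` location of the SSL server (the params list starting with `uwsgi_pass mailman3` just after `server_name: - "mailman.crans.org"`) no longer carries `include /etc/nginx/uwsgi_params`, which the localhost server in the same list keeps and which the deleted `nginx/sites-available/mailman3.j2` had for both servers; unless the nginx role's template injects it on its own, the uwsgi backend gets no request variables on the public vhost. Add `- "include /etc/nginx/uwsgi_params"` right after `- "uwsgi_pass mailman3"` in that block. The deleted config also had a plain-HTTP `server_name mailman.crans.org` block returning `302 https://$host$request_uri`, and nothing in the new `servers` list reproduces it, so HTTP requests for that name would now be answered by whatever server is default on port 80 — presumably the role handles the redirect, but worth confirming. Minor: `ssl` is a boolean on one entry and a string on the other (`false` / `crans.org`); a short comment such as `# ssl: false for plain HTTP, otherwise the certbot certname` would save the reader a trip to the role template.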


@ -5,7 +5,9 @@
vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
mailman3: '{{ glob_mailman3 | default({}) | combine(loc_mailman3 | default({})) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
roles:
- certbot
- nginx
- mailman3
- postfix-mailman3
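Review bot: `combine` on the new `nginx:` line is a shallow merge (Ansible's default `recursive=False`), so any `servers`, `upstreams` or `auth_passwd` key present in `glob_nginx` is replaced outright by the `loc_nginx` value rather than merged; that is fine if `glob_nginx` only ever holds flat defaults, otherwise use `combine(loc_nginx | default({}), recursive=True)` — the existing `mailman3:` line follows the same shallow pattern. Role order also puts `nginx` before `mailman3`, so on a fresh host the upstream points at `/run/mailman3-web/uwsgi.sock` before anything listens on it; nginx will presumably start and serve 502s until the later role brings the socket up, which is worth a comment next to the roles list.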


@ -8,8 +8,3 @@
service:
name: mailman3-web
state: restarted
- name: Restart nginx
service:
name: nginx
state: restarted


@ -7,7 +7,6 @@
name:
- dbconfig-no-thanks # Do not autoconfigure database
- mailman3-full
- nginx
- postgresql
- python3-pip # CAS
- python3-lxml # CAS
@ -54,21 +53,8 @@
group: www-data
notify: Restart mailman3-web
- name: Configure nginx site
template:
src: nginx/sites-available/mailman3.j2
dest: /etc/nginx/sites-available/mailman3
notify: Restart nginx
- name: Enable nginx site
file:
src: /etc/nginx/sites-available/mailman3
dest: /etc/nginx/sites-enabled/mailman3
state: link
notify: Restart nginx
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/04-mailman3
dest: /etc/update-motd.d/05-mailman3
mode: 0755
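Review bot: Changing the motd `dest` from `/etc/update-motd.d/04-mailman3` to `05-mailman3` leaves the old `04-mailman3` script in place on hosts deployed with the previous version, so they will print the entry twice until someone removes it by hand. Likewise, dropping the "Configure nginx site"/"Enable nginx site" tasks leaves `/etc/nginx/sites-available/mailman3` and its `sites-enabled` symlink behind on already-deployed hosts, where the old `server_name mailman.crans.org` blocks would coexist with whatever the nginx role now generates — if the role writes its site under a different filename, those two paths belong in the same cleanup. A cleanup task along these lines would make the migration idempotent; note this role's own "Restart nginx" handler is removed in this commit, so the reload has to come from the nginx role.
```yaml
- name: Remove files left by the previous motd/nginx layout
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/update-motd.d/04-mailman3
    # add the stale sites-available/sites-enabled/mailman3 paths here if the nginx role uses another filename

# … unchanged: "Indicate role in motd" task …
```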


@ -1,23 +0,0 @@
{{ ansible_header | comment }}
# To generate the certificate, please use the following command
# certbot --config /etc/letsencrypt/conf.d/mailman.ini certonly
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = {{ mailman3.site_owner }}
# Uncomment to use a text interface instead of ncurses
text = True
# Use DNS-01 challenge
authenticator = nginx
# Domains
cert-name = mailman.crans.org
domains = mailman.crans.org


@ -1,76 +0,0 @@
{{ ansible_header | comment }}
upstream mailman3 {
server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
}
# Local hyperkitty API
server {
listen 80;
listen [::]:80;
server_name localhost;
location / {
uwsgi_pass mailman3;
include /etc/nginx/uwsgi_params;
}
# Log into separate log files
access_log /var/log/nginx/mailman3_access.log combined;
error_log /var/log/nginx/mailman3_error.log;
}
# Redirect http://mailman.crans.org to https://mailman.crans.org
server {
listen 80;
listen [::]:80;
server_name mailman.crans.org;
location / {
return 302 https://$host$request_uri;
}
}
# Reverse proxify https://mailman.crans.org to UWSGI
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mailman.crans.org;
server_tokens off;
# SSL common conf
ssl_certificate /etc/letsencrypt/live/crans.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/crans.org/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/letsencrypt/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/crans.org/chain.pem;
location / {
uwsgi_pass mailman3;
include /etc/nginx/uwsgi_params;
}
location /mailman3/static {
alias /var/lib/mailman3/web/static;
}
location /mailman3/static/favicon.ico {
alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
}
# Log into separate log files
access_log /var/log/nginx/mailman3_access.log combined;
error_log /var/log/nginx/mailman3_error.log;
}


@ -91,8 +91,8 @@ server {
listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf";
{% else -%}
listen 80 default;
listen [::]:80 default;
listen 80{% if server.default is defined and server.default %} default_server{% endif %};
listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %};
{% endif -%}
server_name {{ server.server_name|join(" ") }};
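Review bot: With `default_server` now emitted per entry, two items in `nginx.servers` that both set `default: true` for the same address:port make nginx reject the whole config with a duplicate default server error, and nothing in the template or the variable layout guards against it; a line in the role's defaults or README stating that at most one server per port may set `default` would prevent a broken reload. On style, the same `{% if server.default is defined and server.default %} default_server{% endif %}` expression is now repeated on the two plain-HTTP lines and on the SSL lines above; a single `{% set default_server = ' default_server' if server.default | default(false) else '' %}` at the top of the server loop and `listen 80{{ default_server }};` reads cleaner and keeps the four listen lines in step. The enclosing `server {` block starts before this hunk.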