From ae36169565358c581751259fa7e038a01a351168 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 11 Jul 2020 15:12:32 +0200
Subject: [PATCH] Mailman3 web config

---
 plays/mailman.yml | 4 +
 roles/mailman3/tasks/main.yml | 19 +-
 .../templates/mailman3/mailman-web.py.j2 | 193 ++++++++++++++++++
 .../nginx/sites-available/mailman3.j2 | 2 +-
 4 files changed, 211 insertions(+), 7 deletions(-)
 create mode 100644 roles/mailman3/templates/mailman3/mailman-web.py.j2

diff --git a/plays/mailman.yml b/plays/mailman.yml
index 2cdd78c8..2a92b80c 100755
--- a/plays/mailman.yml
+++ b/plays/mailman.yml
@@ -29,5 +29,9 @@
 site_owner: root@crans.org
 database_pass: "{{ vault_mailman3_database_pass }}"
 restadmin_pass: "{{ vault_mailman3_restadmin_pass }}"
+ archiver_key: "{{ vault_mailman3_archiver_key }}"
+ web_secret_key: "{{ vault_mailman3_web_secret_key }}"
+ web_database_pass: "{{ vault_mailman3_web_database_pass }}"
+ web_domain: "mailman.crans.org"
 roles:
 - mailman3
diff --git a/roles/mailman3/tasks/main.yml b/roles/mailman3/tasks/main.yml
index 9b847778..9cd50c03 100644
--- a/roles/mailman3/tasks/main.yml
+++ b/roles/mailman3/tasks/main.yml
@@ -13,7 +13,7 @@
 until: apt_result is succeeded
 # You will need to setup postgres
-# sudo -u postgres createuser -W mailman3
+# sudo -u postgres createuser -P mailman3
 # sudo -u postgres createdb -O mailman3 mailman3
 # Test with : psql -U mailman3 -W -d mailman3 -h localhost
 - name: Configure mailman3
@@ -25,11 +25,18 @@
 group: list
 notify: Restart mailman3
-#- name: Configure mailman3-web
-# template:
-# src: mailman3/mailman3-web.py.j2
-# dest: /etc/mailman3/mailman3-web.py
-# notify: Restart mailman3-web
+# You will need to setup postgres
+# sudo -u postgres createuser -P mailman3web
+# sudo -u postgres createdb -O mailman3web mailman3web
+# Test with : psql -U mailman3web -W -d mailman3web -h localhost
+- name: Configure mailman3-web
+ template:
+ src: mailman3/mailman-web.py.j2
+ dest: /etc/mailman3/mailman-web.py
+ mode: 0640
+ owner: root
+ group: www-data
+ notify: Restart mailman3-web
 - name: Configure nginx site
 template:
diff --git a/roles/mailman3/templates/mailman3/mailman-web.py.j2 b/roles/mailman3/templates/mailman3/mailman-web.py.j2
new file mode 100644
index 00000000..e93956eb
--- /dev/null
+++ b/roles/mailman3/templates/mailman3/mailman-web.py.j2
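Review bot: The rendered `/etc/mailman3/mailman-web.py` carries the Django `SECRET_KEY`, the Mailman REST admin password, the archiver key and the web database password, and the new task makes it readable by the whole `www-data` group (`mode: 0640`, `group: www-data`). The REST admin credential in particular grants full control of Mailman core, so any other process that runs as or belongs to `www-data` on this host (nginx workers, other web apps) can read it; if the mailman3-web uwsgi instance runs under a dedicated account, point `group:` at that account's group instead, and otherwise document why `www-data` is the right reader with a comment such as `# mailman3-web's uwsgi runs as www-data and must read the secrets below`. Because the template output contains secrets, consider `diff: false` on this task so `--diff`/check runs do not print them into logs. The `Restart mailman3-web` handler it notifies is not in this hunk; make sure it exists, since the previously commented-out task referenced the same name.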
@@ -0,0 +1,193 @@
+{{ ansible_header | comment }}
+
+# This file is imported by the Mailman Suite. It is used to override
+# the default settings from /usr/share/mailman3-web/settings.py.
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = '{{ mailman3.web_secret_key }}'
+
+ADMINS = (
+ ('Mailman Suite Admin', '{{ mailman3.site_owner }}'),
+)
+
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
+# Set to '*' per default in the Deian package to allow all hostnames. Mailman3
+# is meant to run behind a webserver reverse proxy anyway.
+ALLOWED_HOSTS = [
+ "localhost", # Archiving API from Mailman, keep it.
+ "{{ mailman3.web_domain }}",
+ # Add here all production URLs you may have.
+ #'*'
+]
+
+# Mailman API credentials
+MAILMAN_REST_API_URL = 'http://localhost:8001'
+MAILMAN_REST_API_USER = 'restadmin'
+MAILMAN_REST_API_PASS = '{{ mailman3.restadmin_pass }}'
+MAILMAN_ARCHIVER_KEY = '{{ mailman3.archiver_key }}'
+MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1')
+
+# Application definition
+
+INSTALLED_APPS = (
+ 'hyperkitty',
+ 'postorius',
+ 'django_mailman3',
+ # Uncomment the next line to enable the admin:
+ 'django.contrib.admin',
+ # Uncomment the next line to enable admin documentation:
+ # 'django.contrib.admindocs',
+ 'django.contrib.auth',
+ 'django.contrib.contenttypes',
+ 'django.contrib.sessions',
+ 'django.contrib.sites',
+ 'django.contrib.messages',
+ 'django.contrib.staticfiles',
+ 'rest_framework',
+ 'django_gravatar',
+ 'compressor',
+ 'haystack',
+ 'django_extensions',
+ 'django_q',
+ 'allauth',
+ 'allauth.account',
+ 'allauth.socialaccount',
+ #'django_mailman3.lib.auth.fedora',
+ #'allauth.socialaccount.providers.openid',
+ #'allauth.socialaccount.providers.github',
+ #'allauth.socialaccount.providers.gitlab',
+ #'allauth.socialaccount.providers.google',
+ #'allauth.socialaccount.providers.facebook',
+ #'allauth.socialaccount.providers.twitter',
+ #'allauth.socialaccount.providers.stackexchange',
+)
+
+
+# Database
+# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
+
+DATABASES = {
+ 'default': {
+ # Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
+ #'ENGINE': 'django.db.backends.sqlite3',
+ 'ENGINE': 'django.db.backends.postgresql_psycopg2',
+ #'ENGINE': 'django.db.backends.mysql',
+ # DB name or path to database file if using sqlite3.
+ 'NAME': 'mailman3web',
+ # The following settings are not used with sqlite3:
+ 'USER': 'mailman3web',
+ 'PASSWORD': '{{ mailman3.web_database_pass }}',
+ # HOST: empty for localhost through domain sockets or '127.0.0.1' for
+ # localhost through TCP.
+ 'HOST': '127.0.0.1',
+ # PORT: set to empty string for default.
+ 'PORT': '',
+ # OPTIONS: Extra parameters to use when connecting to the database.
+ 'OPTIONS': {
+ # Set sql_mode to 'STRICT_TRANS_TABLES' for MySQL. See
+ # https://docs.djangoproject.com/en/1.11/ref/
+ # databases/#setting-sql-mode
+ #'init_command': "SET sql_mode='STRICT_TRANS_TABLES'",
+ },
+ }
+}
+
+
+# If you're behind a proxy, use the X-Forwarded-Host header
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
+USE_X_FORWARDED_HOST = True
+
+# And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
+# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
+
+# Other security settings
+# SECURE_SSL_REDIRECT = True
+# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
+# contains at least this line:
+# SECURE_REDIRECT_EXEMPT = [
+# "archives/api/mailman/.*", # Request from Mailman.
+# ]
+# SESSION_COOKIE_SECURE = True
+# SECURE_CONTENT_TYPE_NOSNIFF = True
+# SECURE_BROWSER_XSS_FILTER = True
+# CSRF_COOKIE_SECURE = True
+# CSRF_COOKIE_HTTPONLY = True
+# X_FRAME_OPTIONS = 'DENY'
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/1.8/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+USE_L10N = True
+USE_TZ = True
+
+
+# Set default domain for email addresses.
+EMAILNAME = 'crans.org' # A changer en prod
+
+# If you enable internal authentication, this is the address that the emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
+# DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
+DEFAULT_FROM_EMAIL = 'contact@{}'.format(EMAILNAME)
+
+# If you enable email reporting for error messages, this is where those emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
+# SERVER_EMAIL = 'root@your-domain.org'
+SERVER_EMAIL = 'root@{}'.format(EMAILNAME)
+
+
+# Django Allauth
+ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
+
+
+#
+# Social auth
+#
+SOCIALACCOUNT_PROVIDERS = {
+ #'openid': {
+ # 'SERVERS': [
+ # dict(id='yahoo',
+ # name='Yahoo',
+ # openid_url='http://me.yahoo.com'),
+ # ],
+ #},
+ #'google': {
+ # 'SCOPE': ['profile', 'email'],
+ # 'AUTH_PARAMS': {'access_type': 'online'},
+ #},
+ #'facebook': {
+ # 'METHOD': 'oauth2',
+ # 'SCOPE': ['email'],
+ # 'FIELDS': [
+ # 'email',
+ # 'name',
+ # 'first_name',
+ # 'last_name',
+ # 'locale',
+ # 'timezone',
+ # ],
+ # 'VERSION': 'v2.4',
+ #},
+}
+
+# On a production setup, setting COMPRESS_OFFLINE to True will bring a
+# significant performance improvement, as CSS files will not need to be
+# recompiled on each requests. It means running an additional "compress"
+# management command after each code upgrade.
+# http://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
+COMPRESS_OFFLINE = True
+
+POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'
+
diff --git a/roles/mailman3/templates/nginx/sites-available/mailman3.j2 b/roles/mailman3/templates/nginx/sites-available/mailman3.j2
index a6799a3c..c243b591 100644
--- a/roles/mailman3/templates/nginx/sites-available/mailman3.j2
+++ b/roles/mailman3/templates/nginx/sites-available/mailman3.j2
@@ -1,6 +1,6 @@
 {{ ansible_header | comment }}
-stream mailman3 {
+upstream mailman3 {
 server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
 }
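Review bot: `SECURE_PROXY_SSL_HEADER` is assigned twice in a row in the new settings file, so only the second value (`HTTP_X_FORWARDED_SCHEME`) is in effect; if the nginx site sends the usual `X-Forwarded-Proto` header (its `proxy_set_header` lines are not in this patch, so this is an inference), Django will treat every request as plain HTTP, which disables the HTTPS-only CSRF referer check and breaks any secure-cookie setting later enabled, while a client could also forge whichever header the proxy does not overwrite. Keep a single line that matches what nginx actually sets, e.g. `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`, and make sure the nginx template sets that header unconditionally from `$scheme`. Since `ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"` declares the site is served over TLS, `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` (and `SECURE_CONTENT_TYPE_NOSNIFF`, `X_FRAME_OPTIONS = 'DENY'`) should be uncommented rather than left as the shipped defaults. The French note on `EMAILNAME = 'crans.org'  # A changer en prod` ("to change in production") contradicts the production value being templated here; either drop it or replace it with `# Domain used for DEFAULT_FROM_EMAIL and SERVER_EMAIL below`.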