Certbot on mailman3

network.yml

@@ -52,7 +52,6 @@
         - {from: grafana.crans.org, to: "10.231.136.102:3000"}
         - {from: webirc.crans.org, to: "10.231.136.1:9000"}
         - {from: framadate.crans.org, to: 10.231.136.153}
-        - {from: mailman.crans.org, to: 10.231.136.180}
 
         # Zamok
         - {from: install-party.crans.org, to: 10.231.136.1}

roles/mailman3/tasks/main.yml

@@ -11,6 +11,8 @@
       - postgresql
       - python3-pip  # CAS
       - python3-lxml  # CAS
+      - certbot  # cert
+      - python3-certbot-nginx
     install_recommends: false
   register: apt_result
   retries: 3
@@ -59,6 +61,17 @@
     state: link
   notify: Restart nginx
 
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
+- name: Add Certbot configuration
+  template:
+    src: "letsencrypt/conf.d/mailman.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/mailman.ini"
+    mode: 0644
+
 - name: Indicate role in motd
   template:
     src: update-motd.d/05-service.j2

roles/mailman3/templates/letsencrypt/conf.d/mailman.ini.j2

@@ -0,0 +1,23 @@
+{{ ansible_header | comment }}
+
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/mailman.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ mailman3.site_owner }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use DNS-01 challenge
+authenticator = nginx
+
+# Domains
+cert-name = mailman.crans.org
+domains = mailman.crans.org

roles/mailman3/templates/nginx/sites-available/mailman3.j2

@@ -4,12 +4,42 @@ upstream mailman3 {
     server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
 }
 
+# Redirect http://mailman.crans.org to https://mailman.crans.org
 server {
     listen 80;
     listen [::]:80;
-    server_name mailman.crans.org mailman.adm.crans.org localhost;
+
+    server_name mailman.crans.org localhost;
+
+    location / {
+        return 302 https://$host$request_uri;
+    }
+}
+
+# Reverse proxify https://mailman.crans.org to UWSGI
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name mailman.crans.org localhost;
     server_tokens off;
 
+    # SSL common conf
+    ssl_certificate /etc/letsencrypt/live/mailman.crans.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mailman.crans.org/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+    ssl_dhparam /etc/letsencrypt/dhparam;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/mailman.crans.org/chain.pem;
+
     location / {
         uwsgi_pass mailman3;
         include /etc/nginx/uwsgi_params;
@@ -23,6 +53,7 @@ server {
         alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
     }
 
+    # Log into separate log files
     access_log /var/log/nginx/mailman3_access.log combined;
     error_log /var/log/nginx/mailman3_error.log;
 }

roles/postfix-mailman3/tasks/main.yml

@@ -15,7 +15,7 @@
     mode: 0644
     owner: root
     group: root
-  loop: []
+  loop:
     - main.cf
   notify: Restart postfix
 

roles/postfix-mailman3/templates/postfix/main.cf.j2

@@ -30,8 +30,8 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 
-# Send to main mail server
-relayhost = smtp.adm.crans.org
+# All non local mail is sent to domain MX
+relayhost = $mydomain
 
 # Only localhost
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128