---
loc_nginx:
  service_name: mailman3
  upstreams:
    - name: mailman3
      server: unix:/run/mailman3-web/uwsgi.sock fail_timeout=0
  servers:
    - ssl: false
      server_name:
        - localhost
      locations:
        - filter: /
          params:
            - uwsgi_pass mailman3
            - include /etc/nginx/uwsgi_params

    - ssl: false
      default: true
      server_name:
        - lists.crans.org
      locations:
        - filter: /
          params:
            - uwsgi_pass mailman3
            - include /etc/nginx/uwsgi_params
            - satisfy any
            - allow 185.230.76.0/22
            - allow 2a0c:700:0::/40
            - deny all
            - auth_basic "On n'aime pas les spambots, donc on a mis un mot de passe. Le login est Stop et le mot de passe est Spam."
            - auth_basic_user_file /etc/nginx/passwd
            - error_page 401 /error/401.html

        - filter: /mailman3/static
          params:
            - alias /var/lib/mailman3/web/static

        - filter: /mailman3/static/favicon.ico
          params:
            - alias /var/lib/mailman3/web/static/postorius/img/favicon.ico

        - filter: /error/
          params:
            - internal
            - alias /var/www/html/

        - filter: /robots.txt
          params:
            - alias /var/www/robots.txt

  auth_passwd:
    Stop: $apr1$NXaV5H7Q$J3ora3Jo5h775Y1nm93PN1  # Spam
  deploy_robots_file: true

glob_mailman3:
  site_owner: root@crans.org
  database:
    user: mailman3
    pass: "{{ vault.mailman3.database.pass }}"
    host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
    port: 5432
    name: mailman3
  web_database:
    user: mailman3web
    pass: "{{ vault.mailman3.web_database.pass }}"
    host: "{{ query('ldap', 'ip', 'tealc', 'adm') | ansible.utils.ipv4 | first }}"
    port: 5432
    name: mailman3web
  restadmin_pass: "{{ vault.mailman3.restadmin_pass }}"
  archiver_key: "{{ vault.mailman3.archiver_key }}"
  web_secret_key: "{{ vault.mailman3.web_secret_key }}"
  web_domains:
    - lists.crans.org
  default_domain: lists.crans.org
  postfix_domain: crans.org

loc_opendkim:
  domain: lists.crans.org
  selector: lists
  signing:
    - "*@lists.crans.org"
  sender_headers: List-Post,Sender,From
  txt_record: |
    lists._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7jkgGjxZvQDbgFIuqb59lt7O1Jg6DFTSBxFlTfBW+3MF+AFjBR3AZ/UXwDA1vH4UTZqq0fWN6y6wqE/F7+HDjpqZGGuygZWTGVbBxwiKSjc2kq2mz7kLisE3a/jP8kyQDdb7fWrtTw9fxYu+Ygs0744otjRsui/ZK6zbrO8XQfd5UYnj4IGALeIuVFVLmwTY+VL/xWR/UjcfxgAprRfH0ec8PGlrxhpeLhUSJxw3Q6QfTnDsIpWLfJdgxILGa58TmhH6d+faxa1OIP37wswPjkDykmMFsCQJX9P7mXXR0+1FIRhhNpfCRXXj37udbIezDEMfA15rWSoYinPU+x7i6LhfJD7G40p1oDBiaOimZ8D/PUDAtoWRQeFiNOOQmNqDaVwlaOMvIZH2ZFD2I0eJIDb2FBYqhTb5GVyhKPePqT5FZE0s8SXqvYRNUWHuomS79kfo4TC74UPlavIbyCVTFlLi5ujc5RANm/FuH2w3ns1+YAlCeoblzwVdgN+h4/DI5kI88+0Hf+HCfQg+rPQL7ak7Wszo0iWvYUZ8t+IPbNDcVm5YI6koqkWGgfMrC0bDI5r+ZQACK15Fi6x3tV0umhytgRQWG9MyK61diNIc1LFsyL2lD0oOAjlpDlVSpUnXKhjRPq4YdaIojlgGSsWsq8sBhQTCY5DNHUuJLL1iPqsCAwEAAQ=="  ; ----- DKIM key lists for lists.crans.org
  private_key: "{{ vault.opendkim['lists.crans.org'].private_key }}"