ansible/roles/mailman3/templates/nginx/sites-available/mailman3.j2

{{ ansible_header | comment }}

upstream mailman3 {
    server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
}

# Local hyperkitty API
server {
    listen 80;
    listen [::]:80;

    server_name localhost;

    location / {
        uwsgi_pass mailman3;
        include /etc/nginx/uwsgi_params;
    }

    # Log into separate log files
    access_log /var/log/nginx/mailman3_access.log combined;
    error_log /var/log/nginx/mailman3_error.log;
}

# Redirect http://mailman.crans.org to https://mailman.crans.org
server {
    listen 80;
    listen [::]:80;

    server_name mailman.crans.org;

    location / {
        return 302 https://$host$request_uri;
    }
}

# Reverse proxify https://mailman.crans.org to UWSGI
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name mailman.crans.org;
    server_tokens off;

    # SSL common conf
    ssl_certificate /etc/letsencrypt/live/crans.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/crans.org/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/dhparam;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Enable OCSP Stapling, point to certificate chain
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/crans.org/chain.pem;

    location / {
        uwsgi_pass mailman3;
        include /etc/nginx/uwsgi_params;
    }

    location /mailman3/static {
        alias /var/lib/mailman3/web/static;
    }

    location /mailman3/static/favicon.ico {
        alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
    }

    # Log into separate log files
    access_log /var/log/nginx/mailman3_access.log combined;
    error_log /var/log/nginx/mailman3_error.log;
}