Check in the rest of the email stuff even though we're not going to use it.
I may delete this later, but this was a ton of work so deleting it seems like
such a waste...
--- a/roles/mail/handlers/main.yaml Wed Jan 11 20:35:41 2023 -0600
+++ b/roles/mail/handlers/main.yaml Wed Jan 11 20:37:16 2023 -0600
@@ -13,5 +13,13 @@
+- name: "reload mailman3"
+- name: "reload mailman3-web"
--- a/roles/mail/meta/main.yaml Wed Jan 11 20:35:41 2023 -0600
+++ b/roles/mail/meta/main.yaml Wed Jan 11 20:37:16 2023 -0600
@@ -3,3 +3,4 @@
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/mail/tasks/apache2.yaml Wed Jan 11 20:37:16 2023 -0600
@@ -0,0 +1,54 @@
+- name: "enable modules"
+ community.general.apache2_module:
+- name: "obtain certificates"
+ certbot --quiet -m root@pidgin.im --no-eff-email --agree-tos
+ --webroot -w /var/www/html/ certonly
+ creates: "/etc/letsencrypt/live/{{ item }}/cert.pem"
+ - "lists.imfreedom.org"
+- name: "enable mod_proxy_uwsgi"
+ command: "a2enmod proxy_uwsgi"
+- name: "install apache configuration"
+ src: "apache-{{ item }}.conf.j2"
+ dest: "/etc/apache2/sites-available/{{ item }}.conf"
+ - "lists.imfreedom.org"
+ register: apache_config
+- name: "enable apache configuration"
+ command: "a2ensite {{ item }}" # noqa 503
+ - "lists.imfreedom.org"
+ when: apache_config.changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
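Review bot: `enable mod_proxy_uwsgi` turns the module on with a bare `command: "a2enmod proxy_uwsgi"`, which reports changed on every run and is inconsistent with the `enable modules` task just above it that already uses `community.general.apache2_module`; add `proxy_uwsgi` to that task's module list instead, or at least give the command `creates: /etc/apache2/mods-enabled/proxy_uwsgi.load`. `enable apache configuration` is gated on `when: apache_config.changed`, so a site whose config was already written by an earlier run (for example one that failed before reaching this task) is never enabled; `creates: "/etc/apache2/sites-enabled/{{ item }}.conf"` expresses the intent directly and makes the `# noqa 503` unnecessary. `obtain certificates` runs before the site configuration is installed, so the webroot challenge under /var/www/html/ appears to depend on whatever vhost already serves that directory — if that is deliberate, a comment on the task would save the next reader the question. The loop item lists are collapsed in this view, so I cannot tell whether lists.pidgin.im is included alongside lists.imfreedom.org.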
+++ b/roles/mail/tasks/mailman.yaml Wed Jan 11 20:37:16 2023 -0600
@@ -0,0 +1,37 @@
+- name: "install mailman3"
+- name: "create mailman postgres database"
+ community.postgresql.postgresql_db:
+ name: "{{ mailman_postgres_database }}"
+ port: "{{ mailman_postgres_port }}"
+ become_user: "postgres"
+- name: "create mailman postgres user"
+ community.postgresql.postgresql_user:
+ db: "{{ mailman_postgres_database }}"
+ name: "{{ mailman_postgres_user }}"
+ password: "{{ mailman_postgres_password }}"
+ port: "{{ mailman_postgres_port }}"
+ become_user: "postgres"
+- name: "copy mailman configuration"
+ dest: /etc/mailman3/mailman.cfg
+ notify: "reload mailman3"
+- name: "copy mailman-web configuration"
+ src: "mailman-web.py.j2"
+ dest: /etc/mailmain/mainman-web.py
+ notify: "reload apache2"
--- a/roles/mail/tasks/main.yaml Wed Jan 11 20:35:41 2023 -0600
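Review bot: `copy mailman-web configuration` writes to `dest: /etc/mailmain/mainman-web.py`, which reads as a typo for `/etc/mailman3/mailman-web.py` — the same directory the `copy mailman configuration` task uses for mailman.cfg — so the rendered settings would never be picked up by mailman3-web. That task also notifies `reload apache2`, while the handlers hunk in this commit adds `reload mailman3-web`; the settings file is read by the uwsgi process rather than by Apache, so `notify: "reload mailman3-web"` looks like the intended handler. `create mailman postgres user` passes `mailman_postgres_password` as a task argument, so it should carry `no_log: true` to keep the value out of play output and logs. Both rendered files hold credentials (database password, REST API password, Django SECRET_KEY), so the template tasks should set `owner`, `group` and `mode` explicitly; those lines are collapsed in this view, so I cannot tell whether they already do.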
+++ b/roles/mail/tasks/main.yaml Wed Jan 11 20:37:16 2023 -0600
@@ -30,3 +30,19 @@
+- include_tasks: "mailman.yaml"
+- include_tasks: "apache2.yaml"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/mail/templates/apache-lists.imfreedom.org.conf.j2 Wed Jan 11 20:37:16 2023 -0600
@@ -0,0 +1,46 @@
+ ServerName lists.imfreedom.org
+ ServerAdmin root@imfreedom.org
+ DocumentRoot /var/www/html
+ <Directory /var/www/html>
+ Options +FollowSymLinks
+ RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*$ [NC]
+ RewriteRule ^(.*)$ https://lists.imfreedom.org/ [R=301]
+ ServerName lists.imfreedom.org
+ ServerAdmin root@imfreedom.org
+ DocumentRoot /var/www/html
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCertificateKeyFile /etc/letsencrypt/live/lists.imfreedom.org/privkey.pem
+ SSLCACertificateFile /etc/letsencrypt/live/lists.imfreedom.org/chain.pem
+ SSLCertificateFile /etc/letsencrypt/live/lists.imfreedom.org/cert.pem
+ RewriteCond %{REQUEST_URI} ^/$
+ RewriteRule (.*) /mailman3/ [R=307]
+ Alias /favicon.ico /var/lib/mailman3/web/static/postorius/img/favicon.ico
+ Alias /static /var/lib/mailman3/web/static
+ <Directory "/var/lib/mailman3/web/static">
+ <IfModule mod_proxy_uwsgi.c>
+ ProxyPass /favicon.ico !
+ ProxyPass / unix:/run/mailman3-web/uwsgi.sock|uwsgi://localhost/
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
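Review bot: The TLS vhost proxies everything with `ProxyPass / unix:/run/mailman3-web/uwsgi.sock|uwsgi://localhost/` but only excludes `/favicon.ico`, so requests under `/static` are handed to uwsgi instead of being served from the `Alias /static` directory (a ProxyPass prefix wins over an Alias unless it is excluded); add `ProxyPass /static !` next to the favicon exclusion, as the lists.pidgin.im template already does for `/mailman3/static`. In both this template and apache-lists.pidgin.im.conf.j2 the HTTP-to-HTTPS rule `RewriteRule ^(.*)$ https://lists.imfreedom.org/ [R=301]` discards the requested path, so an archive link shared over plain http lands on the front page; `RewriteRule ^ https://lists.imfreedom.org%{REQUEST_URI} [R=301,L]` keeps it. Neither TLS vhost emits `Header always set Strict-Transport-Security "max-age=<constructed value>"`, and since mailman-web.py.j2 leaves SECURE_PROXY_SSL_HEADER commented out the proxy is currently the only layer asserting HTTPS. The vhost's directive order and the body of the `<Directory>` blocks are collapsed in this view, so their access rules could not be checked.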
+++ b/roles/mail/templates/apache-lists.pidgin.im.conf.j2 Wed Jan 11 20:37:16 2023 -0600
@@ -0,0 +1,46 @@
+ ServerName lists.pidgin.im
+ ServerAdmin root@pidgin.im
+ DocumentRoot /var/www/html
+ <Directory /var/www/html>
+ Options +FollowSymLinks
+ RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*$ [NC]
+ RewriteRule ^(.*)$ https://lists.pidgin.im/ [R=301]
+ ServerName lists.pidgin.im
+ ServerAdmin root@pidgin.im
+ DocumentRoot /var/www/html
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCertificateKeyFile /etc/letsencrypt/live/lists.pidgin.im/privkey.pem
+ SSLCACertificateFile /etc/letsencrypt/live/lists.pidgin.im/chain.pem
+ SSLCertificateFile /etc/letsencrypt/live/lists.pidgin.im/cert.pem
+ RewriteCond %{REQUEST_URI} ^/$
+ RewriteRule (.*) /mailman3/ [R=307]
+ Alias /mailman3/favicon.ico /var/lib/mailman3/web/static/postorius/img/favicon.ico
+ Alias /mailman3/static /var/lib/mailman3/web/static
+ <Directory "/var/lib/mailman3/web/static">
+ <IfModule mod_proxy_uwsgi.c>
+ ProxyPass /mailman3/favicon.ico !
+ ProxyPass /mailman3/static !
+ ProxyPass /mailman3/ unix:/run/mailman3-web/uwsgi.sock|uwsgi://localhost/
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/mail/templates/mailman-web.py.j2 Wed Jan 11 20:37:16 2023 -0600
@@ -0,0 +1,190 @@
+# This file is imported by the Mailman Suite. It is used to override
+# the default settings from /usr/share/mailman3-web/settings.py.
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = '{{ mailman_web_secret_key }}'
+ ('Mailman Suite Admin', 'root@pidgin.im'),
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
+# Set to '*' per default in the Deian package to allow all hostnames. Mailman3
+# is meant to run behind a webserver reverse proxy anyway.
+ #"localhost", # Archiving API from Mailman, keep it.
+ # "lists.your-domain.org",
+ # Add here all production URLs you may have.
+# Mailman API credentials
+MAILMAN_REST_API_URL = 'http://localhost:8001'
+MAILMAN_REST_API_USER = '{{ mailman_web_rest_api_user }}'
+MAILMAN_REST_API_PASS = '{{ mailman_web_rest_api_pass }}'
+MAILMAN_ARCHIVER_KEY = '{{ mailman_web_archiver_key }}'
+MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1')
+# Application definition
+ # Uncomment the next line to enable the admin:
+ 'django.contrib.admin',
+ # Uncomment the next line to enable admin documentation:
+ # 'django.contrib.admindocs',
+ 'django.contrib.contenttypes',
+ 'django.contrib.sessions',
+ 'django.contrib.sites',
+ 'django.contrib.messages',
+ 'django.contrib.staticfiles',
+ 'allauth.socialaccount',
+ 'django_mailman3.lib.auth.fedora',
+ #'allauth.socialaccount.providers.openid',
+ #'allauth.socialaccount.providers.github',
+ #'allauth.socialaccount.providers.gitlab',
+ #'allauth.socialaccount.providers.google',
+ #'allauth.socialaccount.providers.facebook',
+ #'allauth.socialaccount.providers.twitter',
+ #'allauth.socialaccount.providers.stackexchange',
+# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
+ # Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'. 
+ 'ENGINE': 'django.db.backends.sqlite3',
+ #'ENGINE': 'django.db.backends.postgresql_psycopg2',
+ #'ENGINE': 'django.db.backends.mysql',
+ # DB name or path to database file if using sqlite3.
+ 'NAME': '/var/lib/mailman3/web/mailman3web.db',
+ # The following settings are not used with sqlite3:
+ # HOST: empty for localhost through domain sockets or '127.0.0.1' for
+ # localhost through TCP.
+ # PORT: set to empty string for default.
+ # OPTIONS: Extra parameters to use when connecting to the database.
+ # Set sql_mode to 'STRICT_TRANS_TABLES' for MySQL. See
+ # https://docs.djangoproject.com/en/1.11/ref/
+ # databases/#setting-sql-mode
+ #'init_command': "SET sql_mode='STRICT_TRANS_TABLES'",
+# If you're behind a proxy, use the X-Forwarded-Host header
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
+USE_X_FORWARDED_HOST = True
+# And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
+# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
+# Other security settings
+# SECURE_SSL_REDIRECT = True
+# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
+# contains at least this line:
+# SECURE_REDIRECT_EXEMPT = [
+# "archives/api/mailman/.*", # Request from Mailman.
+# SESSION_COOKIE_SECURE = True
+# SECURE_CONTENT_TYPE_NOSNIFF = True
+# SECURE_BROWSER_XSS_FILTER = True
+# CSRF_COOKIE_SECURE = True
+# CSRF_COOKIE_HTTPONLY = True
+# X_FRAME_OPTIONS = 'DENY'
+# https://docs.djangoproject.com/en/1.8/topics/i18n/
+# Set default domain for email addresses.
+EMAILNAME = 'localhost.local'
+# If you enable internal authentication, this is the address that the emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected. 
+# https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
+# DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
+DEFAULT_FROM_EMAIL = 'postorius@{}'.format(EMAILNAME)
+# If you enable email reporting for error messages, this is where those emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
+# SERVER_EMAIL = 'root@your-domain.org'
+SERVER_EMAIL = 'root@{}'.format(EMAILNAME)
+ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
+SOCIALACCOUNT_PROVIDERS = {
+ # openid_url='http://me.yahoo.com'),
+ # 'SCOPE': ['profile', 'email'],
+ # 'AUTH_PARAMS': {'access_type': 'online'},
+# On a production setup, setting COMPRESS_OFFLINE to True will bring a
+# significant performance improvement, as CSS files will not need to be
+# recompiled on each requests. It means running an additional "compress"
+# management command after each code upgrade.
+# http://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
+POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
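Review bot: `USE_X_FORWARDED_HOST = True` acknowledges that Django runs behind the Apache proxy, but `SECURE_PROXY_SSL_HEADER` stays commented out, so `request.is_secure()` is false for every request even though the vhosts only serve HTTPS; enable `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` together with a `RequestHeader set X-Forwarded-Proto "https"` in the TLS vhosts (mod_proxy does not add that header on its own), and uncomment `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` so the cookies cannot be sent over plain HTTP. `EMAILNAME = 'localhost.local'` feeds both DEFAULT_FROM_EMAIL and SERVER_EMAIL, and the file's own comment warns that mail from a non-valid domain may be rejected; one of the list domains belongs here. The ALLOWED_HOSTS assignment is collapsed in this view — with USE_X_FORWARDED_HOST enabled it should name the two list hostnames rather than the Debian default `'*'`, since the forwarded Host is what gets validated. `POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'` assumes the `/mailman3/` prefix that only the lists.pidgin.im vhost proxies; the lists.imfreedom.org vhost proxies at `/`, so one of the two looks wrong.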
+++ b/roles/mail/templates/mailman.cfg.j2 Wed Jan 11 20:37:16 2023 -0600
@@ -0,0 +1,272 @@
+# Copyright (C) 2008-2017 by the Free Software Foundation, Inc.
+# This file is part of GNU Mailman.
+# GNU Mailman is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# GNU Mailman is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# You should have received a copy of the GNU General Public License along with
+# GNU Mailman. If not, see <http://www.gnu.org/licenses/>.
+# This file contains the Debian configuration for mailman. It uses ini-style
+# formats under the lazr.config regime to define all system configuration
+# options. See <https://launchpad.net/lazr.config> for details.
+# This address is the "site owner" address. Certain messages which must be
+# delivered to a human, but which can't be delivered to a list owner (e.g. a
+# bounce from a list owner), will be sent to this address. It should point to
+site_owner: {{ mailman_site_owner }}
+# This is the local-part of an email address used in the From field whenever a
+# message comes from some entity to which there is no natural reply recipient.
+# Mailman will append '@' and the host name of the list involved. This
+# address must not bounce and it must not point to a Mailman process.
+noreply_address: noreply
+# The default language for this server.
+# Membership tests for posting purposes are usually performed by looking at a
+# set of headers, passing the test if any of their values match a member of
+# the list. Headers are checked in the order given in this variable. The
+# value From_ means to use the envelope sender. Field names are case
+# insensitive. This is a space separate list of headers. 
+sender_headers: from from_ reply-to sender
+# Mail command processor will ignore mail command lines after designated max.
+email_commands_max_lines: 10
+# Default length of time a pending request is live before it is evicted from
+pending_request_life: 3d
+# How long should files be saved before they are evicted from the cache?
+# A callable to run with no arguments early in the initialization process.
+# This runs before database initialization.
+# A callable to run with no arguments late in the initialization process.
+# This runs after adapters are initialized.
+# Which paths.* file system layout to use.
+# You should not change this variable.
+# Can MIME filtered messages be preserved by list owners?
+filtered_messages_are_preservable: no
+# How should text/html parts be converted to text/plain when the mailing list
+# is set to convert HTML to plaintext? This names a command to be called,
+# where the substitution variable $filename is filled in by Mailman, and
+# contains the path to the temporary file that the command should read from.
+# The command should print the converted text to stdout.
+html_to_plain_text_command: /usr/bin/lynx -dump $filename
+# Specify what characters are allowed in list names. Characters outside of
+# the class [-_.+=!$*{}~0-9a-z] matched case insensitively are never allowed,
+# but this specifies a subset as the only allowable characters. This must be
+# a valid character class regexp or the effect on list creation is
+listname_chars: [-_.0-9a-z]
+# `mailman shell` (also `withlist`) gives you an interactive prompt that you
+# can use to interact with an initialized and configured Mailman system. Use
+# --help for more information. This section allows you to configure certain
+# aspects of this interactive shell.
+# Customize the interpreter prompt.
+# Banner to show on startup.
+banner: Welcome to the GNU Mailman shell
+# Use IPython as the shell, which must be found on the system. 
Valid values
+# are `no`, `yes`, and `debug` where the latter is equivalent to `yes` except
+# that any import errors will be displayed to stderr.
+# Set this to allow for command line history if readline is available. This
+# can be as simple as $var_dir/history.py to put the file in the var directory.
+# Important directories for Mailman operation. These are defined here so that
+# different layouts can be supported. For example, a developer layout would
+# be different from a FHS layout. Most paths are based off the var_dir, and
+# often just setting that will do the right thing for all the other paths.
+# You might also have to set spool_dir though.
+# Substitutions are allowed, but must be of the form $var where 'var' names a
+# configuration variable in the paths.* section. Substitutions are expanded
+# recursively until no more $-variables are present. Beware of infinite
+# This is the root of the directory structure that Mailman will use to store
+var_dir: /var/lib/mailman3
+# This is where the Mailman queue files directories will be created.
+queue_dir: $var_dir/queue
+# This is the directory containing the Mailman 'runner' and 'master' commands
+# if set to the string '$argv', it will be taken as the directory containing
+# the 'mailman' command.
+bin_dir: /usr/lib/mailman3/bin
+# All list-specific data.
+list_data_dir: $var_dir/lists
+# Directory where log files go.
+log_dir: /var/log/mailman3
+# Directory for system-wide locks.
+lock_dir: $var_dir/locks
+# Directory for system-wide data.
+cache_dir: $var_dir/cache
+# Directory for configuration files and such.
+# Directory containing Mailman plugins.
+# Directory where the default IMessageStore puts its messages.
+messages_dir: $var_dir/messages
+# Directory for archive backends to store their messages in. Archivers should
+# create a subdirectory in here to store their files.
+archive_dir: $var_dir/archives
+# Root directory for site-specific template override files. 
+template_dir: $var_dir/templates
+# There are also a number of paths to specific file locations that can be
+# defined. For these, the directory containing the file must already exist,
+# or be one of the directories created by Mailman as per above.
+# This is where PID file for the master runner is stored.
+pid_file: /run/mailman3/master.pid
+lock_file: $lock_dir/master.lck
+# The class implementing the IDatabase.
+#class: mailman.database.sqlite.SQLiteDatabase
+#class: mailman.database.mysql.MySQLDatabase
+class: mailman.database.postgresql.PostgreSQLDatabase
+# Use this to set the Storm database engine URL. You generally have one
+# primary database connection for all of Mailman. List data and most rosters
+# will store their data in this database, although external rosters may access
+# other databases in their own way. This string supports standard
+# 'configuration' substitutions.
+#url: sqlite:///$DATA_DIR/mailman.db
+#url: mysql+pymysql://mailman3:mmpass@localhost/mailman3?charset=utf8&use_unicode=1
+#url: postgres://mailman3:mmpass@localhost/mailman3
+url: postgres://{{ mailman_postgres_user }}:{{ mailman_postgres_password }}@{{ mailman_postgres_server }}:{{ mailman_postgres_port }}/{{ mailman_postgres_database }}
+# This defines various log settings. The options available are:
+# - level -- Overrides the default level; this may be any of the
+# standard Python logging levels, case insensitive.
+# - format -- Overrides the default format string
+# - datefmt -- Overrides the default date format string
+# - path -- Overrides the default logger path. This may be a relative
+# path name, in which case it is relative to Mailman's LOG_DIR,
+# or it may be an absolute path name. You cannot change the
+# handler class that will be used.
+# - propagate -- Boolean specifying whether to propagate log message from this
+# logger to the root "mailman" logger. You cannot override
+# settings for the root logger. 
+# In this section, you can define defaults for all loggers, which will be
+# prefixed by 'mailman.'. Use subsections to override settings for specific
+# loggers. The names of the available loggers are:
+# - archiver -- All archiver output
+# - bounce -- All bounce processing logs go here
+# - config -- Configuration issues
+# - database -- Database logging (SQLAlchemy and Alembic)
+# - debug -- Only used for development
+# - error -- All exceptions go to this log
+# - fromusenet -- Information related to the Usenet to Mailman gateway
+# - http -- Internal wsgi-based web interface
+# - locks -- Lock state changes
+# - mischief -- Various types of hostile activity
+# - runner -- Runner process start/stops
+# - smtp -- Successful SMTP activity
+# - smtp-failure -- Unsuccessful SMTP activity
+# - subscribe -- Information about leaves/joins
+# - vette -- Message vetting information
+format: %(asctime)s (%(process)d) %(message)s
+datefmt: %b %d %H:%M:%S %Y
+# The hostname at which admin web service resources are exposed.
+# The port at which the admin web service resources are exposed.
+# Whether or not requests to the web service are secured through SSL.
+# Whether or not to show tracebacks in an HTTP response for a request that
+# The API version number for the current (highest) API.
+# The administrative username.
+admin_user: {{ mailman_admin_user }}
+# The administrative password.
+admin_pass: {{ mailman_admin_pass }}
+# The class defining the interface to the incoming mail transport agent.
+#incoming: mailman.mta.exim4.LMTP
+incoming: mailman.mta.postfix.LMTP
+# The callable implementing delivery to the outgoing mail transport agent.
+# This must accept three arguments, the mailing list, the message, and the
+# message metadata dictionary.
+outgoing: mailman.mta.deliver.deliver
+# How to connect to the outgoing MTA. If smtp_user and smtp_pass is given,
+# then Mailman will attempt to log into the MTA when making a new connection. 
+# Where the LMTP server listens for connections. Use 127.0.0.1 instead of
+# localhost for Postfix integration, because Postfix only consults DNS
+# (e.g. not /etc/hosts).
+# Where can we find the mail server specific configuration file? The path can
+# be either a file system path or a Python import path. If the value starts
+# with python: then it is a Python import path, otherwise it is a file system
+# path. File system paths must be absolute since no guarantees are made about
+# the current working directory. Python paths should not include the trailing
+# .cfg, which the file must end with.
+#configuration: python:mailman.config.exim4
+configuration: python:mailman.config.postfix
--- a/roles/mail/templates/postfix.main.cf.j2 Wed Jan 11 20:35:41 2023 -0600
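Review bot: The `url:` line splices `mailman_postgres_password` into the connection URL unescaped, so a password containing `@`, `:`, `#` or `%` silently yields a URL that SQLAlchemy parses into a different host, port or database; render the credentials as `url: postgres://{{ mailman_postgres_user | urlencode }}:{{ mailman_postgres_password | urlencode }}@{{ mailman_postgres_server }}:{{ mailman_postgres_port }}/{{ mailman_postgres_database }}` (Jinja's `urlencode` leaves `/` alone, so a slash in the password still needs separate handling). Depending on the SQLAlchemy version installed on the host, the `postgres://` scheme name is no longer recognised and `postgresql://` is the supported spelling — worth a comment on the line, since the commented Debian examples above it use the old name. `admin_pass` is consumed verbatim by lazr.config and needs no escaping, but together with the database password it makes this rendered file credential-bearing, so the task that installs it should restrict the mode; that task's lines are collapsed in mailman.yaml and I cannot see whether it does.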
+++ b/roles/mail/templates/postfix.main.cf.j2 Wed Jan 11 20:37:16 2023 -0600
@@ -86,3 +86,8 @@
+transport_maps = hash:/var/lib/mailman3/data/postfix_lmtp
+local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp
+relay_domains = hash:/var/lib/mailman3/data/postfix_domains
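Review bot: `local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp` replaces Postfix's default recipient lookup (system users and aliases) rather than extending it, so mail to non-list local addresses — including the `root@` contacts this commit configures elsewhere — would be rejected as unknown recipients, unless the two added lines not visible in this view already retain them. The usual form is `local_recipient_maps = proxy:unix:passwd.byname $alias_maps hash:/var/lib/mailman3/data/postfix_lmtp`, which keeps local delivery working while letting Mailman-generated list addresses pass. A short comment stating that these three maps are regenerated by Mailman's postfix integration would also help the next reader, since the files do not exist until mailman has run.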