diff --git a/group_vars/mailman.yml b/group_vars/mailman.yml
index 115215fa45c3df3d51ea31f50f7d2cea64c43ac8..fe7a0de7484a5cce7f0f355cf5f4c52d45b29b65 100644
--- a/group_vars/mailman.yml
+++ b/group_vars/mailman.yml
@@ -18,21 +18,21 @@ loc_nginx:
         - filter: "/error/"
           params:
             - "internal"
-            - "alias /var/www/html"
+            - "alias /var/www/html/"
         - filter: "/create"
           params:
             - "default_type text/html"
-            - "alias /etc/mailman/create.txt"
+            - "alias /etc/mailman/create.html"
         - filter: "~ ^/$"
           params:
             - "return 302 https://lists.crans.org/listinfo"
         - filter: "/"
           params:
-            - "include \"/etc/nginx/snippets/fastcgi.conf\""
+            - "include \"/etc/nginx/snippets/fastcgi-mailman.conf\""
         - filter: "~ ^/listinfo"
           params:
             - "satisfy any"
-            - "include \"/etc/nginx/snippets/fastcgi.conf\""
+            - "include \"/etc/nginx/snippets/fastcgi-mailman.conf\""
             - "allow 185.230.76.0/22"
             - "allow 2a0c:700:0::/40"
             - "deny all"
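Review bot: The snippet path `/etc/nginx/snippets/fastcgi-mailman.conf` is now hard-coded three times in this hunk (the `/`, `~ ^/listinfo` locations) and once more in the `~ ^/admin` location of the next hunk, and it must stay equal to the `dest` in roles/mailman/tasks/main.yml. A single variable referenced from both places would keep them from drifting. Single-quoting the scalar also removes the backslash escapes, for example `- 'include "/etc/nginx/snippets/fastcgi-mailman.conf"'`. The `~ ^/listinfo` params list continues past the end of this hunk, so whatever `satisfy any` is paired with besides the allow/deny rules is not visible here.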
@@ -42,7 +42,7 @@ loc_nginx:
         - filter: "~ ^/admin"
           params:
             - "satisfy any"
-            - "include \"/etc/nginx/snippets/fastcgi.conf\""
+            - "include \"/etc/nginx/snippets/fastcgi-mailman.conf\""
             - "allow 185.230.76.0/22"
             - "allow 2a0c:700:0::/40"
             - "deny all"
diff --git a/host_vars/redisdead.adm.crans.org.yml b/host_vars/redisdead.adm.crans.org.yml
index 8228a1d0f68dc4a674859cef562009440f788244..f562ec360aba3bb7e26b649dd83ccf1312e22cf9 100644
--- a/host_vars/redisdead.adm.crans.org.yml
+++ b/host_vars/redisdead.adm.crans.org.yml
@@ -33,3 +33,11 @@ to_backup:
   secrets_file: "/etc/rsyncd.secrets",
   hosts_allow: ["zephir.adm.crans.org", "10.231.136.6"],
   }
+
+loc_certbot:
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: root@crans.org
+    certname: crans.org
+    domains: "*.crans.org"
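Review bot: `domains: "*.crans.org"` places a wildcard certificate and its private key on this host. If the machine only serves lists.crans.org (inferred from the mailman changes in the same commit), a compromise here would expose a key valid for every subdomain; `domains: "lists.crans.org"` would limit that. The wildcard also does not cover the apex name that `certname: crans.org` suggests. The TSIG key behind `vault.certbot_dns_secret` should be limited on the DNS server to updating the `_acme-challenge` TXT records; that policy is not visible in this diff.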
diff --git a/hosts b/hosts
index abd29eb7395e4e502503f1e706ac183658924322..e66ffb179767b1f300f40aac08966f43b9d02e30 100644
--- a/hosts
+++ b/hosts
@@ -26,6 +26,7 @@ sputnik.adm.crans.org
 [certbot:children]
 dovecot
 git
+mailman
 radius  # We use certbot to manage LE certificates
 reverseproxy
 thelounge
diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml
index 467ef9f0a29c58cec12e8acabcdbaa148c4a74b3..9a74a41ec8e2e71289965dd8d77ec02628b7b3a7 100644
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -19,6 +19,14 @@
     - create.html
   notify: Reload mailman
 
+- name: Deploy mailman snippet
+  template:
+    src: "nginx/snippets/fastcgi-mailman.conf.j2"
+    dest: "/etc/nginx/snippets/fastcgi-mailman.conf"
+    owner: root
+    group: root
+    mode: 0644
+
 # Fanciness
 - name: Deploy custom logo
   copy:
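Review bot: The new `Deploy mailman snippet` task has no `notify`, so a change to the rendered snippet is written to disk but nginx keeps serving the old configuration until something else reloads it. Add a `notify:` for the handler that reloads nginx (its name is defined outside this diff, e.g. `notify: Reload nginx` if that is what the nginx role calls it). `mode: 0644` relies on the YAML 1.1 octal reading; `mode: "0644"` is the form Ansible documents and does not depend on the parser. The `Deploy custom logo` task at the end of the hunk continues outside it.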
diff --git a/roles/mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2 b/roles/mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d3215c7fa99aabdad9fe87c45bf66fb5f6bffd10
--- /dev/null
+++ b/roles/mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2
@@ -0,0 +1,18 @@
+{{ ansible_header | comment }}
+
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info (^/[^/]*)(.*)$;
+
+# check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+# Let NGINX handle errors
+fastcgi_intercept_errors on;
+
+include /etc/nginx/fastcgi.conf;
+fastcgi_pass unix:/var/run/fcgiwrap.socket;
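Review bot: The comment above `try_files` still says "PHP script", but this snippet passes requests to fcgiwrap; reword it to `# check that the CGI script exists under the document root before passing it to fcgiwrap`. `fastcgi_split_path_info (^/[^/]*)(.*)$` takes the first path segment as the script name and `try_files` only checks that the file exists. Any file in the server's `root` that fcgiwrap can execute is therefore reachable from every location including this snippet. The `root` directive is not part of this diff, so confirm it points at the Mailman CGI directory only and that the directory holds nothing else executable.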
diff --git a/roles/nginx/templates/nginx/passwd.j2 b/roles/nginx/templates/nginx/passwd.j2
index e87369c9f6a51b44c56a0123f919f0a8efe3ce15..75d0ff7c813da0f8599fe8a47beb90baad466397 100644
--- a/roles/nginx/templates/nginx/passwd.j2
+++ b/roles/nginx/templates/nginx/passwd.j2
@@ -1,4 +1,4 @@
 {{ ansible_header | comment }}
 {% for user, hash in nginx.auth_passwd.items() -%}
-{{ user }}: {{ hash }}
+{{ user }}:{{ hash }}
 {% endfor -%}
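Review bot: Nothing in the template records why the space after the colon in `{{ user }}:{{ hash }}` had to go, so a later reformat could put it back. A Jinja comment above the loop would pin the format: `{# htpasswd format: one user:hash per line, no whitespace around the colon #}`. The file holds password hashes, so the task that deploys it (outside this diff) should keep it readable only by root and the nginx worker user. The values in `nginx.auth_passwd` are presumably vaulted; verify that.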
diff --git a/roles/nginx/templates/www/html/robots.txt.j2 b/roles/nginx/templates/www/html/robots.txt.j2
index 3fbaed7487cfaf8c21fbfe2e9ca63b89114d7eed..1f53798bb4fe33c86020be7f10c44f29486fd190 100644
--- a/roles/nginx/templates/www/html/robots.txt.j2
+++ b/roles/nginx/templates/www/html/robots.txt.j2
@@ -1,4 +1,2 @@
-{{ ansible_header | comment }}
-
 User-agent: *
 Disallow: /