diff --git a/group_vars/mailman.yml b/group_vars/mailman.yml index d101e33bcf406596d81e22b2162746c70ec5b53d..f04dd88f07e750d55b6ac0b2e95d60361d4d3fa6 100644 --- a/group_vars/mailman.yml +++ b/group_vars/mailman.yml @@ -7,6 +7,58 @@ loc_certbot: certname: crans.org domains: "*.crans.org" +loc_nginx: + service_name: mailman3 + upstreams: + - name: mailman3 + server: "unix:/run/mailman3-web/uwsgi.sock fail_timeout=0" + servers: + - ssl: false + server_name: + - "localhost" + locations: + - filter: "/" + params: + - "uwsgi_pass mailman3" + - "include /etc/nginx/uwsgi_params" + + - ssl: crans.org + default: true + server_name: + - "mailman.crans.org" + locations: + - filter: "/" + params: + - "uwsgi_pass mailman3" + - "satisfy any" + - "allow 185.230.76.0/22" + - "allow 2a0c:700:0::/40" + - "deny all" + - "auth_basic \"On n'aime pas les spambots, donc on a mis un mot de passe. Le login est Stop et le mot de passe est Spam.\"" + - "auth_basic_user_file /etc/nginx/passwd" + - "error_page 401 /error/401.html" + + - filter: "/mailman3/static" + params: + - "alias /var/lib/mailman3/web/static" + + - filter: "/mailman3/static/favicon.ico" + params: + - "alias /var/lib/mailman3/web/static/postorius/img/favicon.ico" + + - filter: "/error/" + params: + - "internal" + - "alias /var/www/" + + - filter: "/robots.txt" + params: + - "alias /var/www/robots.txt" + + auth_passwd: + Stop: "$apr1$NXaV5H7Q$J3ora3Jo5h775Y1nm93PN1" # Spam + deploy_robots_file: true + glob_mailman3: site_owner: root@crans.org database: diff --git a/plays/mailman.yml b/plays/mailman.yml index 2182e778e92268d08ed1e9b7c6961f3f0bb5dbe1..ae0231f6fa44571c53fed99637c5eb1032072de4 100755 --- a/plays/mailman.yml +++ b/plays/mailman.yml 
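Review bot: The `ssl: false` server for `localhost` is the only plain-HTTP vhost in `loc_nginx`, so nginx will also hand it port-80 requests whose Host does not match any server (the first server on a port is the implicit default), and its `/` location goes straight to `uwsgi_pass mailman3` with none of the `allow`/`deny`/`auth_basic` gating the TLS vhost carries; the deleted mailman3.j2 covered that case with a dedicated 302-to-https server for mailman.crans.org. Unless the shared nginx role's service.j2 emits such a redirect for `ssl:` vhosts (not visible here), either add a redirect server to `servers` or restrict the localhost server to the local client, e.g. `- "allow 127.0.0.1"`, `- "allow ::1"`, `- "deny all"` ahead of `uwsgi_pass mailman3`. The deleted template also set `server_tokens off;` and per-site `access_log`/`error_log` files; check that the role provides equivalents or extend the server entries with them. Minor: `ssl` holds either `false` or a certbot cert name (`crans.org`), so a comment above `loc_nginx:` stating that convention would help the next reader.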
@@ -5,7 +5,9 @@ vars: certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' mailman3: '{{ glob_mailman3 | default({}) | combine(loc_mailman3 | default({})) }}' + nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' roles: - certbot + - nginx - mailman3 - postfix-mailman3 diff --git a/roles/mailman3/handlers/main.yml b/roles/mailman3/handlers/main.yml index 01c64c13fcad218496b79ba36933939618ff157a..cea846677dabedc22c205219310d8ba0a411b087 100644 --- a/roles/mailman3/handlers/main.yml +++ b/roles/mailman3/handlers/main.yml @@ -8,8 +8,3 @@ service: name: mailman3-web state: restarted - -- name: Restart nginx - service: - name: nginx - state: restarted diff --git a/roles/mailman3/tasks/main.yml b/roles/mailman3/tasks/main.yml index 57ad9799788e46e90b0809ff2dae8e83c6728156..6c507eaa05541df6f0fa30566d114c983002ea33 100644 --- a/roles/mailman3/tasks/main.yml +++ b/roles/mailman3/tasks/main.yml @@ -7,7 +7,6 @@ name: - dbconfig-no-thanks # Do not autoconfigure database - mailman3-full - - nginx - postgresql - python3-pip # CAS - python3-lxml # CAS @@ -54,21 +53,8 @@ group: www-data notify: Restart mailman3-web -- name: Configure nginx site - template: - src: nginx/sites-available/mailman3.j2 - dest: /etc/nginx/sites-available/mailman3 - notify: Restart nginx - -- name: Enable nginx site - file: - src: /etc/nginx/sites-available/mailman3 - dest: /etc/nginx/sites-enabled/mailman3 - state: link - notify: Restart nginx - - name: Indicate role in motd template: src: update-motd.d/05-service.j2 - dest: /etc/update-motd.d/04-mailman3 + dest: /etc/update-motd.d/05-mailman3 mode: 0755 diff --git a/roles/mailman3/templates/letsencrypt/conf.d/mailman.ini.j2 b/roles/mailman3/templates/letsencrypt/conf.d/mailman.ini.j2 deleted file mode 100644 index a5e63741d7a67f90792f284a9094e253d6377bd3..0000000000000000000000000000000000000000 --- a/roles/mailman3/templates/letsencrypt/conf.d/mailman.ini.j2 +++ /dev/null 
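Review bot: `combine` without `recursive=True` merges only top-level keys, so a `glob_nginx` that carries shared `servers`, `upstreams` or `auth_passwd` entries is replaced wholesale by the `loc_nginx` values rather than merged; this mirrors the `mailman3` line above, so if that precedence is intended a short comment saying so would save the next reader a check, otherwise use `nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({}), recursive=True) }}'`. The `nginx` role now runs before `mailman3`, so the site is written while `/run/mailman3-web/uwsgi.sock` and `/var/lib/mailman3/web/static` do not exist yet; nginx does not need a unix upstream socket to exist at config-test time, so this should be harmless, but a one-line comment on the `roles:` list would make the ordering intentional. The play's `vars:`/`roles:` mapping starts outside the hunk.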
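Review bot: Renaming the motd destination to `/etc/update-motd.d/05-mailman3` and dropping the nginx site tasks leaves `/etc/update-motd.d/04-mailman3`, `/etc/nginx/sites-available/mailman3` and the `sites-enabled/mailman3` link untouched on hosts provisioned by the old role, so the motd entry appears twice and the old site (with its own `upstream mailman3`, `server_name mailman.crans.org` and `listen 443` block) stays enabled next to the one the nginx role now generates, which nginx would reject as a duplicate upstream / duplicate default server at reload. Unless the nginx role prunes unmanaged files in `sites-enabled` (not visible here), add a cleanup task to this role as below; it carries no `notify` because `Restart nginx` is removed from this role's handlers in this commit, so the reload has to come from the nginx role's own handler (name not visible here) or a shared `listen` topic.
```yaml
- name: Remove files left behind by the previous mailman3 nginx tasks
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/nginx/sites-enabled/mailman3
    - /etc/nginx/sites-available/mailman3
    - /etc/update-motd.d/04-mailman3

# … unchanged: Indicate role in motd task …
```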
@@ -1,23 +0,0 @@ -{{ ansible_header | comment }} - -# To generate the certificate, please use the following command -# certbot --config /etc/letsencrypt/conf.d/mailman.ini certonly - -# Use a 4096 bit RSA key instead of 2048 -rsa-key-size = 4096 - -# Always use the staging/testing server -# server = https://acme-staging.api.letsencrypt.org/directory - -# Uncomment and update to register with the specified e-mail address -email = {{ mailman3.site_owner }} - -# Uncomment to use a text interface instead of ncurses -text = True - -# Use DNS-01 challenge -authenticator = nginx - -# Domains -cert-name = mailman.crans.org -domains = mailman.crans.org diff --git a/roles/mailman3/templates/nginx/sites-available/mailman3.j2 b/roles/mailman3/templates/nginx/sites-available/mailman3.j2 deleted file mode 100644 index 2d664910339290417c1e1bb5f86637ebb3c210c3..0000000000000000000000000000000000000000 --- a/roles/mailman3/templates/nginx/sites-available/mailman3.j2 +++ /dev/null 
@@ -1,76 +0,0 @@ -{{ ansible_header | comment }} - -upstream mailman3 { - server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0; -} - -# Local hyperkitty API -server { - listen 80; - listen [::]:80; - - server_name localhost; - - location / { - uwsgi_pass mailman3; - include /etc/nginx/uwsgi_params; - } - - # Log into separate log files - access_log /var/log/nginx/mailman3_access.log combined; - error_log /var/log/nginx/mailman3_error.log; -} - -# Redirect http://mailman.crans.org to https://mailman.crans.org -server { - listen 80; - listen [::]:80; - - server_name mailman.crans.org; - - location / { - return 302 https://$host$request_uri; - } -} - -# Reverse proxify https://mailman.crans.org to UWSGI -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name mailman.crans.org; - server_tokens off; - - # SSL common conf - ssl_certificate /etc/letsencrypt/live/crans.org/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/crans.org/privkey.pem; - ssl_session_timeout 1d; - ssl_session_cache shared:MozSSL:10m; - ssl_session_tickets off; - ssl_dhparam /etc/letsencrypt/dhparam; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - # Enable OCSP Stapling, point to certificate chain - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate /etc/letsencrypt/live/crans.org/chain.pem; - - location / { - uwsgi_pass mailman3; - include /etc/nginx/uwsgi_params; - } - - location /mailman3/static { - alias /var/lib/mailman3/web/static; - } - - location /mailman3/static/favicon.ico { - alias /var/lib/mailman3/web/static/postorius/img/favicon.ico; - } - - # Log into separate log files - access_log /var/log/nginx/mailman3_access.log combined; - error_log /var/log/nginx/mailman3_error.log; 
-} diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2 index 297d069df9ccb4018012c5df5e06ae560b2294ae..66c952493fb077b9806d54cd63e69440e02c5df7 100644 --- a/roles/nginx/templates/nginx/sites-available/service.j2 +++ b/roles/nginx/templates/nginx/sites-available/service.j2 @@ -91,8 +91,8 @@ server { listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl; include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf"; {% else -%} - listen 80 default; - listen [::]:80 default; + listen 80{% if server.default is defined and server.default %} default_server{% endif %}; + listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %}; {% endif -%} server_name {{ server.server_name|join(" ") }};
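Review bot: The new `listen 80` lines repeat the `{% if server.default is defined and server.default %} default_server{% endif %}` test that the 443 branch already uses twice, so one `server` block now carries four copies of it; a single `{% set default_flag = ' default_server' if server.default | default(false) else '' %}` above the ssl/else branch, then `listen 80{{ default_flag }};` and `listen [::]:80{{ default_flag }};`, keeps them in step and replaces the `is defined and` idiom with the `default` filter. Behaviour also changes for every non-ssl vhost that does not set `default: true`: previously each received `default` on port 80 (which nginx rejects as a duplicate default server once two such vhosts share a host, so the change is a fix), now none does and nginx falls back to the first server declared for that port, which is order-dependent and deserves a one-line comment next to the `listen 80` lines. The enclosing `server {` block starts and ends outside the hunk.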