Certbot on mailman3

fcf0ebf4 · me5na7qbjqbrp · 4bce1f93 · fcf0ebf4 · fcf0ebf4 · fcf0ebf4
Verified Commit fcf0ebf4 authored 4 years ago by me5na7qbjqbrp
--- a/network.yml
+++ b/network.yml
@@ -52,7 +52,6 @@
        - {from: grafana.crans.org, to: "10.231.136.102:3000"}
        - {from: webirc.crans.org, to: "10.231.136.1:9000"}
        - {from: framadate.crans.org, to: 10.231.136.153}
-        - {from: mailman.crans.org, to: 10.231.136.180}

        # Zamok
        - {from: install-party.crans.org, to: 10.231.136.1}

--- a/roles/mailman3/tasks/main.yml
+++ b/roles/mailman3/tasks/main.yml
@@ -11,6 +11,8 @@
      - postgresql
      - python3-pip  # CAS
      - python3-lxml  # CAS
+      - certbot  # cert
+      - python3-certbot-nginx
    install_recommends: false
  register: apt_result
  retries: 3
@@ -59,6 +61,17 @@
    state: link
  notify: Restart nginx

+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
+- name: Add Certbot configuration
+  template:
+    src: "letsencrypt/conf.d/mailman.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/mailman.ini"
+    mode: 0644
+
 - name: Indicate role in motd
  template:
    src: update-motd.d/05-service.j2

--- a/roles/mailman3/templates/letsencrypt/conf.d/mailman.ini.j2
+++ b/roles/mailman3/templates/letsencrypt/conf.d/mailman.ini.j2
+{{ ansible_header | comment }}
+
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/mailman.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ mailman3.site_owner }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use DNS-01 challenge
+authenticator = nginx
+
+# Domains
+cert-name = mailman.crans.org
+domains = mailman.crans.org
--- a/roles/mailman3/templates/nginx/sites-available/mailman3.j2
+++ b/roles/mailman3/templates/nginx/sites-available/mailman3.j2
@@ -4,12 +4,42 @@ upstream mailman3 {
    server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
 }

+# Redirect http://mailman.crans.org to https://mailman.crans.org
 server {
    listen 80;
    listen [::]:80;
-    server_name mailman.crans.org mailman.adm.crans.org localhost;
+
+    server_name mailman.crans.org localhost;
+
+    location / {
+        return 302 https://$host$request_uri;
+    }
+}
+
+# Reverse proxify https://mailman.crans.org to UWSGI
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name mailman.crans.org localhost;
    server_tokens off;

+    # SSL common conf
+    ssl_certificate /etc/letsencrypt/live/mailman.crans.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mailman.crans.org/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+    ssl_dhparam /etc/letsencrypt/dhparam;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/mailman.crans.org/chain.pem;
+
    location / {
        uwsgi_pass mailman3;
        include /etc/nginx/uwsgi_params;
@@ -23,6 +53,7 @@ server {
        alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
    }

+    # Log into separate log files
    access_log /var/log/nginx/mailman3_access.log combined;
    error_log /var/log/nginx/mailman3_error.log;
 }
--- a/roles/postfix-mailman3/tasks/main.yml
+++ b/roles/postfix-mailman3/tasks/main.yml
@@ -15,7 +15,7 @@
    mode: 0644
    owner: root
    group: root
-  loop: []
+  loop:
    - main.cf
  notify: Restart postfix


--- a/roles/postfix-mailman3/templates/postfix/main.cf.j2
+++ b/roles/postfix-mailman3/templates/postfix/main.cf.j2
@@ -30,8 +30,8 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases

-# Send to main mail server
-relayhost = smtp.adm.crans.org
+# All non local mail is sent to domain MX
+relayhost = $mydomain

 # Only localhost
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128