Update to 2021-12-01 19:13

2025-07-27 00:05:44 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/mailman/defaults/main.yml
+++ b/roles/mailman/defaults/main.yml
@@ -0,0 +1,63 @@
+---
+
+# Version to install
+mailman_version:
+  core: 3.3.4
+  postorius: 1.3.4
+  hyperkitty: 1.3.4
+mailman_root_dir: /opt/mailman
+mailman_user: mailman
+# Should ansible handle upgrades ? If False, only initale inistall
+mailman_manage_upgrade: True
+
+# Can be mysql or postgres
+mailman_db_engine: postgres
+mailman_db_server: "{{ (mailman_db_engine == 'postgres') | ternary(pg_server,mysql_server) | default('localhost') }}"
+mailman_db_port: "{{ (mailman_db_engine == 'postgres') | ternary('5432','3306') }}"
+mailman_db_user: mailman
+# A random one will be generated if not set
+# mailman_db_pass: S3cR3t.
+# Two databases are used, one for the core service, another for the web interface
+mailman_db_name:
+  core: mailman
+  web: mailmanweb
+
+# Email address of the admin
+mailman_site_owner: "{{ system_admin_email | default('admin' + ansible_domain) }}"
+mailman_public_url: https://listes.{{ ansible_domain }}/
+# Django secret key. A random one will be generated and stored in
+# {{ mailman_root_dir }}/meta/ansible_secret_key if not set
+# mailman_secret_key: 'p@ssW0rd'
+
+# Port on which uwsgi will listen
+mailman_web_port: 8012
+# IP addresses allowed to access uwsgi port
+mailman_web_src_ip: []
+
+# Port on which mailiman will listen for LMTP connexions
+mailman_lmtp_port: 8024
+# IP/CIDR allowed to access the LMTP service
+mailman_lmtp_src_ip: []
+
+# Port on which the core service will bind to expose the REST API
+# this port will not be exposed, it's limited to localhost and used by the web interface
+mailman_rest_port: 8013
+# A password to protect the REST API. The username is mailmanapi
+# A random one will be created if not defined here
+# mailman_rest_pass: F00/b4r\B4Z
+
+# the API key for HyperKitty. A random one will be generated and stored in
+# {{ mailman_root_dir }}/meta/ansible_hyperkitty_api_key if not defined
+# mailman_hyperkitty_api_key
+
+# Default FROM email
+mailman_email_from: mailman-no-reply@{{ ansible_domain }}
+mailman_smtp_server: localhost
+mailman_smtp_port: 25
+mailman_smtp_tls: False
+#mailman_smtp_user:
+#mailman_smtp_pass:
+
+mailman_default_lang: fr
+
+
--- a/roles/mailman/handlers/main.yml
+++ b/roles/mailman/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: restart mailman
+  service: name={{ item }} state=restarted
+  loop:
+    - mailman-core
+    - mailman-web
+
+- name: restart mailman timers
+  systemd: name={{ item }}.timer state=restarted
+  loop:
+    - mailman-digests
+    - mailman-notify
--- a/roles/mailman/meta/main.yml
+++ b/roles/mailman/meta/main.yml
@@ -0,0 +1,11 @@
+---
+
+dependencies:
+  - role: postgresql_server
+    when:
+      - mailman_db_engine == 'postgres'
+      - mailman_db_server in ['127.0.0.1','localhost']
+  - role: mysql_server
+    when:
+      - mailman_db_engine == 'mysql'
+      - mailman_db_server in ['127.0.0.1','localhost']
--- a/roles/mailman/tasks/archive_post.yml
+++ b/roles/mailman/tasks/archive_post.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ mailman_archive_dir }}.tar.zst --use-compress-program=zstd ./
+  environment:
+    ZST_CLEVEL: 10
+  args:
+    chdir: "{{ mailman_archive_dir }}"
+    warn: False
+  tags: mailman
--- a/roles/mailman/tasks/archive_pre.yml
+++ b/roles/mailman/tasks/archive_pre.yml
@@ -0,0 +1,51 @@
+---
+
+- name: Create the archive dir
+  file:
+    path: "{{ mailman_archive_dir }}"
+    state: directory
+  tags: mailman
+
+- name: Archive previous version
+  synchronize:
+    src: "{{ mailman_root_dir }}/{{ item }}"
+    dest: "{{ mailman_archive_dir }}/"
+    delete: True
+    compress: False
+  loop:
+    - venv
+    - data
+  delegate_to: "{{ inventory_hostname }}"
+  tags: mailman
+
+- name: Dump the database
+  command: >
+    /usr/pgsql-14/bin/pg_dump
+    --clean
+    --create
+    --host={{ mailman_db_server | quote }}
+    --port={{ mailman_db_port | quote }}
+    --username=sqladmin {{ mailman_db_name[item] | quote }}
+    --file="{{ mailman_archive_dir }}/{{ mailman_db_name[item] }}.sql"
+  loop: "{{ mailman_db_name.keys() | list }}"
+  environment:
+    - PGPASSWORD: "{{ pg_admin_pass }}"
+  when: mailman_db_engine == 'postgres'
+  tags: mailman
+
+- name: Dump the database
+  mysql_db:
+    state: dump
+    name: "{{ mailman_db_name[item] }}"
+    target: "{{ mailman_archive_dir }}/{{ mailman_db_name[item] }}.sql.xz"
+    login_host: "{{ mailman_db_server }}"
+    login_port: "{{ mailman_db_port }}"
+    login_user: "{{ mailman_db_user }}"
+    login_password: "{{ mailman_db_pass }}"
+    quick: True
+    single_transaction: True
+  loop: "{{ mailman_db_name.keys() | list }}"
+  environment:
+    XZ_OPT: -T0
+  when: mailman_db_engine == 'mysql'
+  tags: mailman
--- a/roles/mailman/tasks/cleanup.yml
+++ b/roles/mailman/tasks/cleanup.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Remove uneeded files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ mailman_archive_dir }}"
+  tags: mailman
--- a/roles/mailman/tasks/conf.yml
+++ b/roles/mailman/tasks/conf.yml
@@ -0,0 +1,39 @@
+---
+
+- name: Deploy configuration
+  template: src={{ item }}.j2 dest={{ mailman_root_dir }}/etc/{{ item }} group={{ mailman_user }} mode=640
+  loop:
+    - mailman.cfg
+    - settings.py
+    - uwsgi.ini
+    - urls.py
+    - hyperkitty.cfg
+  notify:
+    - restart mailman
+  tags: mailman
+
+- block:
+    - name: Migrate web database
+      command: "{{ mailman_root_dir }}/venv/bin/mailman-web migrate"
+
+    - name: Collect static assets
+      shell: echo yes | {{ mailman_root_dir }}/venv/bin/mailman-web collectstatic
+
+    - name: Compress assets
+      command: "{{ mailman_root_dir }}/venv/bin/mailman-web compress"
+  when: mailman_install_mode == 'upgrade' or 'install' in [mailman_postorius_install_mode,mailman_hyperkitty_install_mode]
+  environment:
+    - MAILMAN_WEB_CONFIG: "{{ mailman_root_dir }}/etc/settings.py"
+  become_user: "{{ mailman_user }}"
+  tags: mailman
+
+- name: Create an initial superuser
+  django_manage:
+    command: createsuperuser --noinput --username admin --email {{ mailman_site_owner }}
+    app_path: "{{ mailman_root_dir }}/venv/bin"
+    virtualenv: "{{ mailman_root_dir }}/venv"
+  environment:
+    DJANGO_SUPERUSER_PASSWORD: "{{ mailman_admin_pass }}"
+  register: mailman_admin_user
+  when: mailman_install_mode == 'install'
+  tags: mailman
--- a/roles/mailman/tasks/directories.yml
+++ b/roles/mailman/tasks/directories.yml
@@ -0,0 +1,48 @@
+---
+
+- name: Create directories
+  file:
+    path: "{{ mailman_root_dir }}/{{ item.dir }}"
+    state: directory
+    owner: "{{ item.owner | default(omit) }}"
+    group: "{{ item.group | default(omit) }}"
+    mode: "{{ item.mode | default(omit) }}"
+  loop:
+    - dir: venv
+    - dir: archives
+      mode: 700
+    - dir: meta
+      mode: 700
+    - dir: etc
+      group: "{{ mailman_user }}"
+      mode: 770
+    - dir: data
+      owner: "{{ mailman_user }}"
+      group: "{{ mailman_user }}"
+      mode: 700
+    - dir: data/fulltext_index
+      owner: "{{ mailman_user }}"
+      group: "{{ mailman_user }}"
+      mode: 700
+    - dir: tmp
+      owner: "{{ mailman_user }}"
+      group: "{{ mailman_user }}"
+      mode: 700
+    - dir: log
+      owner: "{{ mailman_user }}"
+      group: "{{ mailman_user }}"
+      mode: 700
+    - dir: web/static
+      group: "{{ mailman_user }}"
+      mode: 775
+    - dir: backup
+      mode: 700
+  tags: mailman
+
+# mailman-web pretend to support specifying the conf dir
+# with the MAILMAN_WEB_CONFIG env var, but it's not, the script
+# exits with status code 1 if /etc/mailman3/settings.py doesn't exist
+- name: Link config dir
+  file: src={{ mailman_root_dir }}/etc dest=/etc/mailman3 state=link
+  tags: mailman
+
--- a/roles/mailman/tasks/facts.yml
+++ b/roles/mailman/tasks/facts.yml
@@ -0,0 +1,96 @@
+---
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ mailman_root_dir }}"
+    - version: "{{ mailman_version.core }}"
+    - version_file: 'ansible_core_version'
+  tags: mailman
+
+- block:
+    - set_fact: mailman_core_install_mode={{ (install_mode == 'upgrade' and not mailman_manage_upgrade) | ternary('none', install_mode) }}
+    - set_fact: mailman_core_current_version={{ current_version | default('') }}
+  tags: mailman
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ mailman_root_dir }}"
+    - version: "{{ mailman_version.postorius }}"
+    - version_file: 'ansible_postorius_version'
+  tags: mailman
+
+- block:
+    - set_fact: mailman_postorius_install_mode={{ (install_mode == 'upgrade' and not mailman_manage_upgrade) | ternary('none', install_mode) }}
+    - set_fact: mailman_postorius_current_version={{ current_version | default('') }}
+  tags: mailman
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ mailman_root_dir }}"
+    - version: "{{ mailman_version.hyperkitty }}"
+    - version_file: 'ansible_hyperkitty_version'
+  tags: mailman
+
+- block:
+    - set_fact: mailman_hyperkitty_install_mode={{ (install_mode == 'upgrade' and not mailman_manage_upgrade) | ternary('none', install_mode) }}
+    - set_fact: mailman_hyperkitty_current_version={{ current_version | default('') }}
+  tags: mailman
+
+- set_fact: mailman_install_mode='none'
+  tags: mailman
+- set_fact: mailman_install_mode='upgrade'
+  when: >
+    'upgrade' in [mailman_core_install_mode, mailman_postorius_install_mode, mailman_hyperkitty_install_mode] and
+    'install' not in [mailman_core_install_mode, mailman_postorius_install_mode, mailman_hyperkitty_install_mode]
+  tags: mailman
+
+# Create a random pass for the DB if needed
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ mailman_root_dir }}/meta/ansible_dbpass"
+        - complex: False
+    - set_fact: mailman_db_pass={{ rand_pass }}
+  when: mailman_db_pass is not defined
+  tags: mailman
+
+# Random secret key
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ mailman_root_dir }}/meta/ansible_secret_key"
+    - set_fact: mailman_secret_key={{ rand_pass }}
+  when: mailman_secret_key is not defined
+  tags: mailman
+
+# Random API password
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ mailman_root_dir }}/meta/ansible_rest_pass"
+        - complex: False
+    - set_fact: mailman_rest_pass={{ rand_pass }}
+  when: mailman_rest_pass is not defined
+  tags: mailman
+
+# HyperKitty API Key
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ mailman_root_dir }}/meta/ansible_hyperkitty_api_key"
+        - complex: False
+    - set_fact: mailman_hyperkitty_api_key={{ rand_pass }}
+  when: mailman_hyperkitty_api_key is not defined
+  tags: mailman
+
+# Random password for the admin account
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ mailman_root_dir }}/meta/ansible_admin_pass"
+    - set_fact: mailman_admin_pass={{ rand_pass }}
+  tags: mailman
+
+# Shortcut for the archive dir, used to backup current install during upgades
+- set_fact: mailman_archive_dir={{ mailman_root_dir }}/archives/core_{{ mailman_core_current_version }}_postorius_{{ mailman_postorius_current_version }}_hyperkitty_{{ mailman_hyperkitty_current_version }}
+  tags: mailman
--- a/roles/mailman/tasks/install.yml
+++ b/roles/mailman/tasks/install.yml
@@ -0,0 +1,172 @@
+---
+
+- name: Enable python39 module
+  command: dnf -y module enable python39
+  args:
+    warn: False
+  changed_when: False
+  tags: mailman
+
+- name: Install packages
+  yum:
+    name:
+      - python39-pip
+      - python39-devel
+      - git
+      - gcc
+      - sassc
+  tags: mailman
+
+- name: Wipe the venv on upgrades
+  file: path={{ mailman_root_dir }}/venv state=absent
+  when: mailman_install_mode == 'upgrade'
+  tags: mailman
+
+- name: Create the venv dir
+  file: path={{ mailman_root_dir }}/venv state=directory
+  tags: mailman
+
+- name: Setup the virtualenv
+  pip:
+    name:
+      - pip
+      - wheel
+      - django<3.1
+      - mailman=={{ mailman_version.core }}
+      - postorius=={{ mailman_version.postorius }}
+      - HyperKitty=={{ mailman_version.hyperkitty }}
+      - mailman_hyperkitty
+      - mailman-web
+      - uwsgi
+      - whoosh
+    virtualenv: "{{ mailman_root_dir }}/venv"
+    virtualenv_command: /usr/bin/python3.9 -m venv
+  notify: restart mailman
+  tags: mailman
+
+- when: mailman_db_engine == 'postgres'
+  block:
+    - name: Install Postgres support
+      yum:
+        name:
+          - postgresql-devel
+
+    - name: Install postgres python support
+      pip:
+        name:
+          - psycopg2-binary==2.8.6 # There's a bug with TZ in 2.9
+        virtualenv: "{{ mailman_root_dir }}/venv"
+        virtualenv_command: /usr/bin/python3.9 -m venv
+
+    - name: Create the PostgreSQL role
+      postgresql_user:
+        db: postgres
+        name: "{{ mailman_db_user }}"
+        password: "{{ mailman_db_pass }}"
+        login_host: "{{ mailman_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+      tags: mailman
+    
+    - name: Create the PostgreSQL databases
+      postgresql_db:
+        name: "{{ mailman_db_name[item] }}"
+        encoding: UTF-8
+        template: template0
+        owner: "{{ mailman_db_user }}"
+        login_host: "{{ mailman_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+      loop: "{{ mailman_db_name.keys() | list }}"
+
+  tags: mailman
+
+- when: mailman_db_engine == 'mysql'
+  block:
+    - name: Install mysql support
+      yum:
+        name:
+          - mariadb-devel
+
+    - name: Install mysql python support
+      pip:
+        name:
+          - mysqlclient
+          - pymysql
+        virtualenv: "{{ mailman_root_dir }}/venv"
+        virtualenv_command: /usr/bin/python3.9 -m venv
+
+    - include_tasks: ../includes/webapps_create_mysql_db.yml
+      vars:
+        - db_name: "{{ mailman_db_name[mailman_db] }}"
+        - db_user: "{{ mailman_db_user }}"
+        - db_server: "{{ mailman_db_server }}"
+        - db_pass: "{{ mailman_db_pass }}"
+        - append_privs: True
+      loop: "{{ mailman_db_name.keys() | list }}"
+      loop_control:
+        loop_var: mailman_db
+
+  tags: mailman
+
+- name: Create a manage.py link
+  file: src={{ mailman_root_dir }}/venv/bin/mailman-web dest={{ mailman_root_dir }}/venv/bin/manage.py state=link
+  tags: mailman
+
+- name: Deploy systemd units
+  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
+  loop:
+    - mailman-core.service
+    - mailman-web.service
+  notify: restart mailman
+  register: mailman_units
+  tags: mailman
+
+- name: Deploy systemd timers
+  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
+  loop:
+    - mailman-digests.service
+    - mailman-digests.timer
+    - mailman-notify.service
+    - mailman-notify.timer
+  notify: restart mailman timers
+  register: mailman_timers
+  tags: mailman
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: >
+    mailman_units.results | selectattr('changed','equalto',True) | list | length > 0 or
+    mailman_timers.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: mailman
+
+- name: Install con jobs
+  cron:
+    cron_file: mailman
+    special_time: "{{ item.schedule | default(omit) }}"
+    minute: "{{ item.minute | default(omit) }}"
+    name: "{{ item.name }}"
+    user: "{{ mailman_user }}"
+    job: "{{ mailman_root_dir }}/venv/bin/mailman-web runjobs {{ item.name }}"
+  loop:
+    - name: yearly
+      schedule: yearly
+    - name: monthly
+      schedule: monthly
+    - name: weekly
+      schedule: weekly
+    - name: daily
+      schedule: daily
+    - name: hourly
+      schedule: hourly
+    - name: minutely
+    - name: quarter_hourly
+      minute: '2,17,32,47'
+  tags: mailman
+
+- name: Install pre/post backup hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/mailman.sh mode=700
+  loop:
+    - pre
+    - post
+  tags: mailman
--- a/roles/mailman/tasks/iptables.yml
+++ b/roles/mailman/tasks/iptables.yml
@@ -0,0 +1,15 @@
+---
+
+- name:  Handle mailman web port in the firewall
+  iptables_raw:
+    name: mailman_web_port
+    state: "{{ (mailman_web_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mailman_web_port }} -s {{ mailman_web_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,mailman
+
+- name: Handle mailman LMTP port in the firewall
+  iptables_raw:
+    name: mailman_lmtp_port
+    state: "{{ (mailman_lmtp_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mailman_lmtp_port }} -s {{ mailman_lmtp_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,mailman
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: mailman_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: archive_post.yml
+  when: mailman_install_mode == 'upgrade'
+- include: selinux.yml
+- include: services.yml
+- include: write_version.yml
+- include: cleanup.yml
--- a/roles/mailman/tasks/selinux.yml
+++ b/roles/mailman/tasks/selinux.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restore SELinux contexts
+  command: restorecon -R {{ mailman_root_dir }}
+  changed_when: False
+  tags: mailman
--- a/roles/mailman/tasks/services.yml
+++ b/roles/mailman/tasks/services.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Start and enable services
+  service: name={{ item }} state=started enabled=True
+  loop:
+    - mailman-core
+    - mailman-web
+  tags: mailman
+
+- name: Start and enable timers
+  systemd: name={{ item }}.timer state=started enabled=True
+  loop:
+    - mailman-digests
+    - mailman-notify
+  tags: mailman
--- a/roles/mailman/tasks/user.yml
+++ b/roles/mailman/tasks/user.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create mailman user account
+  user: name={{ mailman_user }} home={{ mailman_root_dir }} system=True shell=/bin/bash
+  tags: mailman
+
+- name: Setup the venv for mailman user
+  copy: content="source {{ mailman_root_dir }}/venv/bin/activate" dest={{ mailman_root_dir }}/.bashrc owner={{ mailman_user }} group={{ mailman_user }}
+  tags: mailman
--- a/roles/mailman/tasks/write_version.yml
+++ b/roles/mailman/tasks/write_version.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Write installed version
+  copy: content={{ mailman_version[item] }} dest={{ mailman_root_dir }}/meta/ansible_{{ item }}_version
+  loop: "{{ mailman_version.keys() | list }}"
+  tags: mailman
--- a/roles/mailman/templates/hyperkitty.cfg.j2
+++ b/roles/mailman/templates/hyperkitty.cfg.j2
@@ -0,0 +1,3 @@
+[general]
+base_url: http://localhost:{{ mailman_web_port }}/hyperkitty/
+api_key: {{ mailman_hyperkitty_api_key }}
--- a/roles/mailman/templates/mailman-core.service.j2
+++ b/roles/mailman/templates/mailman-core.service.j2
@@ -0,0 +1,24 @@
+[Unit]
+Description=GNU Mailing List Manager
+After=syslog.target network.target postgresql.service
+
+[Service]
+Type=forking
+PIDFile={{ mailman_root_dir }}/tmp/master.pid
+Environment=MAILMAN_CONFIG_FILE={{ mailman_root_dir }}/etc/mailman.cfg
+User={{ mailman_user }}
+Group={{ mailman_user }}
+ExecStart={{ mailman_root_dir }}/venv/bin/mailman start
+ExecReload={{ mailman_root_dir }}/venv/bin/mailman restart
+ExecStop={{ mailman_root_dir }}/venv/bin/mailman stop
+PrivateTmp=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=2048M
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/mailman/templates/mailman-digests.service.j2
+++ b/roles/mailman/templates/mailman-digests.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Mailman digests sender
+
+[Service]
+Type=oneshot
+PrivateTmp=yes
+User={{ mailman_user }}
+Group={{ mailman_user }}
+ExecStart={{ mailman_root_dir }}/venv/bin/mailman digests --periodic
--- a/roles/mailman/templates/mailman-digests.timer.j2
+++ b/roles/mailman/templates/mailman-digests.timer.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Mailman digest sender
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
--- a/roles/mailman/templates/mailman-notify.service.j2
+++ b/roles/mailman/templates/mailman-notify.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Mailman notifications
+
+[Service]
+Type=oneshot
+PrivateTmp=yes
+User={{ mailman_user }}
+Group={{ mailman_user }}
+ExecStart={{ mailman_root_dir }}/venv/bin/mailman notify
--- a/roles/mailman/templates/mailman-notify.timer.j2
+++ b/roles/mailman/templates/mailman-notify.timer.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Mailman notifications
+
+[Timer]
+OnCalendar=*-*-* 10:00:00
+
+[Install]
+WantedBy=timers.target
--- a/roles/mailman/templates/mailman-web.service.j2
+++ b/roles/mailman/templates/mailman-web.service.j2
@@ -0,0 +1,24 @@
+[Unit]
+Description=GNU Mailman Web UI
+After=syslog.target network.target postgresql.service mailman-core.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+Environment=PATH={{ mailman_root_dir }}/venv/bin:/bin:/sbin
+Environment=PYTHONPATH=/opt/mailman/etc
+RuntimeDirectory=uwsgi
+User={{ mailman_user }}
+Group={{ mailman_user }}
+ExecStart={{ mailman_root_dir }}/venv/bin/uwsgi --ini {{ mailman_root_dir }}/etc/uwsgi.ini --die-on-term
+PrivateTmp=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=1024M
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/mailman/templates/mailman.cfg.j2
+++ b/roles/mailman/templates/mailman.cfg.j2
@@ -0,0 +1,56 @@
+[paths.ansible]
+bin_dir: {{ mailman_root_dir }}/venv/bin
+var_dir: {{ mailman_root_dir }}/data
+queue_dir: {{ mailman_root_dir }}/data/spool
+log_dir: {{ mailman_root_dir }}/log
+lock_dir: {{ mailman_root_dir }}/data/locks
+etc_dir: {{ mailman_root_dir }}/etc
+pid_file: {{ mailman_root_dir }}/tmp/master.pid
+
+[logging.root]
+path = /dev/stdout
+
+[mailman]
+layout: ansible
+site_owner: {{ mailman_site_owner }}
+default_language: {{ mailman_default_lang }}
+
+[database]
+{% if mailman_db_engine == 'postgres' %}
+class: mailman.database.postgresql.PostgreSQLDatabase
+url: postgres://{{ mailman_db_user }}:{{ mailman_db_pass | urlencode | regex_replace('/','%2F') }}@{{ mailman_db_server }}:{{ mailman_db_port }}/{{ mailman_db_name.core }}
+{% elif mailman_db_engine == 'mysql' %}
+class: mailman.database.mysql.MySQLDatabase
+url: mysql+pymysql://{{ mailman_db_user }}:{{ mailman_db_pass | urlencode | regex_replace('/','%2F') }}@{{ mailman_db_server }}:{{ mailman_db_port }}/{{ mailman_db_name.core }}?charset=utf8&use_unicode=1
+{% endif %}
+
+[archiver.hyperkitty]
+class: mailman_hyperkitty.Archiver
+enable: yes
+configuration: {{ mailman_root_dir }}/etc/hyperkitty.cfg
+
+[shell]
+history_file: $var_dir/history.py
+
+[mta]
+verp_confirmations: yes
+verp_personalized_deliveries: yes
+verp_delivery_interval: 1
+incoming: mailman.mta.postfix.LMTP
+outgoing: mailman.mta.deliver.deliver
+lmtp_host: 127.0.0.1
+lmtp_port: {{ mailman_lmtp_port }}
+smtp_host: {{ mailman_smtp_server }}
+smtp_port: {{ mailman_smtp_port }}
+{% if mailman_smtp_user is defined and mailman_smtp_pass is defined %}
+smtp_user: {{ mailman_smtp_user }}
+smtp_pass: {{ mailman_smtp_pass }}
+{% endif %}
+smtp_secure_mode: {{ mailman_smtp_tls | ternary('starttls','smtp') }}
+
+[webservice]
+hostname: localhost
+port: {{ mailman_rest_port }}
+use_https: no
+admin_user: mailmanapi
+admin_pass: {{ mailman_rest_pass }}
--- a/roles/mailman/templates/post-backup.sh.j2
+++ b/roles/mailman/templates/post-backup.sh.j2
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ mailman_root_dir }}/backup/*.sql.zst
--- a/roles/mailman/templates/pre-backup.sh.j2
+++ b/roles/mailman/templates/pre-backup.sh.j2
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% for db in mailman_db_name.keys() | list %}
+{% if mailman_db_engine == 'postgres' %}
+{% if mailman_db_server not in ['localhost', '127.0.0.1'] %}
+PGPASSWORD={{ mailman_db_pass | quote }} \
+  /usr/pgsql-14/bin/pg_dump \
+  --clean \
+  --create \
+  --username={{ mailman_db_user | quote }} \
+  --host={{ mailman_db_server | quote }} \
+  --port={{ mailman_db_port }} \
+  {{ mailman_db_name[db] }} | \
+  zstd -c > {{ mailman_root_dir }}/backup/{{ mailman_db_name[db] }}.sql.zst
+{% else %}
+su - postgres -c "/usr/pgsql-14/bin/pg_dump --clear {{ mailman_db_name[db] }}" | \
+{% endif %}
+  zstd -c > {{ mailman_root_dir }}/backup/{{ mailman_db_name[db] }}.sql.zst
+{% else %}
+/usr/bin/mysqldump \
+{% if mailman_db_server not in ['localhost', '127.0.0.1'] %}
+  --user={{ mailman_db_user | quote }} \
+  --password={{ mailman_db_pass | quote }} \
+  --host={{ mailman_db_server | quote }} \
+  --port={{ mailman_db_port }} \
+{% endif %}
+  --quick --single-transaction \
+  --add-drop-table {{ mailman_db_name[db] }} | \
+  zstd -c > {{ mailman_root_dir }}/backup/{{ mailman_db_name[db] }}.sql.zst
+{% endif %}
+{% endfor %}
--- a/roles/mailman/templates/settings.py.j2
+++ b/roles/mailman/templates/settings.py.j2
@@ -0,0 +1,101 @@
+# Mailman Web configuration file.
+
+from mailman_web.settings.base import *
+from mailman_web.settings.mailman import *
+
+#: Default list of admins who receive the emails from error logging.
+ADMINS = (
+    ('Mailman Suite Admin', '{{ mailman_site_owner }}'),
+)
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.{{ (mailman_db_engine == 'postgres') | ternary('postgresql_psycopg2','mysql') }}',
+        'NAME': '{{ mailman_db_name.web }}',
+        'USER': '{{ mailman_db_user }}',
+        'PASSWORD': '{{ mailman_db_pass }}',
+        'HOST': '{{ mailman_db_server }}',
+        'PORT': '{{ mailman_db_port }}',
+{% if mailman_db_engine != 'postgres' %}
+        'OPTIONS': {'charset': 'utf8mb4'}
+{% endif %}
+    }
+}
+
+# 'collectstatic' command will copy all the static files here.
+# Alias this location from your webserver to `/static`
+STATIC_ROOT = '{{ mailman_root_dir }}/web/static'
+
+LOGGING = {
+  'version': 1,
+  'disable_existing_loggers': False,
+  'handlers': {
+    'console': {
+      'class': 'logging.StreamHandler',
+    },
+  },
+  'root': {
+    'handlers': ['console'],
+    'level': 'WARNING',
+  }
+}
+
+#: See https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
+ALLOWED_HOSTS = [
+    'localhost',  # Archiving API from Mailman
+    '{{ mailman_public_url | urlsplit("hostname") }}'
+]
+
+# Set this to a new secret value.
+SECRET_KEY = '{{ mailman_secret_key }}'
+
+EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
+EMAIL_HOST = '{{ mailman_smtp_server }}'
+EMAIL_PORT = {{ mailman_smtp_port }}
+{% if mailman_smtp_user is defined and mailman_smtp_pass is defined %}
+EMAIL_HOST_USER='{{ mailman_smtp_user }}'
+EMAIL_HOST_PASS='{{ mailman_smtp_pass }}'
+{% endif %}
+{% if mailman_smtp_tls %}
+EMAIL_USE_TLS=True
+{% endif %}
+DEFAULT_FROM_EMAIL = '{{ mailman_email_from }}'
+
+HAYSTACK_CONNECTIONS = {
+  'default': {
+    'ENGINE': 'haystack.backends.whoosh_backend.WhooshEngine',
+    'PATH': '{{ mailman_root_dir }}/data/fulltext_index',
+  },
+}
+
+MAILMAN_REST_API_URL = 'http://localhost:{{ mailman_rest_port }}'
+MAILMAN_REST_API_USER = 'mailmanapi'
+MAILMAN_REST_API_PASS = '{{ mailman_rest_pass }}'
+MAILMAN_ARCHIVER_KEY = '{{ mailman_hyperkitty_api_key }}'
+MAILMAN_ARCHIVER_FROM = ('127.0.0.1')
+
+ROOT_URLCONF = 'urls'
+
+USE_X_FORWARDED_HOST = True
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SESSION_COOKIE_SECURE = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+CSRF_COOKIE_SECURE = True
+CSRF_COOKIE_HTTPONLY = True
+X_FRAME_OPTIONS = 'DENY'
+
+TIME_ZONE = '{{ (system_tz is defined) | ternary(system_tz, 'UTC') }}'
+
+ACCOUNT_AUTHENTICATION_METHOD = "username_email"
+ACCOUNT_EMAIL_REQUIRED = True
+ACCOUNT_EMAIL_VERIFICATION = "mandatory"
+ACCOUNT_UNIQUE_EMAIL  = True
+
+Q_CLUSTER = {
+    'timeout': 300,
+    'save_limit': 100,
+    'orm': 'default',
+    'retry': 360,
+}
+
--- a/roles/mailman/templates/urls.py.j2
+++ b/roles/mailman/templates/urls.py.j2
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
+#
+# This file is part of Postorius.
+#
+# Postorius is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# Postorius is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# Postorius.  If not, see <http://www.gnu.org/licenses/>.
+
+from django.conf.urls import include, url
+from django.contrib import admin
+from django.urls import reverse_lazy
+from django.views.generic import RedirectView
+
+urlpatterns = [
+    url(r'^$', RedirectView.as_view(
+        url=reverse_lazy('list_index'),
+        permanent=True)),
+    url(r'^postorius/', include('postorius.urls')),
+    url(r'^hyperkitty/', include('hyperkitty.urls')),
+    url(r'', include('django_mailman3.urls')),
+    url(r'^accounts/', include('allauth.urls')),
+    # Django admin
+    url(r'^admin/', admin.site.urls),
+]
+
--- a/roles/mailman/templates/uwsgi.ini.j2
+++ b/roles/mailman/templates/uwsgi.ini.j2
@@ -0,0 +1,27 @@
+[uwsgi]
+http-socket = 0.0.0.0:{{ mailman_web_port }}
+virtualenv = {{ mailman_root_dir }}/venv/
+
+module=mailman_web.wsgi:application
+env = DJANGO_SETTINGS_MODULE=settings
+
+# Setup default number of processes and threads per process.
+master = true
+process = 2
+threads = 2
+
+# Setup the django_q related worker processes.
+attach-daemon = mailman-web qcluster
+
+# Setup the request log.
+req-logger = file:{{ mailman_root_dir }}/log/uwsgi.log
+
+# Log qcluster commands seperately.
+logger = qcluster syslog:mailman-web
+log-route = qcluster uwsgi-daemons
+
+# Last log and it logs the rest of the stuff.
+logger = syslog:mailman-web
+
+# Static assets
+check-static = {{ mailman_root_dir }}/web