--- # Configuration for Mailman 3 # PostgreSQL initialization must have been done already - name: Install needed packages ansible.builtin.package: name: "{{ item }}" state: present with_items: - httpd - hyperkitty - fedora-messaging - mailman3 - memcached - postorius - python3-cmarkgfm - python3-gunicorn - python3-mailman-hyperkitty - python3-mailman3-fedmsg-plugin - python3-mailman-web - python3-pylibmc - python3-psycopg2 - python3-xapian-haystack - sassc tags: - packages - mailman # This is needed till https://src.fedoraproject.org/rpms/python-django-mailman3/pull-request/2 # is available - name: Apply django_mailman3 patch ansible.posix.patch: src: django_mailman3_patch/django-mailman3-fedora-oidc.patch basedir: /usr/lib/python3.9/site-packages/ tags: - mailman - patch - name: Set the mailman conffile ansible.builtin.template: src: mailman.cfg.j2 dest: /etc/mailman.cfg owner: mailman group: mailman mode: "0640" tags: - config - mailman notify: - Restart mailman3 - name: Install configuration for fedmsg-plugin ansible.builtin.template: src: fedmsg-plugin.toml.j2 dest: "/etc/fedora-messaging/config.toml" mode: "0644" tags: - config - mailman - fedora-messaging notify: - Restart mailman3 - name: Create folder where we'll place the certs ansible.builtin.file: path: /etc/pki/rabbitmq/mailman/ owner: root group: root mode: "0755" state: directory tags: - mailman - fedora-messaging - name: Deploy mailman/rabbitmq certificate ansible.builtin.copy: src: "{{ item.src }}" dest: "/etc/pki/rabbitmq/mailman/{{ item.dest }}" owner: root group: mailman mode: "{{ item.mode }}" when: env == 'staging' with_items: - src: "{{ private }}/files/rabbitmq/staging/pki/issued/mailman.stg.crt" dest: mailman.crt mode: "444" - src: "{{ private }}/files/rabbitmq/staging/pki/private/mailman.stg.key" dest: mailman.key mode: "440" - src: "{{ private }}/files/rabbitmq/staging/ca-combined.crt" dest: mailman.ca mode: "444" tags: - mailman - fedora-messaging - name: Deploy mailman/rabbitmq certificate ansible.builtin.copy: src: "{{ item.src }}" dest: "/etc/pki/rabbitmq/mailman/{{ item.dest }}" owner: root group: mailman mode: "{{ item.mode }}" when: env != 'staging' with_items: - src: "{{ private }}/files/rabbitmq/production/pki/issued/mailman.crt" dest: mailman.crt mode: "444" - src: "{{ private }}/files/rabbitmq/production/pki/private/mailman.key" dest: mailman.key mode: "440" - src: "{{ private }}/files/rabbitmq/production/ca-combined.crt" dest: mailman.ca mode: "444" tags: - mailman - fedora-messaging # # Logging # - name: Ensuring log directory exists ansible.builtin.file: path: "{{ mailman3_log_directory }}" state: directory owner: mailman group: mailman mode: "0755" tags: - logging - mailman # Only one for prod. See below and playbooks/groups/mailman # Maybe allow stg too? - name: Ensuring mailman-core is started ansible.builtin.service: name: mailman3 state: started enabled: yes when: inventory_hostname.startswith('mailman01.rdu3') tags: - mailman # # HyperKitty + Postorius setup # - name: Create site/en dir ansible.builtin.file: state: directory path: /var/lib/mailman3/templates/site/en mode: "0755" tags: - config - mailman - hyperkitty - name: Set default list footer ansible.builtin.copy: src: mailman-template-list-member-generic-footer.txt dest: /var/lib/mailman3/templates/site/en/list:member:generic:footer.txt owner: mailman group: mailman mode: "0644" tags: - config - mailman - hyperkitty - name: Set default list:admin:action:post template ansible.builtin.copy: src: mailman-template-list-admin-action-post.txt dest: /var/lib/mailman3/templates/site/en/list:admin:action:post.txt owner: mailman group: mailman mode: "0644" tags: - config - mailman - hyperkitty - name: Create lists/users.lists.fedoraproject.org/en template dir ansible.builtin.file: state: directory path: /var/lib/mailman3/templates/lists/users.lists.fedoraproject.org/en mode: "0755" tags: - config - mailman - hyperkitty - name: Set list:user:notice:hold template for users list ansible.builtin.copy: src: mailman-template-users-list-user-notice-hold.txt dest: | /var/lib/mailman3/templates/lists/users.lists.fedoraproject.org/en/list:user:notice:hold.txt owner: mailman group: mailman mode: "0644" tags: - config - mailman - hyperkitty - name: Install the hyperkitty/postorius settings file ansible.builtin.template: src: "{{ item }}.j2" dest: "{{ mailman3_webui_confdir }}/{{ item }}" mode: "0644" with_items: - settings.py - settings_admin.py tags: - config - mailman - hyperkitty notify: - Restart mailmanweb - name: Install the hyperkitty/postorius urls file ansible.builtin.copy: src: urls.py dest: "{{ mailman3_webui_confdir }}/urls.py" mode: "0644" tags: - config - mailman - hyperkitty notify: - Restart mailmanweb - name: Create the fulltext index dir ansible.builtin.file: path: "{{ mailman3_webui_basedir }}/fulltext_index" state: directory owner: mailman group: mailman mode: "0755" tags: - mailman - hyperkitty - name: Create the hyperkitty static files dirs ansible.builtin.file: path: "{{ mailman3_webui_basedir }}/{{ item }}" state: directory owner: mailman group: mailman mode: "0755" with_items: - static - static-fedora register: static_root_dir tags: - mailman - hyperkitty - name: Create the fedora-specific hyperkitty img dir ansible.builtin.file: path: "{{ mailman3_webui_basedir }}/static-fedora/hyperkitty/img" state: directory owner: mailman group: mailman mode: "0755" tags: - mailman - hyperkitty - name: Create the hyperkitty templates override dirs ansible.builtin.file: path: "{{ mailman3_webui_basedir }}/templates/{{ item }}" state: directory owner: mailman group: mailman mode: "0755" with_items: - hyperkitty - django_mailman3 tags: - mailman - hyperkitty - name: Copy the initial user fixture ansible.builtin.template: src: initial-data.json.j2 dest: "{{ mailman3_webui_confdir }}/initial-data.json" owner: root group: mailman mode: "0640" register: initial_data tags: - mailman - hyperkitty notify: - Initialize authentication providers # Add the Nest banner # See issue https://forge.fedoraproject.org/infra/tickets/issues/10103 - name: Replace the top.html template in hyperkitty/postorius to change banner ansible.builtin.copy: src: top.html dest: "{{ mailman3_webui_basedir }}/templates/hyperkitty/top.html" mode: "0644" notify: - Restart mailmanweb tags: - mailman - banner - hyperkitty - name: Install our fedora-specific logo ansible.builtin.copy: src: logo-hyperkitty-fedora.png dest: "{{ mailman3_webui_basedir }}/static-fedora/logo-hyperkitty-fedora.png" mode: "0644" tags: - mailman - hyperkitty - name: Install our fedora-specific favicon ansible.builtin.copy: src: favicon.ico dest: "{{ mailman3_webui_basedir }}/static-fedora/favicon.ico" mode: "0644" tags: - mailman - hyperkitty - name: Install our fedora-specific robots.txt ansible.builtin.copy: src: robots.txt dest: "{{ mailman3_webui_basedir }}/static-fedora/robots.txt" mode: "0644" tags: - mailman - hyperkitty - name: Install our fedora-specific brand template override ansible.builtin.copy: src: navbar-brand.html dest: "{{ mailman3_webui_basedir }}/templates/hyperkitty/navbar-brand.html" mode: "0644" tags: - mailman - hyperkitty - name: Install our fedora-specific page headers ansible.builtin.copy: src: headers.html dest: "{{ mailman3_webui_basedir }}/templates/hyperkitty/headers.html" mode: "0644" tags: - mailman - hyperkitty - name: Install our fedora-specific login page extension ansible.builtin.copy: src: login_extra_top.html dest: "{{ mailman3_webui_basedir }}/templates/django_mailman3/login_extra_top.html" mode: "0644" tags: - mailman - hyperkitty - name: Create dirs for signup_closed page ansible.builtin.file: path: "{{ mailman3_webui_basedir }}/templates/account" state: directory owner: root group: root mode: "0755" tags: - mailman - hyperkitty - name: Install our fedora-specific signup_closed page ansible.builtin.copy: src: signup_closed.html dest: "{{ mailman3_webui_basedir }}/templates/account/signup_closed.html" mode: "0644" tags: - mailman - hyperkitty - name: Install our fedmenu js hook ansible.builtin.template: src: bottom.html dest: "{{ mailman3_webui_basedir }}/templates/hyperkitty/bottom.html" mode: "0644" tags: - mailman - hyperkitty - name: Ensuring we have correct DB schema for django apps ansible.builtin.command: cmd: | mailman-web migrate --pythonpath {{ mailman3_webui_confdir }} --settings settings_admin --no-input chdir: /etc/mailman3 become_user: mailman become: true register: db_migration_output vars: pattern: "Applying" changed_when: "{{ db_migration_output.stdout | regex_search(pattern) }}" tags: - mailman - db - name: Install the fedora-specific modules ansible.builtin.copy: src: django_fedora_nosignup.py dest: "{{ mailman3_webui_confdir }}/django_fedora_nosignup.py" owner: root group: root mode: "0644" tags: - config - mailman - hyperkitty notify: - Restart mailmanweb # Fix for mailman # https://forge.fedoraproject.org/infra/tickets/issues/12011 # This should no longer be needed after update to mailman 3.3.10 - name: Apply hotfix for orphan issue ansible.posix.patch: src: mailman_patch/mailman_orphan.patch dest: /usr/lib/python3.9/site-packages/mailman/runners/task.py tags: - mailman - patch notify: - Restart mailman3 # Memcached - name: Set the memcached sysconfig file ansible.builtin.copy: src: memcached.sysconfig dest: /etc/sysconfig/memcached mode: "0644" notify: - Restart memcached tags: - mailman - memcached - name: Enable memcached ansible.builtin.systemd: name: memcached state: stopped enabled: no tags: - mailman - systemd - memcached # # Plug HyperKitty into Mailman # - name: Copy the mailman-hyperkitty conffile ansible.builtin.template: src: mailman-hyperkitty.cfg.j2 dest: "/etc/mailman3.d/hyperkitty.cfg" owner: mailman group: mailman mode: "0640" tags: - config - mailman - hyperkitty notify: - Restart mailman3 - name: Populating static_root dir with django files/css ansible.builtin.command: cmd: mailman-web collectstatic --no-input chdir: /etc/mailman3 become_user: mailman become: true register: collectstatic_output vars: pattern: "^[1-9]\\d* static files copied" changed_when: "{{ collectstatic_output.stdout | regex_search(pattern) }}" tags: - mailman - hyperkitty - name: Compress static files ansible.builtin.command: cmd: mailman-web compress chdir: /etc/mailman3 become_user: mailman become: true register: compress_output vars: pattern: "^Compressed [1-9]\\d* block" changed_when: "{{ compress_output.stdout | regex_search(pattern) }}" tags: - mailman - hyperkitty - name: Copy the configuration for gunicorn ansible.builtin.copy: src: gunicorn.conf.py dest: /etc/mailman3/gunicorn.conf.py owner: mailman group: mailman mode: "0640" notify: Restart mailmanweb tags: - mailman - hyperkitty - name: Systemd unit to start postorius/hyperkitty through gunicorn ansible.builtin.copy: src: systemd/mailmanweb.service dest: /etc/systemd/system/mailmanweb.service mode: "0644" register: mailmanweb_systemd notify: Restart mailmanweb tags: - mailman - systemd - hyperkitty - name: Enable the mailmanweb server ansible.builtin.systemd: name: mailmanweb daemon-reload: "{% if mailmanweb_systemd is changed %}yes{% else %}no{% endif %}" state: started enabled: yes tags: - mailman - systemd - hyperkitty # # Scripts # - name: Create the scripts dir ansible.builtin.file: path: "{{ mailman3_webui_basedir }}/bin" state: directory owner: root group: root mode: "0755" tags: - mailman - scripts - name: Install the scripts ansible.builtin.copy: src: "{{ item }}" dest: "{{ mailman3_webui_basedir }}/bin/{{ item }}" owner: root group: root mode: "0755" tags: - mailman - scripts - dmarc with_items: - mailman-sar.py - migrate_fedora_auth.py - generate_search_index.py - enable_dmarc_mitigation.py - name: Run the DMARC mitigation script ansible.builtin.command: cmd: "python {{ mailman3_webui_basedir }}/bin/enable_dmarc_mitigation.py" register: dmarc_output vars: pattern: "^Updated rows: [1-9]\\d*" changed_when: "{{ dmarc_output.stdout | regex_search(pattern) }}" tags: - mailman - scripts - dmarc - name: Install the staging-sync script ansible.builtin.copy: src: prod-to-stg.py dest: "{{ mailman3_webui_basedir }}/bin/prod-to-stg.py" mode: "0755" when: env == "staging" tags: mailman # # Systemd # - name: Install the systemd service files ansible.builtin.template: src: "{{ item }}.service.j2" dest: "/etc/systemd/system/{{ item }}.service" mode: "0644" with_items: - webui-qcluster - webui-warm-up-cache notify: - Systemctl daemon-reload tags: - config - mailman - systemd - name: Install hyperkitty target ansible.builtin.copy: src: "systemd/hyperkitty.target" dest: "/etc/systemd/system/hyperkitty.target" mode: "0644" notify: - Systemctl daemon-reload tags: - config - mailman - systemd - name: Install the systemd cron services ansible.builtin.copy: src: "systemd/{{ item }}.service" dest: "/etc/systemd/system/{{ item }}.service" mode: "0644" with_items: - hyperkitty-daily - hyperkitty-hourly - hyperkitty-minutely - hyperkitty-monthly - hyperkitty-quarter_hourly - hyperkitty-weekly - hyperkitty-yearly notify: - Systemctl daemon-reload tags: - config - mailman - systemd - name: Install the systemd timers ansible.builtin.copy: src: "systemd/{{ item }}.timer" dest: "/etc/systemd/system/{{ item }}.timer" mode: "0644" with_items: - hyperkitty-daily - hyperkitty-hourly - hyperkitty-minutely - hyperkitty-monthly - hyperkitty-quarter_hourly - hyperkitty-weekly - hyperkitty-yearly notify: - Systemctl daemon-reload tags: - config - mailman - systemd # Httpd - name: Import needed httpd configurations ansible.builtin.template: src: "{{ item }}.j2" dest: "/etc/httpd/conf.d/{{ item }}" mode: "0644" with_items: - mailmanweb.conf notify: - Reload apache tags: - config - httpd - mailman - name: Allow Apache to remotely connect to gunicorn ansible.posix.seboolean: name: httpd_can_network_relay state: yes persistent: yes notify: - Restart apache tags: - mailman - selinux - name: Allow Apache to connect to localhost gunicorn ansible.posix.seboolean: name: httpd_can_network_connect state: yes persistent: yes notify: - Restart apache tags: - mailman - selinux - name: Set the SELinux policy for the static files directory community.general.sefcontext: target: "{{ mailman3_webui_basedir }}/static(/.*)?" setype: httpd_sys_content_t state: present tags: - mailman - selinux - name: Set the SELinux policy for the templates override directory community.general.sefcontext: target: "{{ mailman3_webui_basedir }}/templates(/.*)?" setype: httpd_sys_content_t state: present tags: - mailman - selinux - name: Apply SELinux changes ansible.builtin.command: restorecon -irv "{{ mailman3_webui_basedir }}" register: restorecon_output changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0 tags: - mailman - selinux # Start services - name: Start services ansible.builtin.systemd: state: started enabled: yes name: "{{ item }}" with_items: - httpd - hyperkitty-daily.timer - hyperkitty-hourly.timer - hyperkitty-monthly.timer - hyperkitty-quarter_hourly.timer - hyperkitty-weekly.timer - hyperkitty-yearly.timer - mailmanweb - webui-qcluster - webui-warm-up-cache tags: - mailman - hyperkitty # Don't actually do emails from anything but _the_ host, this is also # done in playbooks/groups/mailman # Maybe allow stg too? - name: Start services (sending emails) ansible.builtin.systemd: state: started enabled: yes name: "{{ item }}" with_items: - mailman3 - postfix when: inventory_hostname.startswith('mailman01.rdu3') tags: - mailman - hyperkitty