Fix linting, add nginx, various other updates

sdarwin · sdarwin · commit e7eb980141dc · 2023-06-15T22:26:12.000Z
diff --git a/.github/workflows/lint-local.yml b/.github/workflows/lint-local.yml
@@ -0,0 +1,31 @@
+---
+name: ansible-lint-local
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - develop
+      - feature/**
+jobs:
+  ansible-lint-local:
+    name: ansible-lint-local
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v3
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v3
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install yamllint ansible-lint ansible
+
+      - name: Lint code.
+        run: |
+          set -e
+          yamllint .
+          ansible-lint .
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,13 +1,14 @@
+---
 name: ansible-lint
 on: [pull_request_target]
 jobs:
   ansible-lint:
     name: ansible-lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v3
         with:
           python-version: '3.x'
 
diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,13 @@
+---
+extends: default
+rules:
+  line-length:
+    max: 400
+    level: warning
+  truthy:
+    allowed-values:
+      - 'true'
+      - 'false'
+    check-keys: true
+    ignore: |
+      .github/workflows
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -426,3 +426,10 @@ __mailman3_os: >-
       ansible_os_family
     ) | lower
   }}
+
+# Server name nginx should listen on, defaults to inventory_hostname.
+mailman3_web_url: "{{ inventory_hostname }}"
+mailman3_install_nginx: true
+# Override this will a value similar to mailman3_web_url. Used in /etc/mailman3/hyperkitty.cfg:
+mailman3_hyperkitty_server_url: "http://localhost"
+mailman3_nginx_ssl_certs: "include snippets/snakeoil.conf;"
diff --git a/files/distribute_maps.playbook.yml b/files/distribute_maps.playbook.yml
@@ -3,19 +3,21 @@
 - name: Distribute Mailman transport maps to backup MX servers
   hosts: all
   tasks:
-    - name: Check postfix_lmtp
-      stat:
+    - name: Check postfix_lmtp  # noqa run-once
+      ansible.builtin.stat:
         path: "{{ mailman3_core_var_dir }}/data/postfix_lmtp"
       register: result
       delegate_to: localhost
       run_once: true
     - name: Copy postfix_lmtp
-      copy:
+      ansible.builtin.copy:
         src: "{{ mailman3_core_var_dir }}/data/postfix_lmtp"
         dest: "{{ mailman3_distribute_maps_dir }}/postfix_lmtp"
+        mode: '0644'
       when: result.stat.exists
       notify:
-        - postmap
+        - Postmap
   handlers:
-    - name: postmap
-      command: "{{ mailman3_postmap_command | default('postmap') }} {{ mailman3_distribute_maps_dir | quote }}/postfix_lmtp"
+    - name: Postmap
+      changed_when: false
+      ansible.builtin.command: "{{ mailman3_postmap_command | default('postmap') }} {{ mailman3_distribute_maps_dir | quote }}/postfix_lmtp"
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -6,29 +6,30 @@
 
 # invoke systemctl directly until someone implements https://github.com/ansible/ansible/issues/61763
 
-- name: Restart mailman3-core service
+- name: Restart mailman3-core service  # noqa command-instead-of-module
   ansible.builtin.command: systemctl try-restart {{ mailman3_core_service_name }}.service
-  args:
-    # can't noqa a multi-line yaml string and noqa command-instead-of-module makes the line fail the line length rule
-    warn: false
+  changed_when: false
   when:
     - mailman3_process_manager == "systemd"
     - ansible_virtualization_type != "docker"
 
-- name: Restart mailman3-web service
+- name: Restart mailman3-web service  # noqa command-instead-of-module
   ansible.builtin.command: systemctl try-restart {{ mailman3_web_service_name }}{{ '@' if mailman3_domains is defined else '' }}{{ item }}.service
-  args:
-    warn: false
   loop: "{{ mailman3_domains | default(['']) }}"
+  changed_when: false
   when:
     - mailman3_process_manager == "systemd"
     - ansible_virtualization_type != "docker"
 
-- name: Reload mailman3-web service
+- name: Reload mailman3-web service  # noqa command-instead-of-module
   ansible.builtin.command: systemctl try-reload-or-restart {{ mailman3_web_service_name }}{{ '@' if mailman3_domains is defined else '' }}{{ item }}.service
-  args:
-    warn: false
   loop: "{{ mailman3_domains | default(['']) }}"
+  changed_when: false
   when:
     - mailman3_process_manager == "systemd"
     - ansible_virtualization_type != "docker"
+
+- name: Restart nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted
diff --git a/tasks/config.yml b/tasks/config.yml
@@ -14,7 +14,7 @@
   ansible.builtin.copy:
     content: |
       [general]
-      base_url: http://localhost/{{ mailman3_hyperkitty_root | default('hyperkitty/') }}
+      base_url: {{ mailman3_hyperkitty_server_url }}/{{ mailman3_hyperkitty_root | default('archives/') }}
       api_key: {{ mailman3_archiver_key }}
     dest: "{{ mailman3_core_etc_dir }}/hyperkitty.cfg"
     group: "{{ __mailman3_core_group_name }}"
@@ -42,3 +42,17 @@
   when: mailman3_wsgi_socket.startswith("/")
   notify:
     - Reload mailman3-web service
+
+- name: Install digest cron task
+  ansible.builtin.cron:
+    name: "mailman digests"
+    special_time: daily
+    job: "{{ mailman3_install_dir}}/bin/mailman digests --periodic"
+    user: "{{ __mailman3_core_user_name }}"
+
+- name: Install notify cron task
+  ansible.builtin.cron:
+    name: "mailman notify"
+    special_time: daily
+    job: "{{ mailman3_install_dir}}/bin/mailman notify"
+    user: "{{ __mailman3_core_user_name }}"
diff --git a/tasks/django.yml b/tasks/django.yml
@@ -41,7 +41,7 @@
   become_user: "{{ __mailman3_web_user_name }}"
 
 - name: Create Django superusers
-  community.general.django_manage: # noqa no-handler
+  community.general.django_manage:  # noqa no-handler
     command: >-
       shell -c 'import sys;
       from django.contrib.auth.models import User;
@@ -75,7 +75,7 @@
   become_user: "{{ __mailman3_web_user_name }}"
 
 - name: Correct default Django site
-  community.general.django_manage: # noqa no-handler
+  community.general.django_manage:  # noqa no-handler
     command: >-
       shell -c 'from django.contrib.sites.models import Site;
       Site.objects.filter(domain="example.com").update(
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -30,6 +30,10 @@
 - name: Include Django management tasks
   ansible.builtin.import_tasks: django.yml
 
+- name: Include Nginx tasks
+  ansible.builtin.import_tasks: nginx.yml
+  when: mailman3_install_nginx
+
 - name: Include Postfix map distribution tasks
   ansible.builtin.include_tasks: distribute_maps.yml
   when: mailman3_distribute_maps is defined
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
@@ -0,0 +1,32 @@
+---
+
+- name: Install Nginx packages
+  ansible.builtin.package:
+    name: "nginx"
+    state: present
+
+- name: Create letsencrypt renewal dir
+  ansible.builtin.file:
+    dest: "/var/www/letsencrypt"
+    state: directory
+    mode: '0755'
+
+- name: Copy nginx vhost
+  ansible.builtin.template:
+    src: templates/vhost.j2
+    dest: /etc/nginx/sites-available/mailman-web
+    mode: '0644'
+  notify: Restart nginx
+
+- name: Create link to the new config to enable it
+  ansible.builtin.file:
+    dest: /etc/nginx/sites-enabled/mailman-web
+    src: /etc/nginx/sites-available/mailman-web
+    state: link
+  notify: Restart nginx
+
+- name: Remove default nginx vhost
+  ansible.builtin.file:
+    dest: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: Restart nginx
diff --git a/templates/urls.py.j2 b/templates/urls.py.j2
@@ -23,14 +23,14 @@ from django.urls import path, reverse_lazy
 from django.views.generic import RedirectView
 
 urlpatterns = [
-{% if mailman3_postorius_root | default('postorius/') %}
+{% if mailman3_postorius_root | default('mailman3/') %}
     path(
         '',
         RedirectView.as_view(url=reverse_lazy('list_index'), permanent=True),
     ),
 {% endif %}
-    path(r'{{ mailman3_postorius_root | default("postorius/") }}', include('postorius.urls')),
-    path(r'{{ mailman3_hyperkitty_root | default("hyperkitty/") }}', include('hyperkitty.urls')),
+    path(r'{{ mailman3_postorius_root | default("mailman3/") }}', include('postorius.urls')),
+    path(r'{{ mailman3_hyperkitty_root | default("archives/") }}', include('hyperkitty.urls')),
     path('', include('django_mailman3.urls')),
     path('accounts/', include('allauth.urls')),
     path('admin/', admin.site.urls),
diff --git a/templates/vhost.j2 b/templates/vhost.j2
@@ -0,0 +1,41 @@
+
+upstream myapp {
+  server unix:/run/mailman3-web.sock;
+}
+
+server {
+    listen 80 default_server;
+    server_name {{ mailman3_web_url }};
+    #return 301 https://cpp.al$request_uri;
+    location '/.well-known/acme-challenge' {
+        default_type "text/plain";
+        root /var/www/letsencrypt;
+    }
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+   listen 443 ssl default_server;
+   listen [::]:443 ssl default_server;
+   server_name {{ mailman3_web_url }};
+   location /static/ {
+        alias /var/lib/mailman3/web/static/;
+   }
+   location / {
+           proxy_pass http://myapp;
+           proxy_set_header Host $host;
+           proxy_set_header X-Forwarded-For $remote_addr;
+   }
+
+    {{ mailman3_nginx_ssl_certs }}
+    ssl_session_cache shared:le_nginx_SSL:10m;
+    ssl_session_timeout 1440m;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
