Diffstat (limited to 'roles/lists/tasks')
-rw-r--r--roles/lists/tasks/mail.yml33
-rw-r--r--roles/lists/tasks/main.yml16
-rw-r--r--roles/lists/tasks/mlmmj.yml7
-rw-r--r--roles/lists/tasks/nginx.yml38
-rw-r--r--roles/lists/tasks/sympa.yml47
5 files changed, 70 insertions, 71 deletions
diff --git a/roles/lists/tasks/mail.yml b/roles/lists/tasks/mail.yml
index 85d3103..2821b02 100644
--- a/roles/lists/tasks/mail.yml
+++ b/roles/lists/tasks/mail.yml
@@ -1,73 +1,62 @@
- name: Install Postfix
- apt: pkg={{ item }}
- with_items:
+ apt: pkg={{ packages }}
+ vars:
+ packages:
- postfix
- - postfix-ldap
+ - postfix-lmdb
- name: Configure Postfix
- template: src=etc/postfix/main.cf.j2
- dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+ template: src=etc/postfix/{{ item }}.j2
+ dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
owner=root group=root
mode=0644
+ with_items:
+ - main.cf
+ - master.cf
notify:
- Reload Postfix
- name: Copy the transport maps
copy: src=etc/postfix/transport
dest=/etc/postfix-{{ postfix_instance[inst].name }}/transport
owner=root group=root
mode=0644
# no need to reload upon change, as cleanup(8) is short-running
-- name: Copy the Postfix relay clientcerts map
- template: src=etc/postfix/relay_clientcerts.j2
- dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
- owner=root group=root
- mode=0644
- tags:
- - tls_policy
-
-- name: Compile the Postfix relay clientcerts map
- postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
- owner=root group=root
- mode=0644
- tags:
- - tls_policy
-
- name: Compile the Postfix transport maps
# trivial-rewrite(8) is a long-running process, so it's safer to reload
- postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb
+ postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=lmdb
owner=root group=root
mode=0644
notify:
- Reload Postfix
- meta: flush_handlers
- name: Start Postfix
service: name=postfix state=started
- name: Copy the 'sympa-queue' wrapper
copy: src=usr/local/bin/sympa-queue
dest=/usr/local/bin/sympa-queue
- owner=root group=root
+ owner=root group=staff
mode=0755
- name: Install 'postfix_mailqueue_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
- name: Install 'postfix_stats_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_stats_
dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
owner=root group=root
state=link force=yes
with_items:
diff --git a/roles/lists/tasks/main.yml b/roles/lists/tasks/main.yml
index f0e8e26..6d53d82 100644
--- a/roles/lists/tasks/main.yml
+++ b/roles/lists/tasks/main.yml
@@ -1,3 +1,13 @@
-- include: mail.yml tags=postfix,mail
-- include: nginx.yml tags=nginx,www,web
-- include: sympa.yml tags=sympa,lists
+- import_tasks: mail.yml
+ tags:
+ - postfix
+ - mail
+- import_tasks: nginx.yml
+ tags:
+ - nginx
+ - www
+ - web
+- import_tasks: sympa.yml
+ tags:
+ - sympa
+ - lists
diff --git a/roles/lists/tasks/mlmmj.yml b/roles/lists/tasks/mlmmj.yml
index e5e029f..aeaaedc 100644
--- a/roles/lists/tasks/mlmmj.yml
+++ b/roles/lists/tasks/mlmmj.yml
@@ -1,59 +1,60 @@
- name: Install MLMMJ
- apt: pkg={{ item }}
- with_items:
+ apt: pkg={{ packages }}
+ vars:
+ packages:
- mlmmj
# Weird the debian package doesn't do it by itself...
- name: Create a user 'mlmmj'
user: name=mlmmj system=yes
createhome=no
home=/var/spool/mlmmj
shell=/usr/sbin/nologin
password=!
state=present
- name: Add 'www-data' to the group 'mlmmj'
user: name=www-data groups=mlmmj append=yes
- name: Create a home directory for user 'mlmmj'
file: path=/var/spool/mlmmj
state=directory
owner=mlmmj group=mlmmj
mode=0700
- name: Create /var/lib/mlmmj
file: path=/var/lib/mlmmj
state=directory
owner=mlmmj group=mlmmj
mode=0750
- name: Auto-maintain mlmmj's spool directory
copy: src=etc/cron.d/mlmmj
dest=/etc/cron.d/mlmmj
owner=root group=root
mode=0644
- name: Copy mlmmj-newlist.sh and mhonarc-scan.sh
copy: src=usr/local/bin/{{ item }}
dest=/usr/local/bin/{{ item }}
- owner=root group=root
+ owner=root group=staff
mode=0755
with_items:
- mlmmj-newlist.sh
- mhonarc-scan.sh
- name: Copy /etc/mhonarc.rc
copy: src=etc/mhonarc.rc
dest=/etc/mhonarc.rc
owner=root group=root
mode=0644
- name: Create /usr/share/mlmmj/static/{css,fonts}
file: path=/usr/share/mlmmj/static/{{ item }}
state=directory
owner=root group=root
mode=0755
with_items:
- css
- fonts
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index a0aab68..bbff34a 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -1,40 +1,46 @@
- name: Install Nginx
- apt: pkg=nginx
-
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/lists.fripost.org.pem
- --privkey=/etc/nginx/ssl/lists.fripost.org.key
- --ou=WWW --cn=lists.fripost.org --dns=lists.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
+ apt: pkg=nginx-light
- name: Copy /etc/nginx/sites-available/sympa
copy: src=etc/nginx/sites-available/sympa
dest=/etc/nginx/sites-available/sympa
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/sympa
file: src=../sites-available/sympa
dest=/etc/nginx/sites-enabled/sympa
owner=root group=root
state=link
+ register: r2
+ notify:
+ - Restart Nginx
+
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/lists.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
register: r3
notify:
- Restart Nginx
- name: Start nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
+
+- name: Fetch Nginx's X.509 certificate
+ # Ensure we don't fetch private data
+ become: False
+ fetch_cmd: cmd="openssl x509 -noout -pubkey"
+ stdin=/etc/nginx/ssl/lists.fripost.org.pem
+ dest=certs/public/lists.fripost.org.pub
+ tags:
+ - genkey
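Review bot: The `validate=/bin/false` on the `Copy HPKP header snippet` task rejects every change, and since the module (as far as I know) only runs the validate command when the rendered content differs from what is on disk — which includes a destination that does not exist yet — the task fails before writing on a freshly provisioned host, so the snippet has to be created out of band there. If a loud failure on pin drift is the intent, say so next to the task, e.g. `# validate=/bin/false aborts the run (before writing) whenever the rendered snippet differs from the deployed one, including on first deployment; create the snippet by hand on new hosts`. If a silent skip would be acceptable instead, `force=no` on the template task creates the file once and never overwrites it. Because `register: r3` now sits on this task, `r3.changed` can only be false by the time the `Start nginx` condition is evaluated, which is consistent with the intent but deserves a one-line comment so the guard is not "simplified" away later.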
diff --git a/roles/lists/tasks/sympa.yml b/roles/lists/tasks/sympa.yml
index 00e5d9c..27a5823 100644
--- a/roles/lists/tasks/sympa.yml
+++ b/roles/lists/tasks/sympa.yml
@@ -1,95 +1,88 @@
-- apt: pkg={{ item }} install_recommends=no
- with_items:
- - mysql-server
+- apt: pkg={{ packages }} install_recommends=no
+ vars:
+ packages:
+ - mariadb-server
- sympa
+ - libnet-dns-perl
+ - libnet-dns-sec-perl
+ - libmail-dkim-perl
+ - libcrypt-smime-perl
+ - libcrypt-openssl-x509-perl
-- name: Make the 'sympa' MySQL user use auth_socket
- mysql_user2: name=sympa password= auth_plugin=auth_socket
- state=present
+- name: Make the 'sympa' MySQL user use unix_socket
+ mysql_user: name=sympa password= plugin=unix_socket
+ state=present
-# XXX We want to change the retun-path for sendpasswd notices from
-# 'sympa-request@$robot' to 'noreply@fripost.org'.
-# * /usr/lib/cgi-bin/sympa/wwsympa.fcgi
-# do_requestpasswd, do_subrequest: add $param->{'return_path'}='noreply@fripost.org';
-# * List::send_global_file
-# $data->{'return_path'} //= &Conf::get_robot_conf($robot, 'request');
-# See #787946.
- name: Configure Sympa
copy: src=etc/sympa/{{ item }}
dest=/etc/sympa/{{ item }}
owner=root group=sympa
mode=0644
with_items:
- - sympa.conf
- - wwsympa.conf
+ - sympa/sympa.conf
- topics.conf
register: r1
notify:
- Restart Sympa
- name: Create Virtual hosts for Sympa (1)
file: path=/etc/sympa/{{ item }}
state=directory
- owner=root group=root
+ owner=sympa group=sympa
mode=0755
with_items:
- lists.fripost.org
register: r2
notify:
- Restart Sympa
- name: Create Virtual hosts for Sympa (2)
file: path=/var/lib/sympa/list_data/{{ item }}
state=directory
owner=sympa group=sympa
mode=0770
with_items:
- lists.fripost.org
register: r3
notify:
- Restart Sympa
- name: Install robot.conf
template: src=etc/sympa/robot.conf.j2
dest=/etc/sympa/{{ item }}/robot.conf
- owner=root group=root
- mode=0644
+ owner=sympa group=sympa
+ mode=0640
with_items:
- lists.fripost.org
register: r4
notify:
- Restart Sympa
-# sympa uses to syslog, there is no need to reload or restart it when
-# rotating logs
-- name: Don't restart sympa on logrotate
- lineinfile: "dest=/etc/logrotate.d/sympa state=absent
- regexp='\\bsympa reload\\b'"
- tags:
- - logrotate
+- name: Enable Sympa
+ service: name=sympa enabled=yes
- name: Start Sympa
service: name=sympa state=started
when: not (r1.changed or r2.changed or r3.changed or r4.changed)
- meta: flush_handlers
- name: Copy wwsympa.{service,socket}
- copy: src=lib/systemd/system/{{ item }}
- dest=/lib/systemd/system/{{ item }}
+ copy: src=etc/systemd/system/{{ item }}
+ dest=/etc/systemd/system/{{ item }}
owner=root group=root
mode=0644
notify:
- systemctl daemon-reload
- Restart wwsympa
with_items:
- wwsympa.service
- wwsympa.socket
- meta: flush_handlers
- name: Enable WWSympa
service: name=wwsympa enabled=yes
- name: Start WWSympa
service: name=wwsympa state=started
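Review bot: Switching `robot.conf` and the `/etc/sympa/{{ item }}` directory from `root:root` to `sympa:sympa` makes the daemon's own configuration writable by the account that runs it, so a compromised Sympa process could persist by rewriting its robot configuration, which the previous root-owned `0644` layout did not allow. If the motivation is only that Sympa must be able to read the file, `owner=root group=sympa mode=0640` on the `Install robot.conf` task keeps it readable and non-writable for the service; if Sympa genuinely writes into that tree at runtime (I can't tell from the hunk), a comment on the task naming the operation that needs it would help the next reader. The same consideration applies to `Create Virtual hosts for Sympa (1)`. Separately, the first task still has no `name:`; `- name: Install Sympa and its dependencies` would make play output and `--list-tasks` readable.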