From fa0c1b495c02515b409f24406e4dde4f6e6ef824 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Fri, 17 Dec 2021 19:00:09 +0000
Subject: [PATCH] Generate HTTPS certs for Mailman sites
We're going to want Mailman 3 served over HTTPS for security reasons, so start by generating certificates for each of the sites we have in v2. Also collect the acme.sh logs for verification.
Change-Id: I261ae55c6bc0a414beb473abcb30f9a86c63db85
---
 inventory/service/groups.yaml | 2 ++
 inventory/service/host_vars/lists.katacontainers.io.yaml | 3 +++
 inventory/service/host_vars/lists.openstack.org.yaml | 9 +++++++++
 .../files/inventory_plugins/test-fixtures/results.yaml | 1 +
 .../roles/letsencrypt-create-certs/handlers/main.yaml | 7 +++++++
 zuul.d/system-config-run.yaml | 3 +++
 6 files changed, 25 insertions(+)
diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
index 887387d27d..de9cee4f10 100644
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
@@ -95,6 +95,8 @@ groups:
 - graphite[0-9]*.opendev.org
 - insecure-ci-registry[0-9]*.opendev.org
 - keycloak[0-9]*.opendev.org
+ - lists.katacontainers.io
+ - lists.openstack.org
 - meetpad[0-9]*.opendev.org
 - mirror[0-9]*.opendev.org
 - nb[0-9]*.opendev.org
diff --git a/inventory/service/host_vars/lists.katacontainers.io.yaml b/inventory/service/host_vars/lists.katacontainers.io.yaml
index 1ed231f0eb..0050867df0 100644
--- a/inventory/service/host_vars/lists.katacontainers.io.yaml
+++ b/inventory/service/host_vars/lists.katacontainers.io.yaml
@@ -58,6 +58,9 @@ exim_transports:
 headers_add = Errors-To: ${return_path}
 extra_users:
 - jbryce
+letsencrypt_certs:
+ lists-katacontainers-io-main:
+ - lists.katacontainers.io
 mailman_multihost: false
 mailman_listdomain: 'lists.katacontainers.io'
 mailman_lists:
diff --git a/inventory/service/host_vars/lists.openstack.org.yaml b/inventory/service/host_vars/lists.openstack.org.yaml
index b551ca6778..79e6cd758f 100644
--- a/inventory/service/host_vars/lists.openstack.org.yaml
+++ b/inventory/service/host_vars/lists.openstack.org.yaml
@@ -102,6 +102,15 @@ exim_transports:
 headers_remove = Errors-To
 max_rcpt = 1
 return_path = ${local_part:$return_path}+$local_part=$domain@${domain:$return_path}
+# We put lists.openstack.org first as it's the current servername
+letsencrypt_certs:
+ lists-openstack-org-main:
+ - lists.openstack.org
+ - lists.airshipit.org
+ - lists.opendev.org
+ - lists.openinfra.dev
+ - lists.starlingx.io
+ - lists.zuul-ci.org
 mailman_multihost: true
 mailman_sites:
 - name: airship
diff --git a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
index 2e3ff5f126..2b2bdc9560 100644
--- a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
+++ b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
@@ -19,6 +19,7 @@ results:
 - webservers
 lists.katacontainers.io:
+ - letsencrypt
 - mailman
 logstash-worker02.openstack.org:
diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
index eabdf9e8d0..f8bf8c30ec 100644
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@@ -41,6 +41,13 @@
 - name: letsencrypt updated meetpad01-main
 include_tasks: roles/letsencrypt-create-certs/handlers/restart_jitsi_meet.yaml
+# mailman
+- name: letsencrypt updated lists-katacontainers-io-main
+ include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated lists-openstack-org-main
+ include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 # Static
 - name: letsencrypt updated static01-opendev-org-main
 include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
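Review bot: The six SANs under `lists-openstack-org-main` are maintained by hand, separately from the `mailman_sites` list that starts right below them, so a domain present in one and missing from the other will, once the vhosts are switched to this certificate, serve a name-mismatched cert for that site; `mailman_sites` continues past the hunk, so only `airship` is visible here to cross-check. A comment pinning the invariant would help the next editor: `# Keep in sync with mailman_sites below: every site domain needs a SAN here, or that vhost gets a name mismatch`. Because a single certificate covers all six names, a validation failure for any one domain blocks issuance and renewal for all of them; whether that matters depends on how the letsencrypt role validates each name, which is not visible from this hunk.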
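Review bot: Only the `lists.katacontainers.io` fixture entry gains `- letsencrypt`, while the groups.yaml hunk adds both list hosts to that group; if `lists.openstack.org` also has an entry in this fixture (outside the visible hunk) it needs the same `- letsencrypt` line or the inventory-plugin test will now report a group mismatch for that host. If the fixture deliberately omits lists.openstack.org, a short comment saying so would prevent the next reader from chasing this.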
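Review bot: Both new handlers hand off to `restart_apache.yaml`, but the commit message says this change only generates certificates and nothing serves them over HTTPS yet, so the first issuance will fire a handler that restarts a service that may not be configured for these certs; whether `restart_apache.yaml` tolerates a missing or stopped Apache is not visible from this hunk and is worth confirming before the group change lands. Restarting (rather than reloading) Apache also drops in-flight list-archive requests, which matches the existing `static01-opendev-org-main` handler so it is a repo convention rather than a defect here. A one-line comment would make the intent explicit: `# mailman: handlers pre-wired for the HTTPS/Mailman 3 move; vhosts do not use these certs yet`.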
diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml
index 8efbeddd69..159050e1f3 100644
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@@ -260,6 +260,7 @@
 - playbooks/zuul/run-lists-post.yaml
 vars:
 run_playbooks:
+ - playbooks/letsencrypt.yaml
 - playbooks/service-lists.yaml
 # Run this twice to check idempotency
 - playbooks/service-lists.yaml
@@ -267,10 +268,12 @@
 host-vars:
 lists.katacontainers.io:
 host_copy_output:
+ '/var/log/acme.sh': logs
 '/var/log/mailman': logs
 lists.openstack.org:
 host_copy_output:
 '/etc/aliases.domain': logs_txt
+ '/var/log/acme.sh': logs
 '/var/log/mailman': logs
 - job:
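Review bot: `/var/log/acme.sh` is now copied into the published job logs for both hosts, and acme.sh can write full request and response bodies (account-key-signed JWS payloads, challenge tokens, and any DNS-provider credentials if a DNS hook is used) when run at debug verbosity; the log level used by `playbooks/letsencrypt.yaml` in this job is not visible here, so confirm the file contains nothing that should not be public before it is published as an artefact. If the CI path uses a test or self-signed issuance flow rather than a real ACME account the exposure is small, but that is an assumption from this hunk. A comment on the entry would record the decision: `# acme.sh log is published with the job; must not contain account keys or API credentials`. Placing `playbooks/letsencrypt.yaml` before `service-lists.yaml` in `run_playbooks` is the right order, since the certificates must exist before the service playbook configures anything that references them.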