In switching to all-HTTPS for Mailman sites, it was missed that only
the plain HTTP vhosts set a DocumentRoot of /var/www. This was only
used for publishing metadata so went unnoticed until now. Rather
than add a DocumentRoot to the new HTTPS vhosts, simply use Aliases
to map the specific files we want to expose, for improved clarity
and to make it less likely they'll be overlooked in configuration in
the future.
In order to make sure the archives.yaml file exists at server
creation, before its cronjob fires for the first time, add a direct
invocation of the script which builds it. Move all tasks related to
this after the tasks which create the mailing lists, so that the
generated file will include them. This also simplifies testing.
For the non-multihost configuration, only robots.txt is expected to
be present, so don't add an alias for archives.yaml there.
Also add regression tests to ensure we keep these working.
Change-Id: I6b54b0386f0ea9f888c1f23580ad8698314474b9
A missed detail of the HTTPS config migration,
/usr/lib/mailman/Mailman/Defaults.py explicitly sets this:
PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/pipermail/%(listname)s/'
Override that setting to https:// so that the archive URL embedded
in E-mail headers will no longer unnecessarily rely on our Apache
redirect. Once merged and deployed, fix_url.py will need to be rerun
for all the lists on both servers in order for this update to take
effect.
Change-Id: Ie4a6e04a2ef0de1db7336a2607059a2ad42665c2
For the past six months, all our mailing list sites have supported
HTTPS without incident. The main downside to the current
implementation is that Mailman itself writes some URLs with an
explicit scheme, causing people submitting forms from pages served
over HTTPS to get warnings because the forms are posting to plain
HTTP URLs for the same site. In order to correct this, we need to
tell Mailman to put https:// instead of http:// into these, but
doing so essentially eliminates any reason for us to continue
serving content over plain HTTP anyway.
Configure the default URL scheme of all our Mailman sites to use
HTTPS now, and set up permanent redirects from HTTP to HTTPS, per
the examples in the project's documentation:
https://wiki.list.org/DOC/4.27%20Securing%20Mailman%27s%20web%20GUI%20by%20using%20Secure%20HTTP-SSL%20%28HTTPS%29
Also update our testinfra functions to validate the blanket
redirects and perform all other testing over HTTPS.
Once this merges, the fix_url script will need to be run manually
against all lists for the current sites, as noted in that document.
Change-Id: I366bc915685fb47ef723f29d16211a2550e02e34
The edge-computing discussion list is not OpenStack-specific. It was
originally included on the lists.openstack.org site when we didn't
yet have a more neutral list hosting location. While we're in the
process of moving other non-OpenStack mailing lists off the
lists.openstack.org site, rehome this one to lists.opendev.org by
setting up address forwarding and Web redirects, and moving the
existing mailman list entry for it in our configuration.
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: If5207f0237bee1571924855b769a22d653964af7
In keeping with its name change to the Open Infrastructure
Foundation, the summit sponsors mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and move the existing
mailman list entry for it in our configuration.
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I29e1e94885fd16b0edd7001662f367caec591439
In keeping with its name change to the Open Infrastructure
Foundation, the foundation marketing mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: Ibadc4bfc430656286774e25b4dce6d8e29b5acf7
In keeping with its name change to the Open Infrastructure
Foundation, the foundation gold member mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I6cd92e052b26705bd16a4b38b3725248cb5691fd
In keeping with its name change to the Open Infrastructure
Foundation, the confidential board mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I191676bcb7f878afab17ec3c1735219d91b4de4d
In keeping with its name change to the Open Infrastructure
Foundation, the foundation board mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: Idcac72c067fab66b6322f08c027e9c451a488ca3
In keeping with its name change to the Open Infrastructure
Foundation, the foundation community mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I9fff3b920a7fd0f75a3cc7a704003eeb3aab4d8a
In keeping with its name change to the Open Infrastructure
Foundation, the general foundation mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I367dd2a3d9a1c70c14915efa729d643419375060
While the staff mailing list is hidden and private in production,
that configuration is set after creation, so in our deployment tests
we can absolutely verify that HTTP and HTTPS redirects for listinfo
and archives work anyway. This paves the way for any further
rewrites and associated testing we may need to do for other mailing
lists which move between domains, as well as testing redirects we
may set up as part of the v2 to v3 migration.
Change-Id: I68078554a72e3b59d8192ac4339e8654a8351f52
Add secondary vhosts for HTTPS to each mailman site, but don't
remove the plain HTTP ones for now. Before switching to Mailman 3
we'll replace the current HTTP vhosts with blanket redirects to
HTTPS.
Add tests to make sure this is working, and also add a command-line
test for the lists.openinfra.dev site now that it's got a first
non-default list of its own. Also collect Apache logs from the test
nodes so we can see for sure what might break.
Change-Id: I4d93d643381f17c9a968595587909f0ba3dd6f92
This switch testing of lists.openstack.org to Focal and we make a CGI
env var update to accomodate newer mailman.
Specifically newer mailman's CGI scripts filter env vars that it will
pass through. We were setting MAILMAN_SITE_DIR to vhost our mailman
installs with apache2, but that doesn't pass the filter and is removed.
HOST is passed through so we update our scripts, apache vhost configs,
exim, and init scripts to use the HOST env var instead.
Change-Id: I5c8c70c219669e37b7b75a61001a2b7f7bb0bb6c
We are using synchronize to copy the openstack mailman templates which
preserved the ownership and group and permissions of the source files on
bridge. This isn't a major problem but it is ugly so we fix it.
To fix it we set rsync_opts for synchronize to set a usermap and a
groupmap to map the bridge info to the data we want on the remote.
Change-Id: I209345cbe9e27beb18d1ba31e6715bf850bc022b
This converts our existing puppeted mailman configuration into a set of
ansible roles and a new playbook. We don't try to do anything new and
instead do our best to map from puppet to ansible as closely as
possible. This helps reduce churn and will help us find problems more
quickly if they happen.
Followups will further cleanup the puppetry.
Change-Id: If8cdb1164c9000438d1977d8965a92ca8eebe4df
Ian Wienand