Proofreading README and spring clean.
parent
781e83f478
commit
c26310a90e
README.md
@ -19,14 +19,6 @@ Puis pour jouer les *playbooks* :
|
||||||
- Pour tout relancer : `ansible-playbook site.yml`
|
- Pour tout relancer : `ansible-playbook site.yml`
|
||||||
- Pour configurer les PyCons : `ansible-playbook pycons.yml`
|
- Pour configurer les PyCons : `ansible-playbook pycons.yml`
|
||||||
|
|
||||||
## TODO
|
|
||||||
|
|
||||||
### Mailman 3
|
|
||||||
|
|
||||||
Mailman 3 est installé sur https://mm3.afpy.org, Julien a un compte
|
|
||||||
super user, vous pouvez en demander un aussi. le mailman peut envoyer
|
|
||||||
des mails via exim4, mais pour le moment aucune mailing list.
|
|
||||||
|
|
||||||
|
|
||||||
## Faire, ne pas faire
|
## Faire, ne pas faire
|
||||||
|
|
||||||
|
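Review bot: the removed "Mailman 3" paragraph was the only place on record that mm3.afpy.org is a live install with a super user account and an exim4 sending path; if the host is being decommissioned, say so in one line (and who removes the account, the DNS record and the certificate), otherwise keep the paragraph, because an undocumented admin account on a live service is exactly what gets forgotten. A "spring clean" of the README should not silently turn a TODO into an orphaned host.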
@ -40,41 +32,38 @@ c'est le rôle de la CI (Github Actions, ...), pas de nos playbooks.
|
||||||
|
|
||||||
# Servers
|
# Servers
|
||||||
|
|
||||||
## TODO
|
La distinction services/serveurs :
|
||||||
|
|
||||||
- [ ] Github Actions sur Alain (déployer au push).
|
- Un serveur contient un chiffre dans son hostname : deb2.afpy.org,
|
||||||
- [ ] Setup watchghost
|
bbb2.afpy.org, …
|
||||||
- [ ] C'est quoi pycon.afpy.org ?
|
- Un service ne contient pas de chiffre dans son hostname :
|
||||||
- [ ] C'est quoi video.pycon.fr ? (IN A 91.121.116.118)
|
discuss.afpy.org, bbb.afpy.org, www.afpy.org, …
|
||||||
|
|
||||||
|
|
||||||
## deb.afpy.org
|
## deb2.afpy.org
|
||||||
|
|
||||||
La seule machine déployée via Ansible.
|
♥ Machine sponsorisée par Gandi ♥
|
||||||
|
|
||||||
fingerprint: `SHA256:xVC4sYYdmDSbJP6JWZUxApzHdbAj1p3uZlOEIksXrMA`.
|
C'est un VPS `V-R4 2 CPUs · 4 GB RAM`.
|
||||||
|
|
||||||
|
Elle héberge les services suivants :
|
||||||
|
|
||||||
|
- https://www.afpy.org ([source](https://github.com/AFPy/site))
|
||||||
|
- https://discuss.afpy.org une instance Discourse.
|
||||||
|
- [https://*.pycon.fr/*](https://pycon.fr/) (que des sites statiuques)
|
||||||
|
- https://afpyro.afpy.org ([source](https://github.com/AFPy/siteafpyro))
|
||||||
|
- Alain le bot IRC du canal #afpy ([source](https://github.com/AFPy/alain))
|
||||||
|
- La gate [IRC](https://afpy.org/irc)—[Discord](https://afpy.org/discord)
|
||||||
|
- https://dl.afpy.org: un *directory listing* nginx des vidéos de nos conférences.
|
||||||
|
- https://logs.afpy.org: Les logs du salon IRC #afpy ([source](https://github.com/AFPy/AfpyLogs/))
|
||||||
|
- https://pydocteur.afpy.org: Un bot utilisé dans le repo de la traduction ([source](https://github.com/AFPy/PyDocTeur))
|
||||||
|
|
||||||
|
|
||||||
## rainette.afpy.org
|
## bbb2.afpy.org
|
||||||
|
|
||||||
Liste des jails toujours utiles :
|
♥ Machine sponsorisée par Gandi ♥
|
||||||
|
|
||||||
- web: stoppée, sauvegardée, à supprimer.
|
C'est un VPS `V-R8 4 CPUs · 8 GB RAM`.
|
||||||
- dns: Doit être démarrée avant mailman
|
|
||||||
- smtp:
|
|
||||||
- smtpd (/usr/local/etc/mail/smtpd.conf)
|
|
||||||
- dovecot (comptes: /usr/local/etc/mail/tables/passwd)
|
|
||||||
- spamd
|
|
||||||
- mailman: Le sitepass est disponnible dans [pass](https://github.com/AFPy/pass/).
|
|
||||||
- http: toujours utile pour https://lists.afpy.org
|
|
||||||
|
|
||||||
|
|
||||||
## dl.afpy.org
|
|
||||||
|
|
||||||
C'est un directory listing nginx, accessible via https://dl.afpy.org.
|
|
||||||
|
|
||||||
Il héberge aussi https://videos-2015.pycon.fr/ (qui depuis 2021 redirige
|
|
||||||
vers dl.afpy.org/pycon-fr-15, c'est mieux rangé).
|
|
||||||
|
|
||||||
|
|
||||||
# Ansible
|
# Ansible
|
||||||
|
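Review bot: the new deb2.afpy.org section drops the host key line (`fingerprint: \`SHA256:xVC4sYYdmDSbJP6JWZUxApzHdbAj1p3uZlOEIksXrMA\``) without publishing one for deb2.afpy.org or bbb2.afpy.org; the README is a reasonable out-of-band channel for host keys, so add the `ssh-keygen -lf` output for both new VPSes so a first connection can be verified rather than trusted on first use. Two smaller points in the same hunk: "statiuques" in the pycon.fr bullet should read "statiques", and the rainette jail list (dns, smtp/smtpd/dovecot/spamd, mailman, http for https://lists.afpy.org) disappears with no note on whether lists.afpy.org is still served anywhere, which matters for the group_vars email change later in this commit.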
@ -111,23 +100,13 @@ backup storage.afpy.org:/var/www/ storage.afpy.org/
|
||||||
|
|
||||||
## BBB
|
## BBB
|
||||||
|
|
||||||
On utilise une Start-2-M-SATA chez online.net qui propose directement d'installer BBB.
|
Hébergé sur bbb2.afpy.org chez Gandi.
|
||||||
|
|
||||||
Attention a retenir son mot de passe user temporaire à l'installation
|
|
||||||
même si vous avez une clef SSH: vous en aurez besoin pour `passwd` la
|
|
||||||
première fois.
|
|
||||||
|
|
||||||
J'y ai appliqué un poil de ssh-hardening :
|
J'y ai appliqué un poil de ssh-hardening :
|
||||||
|
|
||||||
AuthenticationMethods publickey
|
AuthenticationMethods publickey
|
||||||
LogLevel VERBOSE
|
LogLevel VERBOSE
|
||||||
|
|
||||||
Et quand même un peu de confort (enfin c'est surtout que je n'aime pas
|
|
||||||
les mots de passe ni sudo) :
|
|
||||||
|
|
||||||
PermitRootLogin prohibit-password
|
|
||||||
|
|
||||||
|
|
||||||
Ensuite j'ai [rsync les enregistrements depuis le bbb
|
Ensuite j'ai [rsync les enregistrements depuis le bbb
|
||||||
précédent](https://docs.bigbluebutton.org/2.2/customize.html#transfer-published-recordings-from-another-server).
|
précédent](https://docs.bigbluebutton.org/2.2/customize.html#transfer-published-recordings-from-another-server).
|
||||||
|
|
||||||
|
|
|
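Review bot: the `PermitRootLogin prohibit-password` paragraph is dropped, yet group_vars still use `ansible_user: root` with key-based `authorized_keys`, so sshd on bbb2.afpy.org must keep permitting root login by key for the playbooks to run at all; keep that directive next to `AuthenticationMethods publickey` and `LogLevel VERBOSE` (ideally all three in one fenced block) so the next reader does not "harden" it to `no` and lock Ansible out. Removing the online.net temporary-password warning is fine now that the host is at Gandi, but the sentence introducing the hardening still says "J'y ai appliqué" without stating which host "y" now refers to.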
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
gandi_api_key: "{{ vault_gandi_api_key }}"
|
gandi_api_key: "{{ vault_gandi_api_key }}"
|
||||||
letsencrypt_email: afpy-web@lists.afpy.org
|
letsencrypt_email: julien@python.org
|
||||||
admin_email: afpy-web@lists.afpy.org
|
admin_email: julien@python.org
|
||||||
ansible_python_interpreter: "/usr/bin/python3"
|
ansible_python_interpreter: "/usr/bin/python3"
|
||||||
ansible_user: root
|
ansible_user: root
|
||||||
authorized_keys: |
|
authorized_keys: |
|
||||||
|
|
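Review bot: `letsencrypt_email` and `admin_email` move from the shared alias afpy-web@lists.afpy.org to the personal address julien@python.org, so certificate-expiry warnings and admin notices now reach a single mailbox; if this is because lists.afpy.org is going away (its mailman jail is removed from the README in this same commit), record that in the commit message and prefer a shared alias on a domain that survives, since one person on holiday is enough to miss a failed renewal.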
mm3.yml
@ -1,10 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- hosts: mailmans
|
|
||||||
tasks:
|
|
||||||
- name: Basic setup
|
|
||||||
include_role: name=common
|
|
||||||
|
|
||||||
- name: Mailman setup
|
|
||||||
tags: always
|
|
||||||
include_role: name=mailman
|
|
|
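Review bot: deleting `mm3.yml` also deletes the only play that applied the `common` role to the `mailmans` group; if that host is not actually gone it silently leaves configuration management with no baseline anymore, so either remove it from the inventory in the same commit or fold it into `site.yml`, which the README still presents as the entry point ("Pour tout relancer").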
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: restart exim4
|
|
||||||
service: name=exim4 state=restarted
|
|
|
@ -1,120 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: Install mailman
|
|
||||||
apt:
|
|
||||||
state: present
|
|
||||||
name: [mailman3-full, nginx, python3-psycopg2]
|
|
||||||
|
|
||||||
- name: Create mm3 nginx log directory
|
|
||||||
file:
|
|
||||||
path: /var/log/nginx/mailman3
|
|
||||||
owner: www-data
|
|
||||||
group: adm
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Create mailman3 postgres user
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
postgresql_user:
|
|
||||||
user: list
|
|
||||||
|
|
||||||
- name: Create mailman3 postgres db
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
postgresql_db:
|
|
||||||
name: mailman3
|
|
||||||
owner: list
|
|
||||||
|
|
||||||
- name: Configure mailman to connect via unix socket
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/mailman3/mailman.cfg
|
|
||||||
line: 'url: postgres://list@/mailman3'
|
|
||||||
regex: '^url: postgres://'
|
|
||||||
|
|
||||||
- name: Configure mailman siteowner
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/mailman3/mailman.cfg
|
|
||||||
line: 'site_owner: julien@palard.fr'
|
|
||||||
regex: '^site_owner:'
|
|
||||||
|
|
||||||
- name: Configure mailman language
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/mailman3/mailman.cfg
|
|
||||||
line: 'default_language: fr'
|
|
||||||
regex: '^default_language:'
|
|
||||||
|
|
||||||
- name: Configure mailman to use exim4 LMTP
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/mailman3/mailman.cfg
|
|
||||||
line: 'incoming: mailman.mta.exim4.LMTP'
|
|
||||||
regex: '^incoming: mailman.mta'
|
|
||||||
|
|
||||||
- name: Configure mailman to use exim4
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/mailman3/mailman.cfg
|
|
||||||
line: 'configuration: python:mailman.config.exim4'
|
|
||||||
regex: 'configuration: python:mailman.config.'
|
|
||||||
|
|
||||||
- name: Configure exim4 macros
|
|
||||||
template:
|
|
||||||
src: 25_mm3_macros.j2
|
|
||||||
dest: /etc/exim4/conf.d/main/25_mm3_macros
|
|
||||||
|
|
||||||
- name: Configure exim4 router
|
|
||||||
template:
|
|
||||||
src: 455_mm3_router.j2
|
|
||||||
dest: /etc/exim4/conf.d/router/455_mm3_router
|
|
||||||
|
|
||||||
- name: Configure exim4 transport
|
|
||||||
template:
|
|
||||||
src: 55_mm3_transport.j2
|
|
||||||
dest: /etc/exim4/conf.d/transport/55_mm3_transport
|
|
||||||
|
|
||||||
- name: Configure nginx
|
|
||||||
include_role: name=julienpalard.nginx
|
|
||||||
vars:
|
|
||||||
nginx_domain: mm3.afpy.org
|
|
||||||
nginx_certificates: [mm3.afpy.org]
|
|
||||||
nginx_owner: mm3
|
|
||||||
nginx_conf: |
|
|
||||||
upstream mailman3 {
|
|
||||||
server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name mm3.afpy.org;
|
|
||||||
server_tokens off;
|
|
||||||
|
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
access_log /var/log/nginx/mailman3/access.log combined;
|
|
||||||
error_log /var/log/nginx/mailman3/error.log;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
server_name mm3.afpy.org;
|
|
||||||
server_tokens off;
|
|
||||||
|
|
||||||
include snippets/letsencrypt-mm3.afpy.org.conf;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
uwsgi_pass mailman3;
|
|
||||||
include /etc/nginx/uwsgi_params;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /mailman3/static {
|
|
||||||
alias /var/lib/mailman3/web/static;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /mailman3/static/favicon.ico {
|
|
||||||
alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
|
|
||||||
}
|
|
||||||
|
|
||||||
access_log /var/log/nginx/mailman3/access.log combined;
|
|
||||||
error_log /var/log/nginx/mailman3/error.log;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
tags: mailman
|
|
|
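Review bot: deleting the role does not undo it on any host that already ran it: `mailman3-full`, `nginx` and `python3-psycopg2` stay installed, the `list` postgres user and `mailman3` database remain, and the `mm3.afpy.org` vhost with its `snippets/letsencrypt-mm3.afpy.org.conf` keeps answering on 443. If the host survives, add a one-off cleanup (purge the packages, drop the database, remove the vhost and the DNS record) rather than relying on a re-image. Minor, but worth knowing if this ever comes back: the `regex: 'configuration: python:mailman.config.'` line was the only one without a `^` anchor, so it could have matched a comment further down the file.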
@ -1,18 +0,0 @@
|
||||||
# The colon-separated list of domains served by Mailman.
|
|
||||||
domainlist mm_domains=lists.afpy.org,lists3.afpy.org
|
|
||||||
|
|
||||||
MM3_LMTP_PORT=8024
|
|
||||||
|
|
||||||
# MM3_HOME must be set to mailman's var directory, wherever it is
|
|
||||||
# according to your installation.
|
|
||||||
MM3_HOME=/opt/mailman/var
|
|
||||||
MM3_UID=list
|
|
||||||
MM3_GID=list
|
|
||||||
|
|
||||||
################################################################
|
|
||||||
# The configuration below is boilerplate:
|
|
||||||
# you should not need to change it.
|
|
||||||
|
|
||||||
# The path to the list receipt (used as the required file when
|
|
||||||
# matching list addresses)
|
|
||||||
MM3_LISTCHK=MM3_HOME/lists/${local_part}.${domain}
|
|
|
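Review bot: `MM3_HOME=/opt/mailman/var` is the upstream source-install path, whereas the only mailman path visible elsewhere in this diff is `/var/lib/mailman3/...` (the nginx static alias), i.e. the Debian `mailman3-full` layout installed by the removed apt task; if the two disagreed, `MM3_LISTCHK=MM3_HOME/lists/${local_part}.${domain}` never matched and the router never accepted list mail, which would explain the "aucune mailing list" note being removed from the README. If this template is ever revived, also note that recent Exim versions treat `$local_part` as tainted and refuse it inside a file name, so the `require_files` check needs the lookup-based form from current Mailman docs.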
@ -1,21 +0,0 @@
|
||||||
mailman3_router:
|
|
||||||
driver = accept
|
|
||||||
domains = +mm_domains
|
|
||||||
require_files = MM3_LISTCHK
|
|
||||||
local_part_suffix_optional
|
|
||||||
local_part_suffix = \
|
|
||||||
-bounces : -bounces+* : \
|
|
||||||
-confirm : -confirm+* : \
|
|
||||||
-join : -leave : \
|
|
||||||
-owner : -request : \
|
|
||||||
-subscribe : -unsubscribe
|
|
||||||
transport = mailman3_transport
|
|
||||||
|
|
||||||
# /etc/exim4/conf.d/transport/55_mm3_transport
|
|
||||||
mailman3_transport:
|
|
||||||
driver = smtp
|
|
||||||
protocol = lmtp
|
|
||||||
allow_localhost
|
|
||||||
hosts = localhost
|
|
||||||
port = MM3_LMTP_PORT
|
|
||||||
rcpt_include_affixes = true
|
|
|
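Review bot: nothing is lost here: the same `mailman3_router:` and `mailman3_transport:` stanzas survive as separate templates until the next two hunks, and the stray `# /etc/exim4/conf.d/transport/55_mm3_transport` comment in the middle of this file marks it as a paste artefact, presumably not one of the three templates (`25_mm3_macros.j2`, `455_mm3_router.j2`, `55_mm3_transport.j2`) that the deleted role's `template:` tasks referenced.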
@ -1,12 +0,0 @@
|
||||||
mailman3_router:
|
|
||||||
driver = accept
|
|
||||||
domains = +mm_domains
|
|
||||||
require_files = MM3_LISTCHK
|
|
||||||
local_part_suffix_optional
|
|
||||||
local_part_suffix = \
|
|
||||||
-bounces : -bounces+* : \
|
|
||||||
-confirm : -confirm+* : \
|
|
||||||
-join : -leave : \
|
|
||||||
-owner : -request : \
|
|
||||||
-subscribe : -unsubscribe
|
|
||||||
transport = mailman3_transport
|
|
|
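Review bot: for the record, `require_files = MM3_LISTCHK` is the line that stopped this `accept` router from taking every local part under `+mm_domains` and handing it to LMTP, which would otherwise have produced bounces for non-existent lists; anyone resurrecting an exim4 front end for Mailman should keep that guard together with the `local_part_suffix` list, since the suffixes (`-bounces`, `-confirm`, `-owner`, ...) are exactly what the list check must see stripped.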
@ -1,7 +0,0 @@
|
||||||
mailman3_transport:
|
|
||||||
driver = smtp
|
|
||||||
protocol = lmtp
|
|
||||||
allow_localhost
|
|
||||||
hosts = localhost
|
|
||||||
port = MM3_LMTP_PORT
|
|
||||||
rcpt_include_affixes = true
|
|