All lists except arch-mirrors-announce and aur-requests[1] require the
user to be a member before they can post. Moderating mails from
nonmembers is a lot of work and most of the mails are spam, so let's
just reject them. Mails to arch-mirrors-announce and aur-requests from
nonmembers will still be checked manually, as you aren't required to be
subscribed[1].
[1] https://wiki.archlinux.org/index.php?title=General_guidelines&oldid=750602#Reply_to_the_mailing_list
With the final lists migrated to mailman3[1], the mailman2 server can
finally be killed.
When the mailman3 server was initially set up[2], it was done on a
separate server because the mailman and mailman3 packages conflicted,
and the traffic was routed over wireguard (HTTP, LMTP and SMTP).
Instead of installing mailman3 on the original lists.al.org server and
transferring the data, it was easier just to install the missing pieces
(basically Postfix and adjusting the Nginx configuration) on the ml3
server and move the IPs (to keep the IP mail reputation).
So basically the following was done:
- The IPs for the original lists.al.org were moved to the mailman3.al.org
server
- The mailman2 datadir was transferred to mailman3.al.org server, so we
can keep the pipermail links alive, and import missing mails if needed
- The original lists.al.org server was decommissioned
- The mailman3.al.org server was renamed to lists.al.org
- The missing pieces were added to the mailman3 role (basically Postfix +
Nginx adjustments)
- The mailman role was deleted and the mailman3 role renamed to mailman
[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")
[2] 9294828f ("Setup mailman3 server")
Fix #59
All lists have been migrated to mailman3[1] and mailman3 is what users
should use, so show its interface by default and not the mailman2
interface.
[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")
arch-general
aur-general
aur-requests
It has been decided not to migrate the following unlisted and unused
lists:
arch-magazine
arch-notifications
arch-test
mailman
These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.
We want to migrate to mailman3 as mailman2 is basically unmaintained and
requires Python 2 which is EOL.
Because the mailman and mailman3 packages conflict and we don't want to
perform a big bang migration, mailman3 must be deployed on a separate
server. mailman-web (mailman3's web interface) hasn't been packaged yet,
so for now we are using my homebrewed PKGBUILD[1].
[1] https://gist.github.com/klausenbusk/5982063f95c503754a51ed2fefb8915e
Ref #59
An extra access_log entry was added with the following commands:
$ cd roles
$ grep -lr access_log | xargs -P 1 -n 1 sed -i '/access_log/ s/\(.*\)\( \)\(\(reduced\|main\);$\)/\1 \3\n\1.json json_\3/'
yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
For proxy/fastcgi/uwsgi blocks, logging is still set to the old format,
but for everything else (= static data) a reduced format is used that
excludes items that no longer make sense (request_time, remote_user) and
those that are personal information all the time (remote_addr, http_x_forwarded_for).
Signed-off-by: Florian Pritz <bluewind@xinu.at>
To correctly be safe for CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since nginx children
run as the http user, the directories' permissions must be 0755, so the
http user can descend into them. Since logrotate will create the
log files as http:log, the nginx children will be able to write to the
logs, but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.
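
An added example, not part of the commit message above or of the repository it belongs to: a Python audit of the layout that message describes (log directories owned by root:root with mode 0755). The default path /var/log/nginx and the function names are assumptions, and the symlink check goes beyond what the message states.

```python
import os
import stat
import sys

def check_log_dir(mode, uid, gid):
    """Problems with a log directory, given its lstat() mode, uid and gid."""
    if not stat.S_ISDIR(mode):
        return ["not a real directory (symlink or other file type)"]
    problems = []
    if uid != 0:
        problems.append("owner is uid %d, expected root" % uid)
    if gid != 0:
        problems.append("group is gid %d, expected root" % gid)
    perms = stat.S_IMODE(mode)
    # Group or other write permission lets a non-root user create files here.
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("mode %04o lets non-root users create files" % perms)
    # The worker user needs r-x for "other" to reach the files inside.
    if perms & 0o005 != 0o005:
        problems.append("mode %04o stops the worker user descending" % perms)
    return problems

def audit(log_dir):
    """Map each offending path under log_dir to its list of problems."""
    findings = {}
    for root, dirs, files in os.walk(log_dir):
        st = os.lstat(root)
        problems = check_log_dir(st.st_mode, st.st_uid, st.st_gid)
        if problems:
            findings[root] = problems
        # os.walk lists symlinks but does not follow them; flag each one.
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                findings[path] = ["symlink inside a log directory"]
    return findings

if __name__ == "__main__":
    # Assumed default location; pass another directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log/nginx"
    if not os.path.isdir(target):
        sys.exit("not a directory: %s" % target)
    result = audit(target)
    for path, problems in sorted(result.items()):
        for problem in problems:
            print("%s: %s" % (path, problem))
    sys.exit(1 if result else 0)
```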