From c2862e1e8bca290f1ef508da75b6413ccb155d3d Mon Sep 17 00:00:00 2001 From: Michal Konecny Date: Mon, 18 Mar 2024 17:23:36 +0100 Subject: [PATCH] [mailman3] Create a new role mailman3 It seems that the mailman update is more complicated than I originally thought. So I decided to start with clean role and will slowly start adding new changes. 
Signed-off-by: Michal Konecny --- playbooks/groups/mailman.yml | 10 + roles/mailman3/defaults/main.yml | 36 ++ roles/mailman3/files/favicon.ico | Bin 0 -> 32038 bytes roles/mailman3/files/headers.html | 9 + roles/mailman3/files/login_extra_top.html | 6 + .../mailman3/files/logo-hyperkitty-fedora.png | Bin 0 -> 4650 bytes roles/mailman3/files/mailman-hyperkitty.cfg | 20 + ...ailman-template-list-admin-action-post.txt | 15 + ...an-template-list-member-generic-footer.txt | 8 + ...n-template-users-list-user-notice-hold.txt | 25 + roles/mailman3/files/mailman3.logrotate.conf | 6 + roles/mailman3/files/memcached.sysconfig | 5 + roles/mailman3/files/navbar-brand.html | 5 + roles/mailman3/files/robots.txt | 4 + roles/mailman3/files/signup_closed.html | 21 + roles/mailman3/files/top.html | 10 + roles/mailman3/handlers/main.yml | 12 + roles/mailman3/tasks/main.yml | 452 ++++++++++++++++++ roles/mailman3/templates/apache.conf.j2 | 43 ++ roles/mailman3/templates/bottom.html | 15 + roles/mailman3/templates/mailman.cfg.j2 | 191 ++++++++ roles/mailman3/templates/settings.py.j2 | 406 ++++++++++++++++ .../templates/webui-qcluster.service.j2 | 14 + .../templates/webui-warm-up-cache.service.j2 | 14 + 24 files changed, 1327 insertions(+) create mode 100644 roles/mailman3/defaults/main.yml create mode 100644 roles/mailman3/files/favicon.ico create mode 100644 roles/mailman3/files/headers.html create mode 100644 roles/mailman3/files/login_extra_top.html create mode 100644 roles/mailman3/files/logo-hyperkitty-fedora.png create mode 100644 roles/mailman3/files/mailman-hyperkitty.cfg create mode 100644 roles/mailman3/files/mailman-template-list-admin-action-post.txt create mode 100644 roles/mailman3/files/mailman-template-list-member-generic-footer.txt create mode 100644 roles/mailman3/files/mailman-template-users-list-user-notice-hold.txt create mode 100644 roles/mailman3/files/mailman3.logrotate.conf create mode 100644 roles/mailman3/files/memcached.sysconfig create mode 100644 
roles/mailman3/files/navbar-brand.html create mode 100644 roles/mailman3/files/robots.txt create mode 100644 roles/mailman3/files/signup_closed.html create mode 100644 roles/mailman3/files/top.html create mode 100644 roles/mailman3/handlers/main.yml create mode 100644 roles/mailman3/tasks/main.yml create mode 100644 roles/mailman3/templates/apache.conf.j2 create mode 100644 roles/mailman3/templates/bottom.html create mode 100644 roles/mailman3/templates/mailman.cfg.j2 create mode 100644 roles/mailman3/templates/settings.py.j2 create mode 100644 roles/mailman3/templates/webui-qcluster.service.j2 create mode 100644 roles/mailman3/templates/webui-warm-up-cache.service.j2 diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 88fb81acf4..a98106c2cf 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -100,6 +100,16 @@ mailman_hyperkitty_admin_db_pass: "{{ mailman_hk_admin_db_pass }}" mailman_hyperkitty_db_pass: "{{ mailman_hk_db_pass }}" mailman_hyperkitty_cookie_key: "{{ mailman_hk_cookie_key }}" + when: env != "staging" + - role: mailman3 + mailman_rest_api_user: "{{ mailman_stg_rest_api_user }}" + mailman_rest_api_pass: "{{ mailman_stg_rest_api_pass }}" + mailman_mailman_db_pass: "{{ mailman_mm_db_pass }}" + mailman_hyperkitty_admin_db_pass: "{{ mailman_hk_admin_db_pass }}" + mailman_hyperkitty_db_pass: "{{ mailman_hk_db_pass }}" + mailman_hyperkitty_cookie_key: "{{ mailman_hk_cookie_key }}" + mailman_hyperkitty_archiver_key: "{{ mailman_hk_stg_archiver_key }}" + when: env == "staging" - {role: fedmsg/base, when: env != "staging"} # Set up for fedora-messaging diff --git a/roles/mailman3/defaults/main.yml b/roles/mailman3/defaults/main.yml new file mode 100644 index 0000000000..64f5731c4f --- /dev/null +++ b/roles/mailman3/defaults/main.yml 
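Review bot: The new staging `mailman3` role entry takes its database passwords and cookie key (`mailman_mm_db_pass`, `mailman_hk_admin_db_pass`, `mailman_hk_db_pass`, `mailman_hk_cookie_key`) from the same un-suffixed variables as the production role entry just above it; only the REST API credentials and the archiver key use `_stg_` variables. Whether those un-suffixed variables are overridden per environment is not visible in this hunk; if they are not, staging would run with the production database passwords and cookie key. Either point these four at staging-specific variables, or add a comment above the entry such as `# mailman_mm_db_pass / mailman_hk_* are resolved per environment in the private vars`.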
@@ -0,0 +1,36 @@
+---
+# Mailman core settings
+mailman_webui_basedir: /srv/webui
+mailman_webui_confdir: /etc/mailman3
+mailman_rest_api_user: restadmin
+mailman_rest_api_pass: changeme
+mailman_rest_api_workers: 2
+mailman_log_directory: /var/log/mailman3
+mailman_log_items:
+ - archiver
+ - bounce
+ - config
+ - database
+ - http
+ - runner
+ - smtp
+ - subscribe
+ - task
+
+# Mailman DB settings (the values should be provided by playbook)
+mailman_db_server: localhost
+mailman_mailman_db_pass: changeme
+
+# Hyperkitty/Postorius settings (the values should be provided by playbook)
+mailman_hyperkitty_admin_db_pass: changeme
+mailman_hyperkitty_db_pass: changeme
+mailman_hyperkitty_cookie_key: changeme
+mailman_hyperkitty_archiver_key: changeme
+mailman_domains:
+- lists.example.com
+- lists.example.org
+mailman_social_login: []
+
+# Apache configuration
+# Use mailman-web wsgi for mailman3
+wsgi_dir: /usr/lib/python3.9/site-packages/mailman_web
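Review bot: Every secret in these defaults (`mailman_rest_api_pass`, `mailman_mailman_db_pass`, both HyperKitty DB passwords, `mailman_hyperkitty_cookie_key`, `mailman_hyperkitty_archiver_key`) falls back to the literal `changeme`. A playbook that omits one of them therefore deploys a working service with a publicly known credential instead of failing. Removing the secret defaults makes a missing value an undefined-variable error at template time under Ansible's default settings. If the defaults must stay, add an `ansible.builtin.assert` at the top of tasks/main.yml with one condition per secret, for example `that: mailman_rest_api_pass != 'changeme'`. Separately, `wsgi_dir` is the only variable here without the `mailman_` prefix and it pins a `python3.9` path, so it deserves a comment saying which host release it matches.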
diff --git a/roles/mailman3/files/favicon.ico b/roles/mailman3/files/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..05567e14242709a5330bf535a7c1aeaa6650f5bf GIT binary patch literal 32038 zcmdU&33wDm+JKuFuE;M)vbu8XYBsn&i2fQ5FBVVmfCNN9Wf50UNCFDt#X<7Gu2 zgqv`MD}?(>!hIMJAwUEKL{tQXh+HBfMmB5x&s#G!bS5*C383p=&(lv;S66*UonL+R zRkfy7(n7UbwKT1g)<}CjRMVc&G_6r1*L!v?ONqC zqDAZ3*>j5a?%O9m`Q#Jv(MKQ2hcI!ov*#RZ)}nc9Uoe_AZ~ow_HLEWa78Z&P8#agq z3l@ll3m3|VFmZe%O?0zn587eWtXZ?h^w~2H?=0LY(~)-O%$Z`=tXc9QOq_y2+M2a$ z)=)4yb?*Gur+fE`l`B_Dd~4UP6?u7iV(QeX@*zwd^pJ+MZJ&MmEtP-DjA@1W`T0WE zb&;5uC`OMSEpd^D2fW1bjWnd4Iz6+H{NWK1H>}^dLCl#mM}BuYonqLqVPegiH6EG? z6UR4Tkape14T8LN>eh|gyyYXYc=2NSZSUT_V%f4~V*UE{p8SM~;~V)&OCIvpsarR4 z^G6@aG}EU~7n3GUl4(_WDWCj&BMtD}`6HX$efPstre}&RTef)8syzOD+68&Y`^syt z&d@EBwjnle-t0Gzg0*SWCXqEaTabsm4$C}A*c_fB*0{@BrS;`gAI{+^GQZ60G-P<; zqD4N_`+~7(@nV@rcN!%Q%P1K?X`)QGapOj@Z{I#yzux(%bH0&=ZxbeE2;DMD98U8> z{^m_$|7ZKf$J@4wQRBz%{cux$328t3>@)e$cQ)qdmy8-Wb}wm2yJ_=g@?RL5JggvN z>f~K7ztTPRzUb(OD_5x;8r8UQlTKYa5AOTcn^_5Oy_xlV=NASM$G7{Uqg#=7%JgZw z$XoJ=rk$&)X@{$7+Q#c#Phusl%;U>7c-J+~Fvhg1;5g&YRj*#X+5-S5KZ`GZqYcYTc-RUUitiN|!OxpBnk^pbfC z7l^F|+r;Mw4~nl3AC?bc;`l}yhh?rO&-K?|U!|h>?C$Qn@4l)3y91}DjU8Q_|Iudg z?THiO#EBE)z<~pD%qu7;kPqV@ao>ISolHYo@(g%q;ACLfVFv5&{ontM8k{tA%lt(P zMbWq4im$)^T5R3AwM_f0Rf659>(D1%a_Zr9Y0}cID7W297o@X?_+_(9{~?M^k9>;v7;}Y`0j-G_~VbuzyjXL zkt4;bRjcG!PZ<1+`^53?jh}a50W)pP=u0ghexQjj{FN(L4(;3jt$CZad?XGYJm?b+ zu(GqWMQ(1coO>M(hkRD7SRv#1<_kY@UwrX}0CwO0Z)Stbn}!#FFLk3ZJ)68t;6(1Cw^}#aCZ4N9Nn{-*U?>)kcmPRm}JX zyiub@`Gf(S)vH&R!KrBAn=jnN0h4s!p7>Ub9GzYaPDR80(b0EJnl?ooKYm=MNli`l zz(Kx3PE>KUJ%!KP=Nq_4OCItndWa)EI5MV95%)KXzSD!hS@ctL=FJs{4~%kX z{(SN4ufK}VKmS||9XhnsxaWuJaFhQjOWv)O_Sq5pmwKl zE1$8Dv4gye7A=yn)HiS-r{3Qz`Z0z7ndhEuo02v{eD?VPpJTqtd$sl`i(}-|tgSy(YN#?GqzMkCHNSpS}t6zfP=y&&|0e^}xC!Z{>~p@nsFZeCs~JgnVWQy{}`-@e_m zMh!#@?G4$RJmmFW|L3j96V4H-l4pk{%l{nsGp0PiUOipp`89pklWXyzdV&arZV#1V3g7ENBX_xdA zbI)t9_eyTwqQzZRt5yvqZ@Z2ipL>7szp{Y|?Cb^e#FlMaWj_OVe7}UAx@Df%Epv1K 
zfo~6fvTd8@f4ceR+T>UBlX9VB+WjIzG|1P3x8| zTh^-{Rz2*x>#i%az5o_5pJ>~r<*;POAml%A#`R0+DbCdtV&io}Xqxy{(}t92+9So9 z*6^IB)#N#>X;sy;QPZvq^dxFpCG{wp{kckqt0qnp;ujXCO*KvHUNJp|;t}5-_Uo!u zs}>q{XXAR$Jo{{GhndWrlcihcUfrdqq7N49jE9!7hi^uTHK0Ss4z0;kwOX|@b>Zdg zH24eqazW7_6B~Pb*KRKl(k+9z>a4?Qh~yNf7&CFam^O2|m_0XJK7@(mo9-Id=wIt! z?Dq1Yb{#w3?j}Idhf`s@Uy-nKW%68Kqee)Rd+v#RckrM@-D#Y3j!3;Ueo}_WS&=7Y zpzpu`UR=0vLHzjRkEI^s&VK*BOha1okQbfcdxHlJzWbi0k=I{;y&a!&Dh}r>Oq`1M z4%=NwR8&;R%ROG{>affL#-dv*MRuev#t{V;XWcW8SV^yW~TdIKHvg zBrSS`?S(tV^x3mqW1iD2_{S^VyMn_;k8+AWoUgEov-^bAqcytq)`$-V|BF6;Zp?)7 zVrxNx_~C~i#QF2*rRh;dlyJAKV1d?O8Mk=Mx!jE@Vp$*~UD9}NCiVxwCdseK1; zdKCTkc)Rn^>vl3-^A;`Y41E8+Oy)(U_xkClpX7Q9dK9f{Eur4a^U2Ga3|Q#WfDMkf z-+wm~oVK#I)8#LWvwxE^e5=3zJqnvA)x9#*nyZ58M`-@lK zfyMjRsk((XwSNhoNU67p&W`K@=Ak%X+uZ z@v6-6(RIz3F+=V-pzlz06J{TRwI69z9z{PsFj<5CTwE;HZCEd55i`}A(5zXr8@$TZ z&W}A@#wEPjx1VmA7nbGbiXSgr5Qh#Ol5N~k>ib`h>zxop`Kxlr$?%hH+dSrQ8bveb%oacY{If>~pm2Hn z>{p>nK%PeLh5ip684qCtGcLYg#bQpMpk z^GA&zD~=Z(7ez%y<*u2~*`b$EG!UlDd6bTVZ^WZVQ|Wy9?A?I#*zsfR&#<1#|Jyx( zQ#yY|r{cx#LPA4BL%Y26Vs|6eDk<2pUDl=dK9_1U;8x)gBSuJlqHq51P8X{9;#oW3f4S&^mPJ z5H@@B+gEYq6we9@T8<9`4F~$Q(>hG0~RoOz+s0A z4bZ}RXTW>!tdICpM3`4!RxafJX3_WQmRYoMQ@&g~sks%M8U0hW2j$bgXV0GPDRV^^ zKDq_^Di2}%H^P)Vd4ZweDIZ+mBpoy$6K>4^kUA*3KRWt8KlE!!!yWIZjTtT1e8^ki zU|dJns9<~hjOof=!JEcF@8lt`H$3$YPH;m5GR8N@kBO0EMhU}m4)jOAZkc&grcaae zEbDXHIQ>n*^ye!bI=B?g<%I+3@)aK15;Q;ybN}SbY0L-9yy%y0|Hd0{tb)D}y#Vtc zbgu zcR&l{b})Frr^a|+^m@n9E)XVsN7Qn zCwYCrXa9?_1O2<=Z^@D+W$5&#TfLJOxa0)}uz=|cm!hA2z9UDExag0K!9+^Z?e?{H zu`#a?PfrskzWdHIXR(LoJw7ncve%9~bLNbcZNST3W3cUqwB$i90tWjy-+ue8l=JL7 zfLrY=F^{rWijKZrY)nr#-Ow+2XcrqZ5Lx59lP9HKnX;mtviE9-$y`cX#DN!ifN?um z+JQ@2@{ku8JixTi*@{1CAP>53XhYZ3u0zZK8~xI?kBv!UjyQShq-Wj&&)m6lOVN)k zeDvs1Nk8?#zM>kdE5ZX~KVuN<7U%~iuWAxs>&?P-IdoiyYjuYyZk2R3jsGc(J~+30tn zEp6;*=xWH0y!J*2-4g;EKYm71N zI>ew>#L2dUT;2J_uH6|wu`gk)RdT0-VTTz^SmnDGKI=;Q$Lh6fMY3gz&M$WPr)@2u z)u~e_%wZ(YV*a8IuusEQ!<&a|K}$tpKs#lRjR&+*#>0%{tXt~TQF17Ijd!{At<29d 
z-S(Y3Jo7+BabC;x^xIv#cMJA`b*F1D)L|JXZ@uj{kG)Lqgg9*9h<86G_GU64{pMQI zQxRA@ckYz7uZ%0uXMg%6#5rjHcSJ@;3>rG5&_%!Ek9si0#3_@dK7&1+-@DBt_oGXh zk~z&ow|!3zns1N1BjTC%?K-04QRT1raJYG4Eymt{Fg9`(DceA4v6n^HEBEx=ZAO-T z>F|YT+PClMu$-y#o2`DJUDEG#`Pg8fOAdsSZ^6`2Flo>yF3Vw0^zt64ukbJz?OR-B z?rQs`_;4D+NU_9>*)t_xa4Y=2!s=Uje3theIN9^&qCfOWw~I!2GqyM^qe!(Y==Fpx z6TOSboZ+&cw$tV>TpnE&{XQ#ewwnj~rLVd$igc%O(N43gE?oV1^0X;({Z>)D*DC$m zb?d~m>6voQl4b6;-S&i?#s#~b0emQ4MvosSbu|^C#a=HJ$rmUsGSX!m39mZvvQtp> zv(L8FX47w{E0}N~dMf%2e9LokWLtK%d)qvKJ-p4%LY4j0>C?*K35ITanu^j{UV8dr z8Tu^~JB?CyD$LWld1Y+@6>aD;kd2i6gNiQ?f1vNcVtuP%+S4ld*jKQ2bn#$FS;A#! zVP0U|QM^r`b$P4=j>?ZL$9#@%g?*lj7cWZNKRZs9){Z|=n7ru8fW=-Ou)*O=ZUpvB zwO6U=cN*t)r*RtEX*-mCj?E5}Jjj2@P{)oPlRBh>Uwk3vE?gkC?I@7%*l198$QXfW zwSOZmdlcve*)QUZMfQUE5;l4&aDfxt_I%jUq$0<8##7^@!)bo0%AWa}y#r(g*8AUl z^NlPQ${QQlHS5-@Iy}eTGj+9R@27HKnmt5x3E0>p^I_MrZQC~a5M~dUZ=|{K(@&Cb zbWQBdo5NFR!)Iw9;J_9ZoYV<4KnpbGZ`xE!9?~u2pu;ky>;?}zKPmL=FN5Ro(Iawy z8XHo#jTL7gmc%^Yv2&lk@yX~@8LN=<)~;VC?PQJ@6-i#OQ?)-Ae!3v{a^M#lCrr+8 z+Y^{a&sHe}Ik-GL} zc{$P+HyxXs;VIaHo&6wj@cMTWhjgvip#Dvjt5gZOvG$GCT0h$Q-uM3Xfg@2Lb`Tjb zC2fSXzrkjha-Ef(C1%dal3{FnM^6|>8>OtzCpwZ2y!Wp`Nv$7!v?=;PU;_J{AwymQ z7dXKU4ZvHLn!@q)%*qFL7{Y`;M{w+INVJ zs#U9&Ut5uT@4YuHrbCCPUiwG3L?gwS#hDh}X;80w9Xw965PJ=Wk(|}F+sldVJH|fI zv}sf9q~-e6?L1*{#l*%&f&0D0A(^_<+^jn#O_D}z`KTvoe>Ud1NZm44>z0%wR$3!d z2fWawbE~L38#iir+ii9n9{B$7R;yMmgbx;*|10l9G_3^xk;{HD?+rDNe~$N>S{eT^@l~~;{f(sO{FdAImtTEX zzEm7>-iv%T|2K1?t~05gG7yI;PHiL_z#m-a$v8^}J)D32yGRlf5k9C}##))iY4#YIo_=R!WMnO1RIXgv-ZuZxE<8NE zN_cqqpI>;fb93D?&_C>Q^C{;7>_*YIFeeXBA1NQg#PLnddG0*B9G02bscV<$@bK`P zYDYw=r|688(V9v#k1Nn}JFmap#Aq{ECvuf>X34=M< zWg|#`F=ljowZ}7&fBoxCUSsy}?(Vqbj*wQ5wvHZVIW65XkI{BnlPy}hMC>Rml(uy6 zgq(pq$-V?SALL5pTl9}SgylZeks~qu6~B-5J+3 z?Js}%OIZK6-)^frrH$t$&VtNav{1@w$m__v*c75GL&ikr^d-OBvihYRkn@4scZZ6)3smi)pL;UblJgk zHtMTGhh!h7-O`>bvStdlJb(#oa4=qgbHU<8YQ8x9YOmMchqm96`L=D_RvBjKtWQoL zQ)BPTnPKRm@3Ni>mY*w42M%z7lW}tSid=aQfx|M397eLEb?er@$=uMaS+md~Lld!E 
zJk6ZOT8nkATJL+?qIvVjnj4!3_Rg{0@cvF5-$+xQz5rbN_wRR&tKWYwRpoMwXeNN`k`-48{JbjxJR+`;^|aOo1c zhG$Hd|U(cUnwI;h^^bViC-@LBJIq}qs9K6HceYcU$5fn*QyOr_k`_zopwMT z#sZZm7@xBb$OzmmlH%IaKHaN-ub}R+@OHIp*ADA9pnn=N#{9*LJm=N|jdi|gWL$#} z&NV9@u|J`WD?3uc#F3vgq@~=*>kFp8IA~)|`u^Pa^2`LZ_Z!fEMD6g}p0oSGx^^)! z4|Cp*wa5Mg2jqMk%y{Qb8}=XYPd`^YGTz&5iU<=&Ueb`3JXd1>$yk7Fu>ZhkB7N*= zbg_rpcW7Vgo~!a)L_|c5S9|qLLpQNx`7&|QE#IJn_U5m=cjk5Me(m-z*xuT0R0$IY zEb5=M}Ca}Q)E^vYy8lc54FF`A90NPzP{^rGh^yr@OKR5hOx#Ixyy~8pWF?M{i zXLp%?&;32jO^jW3yE+xdUJcvRKys`qL(U}e*lAZ~qs&GOJG(nrn$5=%l zU|$1X98O~ays3Kj=eoV|kNX^!abjG?L}_!$IRjPq%uC2+3a>vO*+tnODtdhR^zZWe zIP)g3fawpPiib961Q#@;f55gB+eU}eEc)kbuW@uYpc|H&9EY5{JU3VTbn&9p%>a*j z@U~-BczyZQRWN$0^sBvQ%1LSs&Ki8{Q zFXUah*N;sz`_&2#>l4Ome|Y`HSHyl_;ZnY`=l2KOS3ERAtAYU!i~;DPu@C6gt5-dL z{P&5Ee+>T7E75PzF(^3PFXRiKier3YPV%lV=4u6_qCR;Qe0*Soqr9;YS`{v(Ct0vq zo*@=};^TeZn~LilAJ5$mf_ug2H>|A{oIw1u#$!!~+<{zTpQo-B|G)$`IKUNXEVAnQZlihsscU+tg%hRn{s1&%QTxlGlYlIsxe2L;iA$~>x{ui;gf?YXhbnW~jQ*fTfyAM#_$Y|)EaOme*6CtBt&DgKX2^hcv zCa`hf0w=f?-}um`&ittS@BlCH1aG|);urYi|BZyW1*G9Tn>YW!W1Yp>8t*bde?|KM z7wcB)g*yeVrtK^GfdMRFq89-NxV+DAK@+rjuLViZT^R7>;y-SlKmL0s#ARZKhP=dB zLtaIP@{z4ri+GPc%t_P}dJE`94p(xh%6la~Fn|S2V1vVZ{(}~1QgWXi5B(orI5Ur( zLGOgPsR8&O#Tdc<8g0xz{wbKyL;2GlIa|ow2VK+$XRTO+dDnr;do@1o9oXOi7dXMq z_y8^Rd0*wtSOhPdKi(qu2YM&Or3K(W5!s*nrtcIwB|6VPO4%@eojP+`%JZD}fVZKJVR?@~ z{&<=F!FI7R53)WYje59W4f_LR&OZuI!O{Wm=s!54qxiu`r~O=P%)|CJP^C(h(C53n zfNfeSn|0E&$IZDzY(_tChF;^x% za|U-ju;=b;KKO6*>W!bhab#m`&pA`-iznSO@}u4N30J9FHMH$BPxs^>0KU_@Y@m?| zxW8WAz2S}bkMNGp51kjX4tI(9GGMr(!6-_ie33dueefaSPxF0Ipdn>GOi_`fnYH{$ur8O&l8m5OY-b>&evBt zj2S;puDyM&tpm~U-~PrwtjZk^okp?!oUJ$i)IH}W|G)80*+cV+l`Fl^l$7StXG_w2Y9rWB+Rsb-st4+u^#;0C&fsz`82d|PaP%eDvK)ZLJ|1_Mfa8br z=jHwsxS;`Be9@@lIA6`4zT(g0%QNEKp?V^@S-0c%bEVTXLg7{j`gf5~yzAGEUX z#<>;r5!4fB7qH1t^17-YeAbhc6=_II9?naly9VFkBZmd|e{#MX9>581Xn+>dKpQkd zD>Os9!a;jx|HF&_{p!wi70;P!^gPf2END>Y9MFk#_bcb))m`u8b6Dmfhs!>`7#n`r`aN^~yt-IKC-d}l5AvQQ+Sb$=)0KVyMcrv^)t$y6 
zaH~7&p$Xcckun1gw5#$!4{pD+Nb>76xAGrE#XJ7)J-g*T8}tH;^ZL~1j!z2Zzco0w z&K)RjeJc0dXTQ>`XZxo2-t*vqci-ke1^kbo1lbGu105=5QMhZDtV8zIu%l)#SDoW0 zOgqMI7ah~iU7yJF46L;|^Jb>XbD_*tg>SzzFrn!^_p}5jxLxNBElCr!anC2TLbKvQ zl?VS@RlK^-`LES2W08vE96o8Wec8Qdk65v0m4ulwb&5Lkukv%Yb4gNaO83a9zutb+ zpZ_d%i47YyyrIPdEnDhl@>}k6zEZZPO<;dR|G*xR{~yqHxr=~j?!x&pj&G!4{B@t@ zppRa3IE}TsX(Y6Gpk;K!h7F}1D>%WOl$zR|^QQ8QsQbSx+yem3l*h`|tE4`RyBpw* z|1FSC@-KNe(EG|b{tc2fZ>~H;z?^xR2KoK8ga0`=je#$|^wPui8`N)9uR(({_LQ7e zu3x|Y4fPt-zrFu}0sIG(vyrSb<#||z3!gE=k8DEPe1~P2{oZ`Db-nuaZ?9j!ehpve zprN5&{rZidNjJ@bl1A4(2NDN7a5o_12LDuYpO0|UVT>@GW@~Kxp@;F&Mo+POY)E#b zINLw+*ke)Q5#e>h!^3OX{^tNVU?m^+Sdp}y+5A`V)i87$3Pw76m0_HDQ6meEbO%z5s1_@yI7?*Z>ZaB%>R zzscas3mS;#f(9X67c&U%aNsrvlF5Xw3mF9WIA~hU%f9Qv1i`%y-0VPhZg%kayt@8f zgBv2jx&C8=dqje@`SP9zO>5}wOSGDYTB~nH5(v8F+qPU^>wbI8_sSw}%AAjz`*#H0l literal 0 HcmV?d00001 diff --git a/roles/mailman3/files/headers.html b/roles/mailman3/files/headers.html new file mode 100644 index 0000000000..fbea0abee4 --- /dev/null +++ b/roles/mailman3/files/headers.html @@ -0,0 +1,9 @@ + diff --git a/roles/mailman3/files/login_extra_top.html b/roles/mailman3/files/login_extra_top.html new file mode 100644 index 0000000000..e1713c0450 --- /dev/null +++ b/roles/mailman3/files/login_extra_top.html @@ -0,0 +1,6 @@ +

+By subscribing or posting to these mailing lists, you agree that any email +to the list is public and viewable worldwide (unless it's one of the few private mailing-lists). +For more details, see our +Privacy policy. +

diff --git a/roles/mailman3/files/logo-hyperkitty-fedora.png b/roles/mailman3/files/logo-hyperkitty-fedora.png new file mode 100644 index 0000000000000000000000000000000000000000..2806ade093a1defae29f5da7b7680c1ccc1ad031 GIT binary patch literal 4650 zcmV+_64mXAP)p0?Ij z&`T-e8C&;&eGT;M5-^b&FhK5K{Fc=KARCwyCr~H)%E6>EUX9InVkOW$bH5ICn zzc)14&B0(W(o!cF3??Kc#f`IY5$Hvr7lNb;@-piCuiV_+n$8NEIqS9IK4WiHl~gCf zO{<@rSlX2eUOa30L=`!2&Epe)c@*u^%`wIaMf?v5Olo=_1Z1I-g@J@5|NaN&-?v

dFB7BBqZlmLV7T0>CLeMe9bgm+NTr- z^dG>WL4!H@lF^4b=+W6X%zX1M~ri zL?WzRyN1(GAIa#E8C-NhCL+Sen>X>nx<8YU5YKsIFJRQjQG~-`YHJS?3Wf1J51-FR zTwEMId-ja#e7upO^&eub<-!Xy88vbgk%-5E0|z*G@E~i~u4(FI3P|sc3ON48{Kfvhge8eD%K+Or}B!#y+y<(JNLT z$KT@L8hK#;ebqou0KebQS!bS$<2V2$B_%O%;6T#T(?MYGp1qWnmC?}9(5}Ixq$K+F z>&L)>15s7V%E~A$Ev3G`9stja@Q)3DBODG#3joErx8He6d-g84=}-OR)O=5oUxGfW zVxPsDD@Ei6Mdo0vUp(d^{GzIF{qub)la>I(Pb~K#i7$XjSLJbm z(V({=a;aENQ{femcUA50t;1@cC;33VDo={YS3$2v4lh2KxXtQ?=cj}RFT9Mqf2M->#;cz(IszU*M{&_k3%F7OuRNv9q zjq^_OMKtVSa8Q$Gu?Va+MnA>ivle5#NL{mWg<1h55_S*)Yh!PUSUHGjLiB-JBk|SI zuf&7W=p3vAsM+&RFEMd&J=UfjRU>p0!ywqh6Sr;ul>Pgwj;W){stUI4__U22Il_NO ztXOnet)j1?^j6Uo`0P@_#(N$lIR0HCvO$fLn|af+abLZ8*|!my3gGx6I~6`g%&p^Z zTt4>VS+7l1qhGg{rAIi4upZ1VpG~?q^X8Y%Nk|-Y4XR&7x_1@-Dh6fa;fbosmaUtq zsi{6DPHJkZ+4|`gG#U$Ojj*9J{l;)z2=pHsGW!AizR3NEu0vUfCyNvYYn)lL;^E6` z#p7nwI>wsCqP{y(>neP*`q9bz6@Dtv3s|gT=ZbRANo94ff|i4BiI4Zy0j&A$q$*K+ z4XUG!^}mQ}wkk_)B(it(gj>!XdPy+hm^93P5c0tM`yK&)c6i3%K_@flq?3=Cqdj|f zQ(Ut1$N~s==gz+KR~>7sTrlhPp6ed}b`2s55D4V^N(UtO^}-F(Xv?eCFT6fBPha%2 z{KWXi9x37ENNvOZ(uUMtL*rIFd|55PCD%TaP@mE_#UJv8*8FzTen10(eBZ7C$vxIB zxV+VyHTFlZB=vMmugWB+W>BLS+3y@Qp?BYktY5#ddCS~Q7m@k%e|4J0Y!(q;^N4e- zJ6SWk_Y_mIySQaigQzn+H#c|BF?ZI@|0@Jw-b432A<9nxE;#=}&<;0(UkKxaKY#Fk z(~~~%^V{dn=}adOm^@xZt}sTnsArx7$jHc0fM77FfCi>bxl*lUiqZGoB}C$3Vx8ABGBPw647OSiW@l$zZefCfzvkx`<_D%tnW$DSZaN$Fffx}QRrPaGUFW(l zt)<0C7MKw@M0?zd77~PR^9Ccq-WA>wTzPPLmz~^zA3b`6xfBzbvcZR4O;rB@76QY$rqf<#M*CKpR zmHtzwP5r1~Nx^%E%NWa(2opr)mS{&)Nd@TFuU{-Ap{i`(zMbOYVjRa|@ZiCS2&bIV zZfrHCw{vH7Eml%eg0+?*LxwP9$PfTRjUm!f)2OVdz=|HXa6#dc!oN+OmbFNf?|HWI zUf_n7`JqT-P(;!MU6Sv*e`%#G`VPno00MqgPEm9wFvenD4+H|E4jXxPA>7wiImA-Z zM)F4pheiQq0HWVQ+l@|y+gV7s-v&Cm`fauE;2m}&U?0f)G=H$C>$N(6n7@(%6hWPk60QT+M7c;nP z*DlJ-%h|nqcdPWa*tc&VB_$=4mzT#nYD;?w3Gvj_L~jMD_}Y5gj~Pp!Us|H7{|y+6 zETDN#H1^kkqsoG&AE8rR*R2%vH2}4YJRap$ql*Dl+P5DF1X7%kc>_2dSpIow#Si(C zcEGOddZNq*Q01QK)2BygC}U>>LlFIQetw|~(USqdmVjY@RTVvwlM#_tF|SRVHpSL$ zefsq2(7CFzb?a8PZryrBx-o{t#3T+J*bjiCjm2%*IF^X|<|FnxAaiQY)T@nZmBKd> 
zD&l=)P&wzH_e^U5Bb-ZlmcXZ~*G-y{!pJW_NW>^`M&S zYEn{CNJ~qjy86g~ZF+jg8k)t}kJ8oDr8)Lr#{LoY9Odts;ELc(ytA_&+3({RzMeCzW4^>)k8@omw(B943R3N3T3{~?qVrLLh9Ra4&1tw_e5cRsy)_vVZ<&S1!p zA=K5?(W6HX;^X51VquGI+qO|!T1q4m;nY)4jitAxmztW2<9FD&X#;>~urK}#bz0@- z6<*O+#?Mkj~ zw9B=CA;6EC%5unw%1R@VAHTHd<@QGUa;*8L8qE;25V$%!J8MOLe&OPy@O@km&)ki% z(}84FepleStq!(hk=Z%7&G`@|FA|Bc>g~5U?X(g2{eBV>66o8vZ>*D5S69c@Yt0uO zlarHCRX+OYBkJm+7bjZk#mC1peE4uyu6zS)Ex^Lu+`G1%m?ns#YTj!8E>_x_np(0# zk!(e>MY+9vlcB{)b(rR?IEmhVSloqe*{pYJM!{g{;VCXT7yn>U3W`C zUcpj{Zf;QF$v_}5;tQAQ3*x$NDMZiB#pn_3>$H4`IC{I|$rYPF`MAe`0RtE{dK8;B zZi3eI{fr@d!h4}1}rr6tY4Htb8TAek`y>)J}sC*aj-d??m;$1sA=bW=iN=k~!^zGZ1 zj0;sU?s;jQ*@OnGI!i5XN*2hfX0LoY~+R4R) zFP9?@HFI%6z-UCuiDEQSspir?=?L>Mt*1euwcj2=B2$8i`lW(=8` znVfp+sQ|>q#W8HyFwQ*lOjf?Ng4OS=g6MMO`*UXBwd#b{@WhaWGPcbRoYNHp?vka8 zfwzG{aq;G{uILoLP`C}z9|9-g)OySy{<}0|%(7sUZ{!5e|p(`~Ael#nG!*FH%xc=+mbU8#iuX+47gDt*r&9 zR`dsRX3s5b%U`Eh^Q`sTS4`N{wI||*?L8*ZJZ9@{n=vTYb-k<^S;GM;%8t0^3qT}f z?>C9&i8zh#(nY-Z_@r0syt?5X$@r}oJIGhhJZ=5Cx|r(SJSxmMPBb;DJ(&8ajoF7eHd@>}AQ$Yo*U_(L^~ zo&S&4nyJ=r<4xFi#Ac?$7|(+b{%Vwpc@7u{kd)Me;lqY=+KAIhOG_s)F_DCX1R5F| zsH?AI-@Y=oZv7|QcWjIOPe9=vJag@wIdgV&TF`F(ZRs?asH*bd!}m=>b7tT5R_D^){JV2hm*D5kn>WHZ-sP(DHAIJ^^an{r`5d$qBiq&LO23cSZ@X>o gk=JRv`H$uQ0MakfdfNMrZ2$lO07*qoM6N<$f?3fLUH||9 literal 0 HcmV?d00001 diff --git a/roles/mailman3/files/mailman-hyperkitty.cfg b/roles/mailman3/files/mailman-hyperkitty.cfg new file mode 100644 index 0000000000..b442e216fa --- /dev/null +++ b/roles/mailman3/files/mailman-hyperkitty.cfg 
@@ -0,0 +1,20 @@
+# This is the mailman extension configuration file to enable HyperKitty as an
+# archiver. Remember to add the following lines in the mailman.cfg file:
+#
+# [archiver.hyperkitty]
+# class: mailman_hyperkitty.Archiver
+# enable: yes
+# configuration: /path/to/here/hyperkitty.cfg
+#
+
+[general]
+
+# This is your HyperKitty installation, preferably on the localhost. This
+# address will be used by Mailman to forward incoming emails to HyperKitty
+# for archiving. It does not need to be publicly available, in fact it's
+# better if it is not.
+base_url: http://localhost/archives/
+
+# Shared API key, must be the identical to the value in HyperKitty's
+# settings.
+api_key: {{ mailman_hypperkitty_archiver_key }}
diff --git a/roles/mailman3/files/mailman-template-list-admin-action-post.txt b/roles/mailman3/files/mailman-template-list-admin-action-post.txt
new file mode 100644
index 0000000000..1c7d64f788
--- /dev/null
+++ b/roles/mailman3/files/mailman-template-list-admin-action-post.txt
@@ -0,0 +1,15 @@
+As list administrator, your authorization is requested for the
+following mailing list posting:
+
+ List: $listname
+ From: $sender_email
+ Subject: $subject
+
+The message is being held because:
+
+$reasons
+
+At your convenience, visit your dashboard to approve or deny the
+request:
+
+https://lists.fedoraproject.org/admin/lists/$list_id/held_messages
diff --git a/roles/mailman3/files/mailman-template-list-member-generic-footer.txt b/roles/mailman3/files/mailman-template-list-member-generic-footer.txt
new file mode 100644
index 0000000000..5ced9904aa
--- /dev/null
+++ b/roles/mailman3/files/mailman-template-list-member-generic-footer.txt
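Review bot: The `api_key` line in mailman-hyperkitty.cfg will never receive the real secret. The file lives under `files/` and roles/mailman3/tasks/main.yml installs it with `ansible.builtin.copy`, which does not render Jinja, and the variable is spelled `mailman_hypperkitty_archiver_key` while the defaults and the playbook define `mailman_hyperkitty_archiver_key`. As written, the deployed key would be the literal text `{{ mailman_hypperkitty_archiver_key }}`, identical on every host and readable in the repository. Move the file to `templates/mailman-hyperkitty.cfg.j2`, install it with `ansible.builtin.template`, and change the line to `api_key: {{ mailman_hyperkitty_archiver_key }}`. HyperKitty's side of the key is in settings.py.j2, which is outside this view, so confirm both ends read the same variable.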
@@ -0,0 +1,8 @@ +-- +_______________________________________________ +$display_name mailing list -- $listname +To unsubscribe send an email to ${short_listname}-leave@${domain} +Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ +List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines +List Archives: https://${domain}/archives/list/${listname} +Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue diff --git a/roles/mailman3/files/mailman-template-users-list-user-notice-hold.txt b/roles/mailman3/files/mailman-template-users-list-user-notice-hold.txt new file mode 100644 index 0000000000..eadc4a7216 --- /dev/null +++ b/roles/mailman3/files/mailman-template-users-list-user-notice-hold.txt @@ -0,0 +1,25 @@ +Your mail to '$listname' with the subject + + $subject + +Is being held until the list moderator can review it for approval. + +The message is being held because: + +$reasons + +Either the message will get posted to the list, or you will receive +notification of the moderator's decision. + +NOTE: If your message has been held due to size, please consider +this a rejection and a friendly request to reduce the size and +resend. The list moderators will not approve such messages. + +If you are attaching logs or command output, please trim it to a +minimal amount (we can ask for more context, if needed). + +If you are attaching an image, please crop it to reduce their size. + +Also keep in mind that attachments will be encoded by your mail +client (usually via base64) and this encoding increases the size by +as much as 33%. diff --git a/roles/mailman3/files/mailman3.logrotate.conf b/roles/mailman3/files/mailman3.logrotate.conf new file mode 100644 index 0000000000..cc5bb7438f --- /dev/null +++ b/roles/mailman3/files/mailman3.logrotate.conf @@ -0,0 +1,6 @@ +/var/log/mailman3/*.log { + missingok + notifempty + delaycompress + su root apache +} 
diff --git a/roles/mailman3/files/memcached.sysconfig b/roles/mailman3/files/memcached.sysconfig new file mode 100644 index 0000000000..4482f6e76c --- /dev/null +++ b/roles/mailman3/files/memcached.sysconfig @@ -0,0 +1,5 @@ +PORT="11211" +USER="memcached" +MAXCONN="1024" +CACHESIZE="655350" +OPTIONS="" diff --git a/roles/mailman3/files/navbar-brand.html b/roles/mailman3/files/navbar-brand.html new file mode 100644 index 0000000000..d44999aadd --- /dev/null +++ b/roles/mailman3/files/navbar-brand.html @@ -0,0 +1,5 @@ +{% load static %} + + {{ site_name|title }} + diff --git a/roles/mailman3/files/robots.txt b/roles/mailman3/files/robots.txt new file mode 100644 index 0000000000..e97727942b --- /dev/null +++ b/roles/mailman3/files/robots.txt @@ -0,0 +1,4 @@ +User-agent: * +Disallow: /accounts/ +Disallow: /django-admin/ +Disallow: /archives/*/vote$ diff --git a/roles/mailman3/files/signup_closed.html b/roles/mailman3/files/signup_closed.html new file mode 100644 index 0000000000..ac1e89a9cf --- /dev/null +++ b/roles/mailman3/files/signup_closed.html @@ -0,0 +1,21 @@ +{% extends "account/base.html" %} + +{% load i18n %} + +{% block head_title %}{% trans "Signup" %}{% endblock %} + +{% block content %} +

{% trans "Sign Up" %}

+ +

+{% blocktrans %} +Account creation for the Fedora mailing-lists is done by +creating an account in FAS. +{% endblocktrans %} +

+ +{% url LOGIN_URL as login_url %} +

{% blocktrans %}Already have an account? Then please sign in.{% endblocktrans %}

+ + +{% endblock %} diff --git a/roles/mailman3/files/top.html b/roles/mailman3/files/top.html new file mode 100644 index 0000000000..b607d331c3 --- /dev/null +++ b/roles/mailman3/files/top.html @@ -0,0 +1,10 @@ + + + + diff --git a/roles/mailman3/handlers/main.yml b/roles/mailman3/handlers/main.yml new file mode 100644 index 0000000000..685b5fc917 --- /dev/null +++ b/roles/mailman3/handlers/main.yml @@ -0,0 +1,12 @@ +--- +- name: restart mailman3 + service: name=mailman3 state=restarted + +- name: reload apache + service: name=httpd state=reloaded + +- name: restart memcached + service: name=memcached state=restarted + +- name: systemctl daemon-reload + command: /usr/bin/systemctl daemon-reload diff --git a/roles/mailman3/tasks/main.yml b/roles/mailman3/tasks/main.yml new file mode 100644 index 0000000000..e3c4ef1f6a --- /dev/null +++ b/roles/mailman3/tasks/main.yml 
@@ -0,0 +1,452 @@ +--- +# Configuration for Mailman 3 +# PostgreSQL initialization must have been done already + +# +# SELinux +# +- name: Set the SELinux policy for the fulltext index + community.general.sefcontext: + target: "{{ mailman_webui_basedir }}/fulltext_index(/.*)?" + setype: httpd_sys_rw_content_t + state: present + tags: + - mailman + - selinux + +- name: Set the SELinux policy for the static files directory + community.general.sefcontext: + target: "{{ mailman_webui_basedir }}/static(/.*)?" + setype: httpd_sys_content_t + state: present + tags: + - mailman + - selinux + +- name: Set the SELinux policy for the templates override directory + community.general.sefcontext: + target: "{{ mailman_webui_basedir }}/templates(/.*)?" + setype: httpd_sys_content_t + state: present + tags: + - mailman + - selinux + +- name: set the SELinux policy for the log directory + community.general.sefcontext: + target: "{{ mailman_log_directory }}(/.*)?" + setype: httpd_log_t + state: present + tags: + - mailman + - selinux + +- name: Set the SELinux policy for the generated postfix databases + community.general.sefcontext: + target: "{{ mailman_webui_basedir }}/var/data/postfix_.*" + setype: etc_aliases_t + state: present + tags: + - mailman + - selinux + +- name: Set the SELinux policy for the old static archives + community.general.sefcontext: + target: "{{ mailman_webui_basedir }}/old-archives/pipermail(/.*)?" 
+ setype: httpd_sys_content_t + state: present + tags: + - mailman + - selinux + +- name: Allow Apache to remotely connect to PostgreSQL + ansible.posix.seboolean: + name: httpd_can_network_connect_db + state: yes + persistent: yes + tags: + - mailman + - selinux + +- name: Allow Apache to remotely connect to Mailman + ansible.posix.seboolean: + name: httpd_can_network_connect + state: yes + persistent: yes + tags: + - mailman + - selinux + +- name: Allow Apache to remotely connect to Memcached + ansible.posix.seboolean: + name: httpd_can_network_memcache + state: yes + persistent: yes + tags: + - mailman + - selinux + + +- name: Install needed packages + ansible.builtin.package: + name: {{item}} + state: present + with_items: + - httpd + - hyperkitty + - fedora-messaging + - mailman3 + - memcached + - postorius + - python3-mailman-hyperkitty + - python3-mailman-web + - python3-mod_wsgi + - python3-pylibmc + - python3-psycopg2 + - python3-whoosh + - sassc + tags: + - packages + - mailman + +- name: Set the mailman conffile + ansible.builtin.template: + src: mailman.cfg.j2 + dest: /etc/mailman.cfg + owner: mailman + group: mailman + mode: 0640 + tags: + - config + - mailman + notify: + - restart mailman3 + +# +# Logging +# +- name: Ensuring log directory exists + ansible.builtin.file: + path: "{{ mailman3_log_directory }}" + state: directory + owner: mailman + group: mailman + tags: + - logging + - mailman + +- name: Mailman logging -- rotation + ansible.builtin.copy: + src: mailman3.logrotate.conf + dest: /etc/logrotate.d/mailman3 + tags: + - logging + - mailman + +- name: Ensuring mailman-core is started + ansible.builtin.service: + name: mailman3 + state: started + enabled: yes + tags: + - mailman + +# +# HyperKitty + Postorius setup +# +- name: Create site/en dir + ansible.builtin.file: + state: directory + path: /var/lib/mailman3/templates/site/en + tags: + - config + - mailman + +- name: Set default list footer + ansible.builtin.copy: + src: 
mailman-template-list-member-generic-footer.txt + dest: /var/lib/mailman3/templates/site/en/list:member:generic:footer.txt + owner: mailman + group: mailman + mode: 0644 + tags: + - config + - mailman + +- name: Set default list:admin:action:post template + ansible.builtin.copy: + src: mailman-template-list-admin-action-post.txt + dest: /var/lib/mailman3/templates/site/en/list:admin:action:post.txt + owner: mailman + group: mailman + mode: 0644 + tags: + - config + - mailman + +- name: Create lists/users.lists.fedoraproject.org/en template dir + ansible.builtin.file: + state: directory + path: /var/lib/mailman3/templates/lists/users.lists.fedoraproject.org/en + tags: + - config + - mailman + +- name: Set list:user:notice:hold template for users list + anisble.builtin.copy: + src: mailman-template-users-list-user-notice-hold.txt + dest: /var/lib/mailman3/templates/lists/users.lists.fedoraproject.org/en/list:user:notice:hold.txt + owner: mailman + group: mailman + mode: 0644 + tags: + - config + - mailman + +- name: Install the hyperkitty/postorius settings file + ansible.builtin.template: + src: settings.py.j2 + dest: "{{ mailman_webui_confdir }}/settings.py" + owner: root + group: apache + mode: 0640 + tags: + - config + - mailman + notify: + - reload apache + +- name: Install the hyperkitty/postorius httpd conf file + ansible.builtin.template: + src: apache.conf.j2 + dest: /etc/httpd/conf.d/mailman-webui.conf + tags: + - config + - mailman + notify: + - reload apache + +- name: Create the fulltext index dir + ansible.builtin.file: + path: "{{ mailman_webui_basedir }}/fulltext_index" + state: directory + owner: apache + group: apache + mode: 0755 + tags: mailman + +- name: Create the hyperkitty static files dirs + ansible.builtin.file: + path: "{{ mailman_webui_basedir }}/{{ item }}" + state: directory + owner: root + group: root + mode: 0755 + with_items: + - static + - static-fedora + register: static_root_dir + tags: mailman + +- name: Create the fedora-specific 
hyperkitty img dir + ansible.builtin.file: + path: "{{ mailman_webui_basedir }}/static-fedora/hyperkitty/img" + state: directory + owner: root + group: root + mode: 0755 + tags: + - mailman + - hyperkitty + +- name: Create the hyperkitty templates override dirs + ansible.builtin.file: + path: "{{ mailman_webui_basedir }}/templates/{{ item }}" + state: directory + owner: root + group: root + mode: 0755 + with_items: + - hyperkitty + - django_mailman3 + tags: + - mailman + - hypperkitty + +# Add the Nest banner +# See issue https://pagure.io/fedora-infrastructure/issue/10103 +- name: Replace the top.html template in hyperkitty/postorius to change banner + ansible.builtin.copy: + src: top.html + dest: "{{ mailman_webui_basedir }}/templates/hyperkitty/top.html" + notify: + - reload apache + tags: + - mailman + - banner + - hyperkitty + +- name: Install our fedora-specific logo + ansible.builtin.copy: + src: logo-hyperkitty-fedora.png + dest: "{{ mailman_webui_basedir }}/static-fedora/logo-hyperkitty-fedora.png" + tags: + - mailman + - hyperkitty + +- name: Install our fedora-specific favicon + ansible.builtin.copy: + src: favicon.ico + dest: "{{ mailman_webui_basedir }}/static-fedora/favicon.ico" + tags: + - mailman + - hyperkitty + +- name: Install our fedora-specific robots.txt + ansible.builtin.copy: + src: robots.txt + dest: "{{ mailman_webui_basedir }}/static-fedora/robots.txt" + tags: + - mailman + - hyperkitty + +- name: Install our fedora-specific brand template override + ansible.builtin.copy: + src: navbar-brand.html + dest: "{{ mailman_webui_basedir }}/templates/hyperkitty/navbar-brand.html" + tags: + - mailman + - hyperkitty + +- name: Install our fedora-specific page headers + ansible.builtin.copy: + src: headers.html + dest: "{{ mailman_webui_basedir }}/templates/hyperkitty/headers.html" + tags: + - mailman + - hyperkitty + +- name: Install our fedora-specific login page extension + ansible.builtin.copy: + src: login_extra_top.html + dest: "{{ 
mailman_webui_basedir }}/templates/django_mailman3/login_extra_top.html" + tags: + - mailman + - hyperkitty + +- name: Create dirs for signup_closed page + ansible.builtin.file: + path: "{{ mailman_webui_basedir }}/templates/account" + state: directory + owner: root + group: root + mode: 0755 + tags: + - mailman + - hyperkitty + +- name: Install our fedora-specific signup_closed page + ansible.builtin.copy: + src: signup_closed.html + dest: "{{ mailman_webui_basedir }}/templates/account/signup_closed.html" + tags: + - mailman + - hyperkitty + +- name: Install our fedmenu js hook + ansible.builtin.template: + src: bottom.html + dest: "{{mailman_webui_basedir }}/templates/hyperkitty/bottom.html" + tags: + - mailman + - hyperkitty + + +- name: Ensuring we have correct DB schema for django apps + ansible.builtin.command: + cmd: mailman-web migrate + chdir: /etc/mailman3 + become_user: mailman + tags: + - mailman + - db + +# +# Plug HyperKitty into Mailman +# +- name: Copy the mailman-hyperkitty conffile + ansible.builtin.copy: + src: mailman-hyperkitty.cfg + dest: "/etc/mailman3.d/hyperkitty.cfg" + owner: mailman + group: mailman + mode: 0640 + tags: + - config + - mailman + - hyperkitty + notify: + - restart mailman3 + +- name: Populating static_root dir with django files/css + ansible.builtin.command: + cmd: mailman-web collectstatic --no-input + chdir: /etc/mailman3 + become_user: mailman + when: + - static_root_dir is changed + +# +# Scripts +# + +- name: Install the staging-sync script + ansible.builtin.copy: + src: prod-to-stg.py + dest: "{{ mailman_webui_basedir }}/bin/prod-to-stg.py" + when: env == "staging" + tags: mailman + +# +# Systemd +# +- name: Install the systemd service files + ansible.builtin.template: + src: "{{ item }}.service.j2" + dest: "/etc/systemd/system/{{ item }}.service" + with_items: + - webui-qcluster + - webui-warm-up-cache + notify: + - systemctl daemon-reload + tags: + - config + - mailman + - systemd + +# Memcached +- name: Set the 
memcached sysconfig file + ansible.builtin.copy: + src: memcached.sysconfig + dest: /etc/sysconfig/memcached + notify: + - restart memcached + tags: + - mailman + - memcached + +# Start services +- name: Start services + ansible.builtin.systemd: + state: started + enabled: yes + name: {{item}} + with_items: + - httpd + - mailman3 + - postfix + - webui-qcluster + - webui-warm-up-cache + tags: + - mailman + - hyperkitty diff --git a/roles/mailman3/templates/apache.conf.j2 b/roles/mailman3/templates/apache.conf.j2 new file mode 100644 index 0000000000..cdf09069bb --- /dev/null +++ b/roles/mailman3/templates/apache.conf.j2 @@ -0,0 +1,43 @@ +Alias /favicon.ico {{ mailman_webui_basedir }}/static/favicon.ico +Alias /robots.txt {{ mailman_webui_basedir }}/static/robots.txt +Alias /static {{ mailman_webui_basedir }}/static + +#ErrorLog /var/log/httpd/webui_error.log +#CustomLog /var/log/httpd/webui_access.log combined + +WSGIScriptAlias / {{ wsgi_dir }}/wsgi.py +WSGIDaemonProcess webui display-name=webui maximum-requests=1000 processes=4 threads=30 python-path={{ wsgi_dir }} +WSGIProcessGroup webui +WSGISocketPrefix run/wsgi +WSGIRestrictStdout On +WSGIRestrictSignal Off +WSGIPythonOptimize 1 + + + + Order deny,allow + Allow from all + Require all granted + + + + + Order deny,allow + Allow from all + Require all granted + + + +# Old static archives + +Alias /pipermail/ {{ mailman_webui_basedir }}/old-archives/pipermail/ + + Options FollowSymLinks + AllowOverride None + Require all granted + AddDefaultCharset Off + + +RedirectMatch ^/pipermail[/]*$ / +RedirectMatch ^/mailman/listinfo/$ / +RedirectMatch ^/mailman$ / diff --git a/roles/mailman3/templates/bottom.html b/roles/mailman3/templates/bottom.html new file mode 100644 index 0000000000..a892972a1f --- /dev/null +++ b/roles/mailman3/templates/bottom.html @@ -0,0 +1,15 @@ +{% if env == 'staging' %} + +{% else %} + +{% endif %} + 
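Review bot: Several tasks in roles/mailman3/tasks/main.yml cannot run as written. "Install needed packages" and "Start services" use an unquoted `name: {{item}}`, which YAML reads as a flow mapping, so it must be `name: "{{ item }}"`. The users-list hold template task calls `anisble.builtin.copy`, a typo for `ansible.builtin.copy`. "Ensuring log directory exists" uses `{{ mailman3_log_directory }}`, but the defaults and the SELinux task above it use `mailman_log_directory`, so the path should be `path: "{{ mailman_log_directory }}"`. The log directory task and most of the `copy` tasks also set no `mode`, leaving permissions to the umask; an explicit quoted value such as `mode: "0750"` on the log directory would match the care already taken with `settings.py`.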
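Review bot: The access-control blocks in apache.conf.j2 mix the 2.2-style `Order deny,allow` / `Allow from all` with the 2.4-style `Require all granted`. That only works with mod_access_compat loaded, and Apache's documentation discourages mixing the two because the combined result is hard to reason about. Keep only `Require all granted` in each block. The enclosing container tags appear to have been stripped from this page, so which paths each block covers cannot be confirmed here. Also, `Alias /robots.txt` and `Alias /favicon.ico` point into `static/` while the tasks install both files under `static-fedora/`; unless `collectstatic` copies them across (that depends on settings.py.j2, not visible here), the `Disallow` rules for `/accounts/` and `/django-admin/` will not be served.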
diff --git a/roles/mailman3/templates/mailman.cfg.j2 b/roles/mailman3/templates/mailman.cfg.j2 new file mode 100644 index 0000000000..e8187c69b0 --- /dev/null +++ b/roles/mailman3/templates/mailman.cfg.j2 
@@ -0,0 +1,191 @@
+# This is the absolute bare minimum base configuration file. User supplied
+# configurations are pushed onto this.
+
+[mailman]
+# This address is the "site owner" address. Certain messages which must be
+# delivered to a human, but which can't be delivered to a list owner (e.g. a
+# bounce from a list owner), will be sent to this address. It should point to
+# a human.
+site_owner: admin@fedoraproject.org
+
+# The local URL part to the administration interface (Postorius).
+# The full URL will be constructed by prepending the domain URL set in the
+# list's domain properties.
+listinfo_url = /admin/
+
+# Set the paths to be Fedora-compliant
+layout: fhs
+
+[paths.fhs]
+bin_dir: /usr/libexec/mailman3
+var_dir: /var/lib/mailman3
+queue_dir: /var/spool/mailman3
+log_dir: /var/log/mailman3
+lock_dir: /run/lock/mailman3
+ext_dir: /etc/mailman3.d
+pid_file: /run/mailman3/master.pid
+
+[database]
+class: mailman.database.postgresql.PostgreSQLDatabase
+url: postgresql://mailmanadmin:{{ mailman_mailman_db_pass }}@{{ mailman_db_server }}/mailman
+
+[archiver.hyperkitty]
+class: mailman_hyperkitty.Archiver
+enable: yes
+configuration: /etc/mailman3.d/hyperkitty.cfg
+
+[webservice]
+hostname: localhost
+port: 8001
+admin_user: {{ mailman3_rest_api_user }}
+admin_pass: {{ mailman3_rest_api_pass }}
+workers: {{ mailman3_rest_api_workers }}
+
+{% for item in mailman3_log_items %}
+
+[loggin.{{ item }}]
+level: {{ mailman3_log_level }}
+path: {{ mailman3_log_directory }}/{{ item }}.log
+
+{% endfor %}
+
+[antispam]
+# This section defines basic antispam detection settings.
+
+# This value contains lines which specify RFC 822 headers in the email to
+# check for spamminess. Each line contains a `key: value` pair, where the key
+# is the header to check and the value is a Python regular expression to match
+# against the header's value. E.g.:
+#
+# X-Spam: (yes|maybe)
+#
+# The header value and regular expression are always matched
+# case-insensitively.
+header_checks:
+ X-Spam: yes
+ X-Spam-Flag: Yes
+ X-Spam-Status: ^Yes,
+
+# The chain to jump to if any of the header patterns matches. This must be
+# the name of an existing chain such as 'discard', 'reject', 'hold', or
+# 'accept', otherwise 'hold' will be used.
+jump_chain: discard
+
+
+[mta]
+# Email is sent on the submission port to bypass spam checking.
+smtp_port: 587
+# Remove DKIM signatures in the email headers.
+remove_dkim_headers: yes
+# Don't process old stale bounces
+verp_probes: yes
+
+
+[language.en]
+# Change the english language to be UTF-8 (it defaults to ascii).
+description: English (USA)
+charset: utf-8
+enabled: yes
+
+
+# http://www.lingoes.net/en/translator/langcode.htm
+
+[language.pt]
+description: Protuguese
+charset: iso-8859-15
+enabled: yes
+
+[language.cs]
+description: Czech
+charset: utf-8
+enabled: yes
+
+[language.ca]
+description: Catalan
+charset: utf-8
+enabled: yes
+
+[language.ja]
+description: Japanese
+charset: utf-8
+enabled: yes
+
+[language.ar]
+description: Arabic
+charset: utf-8
+enabled: yes
+
+[language.nl]
+description: Dutch
+charset: utf-8
+enabled: yes
+
+[language.pl]
+description: Polish
+charset: utf-8
+enabled: yes
+
+[language.es]
+description: Spanish
+charset: utf-8
+enabled: yes
+
+[language.pt_BR]
+description: Protuguese (Brazil)
+charset: iso-8859-15
+enabled: yes
+
+[language.zh_CN]
+description: Chinese (S)
+charset: utf-8
+enabled: yes
+
+[language.zh_TW]
+description: Chinese (T)
+charset: utf-8
+enabled: yes
+
+[language.ru]
+description: Russian
+charset: utf-8
+enabled: yes
+
+[language.vi]
+description: Vietnamese
+charset: utf-8
+enabled: yes
+
+[language.it]
+description: Italian
+charset: utf-8
+enabled: yes
+
+[language.fr]
+description: French
+charset: utf-8
+enabled: yes
+
+[language.ro]
+description: Romanian
+charset: utf-8
+enabled: yes
+
+[language.de]
+description: German
+charset: utf-8
+enabled: yes
+
+[language.hu]
+description: Hungarian
+charset: utf-8
+enabled: yes
+
+[language.ko]
+description: Korean
+charset: utf-8
+enabled: yes
+
+[language.uk]
+description: Ukrainian
+charset: utf-8
+enabled: yes
diff --git a/roles/mailman3/templates/settings.py.j2 b/roles/mailman3/templates/settings.py.j2
new file mode 100644
index 0000000000..eef4a4ee5d
--- /dev/null
+++ b/roles/mailman3/templates/settings.py.j2
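Review bot: The per-logger sections in mailman.cfg.j2 are rendered as `[loggin.{{ item }}]` inside the `{% for item in mailman3_log_items %}` loop, but Mailman reads logger settings from `[logging.<name>]` sections, so the `level:` and `path:` values would not reach any logger; the header should be `[logging.{{ item }}]`. The `[webservice]` credentials come from `mailman3_rest_api_user` / `mailman3_rest_api_pass`, while settings.py.j2 in this same patch fills `MAILMAN_REST_API_USER` / `MAILMAN_REST_API_PASS` from `mailman_rest_api_user` / `mailman_rest_api_pass`; unless both spellings are defined with the same values (the defaults file is not shown here), the web UI will fail to authenticate to the REST API. In `[database]` the password is interpolated raw into the URL, so a value containing `@`, `:` or `#` yields a misparsed connection string; `{{ mailman_mailman_db_pass | urlencode }}` avoids that. Because the rendered file holds the database and REST passwords, the task that installs it should set a restrictive owner and mode; that task is outside this view.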
@@ -0,0 +1,406 @@ +#-*- coding: utf-8 -*- +""" +Django settings for HyperKitty + Postorius +""" + +import os + +# Import mailman_web default settings +from mailman_web.settings.base import * # noqa: F403 +from mailman_web.settings.mailman import * # noqa: F403 + +# SECURITY WARNING: keep the secret key used in production secret! +SECRET_KEY = '{{ mailman_hyperkitty_cookie_key }}' + +# SECURITY WARNING: don't run with debug turned on in production! +DEBUG = False + +ADMINS = ( + ('HyperKitty Admin', 'abompard@fedoraproject.org'), +) + +SERVER_EMAIL = 'root@fedoraproject.org' +DEFAULT_FROM_EMAIL = "admin@fedoraproject.org" + +SITE_ID = 1 + +# Hosts/domain names that are valid for this site; required if DEBUG is False +# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts +ALLOWED_HOSTS = [ +{% for host in mailman_domains %} + "{{ host }}", +{% endfor %} + ".fedoraproject.org", + "localhost", # Archiving API from Mailman + "127.0.0.1", # HAProxy ping + "{{ ansible_hostname }}", # Varnish ping +] + +# Mailman API credentials +MAILMAN_REST_API_URL = 'http://localhost:8001' +MAILMAN_REST_API_USER = '{{ mailman_rest_api_user }}' +MAILMAN_REST_API_PASS = '{{ mailman_rest_api_pass }}' +MAILMAN_ARCHIVER_KEY = '{{ mailman_hyperkitty_archiver_key }}' +MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1') + +ROOT_URLCONF = 'mailman_web.urls' + +# Application definition + +INSTALLED_APPS = ( + 'allauth', + 'allauth.account', + 'allauth.socialaccount', + 'compressor', + # Uncomment the next line to enable the admin: + 'django.contrib.admin', + 'django.contrib.auth', + 'django.contrib.contenttypes', + 'django.contrib.sessions', + 'django.contrib.sites', + 'django.contrib.messages', + 'django.contrib.staticfiles', + 'django.contrib.humanize', + 'django_extensions', + 'django_gravatar', + 'django_mailman3', + 'django_mailman3.lib.auth.fedora', + 'django_q', + 'hyperkitty', + 'postorius', + {% for service_name, service_data in mailman_login.items() %} + 
'allauth.socialaccount.providers.{{ service_data.provider }}', + {% endfor %} + 'allauth.socialaccount.providers.openid', +) + + +MIDDLEWARE = ( + 'django.contrib.sessions.middleware.SessionMiddleware', + 'django.contrib.auth.middleware.AuthenticationMiddleware', + 'django.contrib.messages.middleware.MessageMiddleware', + 'django_mailman3.middleware.TimezoneMiddleware', + 'django.middleware.clickjacking.XFrameOptionsMiddleware', + 'django.middleware.common.CommonMiddleware', + 'django.middleware.csrf.CsrfViewMiddleware', + 'django.middleware.locale.LocaleMiddleware', + 'django.middleware.security.SecurityMiddleware', + 'postorius.middleware.PostoriusMiddleware', +) + +TEMPLATES = [ + { + 'BACKEND': 'django.template.backends.django.DjangoTemplates', + 'DIRS': [ + '{{ mailman_webui_basedir }}/templates', + ], + 'OPTIONS': { + 'loaders': [ + # https://docs.djangoproject.com/en/1.8/ref/templates/api/#django.template.loaders.cached.Loader + ('django.template.loaders.cached.Loader', [ + 'django.template.loaders.filesystem.Loader', + 'django.template.loaders.app_directories.Loader', + ]), + ], + 'context_processors': [ + 'django.template.context_processors.debug', + 'django.template.context_processors.i18n', + 'django.template.context_processors.media', + 'django.template.context_processors.static', + 'django.template.context_processors.tz', + 'django.template.context_processors.csrf', + 'django.template.context_processors.request', + 'django.contrib.auth.context_processors.auth', + 'django.contrib.messages.context_processors.messages', + 'django_mailman3.context_processors.common', + 'hyperkitty.context_processors.common', + 'postorius.context_processors.postorius', + ], + }, + }, +] + +WSGI_APPLICATION = 'wsgi.application' + + +# Database +# https://docs.djangoproject.com/en/1.8/ref/settings/#databases + +DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.postgresql_psycopg2', + 'NAME': 'hyperkitty', + 'USER': 'hyperkittyapp', + 'PASSWORD': '{{ 
mailman_hyperkitty_db_pass }}', + 'HOST': '{{ mailman_db_server }}', + 'PORT': '', # Set to empty string for default. + } +} + + + +# Security & production settings +# https://docs.djangoproject.com/en/1.8/howto/deployment/checklist/ + +CSRF_COOKIE_SECURE = True +CSRF_COOKIE_HTTPONLY = True +SESSION_COOKIE_SECURE = True +SECURE_CONTENT_TYPE_NOSNIFF = True +SECURE_BROWSER_XSS_FILTER = True +X_FRAME_OPTIONS = 'DENY' +# We're behind a proxy, use the X-Forwarded-Host header +# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host +USE_X_FORWARDED_HOST = True +# In the Fedora infra, requests are systematically redirected to HTTPS. +SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https') + + +# Internationalization +# https://docs.djangoproject.com/en/1.8/topics/i18n/ + +LANGUAGE_CODE = 'en-us' + +TIME_ZONE = 'America/Chicago' + +USE_I18N = True + +USE_L10N = True + +USE_TZ = True + + +# Static files (CSS, JavaScript, Images) +# https://docs.djangoproject.com/en/1.8/howto/static-files/ + +# Absolute path to the directory static files should be collected to. +# Don't put anything in this directory yourself; store your static files +# in apps' "static/" subdirectories and in STATICFILES_DIRS. +# Example: "/var/www/example.com/static/" +STATIC_ROOT = "{{ mailman_webui_basedir }}/static/" + +# URL prefix for static files. +# Example: "http://example.com/static/", "http://static.example.com/" +STATIC_URL = '/static/' + +# Additional locations of static files +STATICFILES_DIRS = ( + # Put strings here, like "/home/html/static" or "C:/www/django/static". + # Always use forward slashes, even on Windows. + # Don't forget to use absolute paths, not relative paths. + "{{ mailman_webui_basedir }}/static-fedora/", +) + +# List of finder classes that know how to find static files in +# various locations. 
+STATICFILES_FINDERS = ( + 'django.contrib.staticfiles.finders.FileSystemFinder', + 'django.contrib.staticfiles.finders.AppDirectoriesFinder', + 'compressor.finders.CompressorFinder', +) + + +# Compatibility with Bootstrap 3 +from django.contrib.messages import constants as messages +MESSAGE_TAGS = { + messages.ERROR: 'danger' +} + + +# +# Authentication +# + +LOGIN_URL = 'account_login' +LOGIN_REDIRECT_URL = 'hk_root' +LOGOUT_URL = 'account_logout' + +AUTHENTICATION_BACKENDS = ( + 'django.contrib.auth.backends.ModelBackend', + 'allauth.account.auth_backends.AuthenticationBackend', +) + +# Django Allauth +ACCOUNT_AUTHENTICATION_METHOD = "username_email" +ACCOUNT_EMAIL_REQUIRED = True +ACCOUNT_EMAIL_VERIFICATION = "mandatory" +ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https" +ACCOUNT_UNIQUE_EMAIL = True +# Disable local signup +ACCOUNT_ADAPTER = "django_fedora_nosignup.NoLocalSignUpAdapter" +SOCIALACCOUNT_ADAPTER = "django_fedora_nosignup.SignUpEnabledSocialAdapter" + +SOCIALACCOUNT_PROVIDERS = { + 'openid': { + 'SERVERS': [ + dict(id='yahoo', + name='Yahoo', + openid_url='http://me.yahoo.com'), + ], + }, + 'google': { + 'SCOPE': ['profile', 'email'], + 'AUTH_PARAMS': {'access_type': 'online'}, + }, + 'facebook': { + 'METHOD': 'oauth2', + 'SCOPE': ['email'], + 'FIELDS': [ + 'email', + 'name', + 'first_name', + 'last_name', + 'locale', + 'timezone', + ], + 'VERSION': 'v2.4', + }, + 'stackexchange': { + 'SITE': 'stackoverflow', + }, +} + + +# +# Gravatar +# https://github.com/twaddington/django-gravatar +# +# Gravatar base url. +GRAVATAR_URL = 'http://cdn.libravatar.org/' +# Gravatar base secure https url. +GRAVATAR_SECURE_URL = 'https://seccdn.libravatar.org/' +# Gravatar size in pixels. +#GRAVATAR_DEFAULT_SIZE = '80' +# An image url or one of the following: 'mm', 'identicon', 'monsterid', 'wavatar', 'retro'. +GRAVATAR_DEFAULT_IMAGE = 'retro' +# One of the following: 'g', 'pg', 'r', 'x'. +#GRAVATAR_DEFAULT_RATING = 'g' +# True to use https by default, False for plain http. 
+GRAVATAR_DEFAULT_SECURE = True + +# +# django-compressor +# https://pypi.python.org/pypi/django_compressor +# +COMPRESS_PRECOMPILERS = ( + ('text/less', 'lessc {infile} {outfile}'), + ('text/x-scss', 'sassc -t compressed {infile} {outfile}'), + ('text/x-sass', 'sassc -t compressed {infile} {outfile}'), +) +COMPRESS_OFFLINE = True +# needed for debug mode +#INTERNAL_IPS = ('127.0.0.1',) + + +# +# Full-text search engine +# +HAYSTACK_CONNECTIONS = { + 'default': { + 'ENGINE': 'haystack.backends.whoosh_backend.WhooshEngine', + 'PATH': "{{ mailman_webui_basedir }}/fulltext_index", + }, +} + + +# +# Asynchronous tasks +# +Q_CLUSTER = { + 'timeout': 300, + 'save_limit': 100000, + 'orm': 'default', +} + + +# +# REST framework +# +REST_FRAMEWORK = { + 'PAGE_SIZE': 10, + 'DEFAULT_FILTER_BACKENDS': ( + 'rest_framework.filters.OrderingFilter', + ), +} + + +# A sample logging configuration. The only tangible logging +# performed by this configuration is to send an email to +# the site admins on every HTTP 500 error when DEBUG=False. +# See http://docs.djangoproject.com/en/dev/topics/logging for +# more details on how to customize your logging configuration. 
+LOGGING = { + 'version': 1, + 'disable_existing_loggers': False, + 'filters': { + 'require_debug_false': { + '()': 'django.utils.log.RequireDebugFalse' + }, + 'exclude_useless_errors': { + '()': 'django.utils.log.CallbackFilter', + 'callback': django_fedora.exclude_useless_errors, + } + }, + 'handlers': { + 'mail_admins': { + 'level': 'ERROR', + 'filters': ['require_debug_false', 'exclude_useless_errors'], + 'class': 'django.utils.log.AdminEmailHandler' + }, + 'file':{ + 'level': 'DEBUG', + #'class': 'logging.handlers.RotatingFileHandler', + 'class': 'logging.handlers.WatchedFileHandler', + 'filename': '/var/log/hyperkitty/hyperkitty.log', + 'formatter': 'verbose', + }, + 'null': { + 'class': 'logging.NullHandler', + }, + }, + 'loggers': { + 'django.request': { + 'handlers': [ + 'file', + # Don't send an email on server errors, there's just too many + #{% if env == 'production' %} + #'mail_admins', + #{% endif %} + # + + ], + 'level': 'DEBUG', + }, + 'django.security.DisallowedHost': { + 'handlers': ['null'], + 'propagate': False, + }, + 'requests.packages.urllib3': { + 'level': 'WARNING', + }, + }, + 'formatters': { + 'verbose': { + 'format': '%(levelname)s %(asctime)s %(process)d %(name)s %(message)s' + }, + 'simple': { + 'format': '%(levelname)s %(message)s' + }, + }, + 'root': { + 'handlers': ['file'], + 'level': 'INFO', + }, +} + + +# Cache: use the local memcached server +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.PyLibMCCache', + 'LOCATION': '127.0.0.1:11211', + } +} + + +# Only display mailing-lists from the same virtual host as the webserver +FILTER_VHOST = False diff --git a/roles/mailman3/templates/webui-qcluster.service.j2 b/roles/mailman3/templates/webui-qcluster.service.j2 new file mode 100644 index 0000000000..5a926d95e4 --- /dev/null +++ b/roles/mailman3/templates/webui-qcluster.service.j2 
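Review bot: In settings.py.j2 the `exclude_useless_errors` logging filter uses the bare name `django_fedora.exclude_useless_errors` as its callback, yet the only imports in the template are `os`, the two `mailman_web.settings` wildcard imports and `django.contrib.messages.constants`. Unless one of the wildcard imports happens to export `django_fedora`, loading the settings raises NameError and the web UI does not start; add `import django_fedora` next to `import os`, or drop the filter if that module is not shipped with the new role. Separately, `USE_X_FORWARDED_HOST = True` and `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')` are only safe when the front-end proxy overwrites those headers on every request and httpd cannot be reached around it, which deserves a comment such as `# proxy must set X-Forwarded-Host / X-Forwarded-Scheme itself and drop client-supplied copies`. `django.middleware.security.SecurityMiddleware` is also listed next to last in `MIDDLEWARE`, whereas Django's documentation recommends placing it near the top of the list.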
@@ -0,0 +1,14 @@
+[Unit]
+Description=Mailman web UI async tasks runner
+After=network.target remote-fs.target
+
+[Service]
+ExecStart=/usr/bin/mailman-web qcluster
+ExecStop=/bin/kill -s TERM $MAINPID
+User=mailman
+Group=mailman
+WorkingDirectory=/etc/mailman3
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mailman3/templates/webui-warm-up-cache.service.j2 b/roles/mailman3/templates/webui-warm-up-cache.service.j2
new file mode 100644
index 0000000000..930914724c
--- /dev/null
+++ b/roles/mailman3/templates/webui-warm-up-cache.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Mailman web UI warm up cache
+Requires=memcached.service
+After=memcached.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/mailman-web hyperkitty_warm_up_cache
+User=mailman
+Group=mailman
+WorkingDirectory=/etc/mailman3
+
+[Install]
+WantedBy=multi-user.target
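Review bot: The `[Service]` section of webui-qcluster.service.j2 confines the worker only through `User=mailman` / `Group=mailman`, and the same holds for webui-warm-up-cache.service.j2. For a long-running process that handles archived mail, a few sandboxing directives are cheap: `NoNewPrivileges=yes`, `PrivateTmp=yes` and, after checking that the worker writes nothing under /usr or /etc, `ProtectSystem=full`. `ExecStop=/bin/kill -s TERM $MAINPID` repeats systemd's default stop behaviour and can be dropped. With `Restart=always` and no `RestartSec=`, a worker that fails at startup is restarted at the default short interval until the start limit trips; `RestartSec=5` makes such loops easier to spot in the journal.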
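Review bot: In webui-warm-up-cache.service.j2, `Type=oneshot` without `RemainAfterExit=yes` means the unit returns to inactive as soon as `hyperkitty_warm_up_cache` finishes. The `Start services` task in tasks/main.yml applies `state: started` to `webui-warm-up-cache`, so it will find the unit stopped and run the warm-up again on every playbook run. If one run per boot is the intent, add `RemainAfterExit=yes` under `[Service]`.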