Mailman: update the mailman-hyperkitty conf file

And use the mailman_url variable, and set some permissions.

inventory/host_vars/lists-dev.cloud.fedoraproject.org

@@ -10,3 +10,6 @@ root_auth_users: abompard
 description: lists-dev instance to further test hyperkitty and mailman3
 volumes: ['-d /dev/vdb vol-0000000c']
 freezes: false
+
+# Used by the mailman role
+mailman_url: lists-dev.cloud.fedoraproject.org

roles/mailman/defaults/main.yml

@@ -6,3 +6,4 @@ mailman_mailman_db_pass: changeme
 mailman_hyperkitty_admin_db_pass: changeme
 mailman_hyperkitty_db_pass: changeme
 mailman_hyperkitty_cookie_key: changeme
+mailman_url: lists.example.com

roles/mailman/files/mailman-hyperkitty.cfg

@@ -1,12 +0,0 @@
-# This is the mailman extension configuration file to enable HyperKitty as an
-# archiver. Remember to add the following lines in the mailman.cfg file:
-#
-# [archiver.hyperkitty]
-# class: hyperkitty.lib.archiver.Archiver
-# enable: yes
-# configuration: /path/to/here/hyperkitty.cfg
-#
-
-[general]
-base_url: http://localhost/archives
-api_key: SecretArchiverAPIKey

roles/mailman/tasks/main.yml

@@ -112,6 +112,7 @@
 
 - name: set the mailman conffile
   template: src={{ item }} dest=/etc/mailman.cfg
+            owner=root group=mailman mode=0640
   with_first_found:
   - mailman.cfg.{{ ansible_hostname }}.j2
   - mailman.cfg.j2
@@ -226,8 +227,9 @@
 # Plug HyperKitty into Mailman
 #
 - name: copy the mailman-hyperkitty conffile
-  copy: src=mailman-hyperkitty.cfg
-        dest="{{ mailman_webui_confdir }}/mailman-hyperkitty.cfg"
+  template: src=mailman-hyperkitty.cfg.j2
+            dest="{{ mailman_webui_confdir }}/mailman-hyperkitty.cfg"
+            owner=root group=mailman mode=0640
   tags:
   - config
   notify:

roles/mailman/templates/mailman-hyperkitty.cfg.j2

@@ -0,0 +1,25 @@
+# This is the mailman extension configuration file to enable HyperKitty as an
+# archiver. Remember to add the following lines in the mailman.cfg file:
+#
+# [archiver.hyperkitty]
+# class: hyperkitty.lib.archiver.Archiver
+# enable: yes
+# configuration: /path/to/here/hyperkitty.cfg
+#
+
+[general]
+
+# This is your HyperKitty installation, preferably on the localhost. This
+# address will be used by Mailman to forward incoming emails to HyperKitty
+# for archiving. It does not need to be publicly available, in fact it's
+# better if it is not.
+base_url: http://localhost/archives/
+
+# This is the public URL of your HyperKitty installation. This value will
+# appear as a link at the bottom of emails sent to the list, so it must be
+# publicly accessible.
+public_url: http://{{ mailman_url }}/archives/
+
+# Shared API key, must be the identical to the value in HyperKitty's
+# settings.
+api_key: SecretArchiverAPIKey

roles/mailman/templates/mailman-migration.conf.j2

@@ -1,3 +1,3 @@
 basedir: {{ mailman_webui_basedir }}
 confdir: {{ mailman_webui_confdir }}
-domain: lists.fedoraproject.org
+domain: {{ mailman_url }}

roles/mailman/templates/settings.py.j2

@@ -21,6 +21,7 @@ ADMINS = (
 # Hosts/domain names that are valid for this site; required if DEBUG is False
 # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = [
+    "{{ mailman_url }}",
     ".fedoraproject.org",
     "discuss.arquillian.org",
     "localhost", # Archiving API from Mailman
@@ -29,9 +30,7 @@ ALLOWED_HOSTS = [
 # And for BrowserID too, see
 # http://django-browserid.rtfd.org/page/user/settings.html#django.conf.settings.BROWSERID_AUDIENCES
 BROWSERID_AUDIENCES = [
-    "https://lists.fedoraproject.org",
-    "https://lists.stg.fedoraproject.org",
-    "https://lists-dev.cloud.fedoraproject.org",
+    "https://{{ mailman_url }}",
 ]
 
 # Mailman API credentials
@@ -109,7 +108,7 @@ DATABASES = {
 USE_X_FORWARDED_HOST = True
 # In the Fedora infra, requests are systematically redirected to HTTPS, so put
 # something always true here:
-SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SERVER', 'lists.fedoraproject.org')
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SERVER', '{{ mailman_url }}')
 
 # Internationalization
 # https://docs.djangoproject.com/en/1.6/topics/i18n/