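<VirtualHost *:80>
    # Plain-HTTP vhost for the Mailman site {{ mailman_site.listdomain }}:
    # serves the Mailman CGIs, the public pipermail archives and the logos.
    ServerName {{ mailman_site.listdomain }}

    ErrorLog ${APACHE_LOG_DIR}/{{ mailman_site.listdomain }}-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/{{ mailman_site.listdomain }}-access.log combined

    DocumentRoot /var/www

    RewriteEngine on
    # TODO(fungi): convert this vhost into a blanket redirect to HTTPS when ready
    # NOTE(review): until that redirect exists, anything submitted to the
    # Mailman CGIs through this vhost (list passwords, the authentication
    # cookie) travels unencrypted.
    RewriteRule ^/$ /cgi-bin/mailman/listinfo [R]
    # The RewriteCond applies only to the RewriteRule directly below it:
    # requests for the named lists that arrive with Host lists.openstack.org
    # are permanently redirected to the same path on lists.openinfra.dev.
    # %{REQUEST_SCHEME} keeps the scheme of the request, so a redirect issued
    # by this vhost stays on http://.
    RewriteCond %{HTTP_HOST} ^lists\.openstack\.org$ [nocase]
    RewriteRule /(cgi-bin/mailman/listinfo|pipermail)/(community|foundation|foundation-board|foundation-board-confidential|goldmembers|marketing|staff|summitsponsors)(/.*|$) %{REQUEST_SCHEME}://lists.openinfra.dev/$1/$2$3 [last,redirect=permanent]

    # We can find mailman here:
    ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/
    # And the public archives:
    Alias /pipermail/ /srv/mailman/{{ mailman_site.name }}/archives/public/
    # Logos:
    Alias /images/mailman/ /usr/share/images/mailman/

    # To access mailman through a shorter URL, without the "cgi-bin"
    # component, enable this:
    #ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
    # In this case you need to set the DEFAULT_URL_PATTERN in
    # /etc/mailman/mm_cfg.py to http://%s/mailman/ for the cookie
    # authentication code to work.  Note that you need to change the base
    # URL for all the already-created lists as well.

    # Access control below is split by server version: the 2.2-style
    # Order/Allow pair is only read by servers older than 2.4, and 2.4+ uses
    # Require.  Left unconditional, Order/Allow depend on mod_access_compat
    # being loaded on 2.4 and mix two authorization models in one section.
    <Directory /usr/lib/cgi-bin/mailman/>
        AllowOverride None
        Options ExecCGI
        AddHandler cgi-script .cgi
        # Exported to the CGI environment; presumably read by the Mailman
        # configuration to select this site - confirm against mm_cfg.py.
        SetEnv HOST {{ mailman_site.listdomain }}
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>
    <Directory /srv/mailman/{{ mailman_site.name }}/archives/public/>
        # NOTE(review): symlinks under this tree are followed without an
        # ownership check, so everything they point at is published.
        # Presumably required because Mailman's public archive entries are
        # symlinks - verify before tightening.
        Options FollowSymlinks
        AllowOverride None
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>
    <Directory /usr/share/images/mailman/>
        AllowOverride None
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>

</VirtualHost>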

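<VirtualHost *:443>
  # HTTPS vhost for the Mailman site {{ mailman_site.listdomain }}: same
  # CGIs, public archives and logos as the port 80 vhost, served over TLS.
  ServerName {{ mailman_site.listdomain }}
  ServerAdmin webmaster@openstack.org
  ErrorLog ${APACHE_LOG_DIR}/{{ mailman_site.listdomain }}-ssl-error.log
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/{{ mailman_site.listdomain }}-ssl-access.log combined

  SSLEngine on
  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are switched off together
  # with the SSL protocols; only TLS 1.2 and newer are negotiated.
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  # Note: this list should ensure ciphers that provide forward secrecy
  # NOTE(review): "!AES256" permanently removes every AES-256 suite, so the
  # ECDH+AES256 and DH+AES256 entries earlier in the string have no effect.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on
  # NOTE(review): no Strict-Transport-Security header is sent; adding one
  # needs mod_headers and fits best once port 80 redirects to HTTPS.

  # The private key file must be readable by the server's startup user only.
  SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
  # SSLCertificateChainFile is deprecated since httpd 2.4.8, where the chain
  # can be appended to SSLCertificateFile instead; it still works as is.
  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer

  RewriteEngine on
  RewriteRule ^/$ /cgi-bin/mailman/listinfo [R]
  # The RewriteCond applies only to the RewriteRule directly below it:
  # requests for the named lists that arrive with Host lists.openstack.org
  # are permanently redirected to the same path on lists.openinfra.dev,
  # keeping the request's scheme.
  RewriteCond %{HTTP_HOST} ^lists\.openstack\.org$ [nocase]
  RewriteRule /(cgi-bin/mailman/listinfo|pipermail)/(community|foundation|foundation-board|foundation-board-confidential|goldmembers|marketing|staff|summitsponsors)(/.*|$) %{REQUEST_SCHEME}://lists.openinfra.dev/$1/$2$3 [last,redirect=permanent]

  ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/
  Alias /pipermail/ /srv/mailman/{{ mailman_site.name }}/archives/public/
  Alias /images/mailman/ /usr/share/images/mailman/

  # Access control is split by server version, as in the port 80 vhost of
  # this file: Order/Allow for servers older than 2.4, Require for 2.4+.
  # Unconditional Order/Allow next to Require mixes two authorization models
  # and depends on mod_access_compat being loaded on 2.4.
  <Directory /usr/lib/cgi-bin/mailman/>
    AllowOverride None
    Options ExecCGI
    AddHandler cgi-script .cgi
    # Exported to the CGI environment; presumably read by the Mailman
    # configuration to select this site - confirm against mm_cfg.py.
    SetEnv HOST {{ mailman_site.listdomain }}
    <IfVersion < 2.4>
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
      Require all granted
    </IfVersion>
  </Directory>
  <Directory /srv/mailman/{{ mailman_site.name }}/archives/public/>
    # NOTE(review): symlinks under this tree are followed without an
    # ownership check, so everything they point at is published.
    # Presumably required because Mailman's public archive entries are
    # symlinks - verify before tightening.
    Options FollowSymlinks
    AllowOverride None
    <IfVersion < 2.4>
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
      Require all granted
    </IfVersion>
  </Directory>
  <Directory /usr/share/images/mailman/>
    AllowOverride None
    <IfVersion < 2.4>
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
      Require all granted
    </IfVersion>
  </Directory>
</VirtualHost>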