Enable SSL for mailman vhost.

roles/mail/tasks/main.yml

@@ -104,6 +104,10 @@
   template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}_mail.conf
   tags: mail
 
+- name: Configure certificate manager for mailman
+  template: src=mailman/certs.j2 dest=/etc/acme/domains.d/{{ mailman_domain }}_mailman.conf
+  tags: mail
+
 - name: Create razor directory structure
   command: razor-admin -create chdir=/var/lib/amavis creates=/var/lib/amavis/.razor
   become: yes

roles/mail/templates/mailman/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ mailman_domain }}:
+- path: /etc/nginx/ssl/{{ mailman_domain }}.crt
+  user: nginx
+  group: nginx
+  perm: '400'
+  format: crt
+  notify: 'service nginx reload'
+- path: /etc/nginx/ssl/{{ mailman_domain }}.key
+  user: nginx
+  group: nginx
+  perm: '400'
+  format: key
+  notify: 'service nginx reload'

roles/mail/templates/mailman/mm_cfg.py.j2

@@ -58,7 +58,7 @@ MAILMAN_SITE_LIST = 'mailman'
 # If you change these, you have to configure your http server
 # accordingly (Alias and ScriptAlias directives in most httpds)
 #DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
-DEFAULT_URL_PATTERN = 'http://%s/'
+DEFAULT_URL_PATTERN = 'https://%s/'
 IMAGE_LOGOS         = '/images/mailman/'
 
 #-------------------------------------------------------------

roles/mail/templates/nginx/vhost.j2

@@ -1,13 +1,20 @@
 server {
 	listen 80;
+	listen [::]:80;
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	ssl_certificate /etc/nginx/ssl/{{ mailman_domain }}.crt;
+	ssl_certificate_key /etc/nginx/ssl/{{ mailman_domain }}.key;
+
 	server_name {{ mailman_domain }};
-	root /usr/lib/cgi-bin/mailman/;
 
 	location = / {
 		rewrite ^ /listinfo permanent;
 	}
 
 	location / {
+		root /usr/lib/cgi-bin/mailman/;
 		fastcgi_split_path_info (^/[^/]*)(.*)$;
 		include /etc/nginx/fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;