feat(public): add listmonk instance on news.forkos.org

To prepare for public communications and updates.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

hosts/public01/default.nix

@@ -12,6 +12,10 @@
   bagel.sysadmin.enable = true;
   # Buildbot is proxied.
   bagel.raito.v6-proxy-awareness.enable = true;
+  bagel.newsletter = {
+    enable = true;
+    domain = "news.forkos.org";
+  };
   bagel.hardware.raito-vm = {
     enable = true;
     networking = {

secrets.nix

@@ -34,6 +34,8 @@ let
 
     postgres-ca-priv = [ machines.bagel-box ];
     postgres-tls-priv = [ machines.bagel-box ];
+
+    newsletter-secrets = [ machines.public01 ];
   };
 in
   builtins.listToAttrs (

secrets/newsletter-secrets.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 CyxfgQ LLKBR/y/57Y/1TYqjp8KLEQhJ7FUORnXU47vD7KCvFQ
+8Fv7pvlK76uBC2ff7tnHDWlqlKCsiHicLgVNWXt1GwM
+-> ssh-ed25519 K3b7BA +XXalaNGAVKwZFNIFesJnxqXlRVajMEEk4isESG9+Q8
+LXPCdJcZ0noqQyHlskyhDTfP8A7PCM6I2mV4bfv1GAI
+-> ssh-ed25519 +qVung WwNv3STfTW9bcluV1Y/MncsYshU+XRU4CW0IZdkTVgo
+ZauuA39WxZ5DnxTjIJjMUWhGNOS9rM3VekOZzRQJKDw
+-> ssh-rsa krWCLQ
+PJu9tYtGzFlgSeAeEFuxk2OkSEXPxcAnwRr1wgvxR2WfIUpN+5G5nQ08ABQDNHoc
+v3kpEKXvBgT6yvDk6p8W/DPVjQ9f6wREYxJJnOwzgfw7DeP9YAJ9XDdkh4/ToFLo
+th67fPjL0awdBF064osJAadyuiop6kqp2C3k19IZbFd4tCEctVK0kAEameMWMjkx
+/BV6EqZ7qDupj4Mq0RjXRgdHivR+twmLVqHbq814k5D2syrfnv+5Mt2Th2yUiKMT
+nEX+fQqU90Nbu9t7MtlI7KX0WYWna58sfM3t+taFj1V5khW64S+/1bOml8D20K2Z
+K2hiwd5SgPV9Qza5yoVJqg
+-> ssh-ed25519 /vwQcQ pVGCyA58zXp+mblJucT0YW4FvMy1PsZpUebSJNv4axg
+IMLJuX5CmBARC/q7F5NTf7lQZsOfVlsJjYPOcm3jM1w
+-> ssh-ed25519 0R97PA rSjAkrTvPKrEJ6HFOHkhxLEfCpmWgE8G+r2vTszwHnw
+UNrfN/5y2JZPybuniGpL1Gd+XCEDN7KzVh7HjU+C7hg
+--- BaRg9iHv5VcOx/UJbAgjefJTPGoM68kiOXBHIk25vOA
+Q<EFBFBD>7ｸｹﾂ-稿=ﾌ岡/ｽｷsi軅aDｨｺ<10>吠ﾕ撚<1D>ﾖﾍ埋j{堂<>ｳYｽJ旒ｽ斥B-0~<7E>ｳqLｭ"汎ﾏ:ｪｯﾌL'€~{X<>i奓湊2ﾖﾌﾞ疂<EFBE9E>

services/default.nix

@@ -10,5 +10,6 @@
     ./forgejo
     ./baremetal-builder
     ./buildbot
+    ./newsletter
   ];
 }

services/newsletter/default.nix

@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+let
+  cfg = config.bagel.newsletter;
+  inherit (lib) mkIf mkOption mkEnableOption types;
+  port = 18999;
+  address = "127.0.0.1:${toString port}";
+in
+{
+  options.bagel.newsletter = {
+    enable = mkEnableOption "the newsletter web service (listmonk)";
+    domain = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets.newsletter-secrets.file = ../../secrets/newsletter-secrets.age;
+    services.listmonk = {
+      enable = true;
+      secretFile = config.age.secrets.newsletter-secrets.path;
+      settings."app" = {
+        inherit address;
+        admin_username = "admin";
+      };
+      database.createLocally = true;
+    };
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts."${cfg.domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://${address}";
+    };
+
+    users.users.listmonk = {
+      isSystemUser = true;
+      group = "listmonk";
+    };
+    users.groups.listmonk = {};
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
+}

terraform/gandi.nix

@@ -85,6 +85,7 @@ in
       (record "buildbot" 300 "CNAME" ["buildbot.infra.p"])
       (record "b" 300 "CNAME" ["public01.infra.p"])
       (record "postgres" 300 "CNAME" ["bagel-box.infra.p"])
+      (record "news" 3600 "CNAME" ["public01.infra.p"])
 
       # S3 in delroth's basement
       (record "cache" 300 "AAAA" ["2a02:168:6426::12"]) # smol.delroth.net