diff --git a/hosts/public01/default.nix b/hosts/public01/default.nix index d1d3798..0844dec 100755 --- a/hosts/public01/default.nix +++ b/hosts/public01/default.nix @@ -12,6 +12,10 @@ bagel.sysadmin.enable = true; # Buildbot is proxied. bagel.raito.v6-proxy-awareness.enable = true; + bagel.newsletter = { + enable = true; + domain = "news.forkos.org"; + }; bagel.hardware.raito-vm = { enable = true; networking = { diff --git a/secrets.nix b/secrets.nix index d3df1bf..3c4d143 100644 --- a/secrets.nix +++ b/secrets.nix @@ -34,6 +34,8 @@ let postgres-ca-priv = [ machines.bagel-box ]; postgres-tls-priv = [ machines.bagel-box ]; + + newsletter-secrets = [ machines.public01 ]; }; in builtins.listToAttrs ( diff --git a/secrets/newsletter-secrets.age b/secrets/newsletter-secrets.age new file mode 100644 index 0000000..dd1d2ec --- /dev/null +++ b/secrets/newsletter-secrets.age @@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 CyxfgQ LLKBR/y/57Y/1TYqjp8KLEQhJ7FUORnXU47vD7KCvFQ +8Fv7pvlK76uBC2ff7tnHDWlqlKCsiHicLgVNWXt1GwM +-> ssh-ed25519 K3b7BA +XXalaNGAVKwZFNIFesJnxqXlRVajMEEk4isESG9+Q8 +LXPCdJcZ0noqQyHlskyhDTfP8A7PCM6I2mV4bfv1GAI +-> ssh-ed25519 +qVung WwNv3STfTW9bcluV1Y/MncsYshU+XRU4CW0IZdkTVgo +ZauuA39WxZ5DnxTjIJjMUWhGNOS9rM3VekOZzRQJKDw +-> ssh-rsa krWCLQ +PJu9tYtGzFlgSeAeEFuxk2OkSEXPxcAnwRr1wgvxR2WfIUpN+5G5nQ08ABQDNHoc +v3kpEKXvBgT6yvDk6p8W/DPVjQ9f6wREYxJJnOwzgfw7DeP9YAJ9XDdkh4/ToFLo +th67fPjL0awdBF064osJAadyuiop6kqp2C3k19IZbFd4tCEctVK0kAEameMWMjkx +/BV6EqZ7qDupj4Mq0RjXRgdHivR+twmLVqHbq814k5D2syrfnv+5Mt2Th2yUiKMT +nEX+fQqU90Nbu9t7MtlI7KX0WYWna58sfM3t+taFj1V5khW64S+/1bOml8D20K2Z +K2hiwd5SgPV9Qza5yoVJqg +-> ssh-ed25519 /vwQcQ pVGCyA58zXp+mblJucT0YW4FvMy1PsZpUebSJNv4axg +IMLJuX5CmBARC/q7F5NTf7lQZsOfVlsJjYPOcm3jM1w +-> ssh-ed25519 0R97PA rSjAkrTvPKrEJ6HFOHkhxLEfCpmWgE8G+r2vTszwHnw +UNrfN/5y2JZPybuniGpL1Gd+XCEDN7KzVh7HjU+C7hg +--- BaRg9iHv5VcOx/UJbAgjefJTPGoM68kiOXBHIk25vOA +Q7-e=̉/si_aDiՔQ͖j{ YJֽB-0~ qL":L'~{Xi2i \ No newline at end of file 
diff --git a/services/default.nix b/services/default.nix
index 4fb2e42..f205ca8 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -10,5 +10,6 @@
 ./forgejo
 ./baremetal-builder
 ./buildbot
+ ./newsletter
 ];
 }
diff --git a/services/newsletter/default.nix b/services/newsletter/default.nix
new file mode 100644
index 0000000..627238a
--- /dev/null
+++ b/services/newsletter/default.nix
@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+let
+ cfg = config.bagel.newsletter;
+ inherit (lib) mkIf mkOption mkEnableOption types;
+ port = 18999;
+ address = "127.0.0.1:${toString port}";
+in
+{
+ options.bagel.newsletter = {
+ enable = mkEnableOption "the newsletter web service (listmonk)";
+ domain = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets.newsletter-secrets.file = ../../secrets/newsletter-secrets.age;
+ services.listmonk = {
+ enable = true;
+ secretFile = config.age.secrets.newsletter-secrets.path;
+ settings."app" = {
+ inherit address;
+ admin_username = "admin";
+ };
+ database.createLocally = true;
+ };
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."${cfg.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${address}";
+ };
+
+ users.users.listmonk = {
+ isSystemUser = true;
+ group = "listmonk";
+ };
+ users.groups.listmonk = {};
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
diff --git a/terraform/gandi.nix b/terraform/gandi.nix
index 54c8497..593dd9b 100644
--- a/terraform/gandi.nix
+++ b/terraform/gandi.nix
@@ -85,6 +85,7 @@ in
 (record "buildbot" 300 "CNAME" ["buildbot.infra.p"])
 (record "b" 300 "CNAME" ["public01.infra.p"])
 (record "postgres" 300 "CNAME" ["bagel-box.infra.p"])
+ (record "news" 3600 "CNAME" ["public01.infra.p"])
 # S3 in delroth's basement
 (record "cache" 300 "AAAA" ["2a02:168:6426::12"])
 # smol.delroth.net
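Review bot: The `services.nginx.virtualHosts."${cfg.domain}"` block in services/newsletter/default.nix proxies to listmonk without forwarding the client address: the NixOS nginx module only emits the `X-Forwarded-For`/`X-Real-IP` headers when `recommendedProxySettings` is set (or an explicit `extraConfig` adds them), so listmonk's request logs and anything it keys on the client address will see 127.0.0.1 for every request. Adding `recommendedProxySettings = true;` to the vhost (or `services.nginx.recommendedProxySettings = true;` globally, if the host does not already set it elsewhere) fixes that. Separately, `domain` is declared with only `type = types.str;` and no `description`; `description = "Public hostname for the listmonk instance, also used as the nginx/ACME virtual host.";` would document it, and `port = 18999` could be exposed as an option the same way instead of a fixed binding in the `let`. The manual `users.users.listmonk`/`users.groups.listmonk` declarations may duplicate what `services.listmonk` already creates, which is worth confirming against the upstream module before keeping both.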
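Review bot: The new `news` record uses a TTL of 3600 while every neighbouring CNAME in the hunk (`buildbot`, `b`, `postgres`) uses 300; if that is not deliberate, `(record "news" 300 "CNAME" ["public01.infra.p"])` keeps the zone consistent and lets a future move off public01 take effect as quickly as the others. If the longer TTL is intended, a short comment next to the record saying so would stop the next reader from "fixing" it.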