infra/services/newsletter/default.nix
Raito Bezarius 92560708b8 feat: multi-tenant secrets
Lix may have its own secrets, and we want to maintain a certain level of
generality in the NixOS modules, so that the secret being selected can be
decoupled from the module and chosen dynamically through a simple tenancy
hierarchy.

This unfortunately requires rewriting all call sites with a `floral`
prefix until they are migrated to the simple internal secret module,
which is aware of tenancy.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00


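# NixOS module for the listmonk newsletter service (`bagel.newsletter`).
#
# listmonk itself is bound to loopback only; the public entry point is the
# TLS-terminating nginx virtual host declared in `config`, so the only ports
# opened in the firewall are 80 and 443. The listmonk listen port and the
# admin username are exposed as options (defaults match the previous
# hard-coded values, so existing call sites are unaffected).
{ config, lib, ... }:
let
  cfg = config.bagel.newsletter;
  inherit (lib) mkIf mkOption mkEnableOption types;
  # Loopback bind: not reachable from outside this host, only through nginx.
  address = "127.0.0.1:${toString cfg.port}";
in
{
  options.bagel.newsletter = {
    enable = mkEnableOption "the newsletter web service (listmonk)";
    domain = mkOption {
      type = types.str;
      description = "Public hostname served by nginx; an ACME certificate is requested for it.";
    };
    port = mkOption {
      type = types.port;
      default = 18999;
      description = "Loopback TCP port listmonk listens on and nginx proxies to. Not opened in the firewall.";
    };
    adminUsername = mkOption {
      type = types.str;
      default = "admin";
      description = "Username of the listmonk admin account; its password is expected to come from the secret file.";
    };
  };
  config = mkIf cfg.enable {
    # Tenant-specific secret (floral tenancy prefix). No `owner`/`mode` is set,
    # so agenix decrypts it with its defaults (root-owned, 0400). That is only
    # workable if the listmonk module hands the file to the service through
    # systemd (e.g. EnvironmentFile/LoadCredential) rather than having the
    # `listmonk` user open it itself — TODO confirm against the module.
    age.secrets.newsletter-secrets.file = ../../secrets/floral/newsletter-secrets.age;
    services.listmonk = {
      enable = true;
      secretFile = config.age.secrets.newsletter-secrets.path;
      settings."app" = {
        inherit address;
        admin_username = cfg.adminUsername;
      };
      database.createLocally = true;
    };
    services.nginx.enable = true;
    services.nginx.virtualHosts."${cfg.domain}" = {
      enableACME = true;
      forceSSL = true; # plain HTTP is redirected; only TLS traffic reaches listmonk
      locations."/".proxyPass = "http://${address}";
    };
    # NOTE(review): the nixpkgs listmonk module may already declare this
    # user/group; if it does, the definitions merge as long as they agree.
    users.users.listmonk = {
      isSystemUser = true;
      group = "listmonk";
    };
    users.groups.listmonk = {};
    # Only the public TLS endpoint is exposed; `cfg.port` stays loopback-only.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}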