Build works

hosts/flora-6/caddy.nix

@@ -72,6 +72,19 @@
           reverse_proxy :4000
         '';
       };
+      "list.pub.solar" = {
+        logFormat = lib.mkForce ''
+          output discard
+        '';
+        extraConfig = ''
+          handle_path /static/* {
+            root * /var/lib/mailman/web
+            file_server
+          }
+
+          reverse_proxy :8000
+        '';
+      };
       "obs-portal.pub.solar" = {
         logFormat = lib.mkForce ''
           output discard

hosts/flora-6/flora-6.nix

@@ -19,6 +19,7 @@ in {
     ./drone.nix
     ./keycloak.nix
     ./gitea.nix
+    ./mailman.nix
 
     profiles.base-user
     profiles.users.root # make sure to configure ssh keys

hosts/flora-6/mailman.nix

@@ -0,0 +1,114 @@
+{
+  config,
+  lib,
+  pkgs,
+  self,
+  ...
+}: {
+  system.activationScripts.mkMailmanNet = let
+    docker = config.virtualisation.oci-containers.backend;
+    dockerBin = "${pkgs.${docker}}/bin/${docker}";
+  in ''
+    ${dockerBin} network inspect mailman-net >/dev/null 2>&1 || ${dockerBin} network create mailman-net --subnet 172.20.1.0/24
+  '';
+
+  users.users.mailman = {
+    description = "Mailman Service";
+    home = "/var/lib/mailman";
+    useDefaultShell = true;
+    uid = 993;
+    # Group hakkonaut so caddy can serve the static files from mailman-web directly
+    group = "hakkonaut";
+    isSystemUser = true;
+  };
+
+  age.secrets.mailman-core-secrets = {
+    file = "${self}/secrets/mailman-core-secrets.age";
+    mode = "600";
+    owner = "mailman";
+  };
+
+  age.secrets.mailman-web-secrets = {
+    file = "${self}/secrets/mailman-web-secrets.age";
+    mode = "600";
+    owner = "mailman";
+  };
+
+  age.secrets.mailman-db-secrets = {
+    file = "${self}/secrets/mailman-db-secrets.age";
+    mode = "600";
+    owner = "mailman";
+  };
+
+  virtualisation = {
+    docker = {
+      enable = true;
+    };
+
+    oci-containers = {
+      backend = "docker";
+      containers."mailman-core" = {
+        image = "maxking/mailman-core:0.4";
+        autoStart = true;
+        user = "993";
+        volumes = [
+          "/var/lib/mailman/core:/opt/mailman/"
+        ];
+        extraOptions = [
+          "--network=mailman-net"
+        ];
+        environment = {
+          DATABASE_TYPE = "postgres";
+          DATABASE_CLASS = "mailman.database.postgresql.PostgreSQLDatabase";
+        };
+        environmentFiles = [
+          config.age.secrets.mailman-core-secrets.path
+        ];
+        ports = [
+          "127.0.0.1:8001:8001" # API
+          "127.0.0.1:8024:8024" # LMTP - incoming emails
+        ];
+      };
+
+      containers."mailman-web" = {
+        image = "maxking/mailman-web:0.4";
+        autoStart = true;
+        user = "993";
+        volumes = [
+          "/var/lib/mailman/web:/opt/mailman-web-data"
+        ];
+        extraOptions = [
+          "--network=mailman-net"
+        ];
+        environment = {
+          DATABASE_TYPE = "postgres";
+          SERVE_FROM_DOMAIN = "list.pub.solar";
+          MAILMAN_ADMIN_USER = "admin";
+          MAILMAN_ADMIN_EMAIL = "admins@pub.solar";
+        };
+        environmentFiles = [
+          config.age.secrets.mailman-web-secrets.path
+        ];
+        ports = [
+          "127.0.0.1:8000:8000" # HTTP
+          # "127.0.0.1:8080:8080" # uwsgi
+        ];
+      };
+
+      containers."mailman-db" = {
+        image = "postgres:14-alpine";
+        autoStart = true;
+        user = "993";
+        extraOptions = [
+          "--network=mailman-net"
+        ];
+        volumes = [
+          "/var/lib/mailman/database:/var/lib/postgresql/data"
+        ];
+        environmentFiles = [
+          config.age.secrets.mailman-db-secrets.path
+        ];
+      };
+    };
+  };
+}

secrets/mailman-db-secrets.age

@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 Y0ZZaw WqfbigFDHy0nh/B8SjJk2MCKKRQ1Jt/gXxRz2neNvlc
+5wJjaxa1sOPPQfg4n6n6HurhkN/+ARVhthxoK8bzOWE
+-> ssh-ed25519 BVsyTA Lvki0R7gZediS9KnQGerUtVZQ7qZYUXaUbPvqv2zmgM
+YTLaJM1UqpL+avMZz0mMKz1i9LSalbTQkC6xFbYbyAw
+-> ssh-rsa kFDS0A
+Xcm7KqiO5yK5RUwhJPrJ3fk/GTVK0OJlsGouc71p35o5AgqBrbW0HiNBGMl24oUP
+jMU9nSlATq4VaQWKHCqnGOeJCw83C1AON7sVHhoT3vzFWKs9TO0TDR0Gm0fCBTm1
+hk2fQZ/sMe8lGuSyISDg1QmEkC7ow/FwXmMlW5xw0honj1ca+mZ8w5YeWVCMLpGg
+pob/79odfVMtlk4uqcjboto6X6aY/W43yG8VQUJwZ3hK/4wVn16Os+RlNH6GAFr0
+aZ6SS4cJR9uTd/y9rQIg9rgQ95qTusg66ClBRdMCy7fvXbfMAMvmtmwBQJQdpO2q
+tURAN4Id3+j+vuqk0nqnj0oXx61mIlutbADbkoRlhB9VFVffSu/KeMFVOtSMD0AN
+Sp0q4nhv5BSaOP/D0YwOMPmCuS2M6aVfWvPQvrQ5YE4MEWK2qs4A3vZRn2d8o5hh
+mvH+y+Foxt69D+k32DWFMCbZCSxlBKW1aGZ6AexFXx6zYyzBoYE9zB6QSI8ZbqN0
+LfBpz2YNCix+6y5qUsCYsY9aa9m4azpsKD7M5IFgmkLqUGvsH7Xx7PC/Z9B4zTgs
+MHMJPPR/yRZ8PzbnXIUen4/PnO4j7AbgYDv4FCAAfWJjufC7v+vTI0m80Y/7uZCu
+dk6DPZaUMbJFYXPNUNODP/6Dn5RL8hy74IjdLtNIbzg
+-> ejJ:5Us-grease
+fWwlxnUaotXS0iwGa0zkPyoHuNjTBBgFJUO8cVMNfB2vxoPKraJ+weyTXbu8Fa7i
+WVehDudiKTfaK4Ruy6hbUZBjZ+Aq3LDpezw
+--- XjN/bkA+YEfIro1w01fcKA7n0xMq6raWxpXoedRIw/g
+EC†í³dtyaè¢(QqÆ.j²H	6¾‰‹®i[M
+sº”Çm0©])Õ±T‘Täo½<6F>=¹¢Ì¢
å¡7£DýA¯Ô}±&HàÞ=OâRæ6·>ª°?<3F>ý$ŒO¥‰m͸öÇg…‰ÿê´–AF£™YqÜ°Ì~ô½kƒàâi¾ú2iu1!U›?2<Ä©$eÜ6×ë­ï3·µ

secrets/secrets.nix

@@ -1,15 +1,26 @@
 let
   # set ssh public keys here for your system and user
-  b12f-main = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg=";
+  b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw==";
-  b12f-backup = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw=";
+  teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
-  teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
   flora-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@pub-solar-infra-vm-1";
-  allKeys = [flora-6 teutat3s b12f-main b12f-backup];
+
-  deployKeys = [flora-6 teutat3s b12f-main b12f-backup];
+  allKeys = [
+    flora-6
+    teutat3s-dumpyourvms
+    b12f-bbcom
+  ];
+  deployKeys = [
+    flora-6
+    teutat3s-dumpyourvms
+    b12f-bbcom
+  ];
 in {
   "gitea-database-password.age".publicKeys = deployKeys;
   "gitea-mailer-password.age".publicKeys = deployKeys;
   "keycloak-database-password.age".publicKeys = deployKeys;
   "drone-secrets.age".publicKeys = deployKeys;
   "drone-db-secrets.age".publicKeys = deployKeys;
+  "mailman-core-secrets.age".publicKeys = deployKeys;
+  "mailman-web-secrets.age".publicKeys = deployKeys;
+  "mailman-db-secrets.age".publicKeys = deployKeys;
 }