feat(deploy): Complete mini-PaaS deployment system (t-266)

- Add Omni/Deploy/ with Manifest, Deployer, Systemd, Caddy modules
- Manifest CLI: show, update, add-service, list, rollback commands
- Deployer: polls S3 manifest, pulls closures, manages systemd units
- Caddy integration for dynamic reverse proxy routes
- bild: auto-cache to S3, outputs STORE_PATH for push.sh
- push.sh: supports both NixOS and service deploys
- Biz.nix: simplified to base OS + deployer only
- Services (podcastitlater-web/worker) now deployer-managed
- Documentation: README.md with operations guide

1 files changed, 16 insertions, 30 deletions

diff --git a/Biz/PodcastItLater/INFRASTRUCTURE.md b/Biz/PodcastItLater/INFRASTRUCTURE.md
index 1c61618..0d6392b 100644
--- a/Biz/PodcastItLater/INFRASTRUCTURE.md
+++ b/Biz/PodcastItLater/INFRASTRUCTURE.md
@@ -1,38 +1,24 @@
 # Infrastructure Setup for PodcastItLater
 
-## Mailgun Setup
+## Email Delivery via Mailgun
 
-Since PodcastItLater requires sending transactional emails (magic links), we use Mailgun.
+PodcastItLater sends transactional emails (magic links for login) via Mailgun for reliable deliverability.
 
-### 1. Sign up for Mailgun
-Sign up at [mailgun.com](https://www.mailgun.com/).
+### Setup Steps
 
-### 2. Add Domain
-Add `podcastitlater.com` (or `mg.podcastitlater.com`) to Mailgun.
-We recommend using the root domain `podcastitlater.com` if you want emails to come from `@podcastitlater.com`.
+1. **Add domain to Mailgun**: Add `bensima.com` at [mailgun.com](https://app.mailgun.com/mg/sending/new)
 
-### 3. Configure DNS
-Mailgun will provide DNS records to verify the domain and authorize email sending. You must add these to your DNS provider (e.g., Cloudflare, Namecheap).
+2. **Configure DNS**: Add the records Mailgun provides:
+   - **TXT** (SPF): Update existing to include `include:mailgun.org`
+   - **TXT** (DKIM): Add the DKIM record Mailgun provides
+   - **CNAME** (tracking, optional): For open/click tracking
 
-Required records usually include:
-- **TXT** (SPF): `v=spf1 include:mailgun.org ~all`
-- **TXT** (DKIM): `k=rsa; p=...` (Provided by Mailgun)
-- **MX** (if receiving email, optional for just sending): `10 mxa.mailgun.org`, `10 mxb.mailgun.org`
-- **CNAME** (for tracking, optional): `email.podcastitlater.com` -> `mailgun.org`
+3. **Get SMTP credentials**: Go to Sending → Domain Settings → SMTP Credentials
 
-### 4. Verify Domain
-Click "Verify DNS Settings" in Mailgun dashboard. This may take up to 24 hours but is usually instant.
-
-### 5. Generate API Key / SMTP Credentials
-Go to "Sending" -> "Domain Settings" -> "SMTP Credentials".
-Create a new SMTP user (e.g., `postmaster@podcastitlater.com`).
-**Save the password immediately.**
-
-### 6. Update Secrets
-Update the production secrets file on the server (`/run/podcastitlater/env`):
-
-```bash
-SMTP_SERVER=smtp.mailgun.org
-SMTP_PASSWORD=your-new-smtp-password
-EMAIL_FROM=noreply@podcastitlater.com
-```
+4. **Update production secrets** in `/run/podcastitlater/env`:
+   ```bash
+   EMAIL_FROM=noreply@bensima.com
+   SMTP_SERVER=smtp.mailgun.org
+   SMTP_PORT=587
+   SMTP_PASSWORD=your-mailgun-smtp-password
+   ```