infra(cron): daily Listmonk consumer-domain reconciliation (pw-listmonk-scrub)

Runs scrub_listmonk_consumer against both listmonk and listmonk_hc at 06:30 UTC,
before the campaign builders, so any ENABLED subscriber matching the authoritative
exclusion list is blocklisted retroactively. Keeps list-based campaigns (FCC
Direct Contacts, CRTC/USF, etc.) from leaking onto consumer mailboxes after a new
domain (e.g. Apple/iCloud) is added to the exclusion list. Installed to
/etc/cron.d/pw-listmonk-scrub on the host.

infra/cron/pw-listmonk-scrub

@@ -0,0 +1,11 @@
+# Daily Listmonk consumer-domain reconciliation. Blocklists any ENABLED
+# subscriber whose address is on the authoritative exclusion list
+# (scripts/_email_exclusions.py) -- consumer mailboxes (gmail/yahoo/microsoft/
+# apple/etc.), dead/legacy ISPs, and the legal do-not-contact list. The
+# per-vertical builders already exclude these from NEW selections and the
+# importer refuses to import them, but LIST-BASED campaigns (FCC Direct
+# Contacts, CRTC/USF blasts, etc.) can still hit subscribers imported before a
+# domain joined the exclusion list. This keeps the live subscriber table in
+# sync so the exclusion applies retroactively, protecting sender reputation.
+# Runs at 06:30 UTC, before the 07:00/07:45/08:00 UTC campaign builders.
+30 6 * * * deploy cd /opt/performancewest && docker compose exec -T workers python3 -m scripts.scrub_listmonk_consumer >> /var/log/pw-listmonk-scrub.log 2>&1 && LM_HC=$(docker compose exec -T workers printenv DATABASE_URL | sed 's#/[^/]*$#/listmonk_hc#') && docker compose exec -T -e LISTMONK_DATABASE_URL="$LM_HC" workers python3 -m scripts.scrub_listmonk_consumer >> /var/log/pw-listmonk-scrub.log 2>&1