
feat(pm/umber): add silverbullet

firebrick was my private silverbullet instance, now the job falls to
umber. There needs to be a bit of extra stuff here compared to teal
since this silverbullet instance shouldn't be accessible by anyone
but me (compared to everyone on the Tailscale...)

Changed files
+93
packetmix
+16
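--- a/packetmix/systems/umber/acme.nix
+++ b/packetmix/systems/umber/acme.nix
@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "acme@starrysky.fyi";
+      dnsProvider = "cloudflare";
+      environmentFile = "/secrets/acme/environmentFile";
+    };
+  };
+
+  clicks.storage.impermanence.persist.directories = [ "/var/lib/acme" ];
+}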
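Review bot: `environmentFile = "/secrets/acme/environmentFile"` holds the Cloudflare credential that lets this host mint certificates for any name in the zone, and nothing in the file records how that secret is provisioned or how narrowly it is scoped. A comment above the `defaults` block would help the next reader: `# Cloudflare API token for DNS-01 challenges; scope it to DNS edit on the one zone only. Path is populated outside Nix so the token never lands in the store.` Since the silverbullet vhost sets `acmeRoot = null`, DNS-01 is what lets this host issue certs without any public HTTP listener, which fits the tailnet-only design and is worth stating in the same comment.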
+64
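--- a/packetmix/systems/umber/silverbullet.nix
+++ b/packetmix/systems/umber/silverbullet.nix
@@ -0,0 +1,64 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  project,
+  system,
+  config,
+  ...
+}:
+{
+  clicks.storage.impermanence.persist.directories = [
+    {
+      directory = config.services.silverbullet.spaceDir;
+      mode = "0700";
+      defaultPerms.mode = "0700";
+    }
+  ];
+
+  services.silverbullet = {
+    enable = true;
+    listenPort = 1024;
+    listenAddress = "127.0.0.1";
+    package = project.inputs.nixos-unstable.result.${system}.silverbullet;
+  };
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."silverbullet.starrysky.fyi" = {
+    listenAddresses = [ "localhost.tailscale" ];
+
+    addSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    serverAliases = [ "umber.clicks.domains" ];
+
+    locations."/" = {
+      proxyPass = "http://$silverbullet_upstream_minion_only";
+      recommendedProxySettings = true;
+    };
+  };
+
+  services.nginx.virtualHosts."silverbullet_access_denied" = {
+    listen = [
+      {
+        addr = "127.0.0.1";
+        port = 403;
+      }
+    ];
+    locations."/".return = ''403 '403 - Access Denied: Your device is logged on to tailscale as '$http_x_webauth_user'. Unfortunately, this is a private silverbullet instance for 'minion', please use https://silverbullet.clicks.codes instead' '';
+  };
+
+  services.nginx.commonHttpConfig = ''
+    map $auth_user $silverbullet_upstream_minion_only {
+      default 127.0.0.1:403;
+      minion 127.0.0.1:1024;
+    }
+  '';
+
+  services.nginx.tailscaleAuth = {
+    enable = true;
+    virtualHosts = [ "silverbullet.starrysky.fyi" ];
+  };
+}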
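Review bot: The `map $auth_user` block in `commonHttpConfig` keys on the bare string `minion`, but the tailscaleAuth module fills `$auth_user` from the `Tailscale-User` header, which as far as I recall carries the full login (`user@provider`), so the exact match may never fire and every request, the owner's included, would be routed to the `127.0.0.1:403` backend. That fails closed, which is the right direction, but it deserves one real request to confirm; if the value is the full login, key on that value (e.g. `<OWNER_FULL_LOGIN> 127.0.0.1:1024;`, a placeholder) rather than switching to the bare `$auth_login`, since the full string also pins the identity provider rather than just the name. A comment on the map would spare the next reader the same lookup: `# $auth_user comes from tailscaleAuth's auth_request_set (Tailscale-User header); exact match on the full login, everything else is default-denied.` The 403 `return` body is served with nginx's default content type, so `default_type text/plain;` in that vhost's `extraConfig` would make browsers display the message instead of downloading it and keeps the reflected `$http_x_webauth_user` inert.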
+13
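--- a/packetmix/systems/umber/tailscale.nix
+++ b/packetmix/systems/umber/tailscale.nix
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  networking.hosts."100.64.0.48" = [ "localhost.tailscale" ];
+
+  services.nginx.defaultListenAddresses = [
+    "0.0.0.0"
+    "[::0]"
+    "localhost.tailscale"
+  ];
+}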
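Review bot: `networking.hosts."100.64.0.48"` hardcodes this node's Tailscale address and nginx binds to it through `defaultListenAddresses` and the silverbullet vhost's `listenAddresses`, so the bind fails if tailscaled has not brought the interface up before nginx starts, and it silently targets a stale address if the node is ever re-enrolled and assigned a new one. A comment recording the provenance would help: `# umber's Tailscale IPv4 (from `tailscale ip -4`); nginx binds to it, so refresh this on re-enrolment.` For startup order, I have not checked how umber sequences these units, but ordering nginx after `tailscaled.service` via `systemd.services.nginx.after`/`wants`, or setting `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1`, would make the bind robust to tailscaled coming up late.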