
feat(pm/umber): add silverbullet

firebrick was my private silverbullet instance, now the job falls to
umber. There needs to be a bit of extra stuff here compared to teal,
since this silverbullet instance shouldn't be accessible by anyone
but me (unlike teal's, which is open to everyone on the Tailscale).

authored by a.starrysky.fyi and committed by Tangled b98d6904 7c10c269

Changed files
+97
packetmix
+16
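--- a/packetmix/systems/umber/acme.nix
+++ b/packetmix/systems/umber/acme.nix
@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "acme@starrysky.fyi";
+      dnsProvider = "cloudflare";
+      environmentFile = "/secrets/acme/environmentFile";
+    };
+  };
+
+  clicks.storage.impermanence.persist.directories = [ "/var/lib/acme" ];
+}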
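Review bot: The persisted `/var/lib/acme` entry (line 15) holds the ACME account key and every issued certificate's private key, yet it is listed as a bare string and so takes impermanence's default ownership and mode, while the silverbullet directory in the same commit is given an explicit `mode = "0700"`; either confirm the acme module re-applies its own ownership and permissions on the bind-mounted directory at activation, or spell it out as `{ directory = "/var/lib/acme"; user = "acme"; group = "acme"; mode = "0750"; }` (the `acme` user/group are what the nixpkgs module uses, verify against the deployed version). The Cloudflare API token in `/secrets/acme/environmentFile` (line 11) is read as root by the ACME service and nothing here shows how that file is provisioned or protected, so a comment stating the expected state would help the next maintainer, e.g. `# root:root 0600; token scoped to Zone:DNS:Edit for the zones below only — provisioned out of band`. Because `silverbullet.starrysky.fyi` also carries the alias `umber.clicks.domains` in this commit, that token presumably needs edit rights on both zones, which is worth stating in the same comment rather than discovering at renewal time.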
+65
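--- a/packetmix/systems/umber/silverbullet.nix
+++ b/packetmix/systems/umber/silverbullet.nix
@@ -0,0 +1,65 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  project,
+  system,
+  config,
+  ...
+}:
+{
+  clicks.storage.impermanence.persist.directories = [
+    {
+      directory = config.services.silverbullet.spaceDir;
+      mode = "0700";
+      defaultPerms.mode = "0700";
+    }
+  ];
+
+  services.silverbullet = {
+    enable = true;
+    listenPort = 1024;
+    listenAddress = "127.0.0.1";
+    package = project.inputs.nixos-unstable.result.${system}.silverbullet;
+  };
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."silverbullet.starrysky.fyi" = {
+    listenAddresses = [ "localhost.tailscale" ];
+
+    addSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    serverAliases = [ "umber.clicks.domains" ];
+
+    locations."/" = {
+      proxyPass = "http://$silverbullet_upstream_minion_only";
+      recommendedProxySettings = true;
+    };
+  };
+
+  services.nginx.virtualHosts."silverbullet_access_denied" = {
+    listen = [
+      {
+        addr = "127.0.0.1";
+        port = 403;
+      }
+    ];
+    locations."/".return =
+      ''403 '403 - Access Denied: Your device is logged on to tailscale as '$http_x_webauth_user'. Unfortunately, this is a private silverbullet instance for 'minion', please use https://silverbullet.clicks.codes instead' '';
+  };
+
+  services.nginx.commonHttpConfig = ''
+    map $auth_user $silverbullet_upstream_minion_only {
+      default 127.0.0.1:403;
+      minion 127.0.0.1:1024;
+    }
+  '';
+
+  services.nginx.tailscaleAuth = {
+    enable = true;
+    virtualHosts = [ "silverbullet.starrysky.fyi" ];
+  };
+}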
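Review bot: The `return` text on line 51 nests single quotes around `$http_x_webauth_user` and `minion` inside a single-quoted nginx argument, and nginx's tokenizer does not concatenate adjacent quoted strings the way a shell does — as far as I can tell it closes the argument at the quote after `as ` and then rejects the config with `unexpected "$"`, so the vhost never loads; use double quotes for the outer string and drop the inner ones, e.g. `''403 "403 - Access Denied: Your device is logged on to tailscale as $http_x_webauth_user. Unfortunately, this is a private silverbullet instance for minion, please use https://silverbullet.clicks.codes instead"''`. The allow-list `map $auth_user …` (lines 55-58) keys on `$auth_user`, which the tailscaleAuth module fills from nginx-auth's `Tailscale-User` header, and in Tailscale's nginx-auth that is the full login name (`minion@…`) while the bare form is sent as `Tailscale-Login` / `$auth_login`; if that holds for the deployed version the `minion` key never matches, so confirm which variable carries the bare name before relying on the gate — the `default 127.0.0.1:403` entry keeps it fail-closed either way, which is the right shape, and deserves a comment saying so. The denial body reflects the caller's identity string and nginx picks the Content-Type for `return` from the request URI's extension, so a request to `/x.html` on that vhost yields an HTML response containing `$http_x_webauth_user`; pin it with `extraConfig = "default_type text/plain;";` on `silverbullet_access_denied`. The persisted `spaceDir` entry (lines 13-17) sets `mode = "0700"` but no `user`/`group`, so impermanence creates it root-owned; if the silverbullet unit runs as a dedicated user (the nixpkgs module does by default), it cannot write its space there — add `user`/`group` matching that unit, or verify the module re-owns the directory at start.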
+13
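--- a/packetmix/systems/umber/tailscale.nix
+++ b/packetmix/systems/umber/tailscale.nix
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  networking.hosts."100.64.0.48" = [ "localhost.tailscale" ];
+
+  services.nginx.defaultListenAddresses = [
+    "0.0.0.0"
+    "[::0]"
+    "localhost.tailscale"
+  ];
+}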
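Review bot: Binding nginx to `localhost.tailscale` (line 11, and the silverbullet vhost's `listenAddresses` in this commit) resolves through the static `networking.hosts` entry on line 6 to a tailnet address that only exists once tailscaled has configured the interface, and nothing in this file orders nginx after it — if nginx starts first the bind fails and the whole server, public vhosts included, stays down; add `systemd.services.nginx.after = [ "tailscaled.service" ]; systemd.services.nginx.wants = [ "tailscaled.service" ];` or set `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` so the listener survives a late-arriving address. Hard-coding `100.64.0.48` also means a node re-registration that hands out a different tailnet IP silently breaks the private vhost (fail-closed, but opaque), so document the coupling, e.g. `# umber's tailnet IPv4; must match \`tailscale ip -4\` because nginx binds to it directly`. With `0.0.0.0` and `[::0]` already listed, adding `localhost.tailscale` to `defaultListenAddresses` appears redundant for every vhost that does not override `listenAddresses`, and the ones that do (the private silverbullet vhost) set it themselves; if it is there for a reason, a one-line comment would stop the next reader from removing it.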
+3
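--- a/packetmix/workspace.josh.license
+++ b/packetmix/workspace.josh.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+
+SPDX-License-Identifier: CC0-1.0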