From b98d6904f27cde0ba50f875b58c40c388248d6ae Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Tue, 7 Oct 2025 20:43:44 +0000
Subject: [PATCH] feat(pm/umber): add silverbullet
firebrick was my private silverbullet instance, now the job falls to umber. There needs to be a bit of extra stuff here compared to teal since as this silverbullet instance shouldn't be accessible by anyone but me (compared to everyone on the Tailscale...)
---
 packetmix/systems/umber/acme.nix | 16 ++++++
 packetmix/systems/umber/silverbullet.nix | 65 ++++++++++++++++++++++++
 packetmix/systems/umber/tailscale.nix | 13 +++++
 packetmix/workspace.josh.license | 3 ++
 4 files changed, 97 insertions(+)
 create mode 100644 packetmix/systems/umber/acme.nix
 create mode 100644 packetmix/systems/umber/silverbullet.nix
 create mode 100644 packetmix/systems/umber/tailscale.nix
 create mode 100644 packetmix/workspace.josh.license
diff --git a/packetmix/systems/umber/acme.nix b/packetmix/systems/umber/acme.nix
new file mode 100644
index 00000000..d5e1c378
--- /dev/null
+++ b/packetmix/systems/umber/acme.nix
@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "acme@starrysky.fyi";
+ dnsProvider = "cloudflare";
+ environmentFile = "/secrets/acme/environmentFile";
+ };
+ };
+
+ clicks.storage.impermanence.persist.directories = [ "/var/lib/acme" ];
+}
diff --git a/packetmix/systems/umber/silverbullet.nix b/packetmix/systems/umber/silverbullet.nix
new file mode 100644
index 00000000..4123d575
--- /dev/null
+++ b/packetmix/systems/umber/silverbullet.nix
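Review bot: `environmentFile = "/secrets/acme/environmentFile"` is where the Cloudflare API token for the DNS-01 challenge lives, and nothing in acme.nix records the expectations for that file: who may read it, how narrowly the token is scoped, and why DNS-01 is used at all. I would add above `defaults`: `# DNS-01 via Cloudflare: the host is only reachable over Tailscale, so HTTP-01 cannot be served; the token in environmentFile should be root-only and scoped to DNS edit on this one zone`. Only `/var/lib/acme` is persisted in this hunk, so whether `/secrets/acme` survives a reboot on this impermanence host depends on something not visible here — worth confirming and naming in the same comment.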
@@ -0,0 +1,65 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+ project,
+ system,
+ config,
+ ...
+}:
+{
+ clicks.storage.impermanence.persist.directories = [
+ {
+ directory = config.services.silverbullet.spaceDir;
+ mode = "0700";
+ defaultPerms.mode = "0700";
+ }
+ ];
+
+ services.silverbullet = {
+ enable = true;
+ listenPort = 1024;
+ listenAddress = "127.0.0.1";
+ package = project.inputs.nixos-unstable.result.${system}.silverbullet;
+ };
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."silverbullet.starrysky.fyi" = {
+ listenAddresses = [ "localhost.tailscale" ];
+
+ addSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+
+ serverAliases = [ "umber.clicks.domains" ];
+
+ locations."/" = {
+ proxyPass = "http://$silverbullet_upstream_minion_only";
+ recommendedProxySettings = true;
+ };
+ };
+
+ services.nginx.virtualHosts."silverbullet_access_denied" = {
+ listen = [
+ {
+ addr = "127.0.0.1";
+ port = 403;
+ }
+ ];
+ locations."/".return =
+ ''403 '403 - Access Denied: Your device is logged on to tailscale as '$http_x_webauth_user'. Unfortunately, this is a private silverbullet instance for 'minion', please use https://silverbullet.clicks.codes instead' '';
+ };
+
+ services.nginx.commonHttpConfig = ''
+ map $auth_user $silverbullet_upstream_minion_only {
+ default 127.0.0.1:403;
+ minion 127.0.0.1:1024;
+ }
+ '';
+
+ services.nginx.tailscaleAuth = {
+ enable = true;
+ virtualHosts = [ "silverbullet.starrysky.fyi" ];
+ };
+}
diff --git a/packetmix/systems/umber/tailscale.nix b/packetmix/systems/umber/tailscale.nix
new file mode 100644
index 00000000..3d3609ac
--- /dev/null
+++ b/packetmix/systems/umber/tailscale.nix
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+ networking.hosts."100.64.0.48" = [ "localhost.tailscale" ];
+
+ services.nginx.defaultListenAddresses = [
+ "0.0.0.0"
+ "[::0]"
+ "localhost.tailscale"
+ ];
+}
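Review bot: The `minion 127.0.0.1:1024;` entry in the `$auth_user` map is an exact string match, and `$auth_user` is filled by the tailscaleAuth module from the Tailscale-User header, which to my knowledge carries the full login name (`user@provider`) rather than the bare login; if that holds, no request ever matches the key and the owner is sent to the 403 vhost along with everyone else, so confirm the exact value (the access-denied page prints it via `$http_x_webauth_user`) and key the map on it, e.g. `<full-login-name> 127.0.0.1:1024;` (placeholder). Failing closed with `default 127.0.0.1:403;` is the right shape and should stay as the only fallback. Separately, silverbullet itself listens on `127.0.0.1:1024` with no authentication of its own configured in this file, so any local process or user on umber reaches the space without passing the Tailscale check; a comment on `listenAddress` recording that loopback is treated as inside the trust boundary would help the next reader judge whether that still holds.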
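Review bot: `networking.hosts."100.64.0.48" = [ "localhost.tailscale" ]` makes nginx bind the silverbullet vhost to a Tailscale address that only exists once tailscaled has brought the interface up, and nothing here orders nginx after tailscaled; if nginx starts first the `listen` on that address will presumably fail to bind (unless `net.ipv4.ip_nonlocal_bind` is set elsewhere), which is worth either an explicit unit ordering or a comment explaining how the race is avoided. The address is also hard-coded, so I would add: `# umber's Tailscale IPv4; the silverbullet vhost binds to this address only, so update it if the node is re-registered`. The third entry in `defaultListenAddresses` is what lets the other vhosts be selected by Host on the Tailscale address too — a one-line comment saying so would save the next reader from wondering why `0.0.0.0` alone is not enough.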
diff --git a/packetmix/workspace.josh.license b/packetmix/workspace.josh.license
new file mode 100644
index 00000000..d698a125
--- /dev/null
+++ b/packetmix/workspace.josh.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+
+SPDX-License-Identifier: CC0-1.0
-- 
2.43.0
From 1575ca435f2c3a5d22f0012feac0db4592b3a85e Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Tue, 7 Oct 2025 20:17:05 +0000
Subject: [PATCH] fix(pm/server): disable zsh new user welcome
Change-Id: unsyznronxyxuonvxwoolnqtsnsvluuz
We can do this by redefining the function zsh calls to be a no-op... I haven't decided if we want this on user machines, but we definitely don't want it on servers
Refs: https://discourse.nixos.org/t/zsh-configuration-for-new-users-keeps-recurring
---
 packetmix/systems/server/zsh.nix | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 packetmix/systems/server/zsh.nix
diff --git a/packetmix/systems/server/zsh.nix b/packetmix/systems/server/zsh.nix
new file mode 100644
index 00000000..088d2546
--- /dev/null
+++ b/packetmix/systems/server/zsh.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+ programs.zsh.shellInit = "zsh-newuser-install() { true }";
+}
-- 
2.43.0
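Review bot: The `shellInit` line in zsh.nix gives no hint of what it neutralises, and the reasoning lives only in the commit message and the linked thread; a comment above it would spare the next reader the trip: `# zsh's newuser module calls zsh-newuser-install when a user has no ~/.zshrc; stub it so servers never drop into the interactive setup wizard`. `programs.zsh.shellInit` is a lines-type option, so other modules setting it are concatenated with this one; since the last definition of a shell function wins, it is worth noting in the same comment that the stub only holds if nothing later in the generated file redefines or autoloads the real function.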